AI Access Security
Tag GenAI Apps
Table of Contents
Tag GenAI Apps
Apply tags to the application to reflect whether the application is approved within
your organization.
Where Can I Use This? | What Do I Need? |
|---|---|
| One of the following:
|
Based on a GenAI application’s
risk score and other considerations, you can apply tags to
the application to reflect whether the application is approved within your
organization. The following tags are available:
Tag | Description |
|---|---|
Sanctioned | The application is approved by your organization, and is being
used by members of your organization. |
Unsanctioned | The application isn't approved by your organization. For example,
the application might be unsanctioned due to security risks
associated with the application. Because members of your organization should not be using the
application, you should take action to block the application.
You can use a policy rule to block the application. |
Tolerated | The application isn't trusted like a sanctioned application.
However, your organization allows its use until your
organization can identify a more secure application. The
application is tolerated so as not to inhibit your
organization's productivity. Because the application is allowed despite potential security
risks, you might take steps to restrict certain actions. For
example, you might create a policy rule to block upload or
download operations for the application. |
Palo Alto Networks
groups the child App-IDs for app functionality in a container
App-ID. However, tagging an App-ID container is not supported. You must
individually tag the specific child App-ID that are sanctioned, unsanctioned, or
tolerated within your organization.For example, consider the
claude
container App-ID
that contains the following child App-IDs:
claude-base
,
claude-upload
,
claude-edit
,
claude-post
, and
claude-delete
.You create an application filter to enforce the same
data exfiltration controls for
Sanctioned
applications.
In this case, you must tag all the child App-IDs of the
claude
App-ID container to apply the policy rule action for all
sub-processes of the Sanctioned
claude
GenAI app. - Log in toStrata Cloud Manager.
- Obtain the child App-IDs you want to tag.You can obtain the child App-IDs for a GenAI app using one of the following ways.
- Use theAI Access SecurityInsights dashboard to discover risks posed by GenAI apps.AI Access SecurityInsights shows you the detected child App-IDs used across your organization.
- Review the list of supported GenAI apps and use Applipedia to search for the child App-IDs of supported GenAI apps.
- Select .
- In theConfiguration Scope, select the folder for which you want to apply the new tag.If you are tagging an App-ID delivered through App-ID Cloud Engine (ACE), then allNGFWorPrisma Accesstenants associated with the selected folder must be configured to receive App-ID updates from ACE.ACE is enabled by default for aNGFWorPrisma Accesstenant when they have an activeSaaS Security InlineorAI Access Securitylicense. You can also manually enable ACE for yourNGFW.The configuration push fails if you tag an App-ID delivered from ACE and at least oneNGFWorPrisma Accesstenant associated with the selected folder isn't configured to receive App-IDs from ACE.For this reason,Palo Alto Networksdoesn't recommend selecting theGlobalConfiguration Scope.
- In theCategory Filterssearch field, enter the App-ID you want to tag and select it.You can only tag one App-ID at a time.
- Add/Edit Tag.
![]()
- Click+to apply a predefinedSanctioned,Tolerated, orUnsanctionedapplication tag.In this example, theclaude-baseApp-ID is tagged with theSanctionedtag.
- Save.
![]()
- Review the values in theTagcolumn to verify you successfully applied the application tag.
![]()
- ClickOverview.
- Push ConfigandPushyour configuration changes.
