Associate the Application-Tagging Snippet

Perform the initial AI Access Security configuration to enable safe adoption of GenAI applications across your organization.
Where Can I Use This?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need?
One of the following:
  • AI Access Security license
  • CASB-PA license
  • CASB-X license
In September 2024, we updated the way application tagging is implemented. If you tagged apps prior to this update, be aware that the tag information displayed in AI Access Security, the Activity Insights Applications page, and the Strata Cloud Manager Command Center might no longer reflect what is being enforced on the NGFW or Prisma Access deployment. The predefined Sanctioned and Tolerated tags that you applied prior to this update can still affect tag-based policy enforcement on the NGFW or Prisma Access deployment. If you tagged apps as Sanctioned or Tolerated prior to the September 2024 update, complete the following steps:
  1. Tag the apps in the Application-Tagging snippet to match the tags that you had previously applied.
  2. In the configuration scope where you added the tags to an app, remove the tags.
    1. Navigate to the Applications page in Strata Cloud Manager (Manage > Configuration > NGFW and Prisma Access > Objects > Application > Applications).
    2. From the list of applications, select the app that you tagged.
    3. Select Add/Edit Tag, and remove the Sanctioned or Tolerated tag.
  3. Complete the following steps to associate the Application-Tagging snippet with the scopes.
To support tagging, a predefined snippet named Application-Tagging is available in Strata Cloud Manager. This snippet is required to support tag-based policy rule enforcement. The Application-Tagging snippet contains tagging information to indicate which GenAI apps are approved for use within your organization. Tags are written to, and read from, the Application-Tagging snippet to determine whether an app is tagged as Sanctioned or Tolerated. Apps that are not explicitly tagged as Sanctioned or Tolerated are considered Unsanctioned. Tags are displayed in AI Access Security, the Activity Insights Applications page, and the Strata Cloud Manager Command Center from the information in the Application-Tagging snippet.
You can re-tag an app based on a GenAI app’s risk score and other considerations. The changes that you apply are written to the Application-Tagging snippet. You can then push the new tags as configuration changes to the NGFW or Prisma Access deployment. If you have tagging-based rules on the NGFW or Prisma Access deployment, traffic for the re-tagged app will be enforced according to the app's new tag. For example, you might have a rule on the NGFW that allows traffic only for Sanctioned or Tolerated apps. By tagging an app as Sanctioned and pushing the changes to the NGFW, you can allow traffic for the app without having to modify the rule.
To push tags to your NGFW or Prisma Access deployment, you must first associate the Application-Tagging snippet with the appropriate scope. Make sure that you associate the Application-Tagging snippet only with NGFWs or Prisma Access deployments that have the App‑ID Cloud Engine (ACE) enabled. The Application-Tagging snippet uses ACE because the AI Access Security, CASB-PA, and CASB-X licenses give you access to a wider array of apps through the ACE service. Apps are identified in the Application-Tagging snippet by using ACE App-IDs. For this reason, the configuration push will fail if the NGFW or Prisma Access deployment isn't configured to receive App-IDs from ACE.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > NGFW and Prisma Access > Overview.
  3. Select Configuration Scope > Snippets > Application-Tagging.
  4. In the Snippet Associations area, select the settings gear icon to display the scopes that you can associate with the Application-Tagging snippet.
  5. Select the scopes that you want to associate with the Application-Tagging snippet. Remember to make sure that you associate the Application-Tagging snippet only with NGFWs or Prisma Access deployments that have ACE enabled.
    If you tag apps as Sanctioned or Tolerated from the Applications page in Strata Cloud Manager (Manage > Configuration > NGFW and Prisma Access > Objects > Application > Applications), make sure you set the Configuration Scope to the Application-Tagging snippet.
    Tagging to the Application-Tagging scope is important for the following reasons:
    • The tags that are displayed in AI Access Security, the Activity Insights Applications page, and the Strata Cloud Manager Command Center are read from the Application-Tagging snippet. If you tag an application in a different scope, the tags that are enforced by policy might not be the same as the tags shown in the various user interfaces.
    • If an app is tagged in the Application-Tagging scope and is also tagged in a different scope, tag-based policy enforcement will be based on an evaluation order that might cause unexpected enforcement behavior.
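
The tagging rules above can be checked before a push with a small audit. The following is an added example, not code or an export format from Strata Cloud Manager. The scope names, app names, and dictionary layout are constructed, and you would populate them from your own record of tags and snippet associations.

```python
SNIPPET = "Application-Tagging"
APPROVED = {"Sanctioned", "Tolerated"}

# Constructed sample inventory: scope name -> {app name: tag}.
TAGS_BY_SCOPE = {
    "Application-Tagging": {"chat-app-a": "Sanctioned", "code-assist-b": "Tolerated"},
    "Global": {"chat-app-a": "Tolerated", "image-gen-c": "Sanctioned"},
    "Branch-Firewalls": {"code-assist-b": "Tolerated"},
}
# Constructed sample: scope associated with the snippet -> is ACE enabled there?
ASSOCIATED_SCOPES = {"Branch-Firewalls": True, "Lab-Firewalls": False}


def displayed_tag(app, tags_by_scope):
    """Tag the UIs display: read from the snippet only, otherwise Unsanctioned."""
    tag = tags_by_scope.get(SNIPPET, {}).get(app)
    return tag if tag in APPROVED else "Unsanctioned"


def audit(tags_by_scope, associated_scopes):
    """Return (kind, scope, app) findings for tags and associations to fix."""
    findings = []
    for scope, tags in sorted(tags_by_scope.items()):
        if scope == SNIPPET:
            continue
        for app, tag in sorted(tags.items()):
            if tag not in APPROVED:
                continue
            shown = displayed_tag(app, tags_by_scope)
            if shown == "Unsanctioned":
                kind = "missing-from-snippet"  # tag it in the snippet first
            elif shown != tag:
                kind = "conflict"              # displayed tag differs from this scope's tag
            else:
                kind = "duplicate"             # matches; remove it from this scope
            findings.append((kind, scope, app))
    for scope, ace_enabled in sorted(associated_scopes.items()):
        if not ace_enabled:
            findings.append(("ace-disabled", scope, None))  # push would fail
    return findings


if __name__ == "__main__":
    for finding in audit(TAGS_BY_SCOPE, ASSOCIATED_SCOPES):
        print(finding)
```

The audit only reports where a tag exists outside the snippet. It does not predict which tag wins, because the evaluation order is not described on this page.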