AI Access Security
Associate the Application-Tagging Snippet
Perform the initial AI Access Security configuration to enable safe
adoption of GenAI applications across your organization.
Where Can I Use This? | What Do I Need? |
---|---|
|
One of the following:
|
To support tagging, a predefined snippet named
Application-Tagging is available in Strata Cloud Manager. This snippet is required to support tag-based policy rule
enforcement. The Application-Tagging snippet contains
tagging information to indicate which GenAI apps are approved for use within your
organization. Tags are written to, and read from, the
Application-Tagging snippet to determine whether an
app is tagged as Sanctioned or Tolerated. Apps that are not explicitly tagged as
Sanctioned or Tolerated are considered Unsanctioned. Tags are displayed in AI Access Security, the Activity Insights
Applications page, and the Strata Cloud Manager Command Center
from the information in the Application-Tagging
snippet.
You can re-tag an app based on a GenAI app’s risk score and other considerations. The
changes that you apply are written to the
Application-Tagging snippet. You can then push the
new tags as configuration changes to the NGFW or Prisma Access
deployment. If you have tagging-based rules on the NGFW or Prisma Access deployment, traffic for the re-tagged app will be enforced
according to the app's new tag. For example, you might have a rule on the NGFW that allows traffic only for Sanctioned or Tolerated apps. By
tagging an app as Sanctioned and pushing the changes to the NGFW, you
can allow traffic for the app without having to modify the rule.
To push tags to your NGFW or Prisma Access deployment, you must
first associate the Application-Tagging snippet with
the appropriate scope. Make sure that you associate the
Application-Tagging snippet only with NGFWs or Prisma Access deployments that have the App‑ID Cloud Engine (ACE) enabled. The
Application-Tagging snippet uses ACE because the
AI Access Security, CASB-PA, and CASB-X
licenses give you access to a wider array of apps through the ACE service. Apps are
identified in the Application-Tagging snippet by using
ACE App-IDs. For this reason, the configuration push will fail if the NGFW or Prisma Access deployment isn't configured to receive
App-IDs from ACE.
- Log in to Strata Cloud Manager.
- Tag GenAI apps in the Application-Tagging snippet to match the existing tags that you applied to the apps.
- Remove the existing Sanctioned and Tolerated app tags from all Configuration Scopes.
  In September 2024, we updated the way application tagging is implemented. If you tagged apps prior to this update, be aware that tag information displayed in AI Access Security, the Activity Insights Applications page, and the Strata Cloud Manager Command Center might no longer reflect what is being enforced on the NGFW or Prisma Access deployment. The predefined Sanctioned and Tolerated tags that you applied prior to this update can still affect tag-based policy enforcement on the NGFW or Prisma Access deployment. To ensure correct tag-based policy enforcement, remove all Sanctioned or Tolerated app tags applied prior to this September 2024 update.
  - Select Manage > Configuration > NGFW and Prisma Access > Objects > Application > Applications.
  - Remove all Sanctioned and Tolerated app tags from all other Configuration Scopes.
  - Change the Configuration Scope to the folder where you previously managed your app tags. For example, if you manage your app tags from the Global folder, select Global in the Configuration Scope.
  - Select your apps from the list of Matching Applications. You can use the Sanctioned and Tolerated Tags filters to quickly narrow down the list of tagged apps.
  - Remove Tag and confirm to remove existing tags. This only removes tags added by an admin and not any of the predefined tags associated with the app by default.
  - Repeat this step to remove all Sanctioned and Tolerated tags from all apps in all Configuration Scopes.
- Select Manage > Configuration > NGFW and Prisma Access > Overview.
- Select Configuration Scope > Snippets > Application-Tagging.
- In the Snippet Associations area, select the settings gear icon to display the scopes that you can associate with the Application-Tagging snippet.
- Select the scopes that you want to associate with the Application-Tagging snippet. Remember to make sure that you associate the Application-Tagging snippet only with NGFWs or Prisma Access deployments that have ACE enabled.
  If you tag apps as Sanctioned or Tolerated from the Applications page in Strata Cloud Manager (Manage > Configuration > NGFW and Prisma Access > Objects > Application > Applications), make sure you set the Configuration Scope to the Application-Tagging snippet.
  Tagging to the Application-Tagging scope is important for the following reasons:
  - The tags that are displayed in AI Access Security, the Activity Insights Applications page, and the Strata Cloud Manager Command Center are read from the Application-Tagging snippet. If you tag an application in a different scope, the tags that are enforced by policy might not be the same as the tags shown in the various user interfaces.
  - If an app is tagged in the Application-Tagging scope and also tagged in a different scope, tag-based policy enforcement will be based on an evaluation order that might cause unexpected enforcement behavior.
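The following is an added example, not Palo Alto Networks code, that audits tag assignments for the two problems described above: approval tags left in scopes other than the Application-Tagging snippet, and apps whose tag in another scope differs from what the user interfaces display. It assumes you have transcribed the admin-applied tags into (scope, app, tag) rows; that row format, the app names, and the Branch-Firewalls scope name are constructed for illustration and are not a Strata Cloud Manager export format.

```python
from collections import defaultdict

SNIPPET = "Application-Tagging"
APPROVAL_TAGS = {"Sanctioned", "Tolerated"}

# Constructed sample rows: (configuration scope, app, admin-applied tag).
SAMPLE_ROWS = [
    ("Application-Tagging", "genai-app-a", "Sanctioned"),
    ("Application-Tagging", "genai-app-b", "Tolerated"),
    ("Global", "genai-app-b", "Sanctioned"),            # legacy tag, differs from snippet
    ("Global", "genai-app-c", "Sanctioned"),            # legacy tag, app not in snippet
    ("Branch-Firewalls", "genai-app-a", "Sanctioned"),  # legacy copy of the snippet tag
]

def displayed_tag(rows, app):
    """Tag the user interfaces show: read from the snippet only.
    Apps without a Sanctioned or Tolerated tag there are Unsanctioned."""
    for scope, name, tag in rows:
        if scope == SNIPPET and name == app and tag in APPROVAL_TAGS:
            return tag
    return "Unsanctioned"

def audit(rows):
    """Return {app: [(scope, tag, finding)]} for approval tags outside the snippet."""
    findings = defaultdict(list)
    for scope, app, tag in rows:
        if scope == SNIPPET or tag not in APPROVAL_TAGS:
            continue
        shown = displayed_tag(rows, app)
        if shown == "Unsanctioned":
            # Re-tag in the snippet first, then remove the legacy tag.
            kind = "tagged only outside snippet"
        elif shown != tag:
            kind = "conflicts with snippet tag"
        else:
            kind = "duplicate of snippet tag"
        findings[app].append((scope, tag, kind))
    return dict(findings)

if __name__ == "__main__":
    for app, items in sorted(audit(SAMPLE_ROWS).items()):
        for scope, tag, kind in items:
            print(f"{app}: {tag} in scope {scope}: {kind} "
                  f"(UI shows {displayed_tag(SAMPLE_ROWS, app)})")
```

Every finding is a tag to remove from the listed scope; the script deliberately does not predict which tag the firewall enforces, because the page states only that an evaluation order applies.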