AI Access Security
Perform Initial AI Access Security Configuration
Table of Contents
Expand All
|
Collapse All
AI Access Security Docs
Perform Initial AI Access Security Configuration
Perform the initial AI Access Security configuration to enable safe
adoption of GenAI applications across your organization.
Where Can I Use This? | What Do I Need? |
---|---|
|
One of the following:
|
An initial configuration is required before you can begin using AI Access Security to safely adopt generative AI (GenAI) apps across your
organization. This includes enabling role-based access, setting up and configuring
Enterprise Data Loss Prevention (E-DLP) to prevent exfiltration of sensitive data, and creating
a Vulnerability Protection profile to stop attempts to exploit system flaws or gain
unauthorized access to systems.
This procedure assumes you already activated the AI Access Security license.
- Set up and configure Enterprise Data Loss Prevention (E-DLP).Enterprise DLP is the detection engine that prevents exfiltration of sensitive data to GenAI apps. Associate an Enterprise DLP data profile with a Security policy rule to define what is considered sensitive data and the action Enterprise DLP takes when sensitive data is detected.
- Set Up Enterprise DLP.Edit the Enterprise DLP settings to define the Cloud Content, data filtering, and snippet settings.Review the supported advanced Detection Methods to use in your Enterprise DLP configuration.The are advanced traffic match detection techniques used to prevent exfiltration of sensitive data. They can be used alongside any combination of predefined, custom regex, or file property data patterns in an advanced data profile.Create data patterns and data profiles to define your sensitive data match criteria.Palo Alto Networks recommends creating advanced data profiles as they allow you to use advanced detection method techniques to strengthen your security posture.(Strata Cloud Manager only) Modify the DLP Rule to specify the impacted file types and file direction (upload or download) and the action Enterprise DLP takes when sensitive data is detected.Enable Role Based Access to define the access privileges for your security administrators.Configuring access privileges AI Access Security and Enterprise DLP, as well as for the management interface (Panorama™ management server or Strata Cloud Manager.Create a Vulnerability Protection profile.Vulnerability Protection profiles are associated with your Security policy rule and stop attempts to exploit system flaws or gain unauthorized access to systems.(NGFW only) Create an internal trust zone and an outbound untrusted zone.Zones are a logical way to group physical and virtual interfaces on the NGFW to control and log the traffic that traverses specific interfaces on your network. Policy rules on the NGFW use zones to identify where the traffic comes from and where it's going.The internal trust zone designates traffic originating from within your organization while the outbound untrusted zone designates traffic destined for the internet.Create application filters to dynamically group GenAI apps for which you want to apply the same Security policy requirements.AI Access Security includes dynamic predefined GenAI application filters based on the GenAI app use case.Create Custom Security policy rules to begin safely adopting GenAI apps in your organization.Modify the Default Web Access Policies to allow Enterprise DLP to successfully inspect traffic for non-GenAI apps.Skip this step if you don't have an active Enterprise DLP license. An active Enterprise DLP, CASB-PA, or CASB-X license is required to forward traffic to Enterprise DLP for inspection and verdict rendering.
- Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesPoliciesWeb Security.Select your Configuration Scope.Navigate to the Default Web Access Policies.Select the Global Catch All Policy policy rule and Disable.Select the Global Web Access policy rule to edit it.Remove all entries from the Global Web Access policy rule configuration.
- Allowed Web Applications
- Blocked URL Categories
- Allowed URL Categories
Save.Push Config and Push.