: Device > Setup > ACE
Focus
Focus

Device > Setup > ACE

Table of Contents

Device > Setup > ACE

Enable or disable App-ID Cloud Engine (ACE) settings and settings related to SaaS Security Inline policy recommendations.
ACE Settings
Description
ACE Settings
Disable the App-ID Cloud Engine
Deselect this checkbox to enable ACE or select this checkbox to disable ACE.
ACE is a service that enables the downloading of App-IDs for unknown SaaS applications from the cloud. ACE converts unknown applications to known applications, vastly increases the number of known App-IDs, speeds up the availability and delivery of new App-IDs, and dramatically increases visibility into applications. App-IDs make it possible to take action (enforce policy) on the SaaS apps you define in SaaS policy rule recommendations.
You must have a valid SaaS Security Inline license on the firewall to use ACE. If you do not have a SaaS Security Inline license on a firewall, that firewall cannot install ACE App-IDs or use them in Security policy. Panorama does not require a license to manage firewalls that use ACE.
SaaS Inline Settings
The SaaS Inline Settings are displayed only if your license includes SaaS Security Inline.
For certain discovered applications, SaaS Security Inline, using information that PAN-OS writes to Strata Logging Service, can detect the specific application tenants that users are accessing. SaaS Security Inline displays these tenant details, and you can submit policy rule recommendations at the tenant level. This tenant-level detection and control is available only for select applications.
You can enable the following SaaS Security Inline settings to increase the amount of information that PAN-OS logs to Strata Logging Service. By logging this additional information, PAN-OS extends SaaS Security Inline's tenant-level detection and control capabilities.
(PAN-OS 11.2.3 and later releases) Enable Additional HTTP Header Logging
Select this checkbox to enable additional HTTP header logging. When you have enabled additional HTTP header logging, the firewall logs more information about applications to Strata Logging Service. This additional information enables SaaS Security Inline to detect the individual application tenants for more applications, including Microsoft Outlook, Microsoft OneNote, Dropbox, Microsoft Teams, and Windows Azure. For a full list of the applications that require additional header logging for tenant detection, refer to the instructions on creating a policy recommendation in SaaS Security Inline.
Because SaaS Security Inline is the only consumer of this information, and because you might not require tenant-level policy rules for the additional applications, additional header logging is disabled by default.