Activate SaaS Security Inline for Prisma Access

Table of Contents

Activate SaaS Security Inline for VM-Series Firewalls with Software NGFW Credits

Activate SaaS Security Posture Management

Activate SaaS Security Inline for Prisma Access

Learn how to activate SaaS Security Inline on Prisma Access (Managed by Panorama or Strata Cloud Manager).

Important

Palo Alto Networks is rolling out a new, unified activation experience in stages. For supported SASE products, you might see the new activation console now, or you maybe directed to use the Hub for activation until the update reaches your tenant.

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Panorama or Strata Cloud Manager)	SaaS Security Inline license Prisma Access license Or any of the following licenses that include the SaaS Security Inline license: CASB-X CASB-PA

Where Can I Use This?

What Do I Need?

Prisma Access (Managed by Panorama or Strata Cloud Manager)

SaaS Security Inline license
Prisma Access license

Or any of the following licenses that include the SaaS Security Inline license:

CASB-X
CASB-PA

To unlock the SaaS Security Inline capabilities—SaaS visibility, SaaS policy rule recommendations, and ACE (App-ID Cloud Engine), simply activate SaaS Security Inline from the activation email that you received. After activation, you can log in to your SaaS Security Inline tenant to explore SaaS visibility data.

If you're adding SaaS Security Inline to a Prisma Access deployment that is already enforcing App-ID based security policy rules, activating SaaS Security Inline might result in unexpected changes in policy enforcement. These unexpected changes might occur because the App-ID Cloud Engine (ACE) included with SaaS Security Inline gives you visibility and control into thousands of applications that were previously identified generically as SSL or web-browsing applications. When ACE identifies an application that was previously classified as SSL or web-browsing, it reclassifies the application with the new specific App-ID. Traffic for this App-ID will be blocked or allowed based on the first security policy rule it matches. Because the application is now classified with a specific App-ID, it will no longer match rules that are configured for the generic SSL or web-browsing App-IDs. Prisma Access might now block traffic that it previously allowed, possibly resulting in unintentional business interruption. Conversely, the firewall might allow traffic that it previously blocked, potentially leading to security gaps.

If you're adding SaaS Security Inline to a Prisma Access deployment that is already enforcing App-ID based security policy rules, update your security policy rulebase for ACE App-IDs.

If you're enabling SaaS Security Inline for Next-Generation CASB, activate on Strata Cloud Manager using the activation email you received.

SaaS Security Inline activation:

Creates a URL for SaaS Security Inline login.
Adds the SaaS Security Inline license to Prisma Access (Managed by Panorama or Strata Cloud Manager) so that you can unlock SaaS Security Inline features.
Enables a secure and encrypted connection and successful, mutual authentication between SaaS Security Inline, Prisma Access (Managed by Panorama or Strata Cloud Manager), and Strata Logging Service.

Before you activate:

Verify log forwarding. Because SaaS Security Inline requires network traffic data for analysis, you must enable Prisma Access to forward logs with that data to Strata Logging Service. Your SaaS Security Inline subscription requires that you also have an active Strata Logging Service instance, which stores the data logs from Prisma Access and streams them to SaaS Security Inline. Without logs, SaaS Security Inline can’t display SaaS application visibility data and might not be able to enforce SaaS policy rule recommendations. (Security administrator)
- Prisma Access (Managed by Panorama)—Enable log forwarding. Not enabled by default.
- Prisma Access (Managed by Strata Cloud Manager)—Verify log forwarding. Enabled by default.

Ensure that your environment meets all the activation requirements for the SaaS Security Inline features you want to enable for your platform. (SaaS administrator)

Requirement	Features
Requirement	SaaS Visibility	SaaS Policy Recommendations Synchronization (Policy Enforcement) and ACE
Supported Prisma Access release.	Prisma Access (Managed by Strata Cloud Manager)—Yes Prisma Access (Managed by Panorama)—Yes	Prisma Access (Managed by Strata Cloud Manager)—Yes, Prisma Access 3.0 Innovation or later (Dataplane 10.1.x or later) as outlined in Prisma Access Administrator’s Guide. The Web Security feature must be enabled on the tenant. Prisma Access (Managed by Panorama)—Yes, Prisma Access 3.0 Innovation or later (Dataplane 10.1.x or later) as outlined in Prisma Access Administrator’s Guide
One new or existing Strata Logging Service license.	Prisma Access (Managed by Strata Cloud Manager)—Yes Prisma Access (Managed by Panorama)—Yes, one per SaaS tenant
Same Customer Support Account for SaaS tenant, Strata Logging Service, Enterprise DLP, and Prisma Access tenant.	Prisma Access (Managed by Strata Cloud Manager)—Yes Prisma Access (Managed by Panorama)—Yes
One SaaS Security Inline license per Customer Support Account.	Prisma Access (Managed by Strata Cloud Manager)—Yes Prisma Access (Managed by Panorama)—Yes
Enterprise DLP license on Prisma Access and in the same Customer Support Account account as the SaaS tenant.	Prisma Access (Managed by Strata Cloud Manager)— Yes Prisma Access (Managed by Panorama)— Yes	Prisma Access (Managed by Strata Cloud Manager)—Yes Prisma Access (Managed by Panorama)—Yes

SaaS Security Inline requires network traffic data for analysis. Prisma Access automatically forwards logs with that data to Strata Logging Service. Your SaaS Security Inline subscription requires that you have an active Strata Logging Service instance, which stores the data logs from Prisma Access.

The example activation below is for a new Prisma Access (Managed by Panorama) deployment. Adding a SaaS Security Inline license to an existing Prisma Access (Managed by Panorama) deployment or Prisma Access (Managed by Strata Cloud Manager) deployment is similar, but not identical. Use this example as a guide.

Click the link provided to you by Palo Alto Networks when you purchase the SaaS Security Inline subscription.
Enter your Palo Alto Networks Customer Support Portal (CSP) Email Address. This email address must match the email address that received the link to activate SaaS Security Inline.
In the Manage Subscriptions page, choose the product you want to activate and Activate.
On the activation page, specify the tenant, region and Activate Now to begin activating SaaS Security Inline.
After the activation is complete, you will receive the following email. Also, you can either View Details of the subscription or Launch your SaaS Security Inline instance from the Manage Subscriptions page.
Get Started with SaaS Security Inline.