>
    Strata Copilot
    SaaS Visibility and Controls for NGFW
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Get Started with SaaS Security Inline
    4. SaaS Visibility and Controls
    5. SaaS Visibility and Controls for NGFW
    Download PDF
    SaaS Security

    SaaS Visibility and Controls for NGFW

    Table of Contents

    SaaS Visibility and Controls for NGFW

    Use this workflow to onboard both SaaS visibility and policy enforcement on SaaS Security Inline on NGFW.
    With PAN-OS 10.1 or later, SaaS Security Inline protects against cloud‑based threats by blocking traffic for unsanctioned SaaS apps and risky user activity using Security policy. Use the following workflow if you want to use all the features of SaaS Security Inline, including App-ID Cloud Engine (ACE), SaaS policy rule recommendations, and SaaS visibility.
    Step 1: Activation
    Because SaaS Security Inline is tightly integrated with your NGFW, you and your NGFW administrator will perform a few handoffs throughout the activation process.
    • Learn about ACE and SaaS Security Inline. (SaaS administrator and NGFW administrator)
    • Start the ACE deployment on your unmanaged NGFW or use a Panorama® management server to deploy ACE on NGFW (Managed by Panorama). (NGFW administrator)
    • Activate SaaS Security Inline to push the SaaS Security Inline license to your NGFW. (SaaS administrator)
    • Complete the ACE deployment on your NGFW. (NGFW administrator)
    Step 2: System Configuration
    • Integrate with Azure Active Directory so that SaaS Security Inline can identify your AD groups. (SaaS administrator)
    • Add administrators to manage Security policy. (SaaS administrator)
    Step 3: Security Policy Configuration
    • Review the guidelines for effective collaboration and rulebase management. (SaaS administrator and NGFW administrator)
    • Verify log forwarding on all firewalls. (NGFW administrator)
      As part of your ACE deployment, you enabled log forwarding. SaaS Security Inline cannot display SaaS app visibility data and might not be able to enforce policy rule recommendations without logs for all NGFW.
    • Author and submit SaaS policy rule recommendations to your NGFW administrator, after adhering to prerequisites. (SaaS administrator)
    • Import new SaaS policy rule recommendations. (NGFW administrator)
    Step 4: Security Policy Maintenance
    • Continuously monitor the SaaS policy rule recommendations to ensure they’re in sync. (SaaS administrator)
    • Continuously monitor the SaaS policy rule recommendations for changes. (NGFW administrator)
      • For updates, reimport changes to active SaaS policy rule recommendations.
      • For deletions, remove recommendation mapping, then delete the policy rule.
    • Use Policy Optimizer to determine when and how many times traffic matches the Security policy rule to determine its effectiveness. (NGFW administrator)

    © 2026 Palo Alto Networks, Inc. All rights reserved.