: Activate SaaS Security Inline for Prisma Access
Focus
Focus

Activate SaaS Security Inline for Prisma Access

Table of Contents

Activate SaaS Security Inline for Prisma Access

Learn how to activate SaaS Security Inline on Prisma Access.
To unlock the SaaS Security Inline capabilities—SaaS visibility, SaaS policy rule recommendations, and ACE (App-ID Cloud Engine), simply activate SaaS Security Inline from the activation email that you received. After activation, you can log in to your SaaS Security Inline tenant to explore SaaS visibility data.
If you are enabling SaaS Security Inline for Next-Generation CASB, activate in SASE Cloud Management Console using the activation email you received.
SaaS Security Inline activation:
  • Creates a URL for SaaS Security Inline login.
  • Adds the SaaS Security Inline license to Prisma Access so that you can unlock SaaS Security Inline features.
  • Enables a secure and encrypted connection and successful, mutual authentication between SaaS Security Inline, Prisma Access, and
    Cortex Data Lake
    .
Before you activate:
  • Verify log forwarding. Because SaaS Security Inline requires network traffic data for analysis, you must enable Prisma Access to forward logs with that data to
    Cortex Data Lake
    . Your SaaS Security Inline subscription requires that you also have an active
    Cortex Data Lake
    instance, which stores the data logs from Prisma Access and streams them to SaaS Security Inline. Without logs, SaaS Security Inline cannot display SaaS application visibility data and might not be able to enforce SaaS policy rule recommendations. (
    Security administrator
    )
    • Panorama Manged Prisma Access—Enable log forwarding. Not enabled by default.
    • Cloud Managed Prisma Access—Verify log forwarding. Enabled by default.
  • Ensure that your environment meets all the activation requirements for the SaaS Security Inline features you want to enable for your platform. (
    SaaS administrator
    )
    Requirement
    Features
    SaaS Visibility
    SaaS Policy Recommendations Synchronization (Policy Enforcement) and ACE
    Supported Prisma Access release.
    Cloud Managed Prisma Access—Yes
    Panorama Managed Prisma Access—Yes
    Cloud Managed Prisma Access—Yes, Prisma Access 3.0 Innovation or later (Dataplane 10.1.x or later) as outlined in Prisma Access Administrator’s Guide. The Web Security feature must be enabled on the tenant.
    Panorama Managed Prisma Access—Yes, Prisma Access 3.0 Innovation or later (Dataplane 10.1.x or later) as outlined in Prisma Access Administrator’s Guide
    One new or existing
    Cortex Data Lake
    license.
    Cloud Managed Prisma Access—Yes
    Panorama Managed Prisma Access—Yes, one per SaaS tenant
    Same Support Account (CSP ID) for SaaS tenant,
    Cortex Data Lake
    , Enterprise DLP, and Prisma Access tenant.
    Cloud Managed Prisma Access—Yes
    Panorama Managed Prisma Access—Yes
    One SaaS Security Inline license per CSP ID.
    Cloud Managed Prisma Access—Yes
    Panorama Managed Prisma Access—Yes
    Enterprise DLP license on Prisma Access and in the same CSP account as the SaaS tenant.
    Cloud Managed Prisma Access— Yes
    Panorama Managed Prisma Access— Yes
    Cloud Managed Prisma Access—Yes
    Panorama Managed Prisma Access—Yes
    SaaS Security Inline requires network traffic data for analysis. Prisma Access automatically forwards logs with that data to
    Cortex Data Lake
    . Your SaaS Security Inline subscription requires that you have an active
    Cortex Data Lake
    instance, which stores the data logs from Prisma Access.
The example activation below is for a new Panorama Managed Prisma Access deployment. Adding a SaaS Security Inline license to an existing Panorama Managed Prisma Access deployment or Cloud Managed Prisma Access deployment is similar, but not identical. Use this example as a guide.
  1. Open your SaaS Security Inline activation email and click
    Activate
    .
    The number of Activate buttons in the email you received depends on what you purchased. Each Activate button launches the same onboarding workflow that lets you activate all your purchased products together. Click any
    Activate
    button to begin. Additionally, your activation email depends on the type of activation: purchase, trial, or evaluation.
  2. Log in with your Palo Alto Networks Customer Support Portal account credentials.
  3. Select the products to activate, then
    Start Activation
    .
    If you have multiple items to activate, leave them all selected when you
    Start Activation
    .
  4. Select a
    Customer Support Account
    , then
    Next
    .
    If you have more than one Support account, select the one associated with the Prisma Access tenant to subscribe to SaaS Security Inline.
  5. Choose how to manage Prisma Access, then
    Next
    .
    • Cloud-Based Management Console
      —Use the Prisma Access app on the Palo Alto Networks hub to quickly onboard branches and mobile users.
    • Panorama
      —Use the Cloud Services plugin on Panorama to set up and manage Prisma Access. If new Panorama,
      Register New Panorama
      .
  6. In
    Finalize Selections
    , configure SaaS Security Inline.
    • Cortex Data Lake
      Selection
      and
      Region Selection
      —You must have an active
      Cortex Data Lake
      or activate a new one now. Do one of the following:
      • New
        Cortex Data Lake
        —Select
        Activate New
        if you are activating a new
        Cortex Data Lake
        subscription, then choose its region.
      • Existing
        Cortex Data Lake
        —Select an existing instance to use if you did not purchase a new
        Cortex Data Lake
        . If you have more than one
        Cortex Data Lake
        instance, choose the one to which Prisma Access will forward logs with network traffic metadata.
    • SaaS Tenant
      ,
      SaaS Region
      , and
      SaaS Subdomain
      —Do one of the following:
      • New Tenant
        —Select
        Activate New
        to create a new SaaS Security Inline tenant, then type a subdomain name, which completes the URL for your SaaS Security Inline app and becomes the URL where you log in to the SaaS Security web interface.
        SaaS Subdomain
        is prepopulated with the domain name from your email address, but you can change it if you want.
      • Existing Tenant
        —Select an existing tenant if you did not purchase a new
        Cortex Data Lake
        or you don’t want to activate a newly purchased
        Cortex Data Lake
        . Each SaaS tenant requires a unique
        Cortex Data Lake
        . You cannot reuse
        Cortex Data Lake
        s. The onboarding process enforces this requirement and automatically populates
        SaaS Tenant
        with the SaaS tenant that is mapped to the existing
        Cortex Data Lake
        .
        SaaS Region
        defaults to
        Cortex Data Lake
        region.
  7. Verify your activation selections, read and agree to the terms and conditions, then
    Confirm Selections
    .
    Depending upon what you onboard, the activation process creates a URL for your SaaS Security web interface and applies SaaS Security Inline licenses to the selected Prisma Access tenant and links them to your SaaS Security account.
  8. Verify that your
    Cortex Data Lake
    serial number displays on the web interface and indicates
    Monitoring
    .
  9. Navigate to
    Settings
    License Info
    , then verify your SaaS Security Inline license.

Recommended For You