Update Your Security Policy Rulebase for ACE App-IDs
Table of Contents
Expand all | Collapse all
-
-
- Allowed List of IP Addresses
-
- Begin Scanning a Bitbucket App
- Begin Scanning a Box App
- Begin Scanning ChatGPT Enterprise App
- Begin Scanning a Cisco Webex Teams App
- Begin Scanning a Confluence App
- Begin Scanning a Confluence Data Center App
- Begin Scanning a Dropbox App
- Begin Scanning a GitHub App
- Begin Scanning a Gmail App
- Begin Scanning a Google Drive App
- Begin Scanning a Jira App
- Begin Scanning a Jira Data Center App
- Begin Scanning a Microsoft Exchange App
- Begin Scanning Office 365 Apps
- Begin Scanning a Microsoft Teams App
- Begin Scanning a Salesforce App
- Begin Scanning a ServiceNow App
- Begin Scanning a ShareFile App
- Begin Scanning a Slack Enterprise App
- Begin Scanning a Slack for Pro and Business App
- Begin Scanning a Workday App (Beta)
- Begin Scanning a Zendesk App
- Begin Scanning a Zoom App
- Reauthenticate to a Cloud App
- Verify Permissions on Cloud Apps
- Start Scanning a Cloud App
- Rescan a Managed Cloud App
- Delete Cloud Apps Managed by Data Security
- API Throttling
- Configure Classification Labels
- Microsoft Labeling for Office 365
- Google Drive Labeling
- Configure Phishing Analysis
- Configure WildFire Analysis
-
-
-
- What is an Incident?
- Assess New Incidents on Data Security
- Filter Incidents
- Configure Slack Notification Alerts on Data Security
- Security Controls Incident Details
- Track Down Threats with WildFire Report
- Customize the Incident Categories
- Close Incidents
- Download Assets for Incidents
- View Asset Snippets for Incidents
- Analyze Inherited Exposure
- Email Asset Owners
- Modify Incident Status
-
-
-
- What’s SaaS Security Inline?
- Navigate To SaaS Security Inline
- SaaS Visibility for NGFW
- SaaS Visibility and Controls for NGFW
- SaaS Visibility for Prisma Access
- SaaS Visibility and Controls for Panorama Managed Prisma Access
- SaaS Visibility and Controls for Cloud Managed Prisma Access
- Activate SaaS Security Inline for NGFW
- Activate SaaS Security Inline for VM-Series Firewalls with Software NGFW Credits
- Activate SaaS Security Inline for Prisma Access
- Connect SaaS Security Inline and Strata Logging Service
- Integrate with Azure Active Directory
-
-
- SaaS Policy Rule Recommendations
- App-ID Cloud Engine
- Guidelines for SaaS Policy Rule Recommendations
- Predefined SaaS Policy Rule Recommendations
- Apply Predefined SaaS Policy Rule Recommendations
- Create SaaS Policy Rule Recommendations
- Delete SaaS Policy Rule Recommendations
- Enable SaaS Policy Rule Recommendations
- Modify Active SaaS Policy Rule Recommendations
- Monitor SaaS Policy Rule Recommendations
-
- Enable Automatic Updates for SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Import New SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Update Imported SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Remove Deleted SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Manage Enforcement of Rule Recommendations on NGFW
- Manage Enforcement of Rule Recommendations on Panorama Managed Prisma Access
- Change Risk Score for Discovered SaaS Apps
-
-
-
-
- Onboarding Overview for Supported SaaS Apps
- Onboard an Aha.io App to SSPM
- Onboard an Alteryx Designer Cloud App to SSPM
- Onboard an Aptible App to SSPM
- Onboard an ArcGIS App to SSPM
- Onboard an Articulate Global App to SSPM
- Onboard an Atlassian App to SSPM
- Onboard a BambooHR App to SSPM
- Onboard a Basecamp App to SSPM
- Onboard a Bitbucket App to SSPM
- Onboard a BlueJeans App to SSPM
- Onboard a Box App to SSPM
- Onboard a Bright Security App to SSPM
- Onboard a Celonis App to SSPM
- Onboard a Cisco Meraki App to SSPM
- Onboard a ClickUp App to SSPM
- Onboard a Confluence App to SSPM
- Onboard a Contentful App to SSPM
- Onboard a Convo App to SSPM
- Onboard a Couchbase App to SSPM
- Onboard a Coveo App to SSPM
- Onboard a Crowdin Enterprise App to SSPM
- Onboard a Customer.io App to SSPM
- Onboard a Databricks App to SSPM
- Onboard a Datadog App to SSPM
- Onboard a DocHub App to SSPM
- Onboard a DocuSign App to SSPM
- Onboard a Dropbox Business App to SSPM
- Onboard an Envoy App to SSPM
- Onboard an Expiration Reminder App to SSPM
- Onboard a Gainsight PX App to SSPM
- Onboard a GitHub Enterprise App to SSPM
- Onboard a GitLab App to SSPM
- Onboard a Google Analytics App to SSPM
- Onboard a Google Workspace App to SSPM
- Onboard a GoTo Meeting App to SSPM
- Onboard a Grammarly App to SSPM
- Onboard a Harness App to SSPM
- Onboard a Hellonext App to SSPM
- Onboard an IDrive App to SSPM
- Onboard an Intercom App to SSPM
- Onboard a Jira App to SSPM
- Onboard a Kanbanize App to SSPM
- Onboard a Kanban Tool App to SSPM
- Onboard a Kustomer App to SSPM
- Onboard a Lokalise App to SSPM
- Onboard a Microsoft Azure AD App to SSPM
- Onboard a Microsoft Outlook App to SSPM
- Onboard a Microsoft Power BI App to SSPM
- Onboard a Miro App to SSPM
- Onboard a monday.com App to SSPM
- Onboard a MongoDB Atlas App to SSPM
- Onboard a MuleSoft App to SSPM
- Onboard a Mural App to SSPM
- Onboard an Office 365 App to SSPM
- Onboard an Okta App to SSPM
- Onboard a PagerDuty App to SSPM
- Onboard a RingCentral App to SSPM
- Onboard a Salesforce App to SSPM
- Onboard an SAP Ariba App to SSPM
- Onboard a ServiceNow App to SSPM
- Onboard a Slack Enterprise App to SSPM
- Onboard a Snowflake App to SSPM
- Onboard a SparkPost App to SSPM
- Onboard a Tableau Cloud App to SSPM
- Onboard a Webex App to SSPM
- Onboard a Workday App to SSPM
- Onboard a Wrike App to SSPM
- Onboard a YouTrack App to SSPM
- Onboard a Zendesk App to SSPM
- Onboard a Zoom App to SSPM
- Onboarding an App Using Azure AD Credentials
- Onboarding an App Using Okta Credentials
- Register an Azure AD Client Application
- View the Health Status of Application Scans
- Delete SaaS Apps Managed by SSPM
Update Your Security Policy Rulebase for ACE App-IDs
Update your Security policy rulebase after enabling App-ID Cloud Engine (ACE) to
allow and block the correct app traffic.
Where Can I Use This? | What Do I Need? |
---|---|
|
You have one of the following licenses at the time of
renewal.
Or you have an existing NGFW or Prisma Access
user and are enabling one of the following licenses:
|
If you're an existing NGFW or Prisma Access user enabling ACE
for the first time, you must explicitly add the new ACE App-IDs to your Security
policy rules after you enable ACE.
If you don't explicitly add the new ACE App-IDs to your Security policy rules,
the NGFW or Prisma Access tenant continues to control app
traffic with the same rules that controlled apps identified by the
ssl or
web-browsing App-IDs before you enabled ACE.
This can result in blocked access to previously allowed apps and unintentional
business interruption.
Prisma Access Worldwide Enterprise Mobile User and Worldwide Enterprise Remote
Branch licenses now include the SaaS Security Inline subscription by default,
which also includes App-ID Cloud Engine (ACE) as part of the SaaS Security Inline subscription. SaaS Security Inline provides
complete visibility and control of SaaS app usage from corporate networks and
managed devices. With ACE, you gain further visibility and control into thousands of
apps that previously were identified as ssl or
web-browsing in Prisma Access.
For example, the NGFW or Prisma Access tenant sees an app
identified as web-browsing and then receives an ACE
App-ID for the traffic. However, you don't use the new ACE App-ID in a Security
policy rule. In this case the NGFW or Prisma Access tenant still
controls that traffic using the Security policy rule that controls
web-browsing traffic — if you allow
web-browsing traffic, the traffic is allowed.
Conversely, this might also result in an app you allow to be unintentionally
blocked.
You need to modify the App-IDs in your policy rules if:
- Your NGFW are running PAN-OS 10.1 or later release or your Prisma Access tenants are running Prisma Access 3.0 Innovation or later release (PAN-OS 10.1 or later dataplane version) at the time of renewal.
- You use Application Filters in any Security policy rule configured on Panorama or Strata Cloud Manager deny or block traffic to any app.
- You use Application Filters in any Security policy rule configured on Panorama or Strata Cloud Manager to allow traffic for ssl or web-browsing App-IDs for any users.
Update Your Policy Rulebase for ACE App-IDs on Strata Cloud Manager
Update your Security policy rulebase after enabling App-ID Cloud Engine (ACE) to
allow and block the correct app traffic for NGFW and Prisma Access(Managed by Strata Cloud Manager).
- Activate SaaS Security Inline for Prisma Access.ACE automatically activates for your Prisma Access tenant after you successfully activate SaaS Security Inline.Log in to Strata Cloud Manager.Verify that SaaS Security Inline is activated on your Prisma Access tenant.You can check for an activate SaaS Security Inline using one of the following ways:
- Hub
- NGFW or Prisma Access (Managed by Strata Cloud Manager)On Strata Cloud Manager, the SaaS Security app is now available under ManageConfigurationSaaS Security.
Select ManageConfigurationNGFW and Prisma Access and change the Configuration Scope as needed.Select ObjectsApplicationsApplication Filter and create an application filter that includes the App-ID Cloud Engine tag.An application filter allows you to dynamically group apps based on specific app attributes you define. In this case, the application filter applies to any app that includes the predefined App-ID Cloud Engine tag.For this example we named the application filter ace-appid-filter.Create a Security policy rule to allow traffic for the same users you allow access to apps with the ssl or web-browsing App-IDs.- Select Security ServicesSecurity Policy and create a new Security policy rule.For this example we named the new Security policy rule ace-appid-allow.Configure the Source and Destination settings to match the existing Security policy rules allowing access to apps with the ssl or web-browsing App-IDs.For the Application in the Application/Service settings, click SelectApplication Filters and select the application filter you created in the previous step.For the Action in the Actions settings, select Allow.Configure the rest of the Security policy rule as needed.Save.Order the newly created Security policy rule at the bottom of the policy rulebase.By ordering this Security policy rule at the bottom of your Security policy rulebase, you block unsanctioned app traffic before allowing legitimate access to apps with App-IDs delivered through ACE.Identify and allow access to allowed apps unintentionally blocked after you enable ACE.In some cases, application filters associated with an existing Security policy rule might unintentionally block traffic to legitimate apps you allow access to after you enable ACE. For example, consider the unsanctioned-apps Security policy rule with the block-apps application filter. Before you enabled ACE this application filter matched 100 apps but after you enabled ACE it matches 1,000 apps. However, of the additional 900 apps there are 10 apps you need to allow. In this case, you need to create a Security policy rule allowing traffic to these apps.
- Contact your Palo Alto Networks representative to generate a SaaS Risk Report and to help you compile a list of ACE App-IDs that match your application filter after you enable ACE.Compiling a list before you enable ACE allows you to understand how many new App-IDs are going to match your existing Security policy rules. By taking proactive steps to identify allowed apps and to create a Security policy rule to explicitly allow them before you enable ACE helps minimize blocked access to allowed apps and unintentional business interruption.Review your Deny Security policy rules and identify all application filters associated with them.Select ObjectsApplicationsApplication Filter and select each application filter to review the lists of impacted apps. Make note of any legitimate apps you want to allow.Generate a SaaS Security Report to see a list of top used apps.Select ObjectsApplicationsApplication Group and create application groups to logically group the apps you want to allow.For this example we named the application group allowed apps.Select Security ServicesSecurity Policy and create a Security policy rule to allow traffic to the application groups you created in the previous step.Alternatively, you can create different Security policy rules for each application group if different users are allowed access to different apps.Order the newly created Security policy rule above your Deny Security policy rules to allow access to those apps.(Best Practices) After you enable ACE and update your Security policy rulebase, Palo Alto Networks recommends you frequently review our Traffic logs and respond to user complaints about blocked access to previously allowed apps.Frequently review the Traffic logs in the Log Viewer to confirm that unsanctioned apps are correctly blocked while sanctioned apps are allowed. The Application and Action columns provide you with data on which applications are blocked and allowed. As you review your logs and respond to users about access issues, you can create additional application groups and Security policy rules to restore access to these apps.
Update Your Policy Rulebase for ACE App-IDs on Panorama
Update your Security policy rulebase after enabling App-ID Cloud Engine (ACE) to allow and block the correct app traffic for NGFW and Prisma Access(Managed by Panorama).- Activate SaaS Security Inline for Prisma Access.ACE automatically activates for your Prisma Access tenant after you successfully activate SaaS Security Inline.Log in to Strata Cloud Manager and verify that SaaS Security Inline is activated on your Prisma Access tenant.You can check for an activate SaaS Security Inline using one of the following ways:
- HubThe Hub now displays a Data Security tile redirecting you to SaaS Security Inline on Strata Cloud Manager.
- NGFW or Prisma Access(Managed by Panorama)On Strata Cloud Manager, CASB displays and you can now configure SaaS Security Inline.
Log in to the Panorama web interface.Select ObjectsApplications Filters and Add a new application filter that includes the App-ID Cloud Engine tag.An application filter allows you to dynamically group apps based on specific app attributes you define. In this case, the application filter applies to any app that includes the predefined App-ID Cloud Engine tag.You can create the application filter as part of the Shared device group scope to make the application filter available to all other device groups, or you can select a specific device group scope.For this example we named the application filter ace-appid-filter.Create a Security policy rule to allow traffic for the same users you allow access to apps with the ssl or web-browsing App-IDs.- Select PoliciesSecurity and change to the appropriate Device Group scope.Add and create a new Security policy rule.For this example we named the new Security policy rule ace-appid-allow.Configure the Source and Destination settings to match the existing Security policy rules allowing access to apps with the ssl or web-browsing App-IDs.Select Application and Add the application filter you created in the previous step.For the Action in the Actions settings, select Allow.Configure the rest of the Security policy rule as needed.Click OK.Order the newly created Security policy rule at the bottom of the policy rulebase.By ordering this Security policy rule at the bottom of your Security policy rulebase, you block unsanctioned app traffic before allowing legitimate access to apps with App-IDs delivered through ACE.Identify and allow access to allowed apps unintentionally blocked after you enable ACE.In some cases, application filters associated with an existing Security policy rule might unintentionally block traffic to legitimate apps you allow access to after you enable ACE. For example, consider the unsanctioned-apps Security policy rule with the block-apps application filter. Before you enabled ACE this application filter matched 100 apps but after you enabled ACE it matches 1,000 apps. However, of the additional 900 apps there are 10 apps you need to allow. In this case, you need to create a Security policy rule allowing traffic to these apps.
- Contact your Palo Alto Networks representative to generate a SaaS Risk Report and to help you compile a list of ACE App-IDs that match your application filter after you enable ACE.Compiling a list before you enable ACE allows you to understand how many new App-IDs are going to match your existing Security policy rules. By taking proactive steps to identify allowed apps and to create a Security policy rule to explicitly allow them before you enable ACE helps minimize blocked access to allowed apps and unintentional business interruption.Review your Deny Security policy rules and identify all application filters associated with them.Select ObjectsApplicationsApplication Filter and select each application filter to review the lists of impacted apps. Make note of any legitimate apps you want to allow.Generate a SaaS Security Report to see a list of top used apps.Select ObjectsApplicationsApplication Group and create application groups to logically group the apps you want to allow.For this example we named the application group allowed apps.Select Security ServicesSecurity Policy and create a Security policy rule to allow traffic to the application groups you created in the previous step.Alternatively, you can create different Security policy rules for each application group if different users are allowed access to different apps.Order the newly created Security policy rule above your Deny Security policy rules to allow access to those apps.(Best Practices) After you enable ACE and update your Security policy rulebase, Palo Alto Networks recommends you frequently review our Traffic logs and respond to user complaints about blocked access to previously allowed apps.Frequently review the traffic logs on Panorama(MonitorLogsTraffic) to confirm that unsanctioned apps are correctly blocked while sanctioned apps are allowed. The Application and Action columns provide you with data on which applications are blocked and allowed. As you review your logs and respond to users about access issues, you can create additional application groups and Security policy rules to restore access to these apps.