Update Your Policy Rulebase for ACE App-IDs on Panorama

1. Activate SaaS Security Inline for Prisma Access.

   ACE automatically activates for your Prisma Access tenant after you successfully activate SaaS Security Inline.
2. Log in to Strata Cloud Manager and verify that SaaS Security Inline is activated on your Prisma Access tenant.

   You can check for an activate SaaS Security Inline using one of the following ways:

   • Hub
     The Hub now displays a Data Security tile redirecting you to SaaS Security Inline on Strata Cloud Manager.

   • NGFW or Prisma Access(Managed by Panorama)
     On Strata Cloud Manager, CASB displays and you can now configure SaaS Security Inline.

3. Log in to the Panorama web interface.
4. Select ObjectsApplications Filters and Add a new application filter that includes the App-ID Cloud Engine tag.

   An application filter allows you to dynamically group apps based on specific app attributes you define. In this case, the application filter applies to any app that includes the predefined App-ID Cloud Engine tag.

   You can create the application filter as part of the Shared device group scope to make the application filter available to all other device groups, or you can select a specific device group scope.

   For this example we named the application filter ace-appid-filter.
5. Create a Security policy rule to allow traffic for the same users you allow access to apps with the ssl or web-browsing App-IDs.

   1. Select PoliciesSecurity and change to the appropriate Device Group scope.
   2. Add and create a new Security policy rule.

      For this example we named the new Security policy rule ace-appid-allow.
   3. Configure the Source and Destination settings to match the existing Security policy rules allowing access to apps with the ssl or web-browsing App-IDs.
   4. Select Application and Add the application filter you created in the previous step.

   5. For the Action in the Actions settings, select Allow.

   6. Configure the rest of the Security policy rule as needed.
   7. Click OK.
6. Order the newly created Security policy rule at the bottom of the policy rulebase.

   By ordering this Security policy rule at the bottom of your Security policy rulebase, you block unsanctioned app traffic before allowing legitimate access to apps with App-IDs delivered through ACE.

7. Identify and allow access to allowed apps unintentionally blocked after you enable ACE.

   In some cases, application filters associated with an existing Security policy rule might unintentionally block traffic to legitimate apps you allow access to after you enable ACE. For example, consider the unsanctioned-apps Security policy rule with the block-apps application filter. Before you enabled ACE this application filter matched 100 apps but after you enabled ACE it matches 1,000 apps. However, of the additional 900 apps there are 10 apps you need to allow. In this case, you need to create a Security policy rule allowing traffic to these apps.

   1. Contact your Palo Alto Networks representative to generate a SaaS Risk Report and to help you compile a list of ACE App-IDs that match your application filter after you enable ACE.

      Compiling a list before you enable ACE allows you to understand how many new App-IDs are going to match your existing Security policy rules. By taking proactive steps to identify allowed apps and to create a Security policy rule to explicitly allow them before you enable ACE helps minimize blocked access to allowed apps and unintentional business interruption.
   2. Review your Deny Security policy rules and identify all application filters associated with them.
   3. Select ObjectsApplicationsApplication Filter and select each application filter to review the lists of impacted apps. Make note of any legitimate apps you want to allow.
   4. Generate a SaaS Security Report to see a list of top used apps.
   5. Select ObjectsApplicationsApplication Group and create application groups to logically group the apps you want to allow.

      For this example we named the application group allowed apps.
   6. Select Security ServicesSecurity Policy and create a Security policy rule to allow traffic to the application groups you created in the previous step.

      Alternatively, you can create different Security policy rules for each application group if different users are allowed access to different apps.
   7. Order the newly created Security policy rule above your Deny Security policy rules to allow access to those apps.

8. (Best Practices) After you enable ACE and update your Security policy rulebase, Palo Alto Networks recommends you frequently review our Traffic logs and respond to user complaints about blocked access to previously allowed apps.

   Frequently review the traffic logs on Panorama(MonitorLogsTraffic) to confirm that unsanctioned apps are correctly blocked while sanctioned apps are allowed. The Application and Action columns provide you with data on which applications are blocked and allowed. As you review your logs and respond to users about access issues, you can create additional application groups and Security policy rules to restore access to these apps.