Create SaaS Policy Rule Recommendations

Learn how to create SaaS policy rule recommendations on SaaS Security Inline.
This feature requires the SaaS Security add-on license for your platform.
You can create a SaaS policy rule recommendation from scratch, or, alternatively, apply a predefined policy rule recommendation or copy an existing recommendation. Before you create any recommendations, consider a few collaboration and authoring guidelines.
SaaS policy rule recommendations enable you to recommend Security policy rules to your Palo Alto Networks firewall administrator or Prisma Access administrator. SaaS Security Inline pushes SaaS policy rule recommendations to your firewall or Prisma Access. Your firewall administrator or Prisma Access administrator sees your policy rule recommendations in the firewall web interface or Prisma Access web interface, and can then accept and commit the SaaS Security policy rule. After your firewall administrator or Prisma Access administrator commits the policy rule, the policy rule becomes active. You can update your SaaS rule recommendations at any time.
Before you begin:
Ask your firewall administrator to verify that SSL decryption is enabled on the firewall. SSL decryption is required for PAN-OS to detect specific user activities, such as upload or download activities, in the network traffic. SSL decryption is also required for PAN-OS to identify individual application tenants in the network traffic.
(NGFW Only) Ask your firewall administrator to verify that all firewalls have log forwarding enabled as instructed in the ACE deployment. The SaaS Security web interface cannot display SaaS application visibility data and might not be able to enforce policy rule recommendations without logs for all firewalls.
  1. Navigate to SaaS Security Inline.
  2. To navigate to the Policy Recommendations view, select Discovered Apps > Policy Recommendations.
  3. Select Add Policy.
  4. Select the application granularity for your policy recommendation.
    You can define policy recommendations that are effective at the Application Level or at the application Tenant Level. Application-level policies, if committed on the firewall, affect all instances of the application identified in the policy recommendation. Tenant-level policies, if committed on the firewall, affect only the application tenants identified in the policy recommendation. Before you select the application granularity for your policy recommendation, consider some common scenarios for defining application-level and tenant-level policy recommendations.
    The option to create tenant-level policy recommendations appears only in SaaS Security Inline for NGFW, or on tenants that have a Next Generation Cloud Access Security Broker (CASB-X) license.
    Tenant-level policy recommendations have the following requirements for NGFW and Prisma Access. Although you can submit policy recommendations without meeting these requirements, firewall and Prisma Access administrators can view and import the recommendations only if these requirements are met:
    • NGFW: Tenant-level policy recommendations require a firewall running PAN-OS 10.2.5 (or a later 10.2 release) or PAN-OS 11.1.0 or later.
    • Prisma Access: Tenant-level policy recommendations require Prisma Access running a 10.2.8 / PA 5.0 or later data plane.
  5. Specify a Rule Name and Description. For example, "Block Unsanctioned, File Sharing Apps from HR".
  6. Specify the network traffic to detect and the action to take.
    If you are defining a policy at the application level, complete the following steps:
    1. Specify the applications that you want to control.
      You can only create recommendations for enforcement on your firewall for SaaS apps that have an App-ID. You can determine whether a given SaaS app in the Application Dictionary has an App-ID from its "How is this app detected?" attribute.
      Use the filters (such as the Category and Risk filters) to help you locate the SaaS applications so that you capture all the relevant SaaS applications. For example, if your intent is to include only high-risk SaaS applications, filter by risk.
      For a rule to take action on a SaaS application, the user activities you choose must be supported by all the SaaS applications you select. User activities are unique to each SaaS application. For example, if a SaaS application does not provide a means for a user to upload a file, your rule cannot include that user activity. The SaaS Security Inline web interface returns an error when you select a user activity that the SaaS application does not support. Use the Capabilities matrix to help you determine which user activities the SaaS applications support.
    2. Select the User Activity you want the firewall to detect.
    3. Specify a Response to instruct the firewall or Prisma Access to take action on the network traffic that matches the policy rule.
      Although your firewall or Prisma Access has other actions, SaaS policy rule recommendations support Block only. Block denies the traffic that matches the rule from entering your network.
    If you are defining a policy at the tenant level, complete the following steps:
    1. Select the application that you want to control at the tenant level.
      If the application that you want to control does not appear in the selection list, then SaaS Security Inline does not support tenant-level detection for that application. Cancel this policy rule recommendation, and start again with Add Policy. This time, select the option to define the policy recommendation at the Application Level.
      Currently, tenant-level detection is available for the following applications. Some applications use different constructs, such as workspaces, that are similar or analogous to tenants. For the purpose of tenant-level control, SaaS Security Inline treats these constructs as tenants. The traffic that SaaS Security Inline can monitor to detect application tenants also differs from application to application.
      | Application | Category | Detected Tenant Type | Supported Traffic |
      |---|---|---|---|
      | Aha! (Aha.io) | Development | Tenant | Browser |
      | Atlassian Confluence | Collaboration & Productivity | Tenant | Browser |
      | Azure OpenAI | Artificial Intelligence | Endpoint Name | Browser |
      | Bitbucket | Development | Workspace | Browser, Mac and Windows CLI (for HTTPS config) |
      | Box | Content Management | Tenant | Browser |
      | Egnyte | Content Management | Tenant | Browser, Mac Native and Windows Native |
      | Frontify | Content Management | Tenant | Browser |
      | GitHub | Development | Organization | Browser, Mac and Windows CLI (for HTTPS config) |
      | Microsoft OneDrive for Business | Collaboration & Productivity | Tenant | Browser |
      | Microsoft SharePoint | Collaboration & Productivity | Tenant | Browser, Mac Native and Windows Native |
      | Okta | Security | Tenant | Browser |
      | Salesforce Sales Cloud | Sales | Tenant | Browser |
      | ShareFile | IT Infrastructure | Tenant | Browser |
      | Slack | Collaboration & Productivity | Workspace | Browser, Mac Native and Windows Native |
      | Webex App | Collaboration & Productivity | Tenant | Browser |
      | Workday HCM | HR | Tenant | Browser |
      | Workplace From Meta | Collaboration & Productivity | Tenant | Browser |
      | Zendesk | Customer Service | Tenant | Browser |
      | Zoom | Collaboration & Productivity | Tenant | Browser |
      To enable SaaS Security Inline to detect Box and Zendesk tenants, HTTP header logging must be enabled on the firewall for the referrer component. HTTP header logging of referring web pages provides added visibility into the web traffic on your network, which SaaS Security Inline uses to detect the individual tenants.
      Tenant detection for Microsoft OneDrive for Business does not include personal tenants. To block personal use of Microsoft OneDrive, create an application-level policy to block the Microsoft OneDrive Personal application.
    2. Specify an Action to be applied on the firewall to the network traffic that matches the policy rule.
      Although your firewall or Prisma Access has other actions, SaaS policy rule recommendations support Block and Allow only. The Block action is supported for all applications that support tenant-level detection. A subset of these applications also supports the Allow action. Support for the Allow action is provided for Box, and will be extended to more applications.
      The Block action denies the traffic that matches the rule. The Allow action, if supported for the selected application, is used to permit exceptions to a Block action. For example, you might create a policy recommendation to Allow access to Box on certain tenants, and then create a separate policy recommendation to Block access for all other tenants. Because allowing application network traffic is the default, a policy recommendation to explicitly Allow certain traffic is unnecessary unless it is paired with a policy recommendation to Block traffic for other tenants.
      When you define Allow and Block policy recommendations, the order in which these policies are evaluated on the firewall is important. On the firewall, when traffic matches a policy rule, the defined action is triggered and all subsequent policies are disregarded. For this reason, a more specific policy recommendation to Allow traffic for certain tenants must be placed before a more general policy to Block traffic for all other tenants.
      If you are defining a policy recommendation that uses the Allow action for a Box tenant, the firewall must already allow traffic for the App-ID boxnet-base. If the App-ID boxnet-base is blocked on the firewall, then the Allow action will not be effective.
    3. Select the User Activity that you want the firewall to detect. You can select one or more activities, such as file Create, Delete, and Share activities.
    4. Select at least one Tenant that you want to control. You can select up to 30 tenants.
      When the Allow action is supported for an application, you can specify that the policy recommendation applies to Any tenant. The Any specification acts as a wildcard to match all current and future tenants. On the firewall, when an imported policy specifies Any tenant, the policy applies to all tenants unless an earlier policy in the firewall's evaluation order specifies a different action for a tenant. In this way, you can define one policy recommendation to Allow the actions for selected tenants and another to Block the actions for Any other tenants.
      To filter the list of tenants, select a Tenant Type.
  7. Specify User & Groups.
    Creating policy rule recommendations based on user group membership rather than individual users simplifies administration because you don't need to update the recommendation whenever group membership changes.
  8. (Optional) Specify Device Posture to enforce which devices can and cannot access specific SaaS apps, including device ownership and device compliance.
    Your device posture selection automatically creates a Host Information Profile (HIP) object for mobile devices after the policy recommendation is imported as a policy.
    • Mobile Device Managed Status: Choose Managed when the device is company-owned (whether a dedicated or a shared device), Unmanaged when the device is employee-owned, or Any for both.
    • Mobile Device Compliant Status: Choose Compliant when the device adheres to your organization's security compliance requirements, Non-Compliant when it does not, or Any for both.
  9. (Optional) Specify a Data Profile.
  10. Save the new rule.
  11. Enable the recommendation when you're ready to submit the recommendation for enforcement.
    If you create separate tenant-level Allow and Block policy recommendations to achieve particular results, remember that your desired results will depend on the order in which the policies are evaluated on the firewall. Make sure that the firewall administrator places a more specific Allow policy before a general Block Any policy. If a general Block Any policy is evaluated first, the firewall will ignore the more specific Allow policy.
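The first-match evaluation described in steps 6 and 11, modelled as an added example (not Palo Alto Networks code and not how PAN-OS itself evaluates rules): it shows why a specific Allow placed after a Block Any is never reached, and includes a check that flags such shadowed Allow rules before they are submitted. The rule names and the tenants acme-corp and personal-xyz are constructed.

```python
from dataclasses import dataclass
ANY = "Any"  # wildcard tenant: matches all current and future tenants

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "Allow" or "Block", the only actions recommendations support
    app: str               # SaaS application, e.g. "Box"
    activities: frozenset  # user activities the firewall detects, e.g. {"Upload"}
    tenants: frozenset     # tenant names, or {ANY} as a wildcard

def matches(rule, app, tenant, activity):
    """A rule matches when app and activity agree and the tenant is named or ANY."""
    return (rule.app == app and activity in rule.activities
            and (ANY in rule.tenants or tenant in rule.tenants))

def evaluate(rules, app, tenant, activity):
    """First-match evaluation: the first matching rule's action is taken and all
    later rules are disregarded. No match means the default, which is Allow."""
    for rule in rules:
        if matches(rule, app, tenant, activity):
            return rule.action, rule.name
    return "Allow", None

def shadowed_allows(rules):
    """Find Allow rules that an earlier Block already covers completely, i.e.
    the ordering mistake the page warns about (a Block Any evaluated first)."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "Allow":
            continue
        for earlier in rules[:i]:
            if (earlier.action == "Block" and earlier.app == rule.app
                    and rule.activities <= earlier.activities
                    and (ANY in earlier.tenants or rule.tenants <= earlier.tenants)):
                findings.append((rule.name, earlier.name))
                break
    return findings

# Constructed sample recommendations; tenant names are hypothetical.
ALLOW_CORP_BOX = Rule("Allow Box corporate tenant", "Allow", "Box",
                      frozenset({"Upload", "Download"}), frozenset({"acme-corp"}))
BLOCK_OTHER_BOX = Rule("Block Box Any tenant", "Block", "Box",
                       frozenset({"Upload", "Download"}), frozenset({ANY}))
CORRECT_ORDER = [ALLOW_CORP_BOX, BLOCK_OTHER_BOX]  # specific Allow before Block Any
WRONG_ORDER = [BLOCK_OTHER_BOX, ALLOW_CORP_BOX]    # Block Any shadows the Allow

if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, evaluate(rules, "Box", "acme-corp", "Upload"), shadowed_allows(rules))
```

In the wrong ordering the corporate tenant is blocked along with everyone else, which is exactly the outcome step 11 tells you to have the firewall administrator avoid.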
