Create SaaS Policy Rule Recommendations
Learn how to create SaaS policy rule recommendations on SaaS Security Inline.
This feature requires the SaaS Security add-on license for your platform.
You can create a SaaS policy rule
recommendation from scratch, or, alternatively, apply a predefined policy rule
recommendation or copy an existing recommendation. Before you create any
recommendations, consider a few collaboration and authoring guidelines.
SaaS policy rule recommendations enable you to recommend Security policy rules to
your Palo Alto Networks firewall administrator or Prisma Access administrator. SaaS
Security Inline pushes SaaS policy rule recommendations to your firewall or Prisma
Access. Your firewall administrator or Prisma Access administrator will see your
policy rule recommendations in the firewall web interface or Prisma Access web
interface, then can accept and commit the SaaS Security policy rule. After your
firewall administrator or Prisma Access administrator commits the policy rule, the
policy rule becomes active. You can update your SaaS rule
recommendations at any time.
Before you begin:
- Ask your firewall administrator to verify that SSL decryption is enabled on the firewall. SSL decryption is required for PAN-OS to detect specific user activities, such as upload or download activities, in the network traffic. SSL decryption is also required for PAN-OS to identify individual application tenants in the network traffic.
- (NGFW Only) Ask your firewall administrator to verify that all firewalls have log forwarding enabled as instructed in the ACE deployment. Without logs from all firewalls, the SaaS Security web interface cannot display SaaS application visibility data and might not be able to enforce policy rule recommendations.
- Navigate to SaaS Security Inline.
- To navigate to the Policy Recommendations view, select Discovered Apps > Policy Recommendations.
- Add Policy.
- Select the application granularity for your policy recommendation.

  You can define policy recommendations that are effective at the Application Level or at the application Tenant Level. Application-level policies, if committed on the firewall, affect all instances of the application identified in the policy recommendation. Tenant-level policies, if committed on the firewall, affect only the application tenants identified in the policy recommendation. Before you select the application granularity for your policy recommendation, consider some common scenarios for defining application-level and tenant-level policy recommendations.

  The option to create tenant-level policy recommendations appears only in SaaS Security Inline for NGFW, or on tenants that have a Next Generation Cloud Access Security Broker (CASB-X) license.

  Tenant-level policy recommendations have the following requirements for NGFW and Prisma Access. Although you can submit policy recommendations without meeting these requirements, firewall and Prisma Access administrators can view and import the recommendations only if these requirements are met:
- NGFW: Tenant-level policy recommendations require a firewall running PAN-OS 10.2.5 (or a later 10.2 release) or PAN-OS 11.1.0 or later.
- Prisma Access: Tenant-level policy recommendations require Prisma Access running a 10.2.8 / PA 5.0 or later data plane.
- Specify a Rule Name and Description. For example, Block Unsanctioned, File Sharing Apps from HR.
- Specify the network traffic to detect and the action to take. If you are defining a policy at the application level, complete the following steps:
- Specify the applications that you want to control.

  You can only create recommendations for enforcement on your firewall for SaaS apps that have an App-ID. You can determine whether a given SaaS app in the Application Dictionary has an App-ID from its "How is this app detected?" attribute.

  Use the filters (such as the Category and Risk filters) to help you locate the SaaS applications so that you capture all the SaaS applications you intend to control. For example, if your intent is to include only high-risk SaaS applications, filter by risk.

  For a rule to take action on a SaaS application, the user activities you choose must be supported by all the SaaS applications you select. User activities are unique to each SaaS application. For example, if a SaaS application does not provide a means for a user to upload a file, your rule cannot include that user activity. The SaaS Security Inline web interface returns an error when you select a user activity that the SaaS application does not support. Use the Capabilities matrix to help you determine which user activities the SaaS applications support.
- Select the User Activity you want the firewall to detect.
- Specify a Response to instruct the firewall or Prisma Access administrator to take action on the network traffic that matches the policy rule. Although your firewall or Prisma Access has other actions, SaaS policy rule recommendations support Block only. Block denies the traffic that matches the rule from entering your network.
If you are defining a policy at the tenant level, complete the following steps:
- Select the application that you want to control at the tenant level.

  If the application that you want to control does not appear in the selection list, SaaS Security Inline does not support tenant-level detection for that application. Cancel this policy rule recommendation and start again with Add Policy; this time, select the option to define the policy recommendation at the Application Level.

  Currently, tenant-level detection is available for the following applications. Some applications use different constructs, such as workspaces, that are similar or analogous to tenants; for the purpose of tenant-level control, SaaS Security Inline treats these constructs as tenants. The traffic that SaaS Security Inline can monitor to detect application tenants also differs from application to application.

  | Application | Category | Detected Tenant Type | Supported Traffic |
  | --- | --- | --- | --- |
  | Aha! (Aha.io) | Development | Tenant | Browser |
  | Atlassian Confluence | Collaboration & Productivity | Tenant | Browser |
  | Azure OpenAI | Artificial Intelligence | Endpoint Name | Browser |
  | Bitbucket | Development | Workspace | Browser, Mac and Windows CLI (for HTTPS config) |
  | Box | Content Management | Tenant | Browser |
  | Egnyte | Content Management | Tenant | Browser, Mac Native and Windows Native |
  | Frontify | Content Management | Tenant | Browser |
  | GitHub | Development | Organization | Browser, Mac and Windows CLI (for HTTPS config) |
  | Microsoft OneDrive for Business | Collaboration & Productivity | Tenant | Browser |
  | Microsoft SharePoint | Collaboration & Productivity | Tenant | Browser, Mac Native and Windows Native |
  | Okta | Security | Tenant | Browser |
  | Salesforce Sales Cloud | Sales | Tenant | Browser |
  | ShareFile | IT Infrastructure | Tenant | Browser |
  | Slack | Collaboration & Productivity | Workspace | Browser, Mac Native and Windows Native |
  | Webex App | Collaboration & Productivity | Tenant | Browser |
  | Workday HCM | HR | Tenant | Browser |
  | Workplace From Meta | Collaboration & Productivity | Tenant | Browser |
  | Zendesk | Customer Service | Tenant | Browser |
  | Zoom | Collaboration & Productivity | Tenant | Browser |

  To enable SaaS Security Inline to detect Box and Zendesk tenants, HTTP header logging must be enabled on the firewall for the referrer component. HTTP header logging of referring web pages provides added visibility into the web traffic on your network, which SaaS Security Inline uses to detect the individual tenants.

  Tenant detection for Microsoft OneDrive for Business does not include personal tenants. To block personal use of Microsoft OneDrive, create an application-level policy to block the Microsoft OneDrive Personal application.
- Specify an Action to be applied on the firewall to the network traffic that matches the policy rule.

  Although your firewall or Prisma Access has other actions, SaaS policy rule recommendations support Block and Allow only. The Block action is supported for all applications that support tenant-level detection. A subset of these applications also support the Allow action. Support for the Allow action is provided for Box, and will be extended to more applications.

  The Block action denies the traffic that matches the rule. The Allow action, if supported for the selected application, is used to permit exceptions to a Block action. For example, you might create a policy recommendation to Allow access to Box on certain tenants, and then create a separate policy recommendation to Block access for all other tenants. Because allowing application network traffic is the default, a policy recommendation to explicitly Allow certain traffic is unnecessary unless it is paired with a policy recommendation to Block traffic for other tenants.

  When you define Allow and Block policy recommendations, the order in which these policies are evaluated on the firewall is important. On the firewall, when traffic matches a policy rule, the defined action is triggered and all subsequent policies are disregarded. For this reason, a more specific policy recommendation to Allow traffic for certain tenants must be placed before a more general policy to Block traffic for all other tenants.

  If you are defining a policy recommendation that uses the Allow action for a Box tenant, the firewall must already allow traffic for the App-ID boxnet-base. If the App-ID boxnet-base is blocked on the firewall, the Allow action will not be effective.
- Select the User Activity that you want the firewall to detect. You can select one or more activities, such as file Create, Delete, and Share activities.
- Select at least one Tenant that you want to control. You can select up to 30 tenants.

  When the Allow action is supported for an application, you can specify that the policy recommendation applies to Any tenant. The Any specification acts as a wildcard to match all current and future tenants. On the firewall, when an imported policy specifies Any tenant, the policy applies to all tenants unless an earlier policy in the firewall's evaluation order specifies a different action for a tenant. In this way, you can define one policy recommendation to Allow the actions for selected tenants and another to Block the actions for Any other tenants.

  To filter the list of tenants, select a Tenant Type.
- Specify Users & Groups. Creating policy rule recommendations based on user group membership rather than individual users simplifies administration because you don't need to update the recommendation whenever group membership changes.
- If no groups display, verify that you performed an Azure Active Directory integration.
- (NGFW Only) If you want to use a different group name to match your group attribute on the firewall, change your Azure Active Directory integration (Settings > Directory Services) on SaaS Security to include that group attribute.
- (Optional) Specify Device Posture to enforce which devices can and cannot access specific SaaS apps, including device ownership and device compliance. Your device posture selection automatically creates a Host Information Profile (HIP) object for mobile devices after the policy recommendation is imported as a policy.
- Mobile Device Managed Status: choose Managed when the device is company-owned, whether a dedicated device or a shared one; Unmanaged when the device is employee-owned; or Any for both.
- Mobile Device Compliant Status: choose Compliant when the device adheres to your organization's security compliance requirements, Non-Compliant when it does not, or Any for both.
- (Optional) Specify a Data Profile.
- Save the new rule.
- Enable the recommendation when you're ready to submit the recommendation for enforcement. If you create separate tenant-level Allow and Block policy recommendations to achieve particular results, remember that your desired results depend on the order in which the policies are evaluated on the firewall. Make sure that the firewall administrator places a more specific Allow policy before a general Block Any policy. If a general Block Any policy is evaluated first, the firewall will ignore the more specific Allow policy.
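The first-match evaluation order that the Action, Tenant and Enable steps above describe, as an added example (not Palo Alto Networks code): a small Python model of tenant-level Allow/Block recommendations that shows a specific Allow taking effect when placed first, being ignored when a Block Any precedes it, and a check that flags such shadowed Allow rules before they are submitted. The rule names, tenant names and the simplified matching model are constructed assumptions, not a description of PAN-OS internals.

```python
"""Model of first-match evaluation for tenant-level SaaS policy recommendations.
Added example, not Palo Alto Networks code. Rule fields mirror the page
(application, Allow/Block, user activities, tenants or the Any wildcard);
the evaluator itself is a simplified stand-in for the firewall's rulebase."""
from dataclasses import dataclass

ANY = "Any"  # wildcard tenant: matches all current and future tenants


@dataclass(frozen=True)
class Rule:
    name: str
    app: str
    action: str            # "Allow" or "Block" (the only supported actions)
    activities: frozenset  # user activities, e.g. {"Upload", "Download"}
    tenants: frozenset     # specific tenant names, or {ANY}

    def matches(self, app, tenant, activity):
        return (self.app == app and activity in self.activities
                and (ANY in self.tenants or tenant in self.tenants))


def evaluate(rules, app, tenant, activity, default="Allow"):
    """First matching rule wins and later rules are disregarded.
    Traffic that matches nothing falls through to the default (allow),
    which is why a lone Allow recommendation changes nothing."""
    for rule in rules:
        if rule.matches(app, tenant, activity):
            return rule.action, rule.name
    return default, None


def shadowed_allows(rules):
    """Names of Allow rules that an earlier Block rule fully covers:
    every tenant and activity the Allow would match is caught first."""
    shadowed = []
    for i, allow in enumerate(rules):
        if allow.action != "Allow":
            continue
        for block in rules[:i]:
            if block.action != "Block" or block.app != allow.app:
                continue
            tenants_covered = ANY in block.tenants or allow.tenants <= block.tenants
            if tenants_covered and allow.activities <= block.activities:
                shadowed.append(allow.name)
                break
    return shadowed


# Constructed sample (assumed names): allow the corporate Box tenant,
# block every other Box tenant, as in the page's Box example.
ALLOW_CORP = Rule("Allow Box corporate tenant", "Box", "Allow",
                  frozenset({"Upload", "Download"}), frozenset({"corp-box"}))
BLOCK_ANY = Rule("Block Box Any tenant", "Box", "Block",
                 frozenset({"Upload", "Download"}), frozenset({ANY}))

GOOD_ORDER = [ALLOW_CORP, BLOCK_ANY]  # specific Allow first: exception works
BAD_ORDER = [BLOCK_ANY, ALLOW_CORP]   # Block Any first: Allow is never reached

if __name__ == "__main__":
    for label, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, evaluate(rules, "Box", "corp-box", "Upload"),
              evaluate(rules, "Box", "personal-box", "Upload"),
              "shadowed:", shadowed_allows(rules))
```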