: Troubleshoot Issues on SaaS Security Inline for NGFW
Focus
Focus

Troubleshoot Issues on SaaS Security Inline for NGFW

Table of Contents

Troubleshoot Issues on SaaS Security Inline for NGFW

Learn how to troubleshoot issues on SaaS Security Inline for NGFW, including onboarding and licensing failures.
As you use SaaS Security Inline, you or your firewall administrator might encounter errors if you inadvertently missed a step during SaaS Security Inline onboarding or ACE deployment. The most common errors are related to a missing license. Deployment is a team effort: to avoid these errors, it’s imperative that you work with your firewall administrator to verify licensing before using SaaS Security Inline. In addition to the errors outlined below, there are other errors that display on the firewall itself.
Symptom
Explanation
Solution
New recommendations aren’t displaying in the firewall web interface.
If the SaaS Security Inline license expires, the firewall no longer pulls SaaS policy recommendations, so you cannot see new recommendations. However, SaaS policy recommendations that you already imported and applied as Security policy continue to work.
Renew your SaaS Security Inline license.
Cannot import recommendations that define specific SaaS apps.
If you disable ACE, the firewall no longer receives new cloud application signatures and App-IDs and the firewall cannot import SaaS policy recommendations based on new ACE App-IDs.
Re-enable ACE.
When you log in to your firewall web interface, SaaS Security license is required for feature to function message displays in the footer.
The firewall is missing the required SaaS Security Inline license.
After you activate, your firewall administrator must retrieve the license keys from the license server.
When your firewall administrator attempts to import and commit a recommendation that uses a data profile, the operation fails with Unknown data-filtering profile name message.
The firewall must have an Enterprise DLP license to have a valid SaaS policy rule recommendation that uses data profiles—even if you have an Enterprise DLP license on another platform.
The SaaS Security Team recommends one of the following options:
  • Buy an Enterprise DLP license.
  • Remove the data profile from the SaaS policy rule recommendation.
.