Understand the custom HTTP headers you will use before
you create HTTP Header Insertion Rules for your Palo Alto Networks®
Before you begin, make sure you understand the custom
HTTP headers you will use with the SaaS application you are managing.
You need to understand what you can accomplish with these headers
and the information you need to specify to accomplish your goals.
Be aware that SaaS applications that use custom headers do not
always use them to control access to types of accounts. For example,
Palo Alto Networks® provides predefined support for YouTube custom
headers that determine whether network users can access restricted
You should also read the documentation for the SaaS application
to which you want to control access so that you understand what
headers you need to use for that application.
The following limits apply to HTTP header insertion:
Header name character length: 100.
Header value character length: 512.
that some SaaS applications might define custom header names, or
assign values to their custom headers, that exceed these limits.
These situations should be rare, but if a SaaS application does
exceed one or both of these character length limits, then your next-generation
firewall can not successfully manage access to that SaaS application.
The following table lists the headers that you can use for the
SaaS applications for which Palo Alto Networks provides predefined
support; each header also includes a link to more information specific
to that header.
can allow access to sanctioned Enterprise Dropbox accounts. This
header's value is the business account's team ID, which you can
obtain from the network control section of the Dropbox admin console.
You must also enable this functionality from the same location.
details on managing this header, as well as how to enable your Dropbox
clients so that you can decrypt their traffic, contact your Dropbox
Create rules to block the
Quick UDP Internet Connections (QUIC) App-ID and place them at the
top of your security policy because the firewall does not support
header insertion for this protocol. When you do, the app reverts
to using HTTP/2 over TLS, which the firewall handles in the previous