SaaS App-ID Policy Recommendation

The rapid proliferation of SaaS applications makes it difficult to assign all of them specific App-IDs, gain visibility into those applications, and control them. Security policy rules that allow ssl, web-browsing, or “any” application may allow unsanctioned SaaS applications that can introduce security risks to your network. To gain visibility into those applications and control them on the firewall, SaaS Security administrators can recommend Security policy rules with specific SaaS App-IDs provided by the App-ID Cloud Engine (ACE) to PAN-OS firewall administrators. PAN-OS administrators can import those rules on firewall’s that have a SaaS Security Inline subscription.
SaaS Policy Recommendation requires a SaaS Security Inline subscription. Each appliance that uses the SaaS Policy Recommendation Engine needs to generate and install a valid device certificate or use Panorama to generate and install a valid device certificate.
A SaaS Security Inline connection to Cortex Data Lake (CDL) is required for SaaS visibility. Configure Log Forwarding to CDL and enable Log Forwarding with the correct Log Forwarding profile in Security policy rules. At a minimum, you must forward Traffic logs and URL logs to CDL for SaaS Security Inline to work properly.
All hardware platforms that support PAN-OS 10.1 or later support SaaS Policy Recommendation and all appliances on which you want to use SaaS Policy Recommendation require PAN-OS 10.1 or later. Panorama cannot push and commit SaaS Policy Recommendations to firewalls that don’t have a SaaS Security Inline license installed or to firewalls that run an earlier version of PAN-OS than 10.1.
  • The
    SaaS Security Administrator’s Guide
    describes the SaaS Security administrator’s procedure for creating Security policy rule recommendations and then pushing them to the firewall.
  • The
    PAN-OS Administrator’s Guide
    describes how the PAN-OS administrator imports and manages policy recommendations from the SaaS Security administrator.
The SaaS Security administrator creates the new rule, adds applications, users, and groups to the rule, and sets the rule action. The rule action can be allow or block; no other actions are permitted for pushed rules. The SaaS Security administrator then pushes the rule to the appropriate appliances and the rule appears in the firewall interface (
Device
Policy Recommendation
SaaS
).
The PAN-OS administrator evaluates the recommended rule and decides whether to implement it on the firewall. If the PAN-OS administrator chooses to implement the rule, the administrator imports it on the firewall and selects where to place the policy rule in the firewall rulebase. When a PAN-OS administrator imports a policy recommendation, the firewall creates the required HIP profiles, tags, and Application Groups automatically (the PAN-OS administrator doesn’t have to do it manually).
If the SaaS Security administrator pushes Security profiles with the policy recommendation and those profiles don’t exist on the firewall, the firewall import fails. If the profiles already exist on the firewall, the import succeeds.
If the SaaS Security administrator updates a policy rule recommendation, the PAN-OS administrator sees the update and imports it into the firewall. If the SaaS Security administrator deletes a policy rule recommendation, the PAN-OS administrator sees the action and deletes the rule from the firewall Security policy rulebase.
If the SaaS Security Inline license expires, the firewall no longer pulls SaaS policy recommendations, so you see no new recommendations. However, Security policy rules that you already imported continue to work.
If you disable ACE, the firewall no longer receives new cloud application signatures and App-IDs and the firewall cannot import SaaS policy recommendations based on new ACE App-IDs.
The ACE deployment process (connecting to the cloud, installing device certificates, activating the license on the SaaS Security Portal and pushing it to Panorama and firewalls, etc.) also sets up SaaS Policy Recommendation.
Update all appliances to the latest Threat content updates.
User interface additions for this new feature include:
  • Device
    Policy Recommendation
    SaaS
    displays policy recommendations from SaaS administrators and enables firewall administrators to import, update, remove, and control recommended SaaS policies. The page display includes Application Groups configured by the SaaS administrator for the policy.
  • Role-based interface access (
    Device
    Admin Roles
    ) has a new option on the
    Web UI
    tab for SaaS policy recommendation permissions:
    Device
    Policy Recommendation
    SaaS
    .
  • SaaS policy recommendations are automatically tagged
    SaaSSecurityRecommended
    , which is displayed in the
    Tags
    column in the interface.
You can import and update SaaS policy recommendations pushed by SaaS administrators and remove SaaS policy recommendations that the SaaS administrator has deleted.

Recommended For You