When a SaaS Security administrator pushes Security policy rule
recommendations to a PAN-OS firewall, the PAN-OS firewall administrator
can import those rules on the firewall to gain visibility into and
control of the applications in the policy. See the SaaS Security
Administrator's Guide for the SaaS administrator's policy recommendation
and push procedures. This procedure shows PAN-OS administrators how to
import policy recommendations.
If the SaaS Security administrator pushes Security profiles with the
policy recommendation and those profiles don't exist on the firewall,
the firewall import fails. If the profiles already exist on the
firewall, the import succeeds. Before you import, confirm that every
Security profile the recommendation references already exists on the
firewall.
The firewall and Panorama both list all of the SaaS policy
recommendations that the SaaS administrator pushed. From Panorama, push
the policy recommendations to the managed firewalls. Refresh the page
to ensure that the SaaS policy recommendations shown are up-to-date;
any time you push policy recommendations from Panorama to managed
firewalls, refresh the page on the firewalls so that the
recommendations there are current.

Newly pushed policy recommendations appear at the top of the list.
Select a new policy recommendation. You import one policy
recommendation at a time. Each policy recommendation lists an
Application Group; click the name of the group to see the applications
in that group.
Each recommendation also shows the source device that the SaaS
administrator configured for the rule. The term "SaaS" precedes the
source device. The source device can be:
MCD—Managed Compliant Device
MNCD—Managed Non-compliant Device
UMCD—Unmanaged Compliant Device
UMNCD—Unmanaged Non-compliant Device
For example, SaaS - MCD indicates a managed, compliant source device.
Select Import Policy Rule and configure the imported rule:

Name the imported rule using a name that describes the rule's intent.
If you specify a rule name that already exists in the Security policy
rulebase, the imported rule overwrites the existing rule, so check the
rulebase for the name before you import.

Select the rule after which to place the imported SaaS rule. Think
about the firewall's rulebase and how the new rule may affect existing
rules. If you do not select a rule (No Rule Selection), the rule is
placed at the top of the Security policy rulebase. In some cases, that
is not where you want the rule. For example, you may want particular
block rules to always be at the top of the rulebase, such as a rule
that blocks the QUIC protocol. Because the firewall evaluates Security
policy rules from the top down and applies the first match, an
imported rule placed above a more specific rule can shadow it. Be aware
of the intent of the imported rule and be careful not to shadow
existing rules.

The description is taken from the description that the SaaS
administrator entered when creating the rule. You can change it or
leave it as-is.
The import process automatically creates an Application Group for the
applications in the policy recommendation. The name of the Application
Group is derived from the Name that the SaaS Security administrator
gave to the rule. The firewall also automatically creates any HIP
profiles and tags that the SaaS administrator applied to the rule.

Confirm the import to add the rule to the Security policy rulebase in
the position you selected. When you see the status message "You've
successfully updated your Security policy rules", acknowledge it. The
recommendation's entry now shows the rule's location (vsys) on the
firewall, which corresponds to the vsys to which the SaaS administrator
pushed the rule.
Confirm that the imported policy rule is in the Security policy
rulebase at the specified location and that the firewall created the
associated objects. For example, check the Security policy rule for the
following:
The source device is populated and shows the source device configured
for the rule.
The rule's application is the imported Application Group.
The associated Security profiles are attached to the rule.
The imported Application Group exists as an application group object on
the firewall.
The HIP information that the SaaS Security administrator pushed with
the rule is present.
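The two checks above that are easy to skip, the rule-name collision before import and the position and object verification after it, can be run against a configuration export instead of by eye. The following Python is an added example, not code from the PAN-OS or SaaS Security documentation. It parses the rules element of a vsys Security rulebase as the PAN-OS XML API returns it for a type=config&action=get request on the rulebase xpath (the candidate configuration; use action=show for the running configuration), then checks the imported rule's position relative to the rule you selected, the rules evaluated before it, and the application group, source device, profiles and tags the import attached. The element names source-hip, tag, application and profile-setting, the rule and object names, and the sample rulebase are assumptions constructed for this example; compare them against an export from your own firewall.

```python
"""Pre- and post-import checks for a SaaS policy recommendation on PAN-OS.

Added example, not from the PAN-OS or SaaS Security documentation. Works on
the <rules> element of a Security rulebase as returned by the PAN-OS XML API
(type=config&action=get&xpath=/config/devices/entry/vsys/entry[@name='vsys1']
/rulebase/security/rules). Element names are assumptions taken from a
PAN-OS 10.x style configuration export; verify them against your own export.
"""
import xml.etree.ElementTree as ET

# Constructed sample rulebase (not a real export): a QUIC block rule that must
# stay at the top, the freshly imported SaaS rule placed after it, and a
# catch-all at the bottom. Names and values are assumptions for the example.
SAMPLE_RULEBASE = """<rules>
  <entry name="block-quic">
    <application><member>quic</member></application>
    <action>deny</action>
  </entry>
  <entry name="saas-sanctioned-mcd">
    <application><member>SaaS-sanctioned</member></application>
    <source-hip><member>SaaS - MCD</member></source-hip>
    <tag><member>saas-recommendation</member></tag>
    <profile-setting><group><member>default</member></group></profile-setting>
    <action>allow</action>
  </entry>
  <entry name="allow-all">
    <application><member>any</member></application>
    <action>allow</action>
  </entry>
</rules>"""


def rule_names(rulebase_xml):
    """Rule names in rulebase order (PAN-OS evaluates top-down, first match wins)."""
    root = ET.fromstring(rulebase_xml)
    return [entry.get("name") for entry in root.findall("entry")]


def name_collides(rulebase_xml, new_name):
    """Pre-import check: importing under an existing name overwrites that rule."""
    return new_name in rule_names(rulebase_xml)


def position_ok(rulebase_xml, rule, after=None):
    """Post-import check: the rule sits directly after `after`, or at the top
    of the rulebase when no rule was selected (the No Rule Selection case)."""
    names = rule_names(rulebase_xml)
    if rule not in names:
        return False
    idx = names.index(rule)
    if after is None:
        return idx == 0
    return after in names and idx == names.index(after) + 1


def rules_above(rulebase_xml, rule):
    """Rules evaluated before `rule`; any of these with overlapping match
    criteria can shadow it, and it can in turn shadow the rules below it."""
    names = rule_names(rulebase_xml)
    return names[: names.index(rule)] if rule in names else []


def _members(entry, element):
    """Text of every <member> under a child element such as <application>."""
    return [m.text for m in entry.findall(f"{element}/member")]


def check_rule_objects(rulebase_xml, rule, app_group, source_device):
    """Post-import check of the objects the import creates and attaches."""
    root = ET.fromstring(rulebase_xml)
    entry = root.find(f"entry[@name='{rule}']")
    if entry is None:
        return {"present": False}
    return {
        "present": True,
        "application_group": app_group in _members(entry, "application"),
        "source_device": source_device in _members(entry, "source-hip"),
        "profiles_attached": entry.find("profile-setting") is not None,
        "tags": _members(entry, "tag"),
    }


if __name__ == "__main__":
    print("name collision:", name_collides(SAMPLE_RULEBASE, "allow-all"))
    print("position ok:", position_ok(SAMPLE_RULEBASE, "saas-sanctioned-mcd", "block-quic"))
    print("evaluated first:", rules_above(SAMPLE_RULEBASE, "saas-sanctioned-mcd"))
    print(check_rule_objects(SAMPLE_RULEBASE, "saas-sanctioned-mcd",
                             "SaaS-sanctioned", "SaaS - MCD"))
```

Run name_collides before you import with the name you intend to use, and the other checks after the import against a fresh export of the candidate configuration; rules_above lists what the imported rule now sits beneath, which is the set you need to review for the shadowing caveat above.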