Import SaaS Policy Recommendation

When a SaaS Security administrator pushes Security policy rule recommendations to a PAN-OS firewall, the PAN-OS firewall administrator can import those rules on the firewall to gain visibility into and control of the applications in the policy recommendation.
See the SaaS Security Administrator’s Guide for the SaaS administrator’s policy recommendation and push procedures. This procedure shows PAN-OS administrators how to import policy recommendations.
If the SaaS Security administrator pushes Security profiles with the policy recommendation and those profiles don’t exist on the firewall, the firewall import fails. If the profiles already exist on the firewall, the import succeeds.
  1. Select Device > Policy Recommendation > SaaS on the firewall (or Panorama > Policy Recommendation > SaaS on Panorama) to see all of the SaaS policy recommendations pushed by the SaaS administrator. From Panorama, push the policy recommendations to the managed firewalls.
  2. Refresh Device > Policy Recommendation > SaaS (or Panorama > Policy Recommendation > SaaS) to ensure that the SaaS policy recommendations are up-to-date.
    Any time you push policy recommendations from Panorama to managed firewalls, refresh the page on the firewalls to ensure that the recommendations are up-to-date.
    Newly pushed policy recommendations appear at the top of the screen. Active Recommendations shows the value active and New Updates Available shows the value Yes.
  3. Select a new policy recommendation.
    You import one policy recommendation at a time. The Applications column shows an Application Group for each policy recommendation. Click the name of the group to see the applications in that group.
    The Device column shows the source device that the SaaS administrator configured for the rule. The term “SaaS” precedes the source device. The source device can be:
    • MCD—Managed Compliant Device
    • MNCD—Managed Non-compliant Device
    • UMCD—Unmanaged Compliant Device
    • UMNCD—Unmanaged Non-compliant Device
    For example, SaaS - MCD indicates a managed, compliant source device.
  4. Click Import Policy Rule.
    In the Import Policy Rule dialog:
    • Name—Name the imported rule using a name that describes the rule’s intent.
      If you specify a rule name that already exists in the Security policy rulebase, the imported rule overwrites the existing rule.
    • After Rule—Select the rule after which to place the imported SaaS rule. Think about the firewall’s rulebase and how the new rule may affect existing rules. If you do not select a rule (No Rule Selection), the rule is placed at the top of the Security policy rulebase. In some cases, that’s not where you want to place the rule. For example, you may want particular block rules to always be at the top of the rulebase, such as a rule that blocks the QUIC protocol. Be aware of the intent of the imported rule and be careful not to shadow existing rules.
    The Description comes from the description entered when the SaaS administrator created the rule. You can change it or leave it as-is.
    The import process automatically creates an Application Group for the applications in the policy recommendation. The name of the Application Group is derived from the Name that the SaaS Security administrator gave to the rule. The firewall also automatically creates any HIP profiles and tags that the SaaS administrator applied to the rule.
  5. Click OK to import the rule and add it to the Security policy rulebase in the position selected in After Rule.
  6. When you see the status message “You’ve successfully updated your Security policy rules”, click OK.
    The Location column now shows the rule’s location (vsys) on the firewall, which corresponds to the vsys to which the SaaS administrator pushed the rule.
  7. Confirm that the imported policy rule is in the Security policy rulebase (Policies > Security) at the specified location and that the firewall created the associated objects.
    For example, check the Security policy rule for the following:
    • The rule’s Source Device is populated and shows the source device for the rule on the Source tab.
    • The Application Group populates the rule’s Application tab.
    • Associated profiles are attached to the rule (Actions tab).
    Also check that:
    • Objects > Application Groups shows the imported Application Group.
    • Objects > GlobalProtect > HIP Objects and Objects > GlobalProtect > HIP Profiles show the HIP information pushed from the SaaS Security administrator with the rule.
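The checks in steps 4 and 7 (rule placed after the chosen After Rule, Application Group present and referenced, Source Device and profiles set, and no existing rule shadowing the import) can be scripted against the firewall's configuration. The following is an added example, not code from the Palo Alto Networks documentation or product. It parses a constructed slice of a vsys configuration in the shape the PAN-OS XML API returns for type=config&action=get on the rulebase; the sample rules, group and names are made up for this block, the rule's Source Device is modelled as a source-hip member (an assumption of this example), and the shadowing test is a simple full-coverage check over the match fields, not a replacement for the firewall's own rule analysis.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not captured from a real firewall): "Block QUIC"
# stays at the top, the imported SaaS rule sits directly after it, and a broad
# "Allow Web" rule follows. Application Group and rule names are examples.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <application-group>
    <entry name="SaaS-Unsanctioned-Storage">
      <members><member>dropbox-uploading</member><member>mega</member></members>
    </entry>
  </application-group>
  <rulebase><security><rules>
    <entry name="Block QUIC">
      <from><member>any</member></from><to><member>any</member></to>
      <source><member>any</member></source><destination><member>any</member></destination>
      <application><member>quic</member></application>
      <service><member>any</member></service>
      <action>deny</action>
    </entry>
    <entry name="SaaS-Block-Unsanctioned-Storage-MCD">
      <from><member>trust</member></from><to><member>untrust</member></to>
      <source><member>any</member></source><destination><member>any</member></destination>
      <source-hip><member>SaaS - MCD</member></source-hip>
      <application><member>SaaS-Unsanctioned-Storage</member></application>
      <service><member>application-default</member></service>
      <action>deny</action>
      <profile-setting><profiles>
        <url-filtering><member>default</member></url-filtering>
      </profiles></profile-setting>
    </entry>
    <entry name="Allow Web">
      <from><member>trust</member></from><to><member>untrust</member></to>
      <source><member>any</member></source><destination><member>any</member></destination>
      <source-hip><member>any</member></source-hip>
      <application><member>any</member></application>
      <service><member>application-default</member></service>
      <action>allow</action>
    </entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

# Rule fields that decide whether traffic matches; "any" acts as a wildcard.
MATCH_FIELDS = ("from", "to", "source", "destination", "source-hip", "application", "service")


def _members(entry, tag):
    """Set of <member> values under <tag>; a missing element is treated as 'any'."""
    node = entry.find(tag)
    return {"any"} if node is None else {m.text.strip() for m in node.findall("member")}


def rules_from_xml(xml_text):
    """Ordered list of Security rules (top of the rulebase first) as plain dicts."""
    rules_node = ET.fromstring(xml_text).find(".//rulebase/security/rules")
    if rules_node is None:
        raise ValueError("no Security rulebase in config")
    rules = []
    for e in rules_node.findall("entry"):
        rule = {"name": e.get("name"), "action": e.findtext("action")}
        for f in MATCH_FIELDS:
            rule[f] = _members(e, f)
        # Profiles attached directly or through a profile group (Actions tab).
        rule["profiles"] = [p.tag for p in e.findall("profile-setting/profiles/*")]
        rule["profiles"] += [g.text for g in e.findall("profile-setting/group/member")]
        rules.append(rule)
    return rules


def app_groups_from_xml(xml_text):
    """Map Application Group name -> set of member applications."""
    root = ET.fromstring(xml_text)
    return {g.get("name"): {m.text.strip() for m in g.findall("members/member")}
            for g in root.findall(".//application-group/entry")}


def _expand(apps, groups):
    """Replace Application Group names with their members."""
    out = set()
    for a in apps:
        out |= groups.get(a, {a})
    return out


def covers(earlier, later, groups):
    """True when every match field of `earlier` is 'any' or a superset of `later`'s,
    so traffic meant for `later` is decided by `earlier` first (full shadowing)."""
    for f in MATCH_FIELDS:
        ear, lat = earlier[f], later[f]
        if f == "application":
            ear, lat = _expand(ear, groups), _expand(lat, groups)
        if "any" in ear:
            continue
        if "any" in lat or not lat <= ear:
            return False
    return True


def find_shadowing(rules, name, groups):
    """Names of rules above `name` in the rulebase that fully shadow it."""
    names = [r["name"] for r in rules]
    idx = names.index(name)
    return [r["name"] for r in rules[:idx] if covers(r, rules[idx], groups)]


def verify_import(xml_text, rule_name, after_rule, app_group, source_device):
    """Run the post-import checks; returns a list of findings (empty means all passed)."""
    rules, groups = rules_from_xml(xml_text), app_groups_from_xml(xml_text)
    names = [r["name"] for r in rules]
    if rule_name not in names:
        return [f"rule '{rule_name}' is not in the Security rulebase"]
    pos = names.index(rule_name)
    rule = rules[pos]
    findings = []
    # No Rule Selection places the rule at the top of the rulebase (position 0).
    if after_rule is not None and after_rule not in names:
        findings.append(f"After Rule '{after_rule}' does not exist")
    else:
        expected = 0 if after_rule is None else names.index(after_rule) + 1
        if pos != expected:
            findings.append(f"rule is at position {pos}, expected {expected}")
    if app_group not in rule["application"]:
        findings.append(f"Application tab does not reference '{app_group}'")
    if app_group not in groups:
        findings.append(f"Objects > Application Groups has no '{app_group}'")
    if source_device not in rule["source-hip"]:
        findings.append(f"Source Device '{source_device}' is not set on the Source tab")
    if not rule["profiles"]:
        findings.append("no Security profiles attached on the Actions tab")
    findings += [f"fully shadowed by earlier rule '{s}'"
                 for s in find_shadowing(rules, rule_name, groups)]
    return findings


if __name__ == "__main__":
    print(verify_import(SAMPLE_CONFIG, "SaaS-Block-Unsanctioned-Storage-MCD",
                        "Block QUIC", "SaaS-Unsanctioned-Storage", "SaaS - MCD"))
```

Against the sample, the import placed after Block QUIC produces no findings; asking for the same rule with No Rule Selection reports the position mismatch, and moving the rule below Allow Web makes find_shadowing report that rule, which is the situation the After Rule note warns about. To run it against a live device, replace SAMPLE_CONFIG with the response of a type=config&action=get request for the vsys rulebase.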
