Import SaaS Policy Recommendation
When a SaaS Security administrator pushes Security policy rule recommendations to a PAN-OS firewall, the PAN-OS firewall administrator can import those rules on the firewall to gain visibility into and control of the applications in the policy recommendation.
See the SaaS Security Administrator’s Guide for the SaaS administrator’s policy recommendation and push procedures. This procedure shows PAN-OS administrators how to import policy recommendations.
If the SaaS Security administrator pushes Security profiles with the policy recommendation and those profiles don’t exist on the firewall, the firewall import fails. If the profiles already exist on the firewall, the import succeeds.
- Device > Policy Recommendation > SaaS on the firewall and Panorama > Policy Recommendation > SaaS on Panorama show all of the SaaS policy recommendations pushed from the SaaS administrator. Push policy recommendations from Panorama to managed firewalls.
- Refresh Device > Policy Recommendation > SaaS (or Panorama > Policy Recommendation > SaaS) to ensure that the SaaS policy recommendations are up-to-date.
  Any time you push policy recommendations from Panorama to managed firewalls, refresh the page on the firewalls to ensure that the recommendations are up-to-date.
  Newly pushed policy recommendations appear at the top of the screen. Active Recommendations shows the value active and New Updates Available shows the value Yes.
- Select a new policy recommendation.
  You import one policy recommendation at a time. The Applications column shows an Application Group for each policy recommendation. Click the name of the group to see the applications in that group.
  The Device column shows the source device that the SaaS administrator configured for the rule. The term “SaaS” precedes the source device. The source device can be:
  - MCD—Managed Compliant Device
  - MNCD—Managed Non-compliant Device
  - UMCD—Unmanaged Compliant Device
  - UMNCD—Unmanaged Non-compliant Device
  For example, SaaS - MCD indicates a managed, compliant source device.
- Import Policy Rule.
  In the Import Policy Rule dialog:
  - Name—Name the imported rule using a name that describes the rule’s intent. If you specify a rule name that already exists in the Security policy rulebase, the imported rule overwrites the existing rule.
  - After Rule—Select the rule after which to place the imported SaaS rule. Think about the firewall’s rulebase and how the new rule may affect existing rules. If you do not select a rule (No Rule Selection), then the rule is placed at the top of the Security policy rulebase. In some cases, that’s not where you want to place the rule. For example, you may want some particular block rules to always be at the top of the rulebase, such as blocking QUIC protocol. Be aware of the intent of the imported rule and be careful not to shadow existing rules.
  The Description comes from the description entered when the SaaS administrator created the rule. You can change it or leave it as-is.
  The import process automatically creates an Application Group for the applications in the policy recommendation. The name of the Application Group is derived from the Name that the SaaS Security administrator gave to the rule. The firewall also automatically creates any HIP profiles and tags that the SaaS administrator applied to the rule.
- Click OK to import the rule and add it to the Security policy rulebase in the position selected in After Rule.
- When you see the status message “You’ve successfully updated your Security policy rules”, click OK.
  The Location column now shows the rule’s location (vsys) on the firewall, which corresponds to the vsys to which the SaaS administrator pushed the rule.
- Confirm that the imported policy rule is in the Security policy rulebase (Policies > Security) at the specified location and that the firewall created the associated objects.
  For example, check the Security policy rule for:
  - The rule’s Source Device is populated and shows the source device for the rule on the Source tab.
  - The Application Group populates the rule’s Application tab.
  - Associated profiles are attached to the rule (Actions tab).
  Also check that:
  - Objects > Applications Group shows the imported Application Group.
  - Objects > GlobalProtect > HIP Objects and Objects > GlobalProtect > HIP Profiles show the HIP information pushed from the SaaS Security administrator with the rule.
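
The two risks named in the Import Policy Rule step (a reused Name overwrites the existing rule, and the After Rule position can shadow rules below it) can be checked against an exported configuration before you click OK. The following Python is an added example, not Palo Alto Networks code: the sample XML is constructed, the function names are hypothetical, and it assumes application names are already expanded from the Application Group and compares applications and action only.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed PAN-OS-style Security rulebase, not a real export.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><rulebase><security><rules>
<entry name="block-quic"><application><member>quic</member></application>
  <action>deny</action></entry>
<entry name="allow-web"><application><member>web-browsing</member>
  <member>ssl</member></application><action>allow</action></entry>
<entry name="block-file-sharing"><application><member>dropbox</member>
  <member>box</member></application><action>deny</action></entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""


def load_rules(config_xml, vsys="vsys1"):
    """Return the vsys Security rules in rulebase (evaluation) order."""
    root = ET.fromstring(config_xml)
    path = f".//vsys/entry[@name='{vsys}']/rulebase/security/rules/entry"
    return [{"name": e.get("name"),
             "action": (e.findtext("action") or "").strip(),
             "apps": {m.text.strip() for m in e.findall("application/member")}}
            for e in root.findall(path)]


def preimport_check(rules, new_name, new_apps, new_action="allow", after_rule=None):
    """Hypothetical helper: flag overwrite and possible-shadow findings."""
    names = [r["name"] for r in rules]
    if after_rule is not None and after_rule not in names:
        raise ValueError(f"After Rule {after_rule!r} is not in the rulebase")
    findings = []
    if new_name in names:
        # Importing under an existing name overwrites that rule.
        findings.append(("overwrite", new_name))
    # No Rule Selection places the imported rule at the top of the rulebase.
    pos = 0 if after_rule is None else names.index(after_rule) + 1
    new_apps = set(new_apps)
    for r in rules[pos:]:
        if r["name"] == new_name or r["action"] == new_action:
            continue
        overlap = r["apps"] & new_apps
        if overlap or "any" in r["apps"] or "any" in new_apps:
            # Simplification: only applications and action are compared.
            findings.append(("possible-shadow", r["name"], sorted(overlap)))
    return findings


if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONFIG)
    print(preimport_check(rules, "saas-allow-dropbox", {"dropbox"}))
    print(preimport_check(rules, "allow-web", {"dropbox"}, after_rule="block-file-sharing"))
```

A "possible-shadow" finding is a prompt to review zones, sources, users and services on both rules, since the check does not evaluate those match criteria.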