Import Updated SaaS Policy Recommendation

When a SaaS Security administrator pushes Security policy rule recommendations to a PAN-OS firewall (or Panorama), the PAN-OS administrator can import those rules to gain visibility into and control of the applications in the policy recommendation. However, if the SaaS administrator updates the rule, for example by adding or removing applications, the rule also needs to be updated on the firewall.
If the SaaS Security administrator pushes new or updated Application Groups, HIP profiles, or tags, the firewall automatically creates or updates those objects. If the SaaS Security administrator pushes Security profiles with the policy recommendation update and those profiles don’t exist on the firewall, the firewall import fails. If the profiles already exist on the firewall, the import succeeds.
  1. Refresh ( )
    Policy Recommendation
    Policy Recommendation
    ) to ensure that you see all of the latest SaaS policy recommendations that the SaaS administrator pushed to the firewall.
  2. Check
    New Updates Available
    If the value in the
    New Updates Available
    column is
    , then there are no updates to the rule. If the value is
    , then the SaaS administrator has pushed an update to the rule to the firewall. In addition,
    Active Recommendations
    shows the value
  3. Click the Application Group name in the
    column to see the updated list of applications that the rule controls.
  4. Select a policy recommendation to update.
    You update only one policy recommendation at a time.
  5. Click
    Import Policy Rule
    to import the policy (if there are no updates to the rule, this option is grayed out and you can’t select it).
    Import Policy Rule
    dialog appears. The
    is already populated and cannot be changed because the rule has already been imported.
    After Rule
    also cannot be changed in the dialog, but if you want to change the rule’s location in the Security policy rulebase, you can do that on
    in the same way that you change the position of any Security policy rule. You can change the
    or leave it as-is.
  6. Click
  7. Click
    Confirm Change
    to import the updated rule (or click
    if you don’t want to import the changed rule).
    The firewall automatically makes any changes to the Application Group, HIP profiles, and tags associated with the rule.

Recommended For You