SaaS Policy Rule Recommendation

The rapid proliferation of SaaS applications makes it difficult to assign all of them specific App-IDs, gain visibility into those applications, and control them, which may introduce security risks to your network. To gain visibility into those applications and control them on the firewall, SaaS Security administrators can recommend Security policy rules with specific SaaS App-IDs provided by the App-ID Cloud Engine (ACE) to PAN-OS firewall administrators. PAN-OS administrators can import those rules on firewalls that have a SaaS Security Inline subscription.
SaaS Security Inline for PAN-OS describes the procedure for pushing Security policy rule recommendations to the firewall, and Import SaaS Policy Recommendation describes how the PAN-OS administrator imports policy recommendations from the SaaS administrator. The high-level process is:
  1. The SaaS Security administrator creates the new rule, adds applications, users, and groups to the rule, and sets the rule action. The rule action can be allow or block; no other actions are permitted for pushed rules.
  2. The SaaS Security administrator pushes the rule to the appropriate appliances and the rule appears in the firewall interface (Policy Recommendation).
  3. The PAN-OS administrator evaluates the recommended rule and decides whether to implement it on the firewall.
  4. If the PAN-OS administrator chooses to implement the rule, the administrator imports it on the firewall and selects where to place the policy rule in the firewall rulebase. When a PAN-OS administrator imports a policy recommendation, the firewall creates the required HIP profiles, tags, and Application Groups automatically so the PAN-OS administrator doesn’t have to do it.
If the SaaS Security administrator pushes Security profiles with the policy recommendation and those profiles don’t exist on the firewall, the firewall import fails. If the profiles already exist on the firewall, the import succeeds.
If the SaaS Security administrator updates a policy rule recommendation, the PAN-OS administrator sees the update and imports it into the firewall. If the SaaS Security administrator deletes a policy rule recommendation, the PAN-OS administrator sees the action and deletes the rule from the firewall Security policy rulebase.
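The two conditions above that a pushed rule must meet (an allow or block action, and Security profiles that already exist on the firewall) can be checked before attempting the import. The following is an added example, not Palo Alto Networks code: the rule dictionary is a hypothetical representation of a recommendation, the configuration snippet and all names in it are constructed, and the profile element names are assumed to match the firewall's configuration export.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <profiles> subtree of a firewall configuration export.
# Element names are assumed to follow the export layout; entry names are made up.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <profiles>
    <virus><entry name="corp-av"/></virus>
    <spyware><entry name="corp-as"/></spyware>
    <url-filtering><entry name="saas-urls"/></url-filtering>
  </profiles>
</entry></vsys></entry></devices></config>
"""

# Hypothetical representation of a pushed recommendation (not a PAN-OS format).
SAMPLE_RULE = {
    "name": "block-unsanctioned-storage",
    "action": "block",
    "profiles": {"virus": "corp-av", "vulnerability": "corp-vp"},
}

PUSHED_ACTIONS = {"allow", "block"}  # the only actions permitted for pushed rules


def existing_profiles(config_xml):
    """Return {profile_type: {names}} for every <profiles> subtree in the export."""
    found = {}
    for profiles in ET.fromstring(config_xml).iter("profiles"):
        for ptype in profiles:
            names = found.setdefault(ptype.tag, set())
            names.update(e.get("name") for e in ptype.findall("entry"))
    return found


def preflight(rule, config_xml):
    """List the problems found with a rule; an empty list means none were found."""
    problems = []
    if rule.get("action") not in PUSHED_ACTIONS:
        problems.append(f"action {rule.get('action')!r} is not allow or block")
    present = existing_profiles(config_xml)
    for ptype, name in sorted(rule.get("profiles", {}).items()):
        if name not in present.get(ptype, set()):
            problems.append(f"{ptype} profile {name!r} does not exist on the firewall")
    return problems


if __name__ == "__main__":
    for line in preflight(SAMPLE_RULE, SAMPLE_CONFIG) or ["no blocking issues found"]:
        print(line)
```

Profiles that ship predefined with the firewall may not appear in the exported configuration, so treat a reported missing profile as a prompt to verify on the firewall before creating it.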

