The rapid proliferation of SaaS applications
makes it difficult to assign all of them specific App-IDs, gain
visibility into those applications, and control them, which may
introduce security risks to your network. To gain visibility into
those applications and control them on the firewall, SaaS Security administrators
can recommend Security policy rules with
specific SaaS App-IDs provided by the App-ID Cloud Engine (ACE)
to PAN-OS firewall administrators. PAN-OS administrators can import
those rules on firewalls that have a SaaS Security Inline subscription.

The SaaS Security administrator creates the new rule,
adds applications, users, and groups to the rule, and sets the rule
action. The rule action can be allow or block; no other actions
are permitted for pushed rules.

The SaaS Security administrator pushes the rule to the appropriate
appliances and the rule appears in the firewall interface (

The PAN-OS administrator evaluates the recommended rule and
decides whether to implement it on the firewall.

If the PAN-OS administrator chooses to implement the rule,
the administrator imports it on the firewall and selects where to
place the policy rule in the firewall rulebase. When a PAN-OS administrator
imports a policy recommendation, the firewall creates the required
HIP profiles, tags, and Application Groups automatically so the
PAN-OS administrator doesn’t have to do it.

If the SaaS Security administrator pushes Security profiles
with the policy recommendation and those profiles don’t exist on
the firewall, the firewall import fails. If the profiles already
exist on the firewall, the import succeeds.

If the SaaS Security administrator updates a policy rule recommendation,
the PAN-OS administrator sees the update and imports it into the
firewall. If the SaaS Security administrator deletes a policy rule
recommendation, the PAN-OS administrator sees the action and deletes
the rule from the firewall Security policy rulebase.