Understand SaaS Custom Headers
Focus
Focus

Understand SaaS Custom Headers

Table of Contents
End-of-Life (EoL)

Understand SaaS Custom Headers

Understand the custom HTTP headers you will use before you create HTTP Header Insertion Rules for your Palo Alto Networks® firewall.
Before you begin, make sure you understand the custom HTTP headers you will use with the SaaS application you are managing. You need to understand what you can accomplish with these headers and the information you need to specify to accomplish your goals.
Be aware that SaaS applications that use custom headers do not always use them to control access to types of accounts. For example, Palo Alto Networks® provides predefined support for YouTube custom headers that determine whether network users can access restricted content.
You should also read the documentation for the SaaS application to which you want to control access so that you understand what headers you need to use for that application.
The following limits apply to HTTP header insertion:
  • Header name character length: 100.
  • Header value character length: 16K.
Be aware that some SaaS applications might define custom header names, or assign values to their custom headers, that exceed these limits. These situations should be rare, but if a SaaS application does exceed one or both of these character length limits, then your next-generation firewall can not successfully manage access to that SaaS application.
The following table lists the headers that you can use for the SaaS applications for which Palo Alto Networks provides predefined support; each header also includes a link to more information specific to that header.
Application
Headers
For More Information
Dropbox
X-Dropbox-allowed-Team-Ids
You can allow access to sanctioned Enterprise Dropbox accounts. This header's value is the business account's team ID, which you can obtain from the network control section of the Dropbox admin console. You must also enable this functionality from the same location.
For details on managing this header, as well as how to enable your Dropbox clients so that you can decrypt their traffic, contact your Dropbox account representative.
Google G Suite
X-GooGApps-Allowed-Domains
You can allow access to specific Google accounts from your domain. The values that you give to this header are your domain and subdomains.
To successfully insert headers for Google applications, you must also:
  1. Create an SSL decryption profile that includes the following categories and URLs:
    • business-and-economy
    • computer-and-internet-info
    • content-delivery-networks
    • internet-communications-and-telephony
    • low-risk
    • online-storage-and-backup
    • search-engine
    • web-based-email
    • drive.google.com
    • *.google.com
    • *.googleusercontent.com
    • *.gstatic.com
  2. HTTP header insertion is not currently supported for HTTP/2. To insert headers, downgrade HTTP/2 connections to HTTP/1.1 using the Strip ALPN feature in the appropriate decryption profile. For more information, see App-ID and HTTP/2 Inspection.
  3. Create rules to block the Quick UDP Internet Connections (QUIC) App-ID and place them at the top of your security policy because the firewall does not support header insertion for this protocol. When you do, the app reverts to using HTTP/2 over TLS, which the firewall handles in the previous step.
Microsoft Office 365
Restrict-Access-To-Tenants
Restrict-Access-Context
You provide Restrict-Access-To-Tenants with a list of tenants you want to allow your users to access. You can use any domain that is registered with a tenant to identify the tenant in this list.
You provide Restrict-Access-Context with the directory ID that is setting the tenant restriction. You can find your directory ID in the Azure portal. Sign in as an administrator, select Azure Active Directory, then select Properties.
YouTube
YouTube-Restrict
You provide this header with information on the type of videos you want your users to be able to view. You can specify either a Strict or Moderate setting. See support.google.com/a/answer/6212415 for details on these different settings.