Import Updated SaaS Policy Recommendation
Focus
Focus

Import Updated SaaS Policy Recommendation

Table of Contents
End-of-Life (EoL)

Import Updated SaaS Policy Recommendation

When a SaaS Security administrator pushes Security policy rule recommendations to a PAN-OS firewall (or Panorama), the PAN-OS administrator can import those rules to gain visibility into and control of the applications in the policy recommendation. However, if the SaaS administrator updates the rule, for example by adding or removing applications, the rule also needs to be updated on the firewall.
If the SaaS Security administrator pushes new or updated Application Groups, HIP profiles, or tags, the firewall automatically creates or updates those objects. If the SaaS Security administrator pushes Security profiles with the policy recommendation update and those profiles don’t exist on the firewall, the firewall import fails. If the profiles already exist on the firewall, the import succeeds.
  1. Refresh (
    ) DevicePolicy RecommendationSaaS (or PanoramaPolicy RecommendationSaaS) to ensure that you see all of the latest SaaS policy recommendations that the SaaS administrator pushed to the firewall.
  2. Check New Updates Available.
    If the value in the New Updates Available column is No, then there are no updates to the rule. If the value is Yes, then the SaaS administrator has pushed an update to the rule to the firewall. In addition, Active Recommendations shows the value active.
  3. Click the Application Group name in the Applications column to see the updated list of applications that the rule controls.
  4. Select a policy recommendation to update.
    You update only one policy recommendation at a time.
  5. Click Import Policy Rule to import the policy (if there are no updates to the rule, this option is grayed out and you can’t select it).
    The Import Policy Rule dialog appears. The Name is already populated and cannot be changed because the rule has already been imported. After Rule also cannot be changed in the dialog, but if you want to change the rule’s location in the Security policy rulebase, you can do that on PoliciesSecurity in the same way that you change the position of any Security policy rule. You can change the Description or leave it as-is.
  6. Click OK.
  7. Click Yes in Confirm Change to import the updated rule (or click No if you don’t want to import the changed rule).
    The firewall automatically makes any changes to the Application Group, HIP profiles, and tags associated with the rule.