Tenant-level detection and control within SaaS Security Inline is limited to only
select applications. For these applications, SaaS Security Inline can detect the
specific application tenants that users are accessing. SaaS Security Inline displays
these tenant details, and you can submit policy rule recommendations at the
tenant level.

To support tenant-level detection and control for more applications, we now support
even greater granularity through session tracking. We introduced session tracking to
enable SaaS Security Inline to create policy recommendations for individual user
accounts on an application tenant. This capability enables you to allow some
application traffic for a tenant, while blocking traffic from specific user accounts
on that tenant. For example, for a trusted vendor, you might allow traffic only for
your organization's accounts for a particular application, while blocking traffic
for the vendor's accounts or personal accounts for the application.

Session tracking is available only if your license includes SaaS Security Inline, and
you must explicitly enable session tracking in PAN-OS®.

After you enable session tracking, PAN-OS logs additional user and tenant information
to Strata Logging Service. This feature also introduces new custom object types
(SaaS Users and SaaS Tenants) for identifying user accounts and tenants in a policy
rule.

Because SaaS Security Inline is the only consumer of the session tracking information,
and because you might not need to block traffic at the granularity of user accounts,
session tracking is disabled by default. Administrators can easily enable this
setting, as described in the instructions for creating SaaS policy rule
recommendations.