App-ID Features
What new App-ID features are in PAN-OS 11.2?
The following section describes new App-ID features introduced in PAN-OS 11.2.

User Session Tracking for SaaS Security Inline

February 2025
  • Introduced in PAN-OS 11.2.5.
For certain discovered applications, SaaS Security Inline can submit policy recommendations at the tenant level. For a subset of these applications, we now support even greater granularity through session tracking. We introduced session tracking to enable SaaS Security Inline to create policy recommendations for individual user accounts on an application tenant. This capability enables you to allow some application traffic for a tenant, while blocking traffic from specific user accounts on that tenant. For example, for a trusted vendor, you might allow traffic only for your organization's accounts for a particular application, while blocking traffic for the vendor's accounts or personal accounts for the application.
Session tracking is available only if your license includes SaaS Security Inline, and you must explicitly enable session tracking in PAN-OS.
After you enable session tracking, PAN-OS logs additional user and tenant information to Strata Logging Service. This feature also introduces new custom object types (SaaS Users and SaaS Tenants) for identifying user accounts and tenants in a policy rule.
Within 24 hours after the session tracking information is available in Strata Logging Service, SaaS Security Inline can detect the individual user accounts for the supported applications. SaaS Security Inline administrators can then submit policy recommendations that affect only certain user accounts for these applications. When you import the policy recommendation on the firewall, PAN-OS creates the policy rule for the recommendation, including the custom SaaS Users and SaaS Tenant objects. These custom objects are referenced by the policy rule. For information on the applications that we support for session tracking, refer to the information about creating SaaS policy rule recommendations in the SaaS Inline documentation.
Because SaaS Security Inline is the only consumer of the session tracking information, and because you might not need to block traffic at the granularity of user accounts, session tracking is disabled by default. You can enable session tracking from the ACE settings page (DEVICE > Setup > ACE).

Additional HTTP Header Logging for More Tenant-Level Detection

July 2024
  • Introduced in PAN-OS 11.2.1.
For certain discovered applications, SaaS Security Inline can detect the specific application tenants that users are accessing. SaaS Security Inline displays these tenant details, and you can submit policy rule recommendations at the tenant level. This tenant-level detection and control is available only for select applications.
To support tenant-level detection and control for more applications, PAN-OS 11.2.1 introduces a new setting to enable additional HTTP header logging. When additional HTTP header logging is enabled, the firewall logs more information about the applications to Strata Logging Service. This additional information enables SaaS Security Inline to detect the individual application tenants for the following applications:
  • Microsoft Outlook
  • Microsoft OneNote
  • Dropbox
  • MS Powerapps
  • Microsoft Teams
  • Windows Azure
Because SaaS Security Inline is the only consumer of this information, and because you might not require tenant-level policies for these applications, the additional header logging is disabled by default. To enable the additional HTTP header logging on the firewall:
  1. Select DEVICE > Setup > ACE.
  2. Under SaaS Inline Settings, Enable Additional HTTP Header Logging.
Within 24 hours after the additional logs are available in Strata Logging Service, SaaS Security Inline will be able to detect the individual tenants for the applications, and you will be able to submit tenant-level policy recommendations in SaaS Security Inline for the applications.

Explicit Proxy Support for Advanced Services

September 2024
  • Introduced in PAN-OS 11.2.3.
Palo Alto Networks now supports Advanced cloud-based features (including, but not limited to, Precision AI™ optimized features such as Advanced WildFire: Inline Cloud Analysis, Advanced Threat Prevention: Inline Cloud Analysis, and Inline Deep Learning Analysis for Advanced URL Filtering, as well as App-ID Cloud Engine and Enterprise DLP) when an explicit proxy is part of a customer's network security infrastructure. Previously, access to various components of advanced security subscriptions required direct internet connectivity, so users whose internet traffic is handled by an explicit proxy server could not make full use of their advanced cloud services, which could leave them vulnerable to certain security threats. When Explicit Proxy Support for Advanced Services is enabled, the firewall initiates and completes the proxy handshake and authentication procedures to establish a connection to the specified proxy server, which then forwards the traffic to the Palo Alto Networks Advanced cloud service servers.
For more information about enabling explicit proxy support for advanced services, refer to the configuration documentation for enabling the specific advanced subscription service.