Use HTTP Headers to Manage SaaS Application Access
Use Palo Alto Networks® firewall URL profiles to insert
custom headers into HTTP requests so that you can control access
to differing versions of web applications.
Unsanctioned usage of SaaS applications can be a way
for your users to transmit sensitive information outside of your
network, usually by accessing a consumer version of an application.
However, if you need to allow access to the enterprise version of
these applications for specific individuals or organizations, then
you can't block the SaaS application entirely.
You can use custom HTTP headers to disallow SaaS consumer accounts
while allowing a specific enterprise account. Many SaaS applications
allow or disallow access to applications based on information contained
in specific HTTP headers. You can Create
HTTP Header Insertion Entries using Predefined Types to manage
access to popular SaaS applications, such as Google G Suite and
Microsoft Office 365. Palo Alto Networks® uses content updates to
maintain predefined rule sets specific to these applications, as
well as to add new predefined rule sets.
You can also Create
Custom HTTP Header Insertion Entries if you want to manage
access to a SaaS application—that uses HTTP headers to limit service access—for
which Palo Alto Networks has not provided a predefined set of rules.
Be aware that commercial SaaS applications always use SSL so
decryption is necessary to perform HTTP header insertion. You can
configure the firewall to decrypt traffic using SSL Forward Proxy
decryption if traffic is not already decrypted by an upstream firewall.
You don't need a URL Filtering license to use this feature.
To understand how to use HTTP headers to manage SaaS applications,
see the following: