Create HTTP Header Insertion Entries using Predefined Types

You can create HTTP Header Insertion rules based on types that are predefined by Palo Alto Networks® for popular SaaS applications.
  1. If there are no upstream devices already decrypting HTTPS traffic, configure Decryption using Configure SSL Forward Proxy.
    If you are configuring SSL decryption for Dropbox, then you must also configure your Dropbox clients to allow SSL traffic. These procedures are specific and private to Dropbox — to obtain these procedures, contact your Dropbox account representative.
    1. Add a Custom URL Category for the SaaS application you are managing (ObjectsCustom ObjectsURL Category).
    2. Specify a Name for the category.
    3. Add the domains specific to the SaaS application you are managing. See Domains used by the Predefined SaaS Application Types for a list of the domains that you use for each of the predefined SaaS applications.
    4. Create a Decryption Policy Rule and, as you follow this procedure, configure the following:
      • In the Service/URL Category tab, Add the URL Category that you created in the previous step.
      • In the Options tab, make sure the Action is set to Decrypt and that the Type is set to SSL Forward Proxy.
  2. Edit or add a URL filtering profile.
  3. Select HTTP Header Insertion in the URL Filtering Profile dialog.
  4. Add an entry.
    1. Specify a Name for this entry.
    2. Select a predefined application Type.
      This populates the Domains and Headers lists.
    3. For each Header, enter a Value.
    4. (Optional) Select Log to enable logging of insertion activity for the headers.
    5. Click OK to save your changes.
  5. Add or edit a Security Policy rule (PoliciesSecurity) that allows users to access the SaaS application for which you are configuring this header insertion rule.
    1. Choose the URL filtering profile (ActionsURL Filtering) that you edited or created in Step 2.
    2. Click OK to save and then Commit your changes.
  6. Verify that access to the SaaS application is working in the way you expect. From an endpoint:
    1. Try to access an account or content that you expect to be able to access. If you cannot access the SaaS account or content, then the configuration is not working.
    2. Try to access an account or content that you expect will be blocked. If you can access the SaaS account or content, then the configuration is not working.
    3. If both of the previous steps work as expected, then you can View Logs (if you configured logging in step 4.4) and you should see the recorded HTTP header insertion activity.

Related Documentation