Understand SaaS Custom Headers

Understand the custom HTTP headers you will use before you create HTTP Header Insertion Rules for your Palo Alto Networks® firewall.
Before you begin, make sure you understand the custom HTTP headers you will use with the SaaS application you are managing. You need to understand what you can accomplish with these headers and the information you need to specify to accomplish your goals.
Be aware that SaaS applications that use custom headers do not always use them to control access to types of accounts. For example, Palo Alto Networks® provides predefined support for YouTube custom headers that determine whether network users can access restricted content.
You should also read the documentation specific to the SaaS application to which you want to control access so that you understand the headers you need to use for that application.
The following table lists the headers that you can use for the SaaS applications for which Palo Alto Networks provides predefined support; each header also includes a link to more information specific to that header.
Application
Headers
For More Information
Dropbox
X-Dropbox-allowed-Team-Ids
You can allow access to sanctioned Enterprise Dropbox accounts. This header's value is the business account's team ID, which you can obtain from the network control section of the Dropbox admin console. You must also enable this functionality from the same location.
For details on managing this header, as well as how to enable your Dropbox clients so that you can decrypt their traffic, contact your Dropbox account representative.
Google G Suite
X-GooGApps-Allowed-Domains
You can allow access to specific Google accounts from your domain. The values that you give to this header are your domain and subdomains.
Microsoft Office 365
Restrict-Access-To-Tenants
Restrict-Access-Context
You provide Restrict-Access-To-Tenants with a list of tenants you want to allow your users to access. You can use any domain that is registered with a tenant to identify the tenant in this list.
You provide Restrict-Access-Context with the directory ID that is setting the tenant restriction. You can find your directory ID in the Azure portal. Sign in as an administrator, select Azure Active Directory, then select Properties.
YouTube
YouTube-Restrict
You provide this header with information on the type of videos you want your users to be able to view. You can specify either a Strict or Moderate setting. See support.google.com/a/answer/6212415 for details on these different settings.

Related Documentation