Focus

Prisma Access

Private App Security Visibility and Logging

Table of Contents

Filter

Expand All | Collapse All

Prisma Access Docs

Release Notes
Select a Document
- 6.1 Preferred and Innovation
- 6.0 Preferred and Innovation
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
Activation & Onboarding
Administration
Select a Document
- 4.0 & Later
- Prisma Access China
Integrations
Incidents & Alerts

Configure Private App Security Policies

Prisma Access Mobile Users

Private App Security Visibility and Logging

Monitor and filter Private App Security data

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama)	Prisma Access license Minimum dataplane PAN-OS 11.2.7 or later Private App Security add-on license

Private App Security admins have many ways to monitor and filter the data depending on the particular use case:

The Apps Security page in the Strata Cloud Manager Command Center offers a comprehensive overview of Private App Security detections. This includes insights into the sources of private application traffic and a ranking of the top applications by the number of attacks. The page also emphasizes high-priority policies that require administrative action. For instance, Previewed policies with a high hit count may indicate detected but unblocked attacks due to their current policy status.
Policy in Action pages offer a policy-centric view of Private App Security detections, crucial for administrators to assess if a policy's impact aligns with expectations or requires further refinement. They also present a sorted list of rules with the highest number of hits, organized by policy.
The App Security dashboard offers an app-centric view of all App Security detections. Administrators can use these pages to quickly identify which applications are experiencing the most attacks and to filter data for an app-specific view.

App Security in Command Center

The Command CenterApps Security page provides an overview of the private app security detections, allowing admins to easily understand the status of their environment (for example, they can view which applications are targeted the most, attacks on the rise) and the key areas that require action (for example, newly discovered apps that have no App Security, recommended policies accounting for the most anomalies).

As well as the overall visibility in Private App Security, admins can start important app security workflows from the Command Center page. For instance:

Discovered Apps provides a list of the top applications by traffic that Private App Security is discovering. Often, these are applications that admins might not be even aware exist in their environment and have no Private App Security protection.

Remediating this risk by enabling, at a minimum, the Private App Security OWASP Best Practices policy for these apps is very straightforward. The View All link redirects the admin to the app Discovery page, where the applications could be defined and added to an app group that is already associated with the OWASP Best Practices policies.
Previewed Policies provides a list of the top App Sec policies in Preview state, sorted by the number of hits in the selected time interval. A policy in Preview state only detects requests matching the described criteria, but eventual attacks still go through because the policy is not enforced. This is why highlighting Previewed Policies with the highest number of hits gives the admin an idea of where to focus their attention.

Admins can review the impact of previewed policies by clicking on the policy count number. This redirects the admin to the Policy in Action screen, where each policy has a detailed report, including the list of affected applications, impacted sources, ego distribution, and so on. From here the admin can decide if the policy can be enforced or it needs further tuning to obtain a different outcome.

Policy in Action

From the Policy in Action page (ConfigurationApplication ServicesApp SecurityRecommendedPreviewedEnforced tabs), admins can define different policy types and assign them different priorities. There are many scenarios where admins may need to evaluate the impact of such policies: for instance, the admin needs to impose some new app controls but is unsure if the crafted policy has any unintended effects, such as blocking the wrong users or impacting other apps. The admin can set the policy status to Preview, and inspect the eventual outcome of that policy without any impact to the current traffic.

For each policy state, the page has three different tabs listing the Recommended, Previewed, and Enforced policies sorted by the number of hits within the selected time interval. For instance, for the Previewed policies, the selection is set on the top policy by number of hits and the admin can observe:

Creation Date—Time the policy was authored.
Late update—Time the policy was last changed.
Impacted users—Sources of policy hits in the selected time interval.
Impacted apps—Targeted apps for the policy hits in the selected time interval.
Map—Geographic distribution of the impacted users.
Alerted requests—Represent the actual app requests that were matched against this policy. The admin can click on the View details of one of the requests and see all the critical request fields, including IP, headers, and request method.

For all three tabs corresponding to policy status:

If the admin observers an unintended outcome, the admin can choose to edit the policy further.

If the admin considers that the observed policy impact is the expected one, he can make a data-driven decision and enforce the policy with one click directly in the policy page.
If the admin observers an unintended outcome, the admin can choose to edit the policy further.

App Security Dashboard

Very often, admins require an app-centric view to understand which apps are heavily used in the enterprise and experiencing the most attack attempts, or which apps have the lowest usage but the highest number of attacks detected.

The InsightsApplication Security dashboard provides a holistic view of all applications that are experiencing traffic in the selected time interval. In the following image, each dot represents an app, with the X axis position given by the amount of traffic each app generated, and the Y axis position driven by the number of policy hits encountered (counting the requests targeting the particular app).

The drag-and-drop function in the top graph can easily select the type of apps that the admin intends to analyze (for example, apps with low traffic and many attacks):

After the admin sets the context, they get a detailed view of:

The traffic variation in time destined for the selected application
Policy hits split by policy status
Outstanding policy recommendations for the selected apps
The policies associated with the selected apps that got any hits in the selected interval
Sources of the policy hits along with direct links to the actual Private App Security log

If the admin requires a very app specific view (for example, they intend to evaluate the attacks and policies attempted against a critical app in the enterprise), a similar App Specific dashboard is available when the admin clicks on any application name.

Configure Private App Security Policies

Prisma Access Mobile Users

Prisma Access Docs

Private App Security Visibility and Logging

Prisma Access Docs

Private App Security Visibility and Logging

App Security in Command Center

Policy in Action

App Security Dashboard

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner