Web Security: Security Settings (Cloud Management)

You may customize your own security settings for additional protection from threats, vulnerabilities, and data leaks. Unless explicitly disabled, security settings apply globally to all allowed web traffic. This means there’s no need to apply security settings to individual policies.
To go to the Web Security
Security Settings
screen, select
Web Security
Security Settings

Threat Management

Automatically inspect and prevent threats at multiple attack vectors.
Vulnerability Protection
Detect system flaws that attackers can exploit.
Protect against never-before-seen, file-based threats.
Remote Browser Isolation Setting
Configure the required settings for each Remote Browser Isolation (RBI) vendor. Then, select the vendor you want to enable for RBI. Here’s how it works.
Country Block Setting
Add regions you want to block for each Source and Destination. You can editing predefined external dynamic lists, for example, to allow specific domains or URLs within a blocked region when necessary. To do this, go to
External Dynamic Lists
and make the appropriate changes.
Credential Theft Prevention
Stop phishing sites from stealing your users’ corporate credentials.
Detect command-and-control (C2) activity
Detect command-and-control (C2) activity.
Malware Protection
Prevent viruses from entering your network.
Application Exceptions
Exclude these applications from threat inspection.

DNS Security

Analyze DNS requests in real-time, to protect against malware using DNS for C2 and data theft.
Domain Categories
Specify the DNS action for each threat category.
DNS Sinkhole Settings
Specify IPv4 and IPv6 sinkhole addresses for endpoints.


Stop hidden threats by getting visibility into encrypted traffic.
Global Decryption Exclusions
Bypass certain URL categories and add custom exclusions from SSL decryption.
Handshake Settings
Specify the lowest and highest supported versions of SSL and TLS to be used for SSL connections. Also, specify algorithms to be used for key exchange, encryption, and authentication.
Logging Options
Choose whether to log successful and unsuccessful TLS Handshakes.
Certificate Settings
Export your RSA and ECDSA certificates.
Actions Options
Choose to allow or block the sessions when decryption fails or other conditions are met.

File Control

Block unapproved files types from entering your network.
File Types
Choose to allow, block, or be alerted when certain file types are uploaded or downloaded.

Data Loss Prevention

Enforce your organization’s data security standards and stop the loss of sensitive data across mobile users and remote networks.
Data Profiles
Add and search data profiles.
DLP Rules
Add and search DLP rules.
Detection Methods
  • Data Patterns
  • Exact Data Matching
  • Optical Character Recognition
  • Search data patterns.
  • Leverage advanced detection technology that uses exact data values for detection.
  • Enable scanning of files with images.
Configure the way sensitive data such as credit card numbers are stored and reported.Configure the web page displayed to your users when content has been matched and blocked from a data filtering profile. Customize the settings for end user alerts.
  • DLP Incidents
Enforce your organization’s data security standards and stop the loss of sensitive data across mobile users and remote networks.

SaaS Security

Manage your organization’s shadow IT risks, secure SaaS applications from cloud threats, and ensure compliance across all SaaS applications.
Discovered Applications
See an inventory of discovered applications.
Discovered Users
See an inventory of discovered users.
Application Dictionary
See an inventory of applications SaaS Security supports.
Policy Recommendations
See policy recommendations from SaaS Risk Assessment to be incorporated into Prisma Access security policy.
Configure applications risk score weights and directory services. Also, view admin audit logs, license info, and more.
  • SaaS Security Console
Open the SaaS Security Console.

SaaS Tenant Restrictions

Centrally manage your SaaS applications for each SaaS app listed here, you’ll find features you can use to safely enable the app for your enterprise.
Microsoft 365
Enable Microsoft 365 for enterprise accounts only.
Google Apps
Enable Google apps for enterprise accounts only.
Enable Dropbox for enterprise accounts only.
Enforce Safe Search for YouTube.

Recommended For You