Web Security: Security Settings (Cloud Management)

Learn how Security Settings work.
You may customize your own security settings for protection from specific threats and vulnerabilities. Unless explicitly disabled, security settings apply globally to all allowed web traffic. This means there’s no need to apply security settings to individual policies.
To go to the Web Security
Security Settings
screen, select
Web Security
Security Settings

Threat Management

Automatically inspect and prevent threats at multiple attack vectors.
Vulnerability Protection
Detect system flaws that attackers can exploit.
Protect against never-before-seen, file-based threats.
Remote Browser Isolation Setting
Configure the required settings for each Remote Browser Isolation (RBI) vendor. Then, select the vendor you want to enable for RBI. Here’s how it works.
Country Block Setting
Add regions you want to block for each Source and Destination. You can editing predefined external dynamic lists, for example, to allow specific domains or URLs within a blocked region when necessary. To do this, go to
External Dynamic Lists
and make the appropriate changes.
Credential Theft Prevention
Stop phishing sites from stealing your users’ corporate credentials.
Detect command-and-control (C2) activity
Detect command-and-control (C2) activity.
Malware Protection
Prevent viruses from entering your network.
Application Exceptions
Exclude these applications from threat inspection.
Inline Machine Learning Options
Enable the following inline machine learning options to analyze and manage URL exceptions in real-time:
  • Advanced URL inline Categorization
  • Command-and-Control Inline Cloud Analysis

DNS Security

Analyze DNS requests in real-time, to protect against malware using DNS for C2 and data theft.
Domain Categories
Specify the DNS action for each threat category.
DNS Sinkhole Settings
Specify IPv4 and IPv6 sinkhole addresses for endpoints.


Stop hidden threats by getting visibility into encrypted traffic.
Global Decryption Exclusions
Bypass certain URL categories and add custom exclusions from SSL decryption.
Handshake Settings
Specify the lowest and highest supported versions of SSL and TLS to be used for SSL connections. Also, specify algorithms to be used for key exchange, encryption, and authentication.
Logging Options
Choose whether to log successful and unsuccessful TLS Handshakes.
Certificate Settings
Export your RSA and ECDSA certificates.
Actions Options
Choose to allow or block the sessions when decryption fails or other conditions are met.
Choose to allow the following to by default global decryption:
  • Mobile Users
  • Explicit Proxy
  • Remote Networks

File Control

Take action when certain types of files enter your network.
File Types
Block or allow uploads or downloads of certain file types, or choose to be alerted when certain file types are uploaded or downloaded. Actions available uploads and downloads are:
  • Block all file types
  • Allow all file types
  • Best practice
  • Custom
File Control Profiles
Create and manage custom file control profiles that you can use in your web access policies.

Data Loss Prevention

Enforce your organization’s data security standards and stop the loss of sensitive data across mobile users and remote networks.
Data Profiles
Add and search data profiles.
DLP Rules
Add and search DLP rules.
Detection Methods
  • Data Patterns
  • Exact Data Matching
  • Optical Character Recognition
  • Search data patterns.
  • Leverage advanced detection technology that uses exact data values for detection.
  • Enable scanning of files with images.
Configure the way sensitive data such as credit card numbers are stored and reported. Configure the web page displayed to your users when content has been matched and blocked from a data filtering profile. Customize the settings for end user alerts.
  • DLP Incidents
Enforce your organization’s data security standards and stop the loss of sensitive data across mobile users and remote networks.

SaaS Security

Manage your organization’s shadow IT risks, secure SaaS applications from cloud threats, and ensure compliance across all SaaS applications.
Discovered Applications
See an inventory of discovered applications.
Discovered Users
See an inventory of discovered users.
Application Dictionary
See an inventory of applications SaaS Security supports.
Policy Recommendations
See policy recommendations from SaaS Risk Assessment to be incorporated into Prisma Access security policy.
Configure applications risk score weights and directory services. Also, view admin audit logs, license info, and more.
  • SaaS Security Console
Open the SaaS Security Console.

SaaS Tenant Restrictions

Centrally manage your SaaS applications for each SaaS app listed here, you’ll find features you can use to safely enable the app for your enterprise.
Microsoft 365
Enable Microsoft 365 for enterprise accounts only.
Google Apps
Enable Google apps for enterprise accounts only.
Enable Dropbox for enterprise accounts only.
Enforce Safe Search for YouTube.

Recommended For You