For certain discovered applications, SaaS Security Inline can
submit policy recommendations at the tenant
level. For a subset of these applications, we now support even greater
granularity through session tracking. We introduced session tracking to enable SaaS
Security Inline to create policy recommendations for individual user accounts on an
application tenant. This capability enables you to allow some application traffic
for a tenant, while blocking traffic from specific user accounts on that tenant. For
example, for a trusted vendor, you might allow traffic only for your organization's
accounts for a particular application, while blocking traffic for the vendor's
accounts or personal accounts for the application.
Session tracking is available only if your license includes SaaS Security Inline, and
you must explicitly enable session tracking in PAN-OS.
After you enable session tracking, PAN-OS logs additional user and tenant information
to Strata Logging Service. This feature also introduces new custom object types
(SaaS Users and SaaS Tenants) for identifying user accounts and tenants in a policy
rule.
Within 24 hours after the session tracking information is available in Strata Logging
Service, SaaS Security Inline can detect the individual user accounts for the
supported applications. SaaS Security Inline administrators can then submit policy
recommendations that affect only certain user accounts for these applications. When
you import the policy recommendation on the firewall, PAN-OS creates the policy rule
for the recommendation, including the custom SaaS Users and SaaS Tenants objects.
These custom objects are referenced by the policy rule. For information on the
applications that we support for session tracking, refer to the information about
creating SaaS policy rule recommendations
in the SaaS Inline documentation.
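The allow-the-tenant-but-block-specific-accounts pattern described above depends on where the imported rule lands in the rulebase, because PAN-OS security policy is evaluated top down with the first matching rule winning. The following Python model is an added illustration, not PAN-OS or SaaS Security Inline code: it treats a SaaS Tenants object as a set of tenant names and a SaaS Users object as a set of account identifiers (the "@domain" wildcard entry, the app, tenant and account names, and the default rule name are all constructed assumptions), evaluates constructed flows against two rule orderings, and reports rules that never match so an administrator can spot a shadowed rule after importing a recommendation.

```python
"""Hypothetical first-match evaluator for tenant- and user-account-level SaaS rules.

Constructed for illustration only; this is not PAN-OS code, and the object
syntax (set membership, "@domain" wildcard) is an assumption. First-match,
top-down evaluation mirrors how PAN-OS security policy is processed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SaaSFlow:
    app: str
    tenant: str   # application tenant seen via session tracking
    user: str     # user account seen via session tracking, e.g. "alice@example.com"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    app: str
    tenants: frozenset = frozenset()  # models a SaaS Tenants object; empty = any tenant
    users: frozenset = frozenset()    # models a SaaS Users object; empty = any account

    def _user_matches(self, user: str) -> bool:
        if not self.users:
            return True
        domain = user.rsplit("@", 1)[-1]
        # An "@example.com" entry matches every account in that domain (assumed syntax).
        return user in self.users or f"@{domain}" in self.users

    def matches(self, flow: SaaSFlow) -> bool:
        return (
            self.app == flow.app
            and (not self.tenants or flow.tenant in self.tenants)
            and self._user_matches(flow.user)
        )


def evaluate(rules, flow, default="deny"):
    """Return (action, rule_name) for the first matching rule, else the default action."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return default, "interzone-default"   # placeholder name for the implicit default


def shadowed(rules, flows):
    """Names of rules that never win for any given flow: a likely ordering mistake."""
    winners = {evaluate(rules, f)[1] for f in flows}
    return [r.name for r in rules if r.name not in winners]


# Constructed sample traffic: one vendor tenant of a file-sharing app, mixed accounts.
FLOWS = [
    SaaSFlow("fileshare-app", "acme-vendor", "alice@example.com"),    # our org's account
    SaaSFlow("fileshare-app", "acme-vendor", "bob@acme-vendor.com"),  # vendor's own account
    SaaSFlow("fileshare-app", "acme-vendor", "carol@gmail.com"),      # personal account
    SaaSFlow("fileshare-app", "other-tenant", "alice@example.com"),   # unsanctioned tenant
]

ORG_USERS = frozenset({"@example.com"})       # hypothetical SaaS Users object
VENDOR_TENANT = frozenset({"acme-vendor"})    # hypothetical SaaS Tenants object

# Correct order: the narrow allow for org accounts sits above the tenant-wide deny,
# so vendor and personal accounts on the same tenant fall through to the deny.
GOOD_RULES = [
    Rule("allow-org-accounts-on-vendor", "allow", "fileshare-app", VENDOR_TENANT, ORG_USERS),
    Rule("deny-other-accounts-on-vendor", "deny", "fileshare-app", VENDOR_TENANT),
]

# Wrong order: the tenant-wide deny is evaluated first and shadows the allow.
BAD_RULES = list(reversed(GOOD_RULES))


if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        for flow in FLOWS:
            print(label, flow.user, flow.tenant, "->", evaluate(rules, flow))
        print(label, "shadowed:", shadowed(rules, FLOWS))
```

Running the block shows the organization's account allowed and the vendor and personal accounts denied under the correct ordering, while the reversed rulebase denies everything on that tenant and reports the allow rule as shadowed; the same check is worth running against the real rulebase after importing a user-account-level recommendation.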
Because SaaS Security Inline is the only consumer of the session tracking
information, and because you might not need to block traffic at the granularity of
user accounts, session tracking is disabled by default. You can enable session
tracking from the ACE settings page.