>
    Strata Copilot
    New Features Introduced in February 2025
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Features Introduced in 2025
    4. New Features Introduced in February 2025
    Download PDF
    SaaS Security

    New Features Introduced in February 2025

    Table of Contents

    New Features Introduced in February 2025

    Learn about the new features that became available in SaaS Security in February 2025.

    Simplified Security Policy Recommendations for SaaS Security Inline

    The Simplified Security Policy Recommendations for SaaS Security Inline enhances your ability to manage and enforce SaaS app Security policy rules efficiently for NGFW and Prisma Access managed by Strata Cloud Manager. You can now create, manage, and enforce SaaS Security Inline policy rules using the predefined SAAS-Inline-Pol-Recommendations snippet to enforce consistent SaaS app security.
    Alternatively, you can now create an Internet Access rule instead of going through the typical SaaS Security Inline policy rule recommendation workflow. As a SaaS Security administrator, creating an Internet Access rule allows you to gain full control over policy rule enforcement and rule ordering. The unified policy framework simplifies your policy rule creation experience, allowing you to enforce consistent SaaS app security regardless of the enforcement point, eliminate policy implementation delay, and reduce the risk of misconfigurations. This streamlined workflow enables you to fully utilize the SaaS Security Inline capabilities, achieving a stronger security posture for your SaaS environment. Simplified Security Policy Recommendations for SaaS Security Inline allows you to more effectively secure your SaaS apps, reduce administrative overhead, and gain clearer visibility into your SaaS Security posture. The Simplified Security Policy Recommendations for SaaS Security Inline is valuable if you manage complex SaaS environments, require granular control over Security policy rules , or need to rapidly respond to evolving security requirements in your cloud infrastructure.

    User Session Tracking for SaaS Security Inline

    For certain discovered applications, SaaS Security Inline can submit policy recommendations at the tenant level. For a subset of these applications, we now support even greater granularity through session tracking. We introduced session tracking to enable SaaS Security Inline to create policy recommendations for individual user accounts on an application tenant. This capability enables you to allow some application traffic for a tenant, while blocking traffic from specific user accounts on that tenant. For example, for a trusted vendor, you might allow traffic only for your organization's accounts for a particular application, while blocking traffic for the vendor's accounts or personal accounts for the application.
    Session tracking is available only if your license includes SaaS Security Inline, and you must explicitly enable session tracking in PAN-OS.
    After you enable session tracking, PAN-OS logs additional user and tenant information to Strata Logging Service. This feature also introduces new custom objects types (SaaS Users and SaaS Tenants) for identifying user accounts and tenants in a policy rule.
    Within 24 hours after the session tracking information is available in Strata Logging Service, SaaS Security Inline can detect the individual user accounts for the supported applications. SaaS Security Inline administrators can then submit policy recommendations that affect only certain user accounts for these applications. When you import the policy recommendation on the firewall, PAN-OS creates the policy rule for the recommendation, including the custom SaaS Users and SaaS Tenant objects. These custom objects are referenced by the policy rule. For information on the applications that we support for session tracking, refer to the information about creating SaaS policy rule recommendations in the SaaS Inline documentation.
    Because SaaS Security Inline is the only consumer of the session tracking information, and because you might not need to block traffic at the granularity of user accounts, session tracking is disabled by default. You can enable session tracking from the ACE settings page (DEVICESetupACE).

    © 2025 Palo Alto Networks, Inc. All rights reserved.