Activate SaaS Security Inline for Prisma Access

Table of Contents

Activate SaaS Security Inline for VM-Series Firewalls with Software NGFW Credits

Activate SaaS Security Posture Management

Learn how to activate SaaS Security Inline on Prisma Access (Managed by Panorama or Strata Cloud Manager).

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Panorama or Strata Cloud Manager)	SaaS Security Inline license Prisma Access license Or any of the following licenses that include the SaaS Security Inline license: CASB-X CASB-PA

To unlock the SaaS Security Inline capabilities—SaaS visibility, SaaS policy rule recommendations, and ACE (App-ID Cloud Engine), simply activate SaaS Security Inline from the activation email that you received. After activation, you can log in to your SaaS Security Inline tenant to explore SaaS visibility data.

If you're enabling SaaS Security Inline for Next-Generation CASB, activate in SASE Cloud Management Console using the activation email you received.

SaaS Security Inline activation:

Creates a URL for SaaS Security Inline login.
Adds the SaaS Security Inline license to Prisma Access (Managed by Panorama or Strata Cloud Manager) so that you can unlock SaaS Security Inline features.
Enables a secure and encrypted connection and successful, mutual authentication between SaaS Security Inline, Prisma Access (Managed by Panorama or Strata Cloud Manager), and Strata Logging Service.

Before you activate:

Verify log forwarding. Because SaaS Security Inline requires network traffic data for analysis, you must enable Prisma Access to forward logs with that data to Strata Logging Service. Your SaaS Security Inline subscription requires that you also have an active Strata Logging Service instance, which stores the data logs from Prisma Access and streams them to SaaS Security Inline. Without logs, SaaS Security Inline can’t display SaaS application visibility data and might not be able to enforce SaaS policy rule recommendations. (Security administrator)
- Prisma Access (Managed by Panorama)—Enable log forwarding. Not enabled by default.
- Prisma Access (Managed by Strata Cloud Manager)—Verify log forwarding. Enabled by default.

Ensure that your environment meets all the activation requirements for the SaaS Security Inline features you want to enable for your platform. (SaaS administrator)

Requirement	Features
Requirement	SaaS Visibility	SaaS Policy Recommendations Synchronization (Policy Enforcement) and ACE
Supported Prisma Access release.	Prisma Access (Managed by Strata Cloud Manager)—Yes Prisma Access (Managed by Panorama)—Yes	Prisma Access (Managed by Strata Cloud Manager)—Yes, Prisma Access 3.0 Innovation or later (Dataplane 10.1.x or later) as outlined in Prisma Access Administrator’s Guide. The Web Security feature must be enabled on the tenant. Prisma Access (Managed by Panorama)—Yes, Prisma Access 3.0 Innovation or later (Dataplane 10.1.x or later) as outlined in Prisma Access Administrator’s Guide
One new or existing Strata Logging Service license.	Prisma Access (Managed by Strata Cloud Manager)—Yes Prisma Access (Managed by Panorama)—Yes, one per SaaS tenant
Same Customer Support Account for SaaS tenant, Strata Logging Service, Enterprise DLP, and Prisma Access tenant.	Prisma Access (Managed by Strata Cloud Manager)—Yes Prisma Access (Managed by Panorama)—Yes
One SaaS Security Inline license per Customer Support Account.	Prisma Access (Managed by Strata Cloud Manager)—Yes Prisma Access (Managed by Panorama)—Yes
Enterprise DLP license on Prisma Access and in the same Customer Support Account account as the SaaS tenant.	Prisma Access (Managed by Strata Cloud Manager)— Yes Prisma Access (Managed by Panorama)— Yes	Prisma Access (Managed by Strata Cloud Manager)—Yes Prisma Access (Managed by Panorama)—Yes

SaaS Security Inline requires network traffic data for analysis. Prisma Access automatically forwards logs with that data to Strata Logging Service. Your SaaS Security Inline subscription requires that you have an active Strata Logging Service instance, which stores the data logs from Prisma Access.

The example activation below is for a new Prisma Access (Managed by Panorama) deployment. Adding a SaaS Security Inline license to an existing Prisma Access (Managed by Panorama) deployment or Prisma Access (Managed by Strata Cloud Manager) deployment is similar, but not identical. Use this example as a guide.

Open your SaaS Security Inline activation email and click Activate.

The number of Activate buttons in the email you received depends on what you purchased. Each Activate button launches the same onboarding workflow that lets you activate all your purchased products together. Click any Activate button to begin. Additionally, your activation email depends on the type of activation: purchase, trial, or evaluation.
Log in with your Palo Alto Networks Customer Support Portal account credentials.
Select the products to activate, then Start Activation.
If you have multiple items to activate, leave them all selected when you Start Activation.
Select a Customer Support Account, then Next.
If you have more than one Support account, select the one associated with the Prisma Access tenant to subscribe to SaaS Security Inline.
Choose how to manage Prisma Access, then Next.
- Cloud-Based Management Console—Use the Prisma Access app on the Palo Alto Networks hub to quickly onboard branches and mobile users.
- Panorama—Use the Cloud Services plugin on Panorama to set up and manage Prisma Access. If new Panorama, Register New Panorama.
In Finalize Selections, configure SaaS Security Inline.
- Strata Logging Service Selection and Region Selection—You must have an active Strata Logging Service or activate a new one now. Do one of the following:
  - New Strata Logging Service—Select Activate New if you're activating a new Strata Logging Service subscription, then choose its region.
  - Existing Strata Logging Service—Select an existing instance to use if you did not purchase a new Strata Logging Service. If you have more than one Strata Logging Service instance, choose the one to which Prisma Access will forward logs with network traffic metadata.
- SaaS Tenant, SaaS Region, and SaaS Subdomain—Do one of the following:
  - New Tenant—Select Activate New to create a new SaaS Security Inline tenant, then type a subdomain name, which completes the URL for your SaaS Security Inline app and becomes the URL where you log in to the SaaS Security web interface. SaaS Subdomain is prepopulated with the domain name from your email address, but you can change it if you want.
  - Existing Tenant—Select an existing tenant if you did not purchase a new Strata Logging Service or you don’t want to activate a newly purchased Strata Logging Service. Each SaaS tenant requires a unique Strata Logging Service. You can’t reuse Strata Logging Service tenants. The onboarding process enforces this requirement and automatically populates the SaaS Tenant with the SaaS tenant who is mapped to the existing Strata Logging Service. SaaS Region defaults to Strata Logging Service region.
Verify your activation selections, read and agree to the terms and conditions, then Confirm Selections.
Depending upon what you onboard, the activation process creates a URL for your SaaS Security web interface and applies SaaS Security Inline licenses to the selected Prisma Access tenant and links them to your SaaS Security account.
Verify that your Strata Logging Service serial number displays on the web interface and indicates Monitoring.
Navigate to SettingsLicense Info, then verify your SaaS Security Inline license.

Activate SaaS Security Inline for VM-Series Firewalls with Software NGFW Credits

Activate SaaS Security Posture Management

SaaS Security Docs

Activate SaaS Security Inline for Prisma Access

SaaS Security Docs

Activate SaaS Security Inline for Prisma Access

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Visibility & Monitoring

Best Practices

Experts Corner

Technical Documentation

Company

Legal Notices