Activate SaaS Security Inline for Prisma Access

Learn how to activate SaaS Security Inline on Prisma Access.
To unlock the SaaS Security Inline capabilities, simply activate SaaS Security Inline from the activation email that you received. After activation, you can log in to your SaaS Security Inline tenant to explore SaaS visibility data.
SaaS Security Inline offers capabilities such as SaaS visibility, SaaS policy rule recommendations, and ACE (App-ID Cloud Engine); however, SaaS Security Inline for Prisma Access does not support policy synchronization at this time.
SaaS Security Inline activation:
  • Creates a URL for SaaS Security Inline login.
  • Pushes the SaaS Security Inline license to the Prisma Access tenants that you select. Panorama does not require a license.
  • Enables a secure and encrypted connection and successful, mutual authentication between SaaS Security Inline, Prisma Access, Panorama, and CDL (Cortex Data Lake).
Before you activate:
  • Ensure that your environment meets all the activation requirements for the SaaS Security Inline features you want to enable. (
    SaaS administrator
    SaaS Visibility
    ACE and Policy Synchronization
    One new or existing Cortex Data Lake (CDL) license per SaaS tenant.
    SaaS policy rule recommendations are supported, but policy synchronization is not supported currently.
    Same Support Account (CSP ID) for SaaS tenant, CDL, Enterprise DLP, and Prisma Access tenants.
    One SaaS Security Inline license per CSP ID.
    SaaS Security Inline requires network traffic data for analysis. Prisma Access automatically forwards logs with that data to CDL. Your SaaS Security Inline subscription requires that you have an active CDL instance, which stores the data logs from Prisma Access.
The example activation below is for a new Prisma Access deployment. Adding a SaaS Security Inline license to an existing Prisma Access deployment is similar, but not identical. Use this example as a guide.
  1. Open your SaaS Security Inline activation email and click
    The number of Activate buttons in the email you received depends on what you purchased. Each Activate button launches the same onboarding workflow that lets you activate all your purchased products together. Click any
    button to begin. Additionally, your activation email depends on the type of activation: purchase, trial, or evaluation.
  2. Log in with your Palo Alto Networks Customer Support Portal account credentials.
  3. Select the products to activate, then
    Start Activation
    If you have multiple items to activate, leave them all selected when you
    Start Activation
  4. Select a
    Customer Support Account
    , then
    If you have more than one Support account, select the one associated with the Prisma Access tenant to subscribe to SaaS Security Inline.
  5. Choose how to manage Prisma Access, then
    • Cloud-Based Management Console
      —Use the Prisma Access app on the Palo Alto Networks hub to quickly onboard branches and mobile users.
    • Panorama
      —Use the Cloud Services plugin on Panorama to set up and manage Prisma Access. If new Panorama,
      Register New Panorama
  6. In
    Finalize Selections
    , configure SaaS Security Inline.
    • Cortex Data Lake Selection
      Region Selection
      —You must have an active CDL or activate a new one now. Do one of the following:
      • New CDL
        Activate New
        if you are activating a new data lake subscription, then choose its region.
      • Existing CDL
        —Select an existing data lake instance to use if you did not purchase a new CDL. If you have more than one Cortex Data Lake instance, choose the one to which Prisma Access will forward logs with network traffic metadata.
    • SaaS Tenant
      SaaS Region
      , and
      SaaS Subdomain
      —Do one of the following:
      • New Tenant
        Activate New
        to create a new SaaS Security Inline tenant, then type a subdomain name, which completes the URL for your SaaS Security Inline app and becomes the URL where you log in to the SaaS Security web interface.
        SaaS Subdomain
        is prepopulated with the domain name from your email address, but you can change it if you want.
      • Existing Tenant
        —Select an existing tenant if you did not purchase a new CDL or you don’t want to activate a newly purchased CDL. Each SaaS tenant requires a unique CDL. You cannot reuse CDLs. The onboarding process enforces this requirement and automatically populates
        SaaS Tenant
        with the SaaS tenant that is mapped to the existing CDL.
        SaaS Region
        defaults to CDL region.
  7. Verify your activation selections, read and agree to the terms and conditions, then
    Confirm Selections
    Depending upon what you onboard, the activation process creates a URL for your SaaS Security web interface and applies SaaS Security Inline licenses to the selected Prisma Access tenant and links them to your SaaS Security account.
  8. Verify that your CDL serial number displays on SaaS Security web interface and indicates

Recommended For You