SaaS Visibility and Controls for NGFW

Use this workflow to onboard both SaaS visibility and policy enforcement on SaaS Security Inline on NGFW.
With PAN‑OS 10.1 or later, SaaS Security Inline protects against cloud‑based threats by blocking traffic for unsanctioned SaaS apps and risky user activity using Security policy. Use the following workflow if you want to use all the features of SaaS Security Inline, including App-ID Cloud Engine (ACE), SaaS policy rule recommendations, and SaaS visibility. If you only want SaaS visibility, use the SaaS Visibility for NGFW workflow instead.
SaaS security is a team effort. The following workflow is designed to facilitate collaboration between you and your firewall administrator. Follow the tasks below in the order that they are listed.
Step 1: Activation
Because SaaS Security Inline is tightly integrated with your firewalls, you and your firewall administrator will perform a few handoffs throughout the activation process.
  • Learn about App-ID Cloud Engine (ACE) and SaaS Security Inline. (SaaS administrator and Firewall administrator)
  • Start the ACE deployment on your unmanaged firewalls or use Panorama to deploy ACE on managed firewalls. (Firewall administrator)
  • Activate SaaS Security Inline on the Hub to push the SaaS Security Inline license to your firewall(s). (SaaS administrator)
  • Complete the ACE deployment on your firewalls. (Firewall administrator)
Step 2: System configuration
  • Configure basic settings on SaaS Security, including language and time zone, if you haven’t already (SaaS administrator)
  • Integrate with Azure Active Directory so that SaaS Inline can identify your AD groups. (SaaS administrator)
  • Add administrators to manage Security policy. (SaaS administrator)
Step 3: Security policy configuration
  • Review the guidelines for effective collaboration and rulebase management. (SaaS administrator and Firewall administrator)
  • Verify log forwarding on
    firewalls. (Firewall administrator)
    As part of your ACE deployment, you enabled log forwarding. The SaaS Security web interface cannot display SaaS application visibility data and might not be able to enforce policy rule recommendations without logs for
  • Author and submit SaaS policy rule recommendations to your firewall administrator, after adhering to prerequisites. (SaaS administrator)
  • Import new SaaS rule recommendations. (Firewall administrator)
Step 4: Security policy maintenance
  • Continuously monitor the SaaS policy rule recommendations to ensure they’re in sync. (SaaS administrator)
  • Continuously monitor the SaaS policy rule recommendations for changes. (Firewall administrator)
    • For updates, reimport changes to active SaaS policy rule recommendations.
    • For deletions, remove recommendation mapping, then delete the policy rule.
  • Use Policy Optimizer to determine when and how many times traffic matches the Security policy rule to determine its effectiveness. (Firewall administrator)

Recommended For You