Use this workflow to onboard SaaS Security Inline.
With PAN‑OS 10.1 or later, SaaS Security Inline
protects against cloud‑based threats by blocking traffic for unsanctioned
SaaS apps and risky user activity using Security policy. Use the
following workflow if you want to use all the features of SaaS Security
Inline, including App-ID Cloud Engine (ACE),
policy rule recommendations, and SaaS visibility. If you only want
SaaS visibility, use the SaaS Security Inline for SaaS Visibility workflow instead.
Security is a team effort. The following workflow is designed to
facilitate collaboration between you and your firewall administrator.
Follow the tasks below in the order that they are listed.
Because SaaS Security Inline is tightly
integrated with your firewalls, you and your firewall administrator
will perform a few handoffs throughout the activation process.
Start the ACE deployment
on your unmanaged firewalls or use Panorama to deploy ACE on managed
firewalls. (Firewall administrator)
Security Inline on the Hub to push the SaaS Security Inline license
to your firewall(s). (SaaS administrator)
Complete the ACE deployment
on your firewalls. (Firewall administrator)
2: System configuration
settings on SaaS Security, including language and time zone, if
you haven’t already. (SaaS administrator)
Azure Active Directory so that SaaS Inline can identify your AD
groups. (SaaS administrator)
to manage Security policy. (SaaS administrator)
3: Security policy configuration
guidelines for effective collaboration and rulebase management.
(SaaS administrator and Firewall administrator)
Verify log forwarding on
As part of your ACE deployment, you enabled log forwarding. The SaaS
Security web interface cannot display SaaS application visibility data
and might not be able to enforce policy rule recommendations without
Author and submit SaaS policy rule recommendations to your
firewall administrator, after adhering to prerequisites. (SaaS administrator)