: Update Your Security Policy Rulebase for ACE App-IDs
Focus
Focus

Update Your Security Policy Rulebase for ACE App-IDs

Table of Contents

Update Your Security Policy Rulebase for ACE App-IDs

Update your Security policy rulebase after enabling App-ID Cloud Engine (ACE) to allow and block the correct app traffic.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
You have one of the following licenses at the time of renewal.
  • Prisma Access Worldwide Enterprise Mobile User license
  • Prisma Access Worldwide Enterprise Remote Branch license
Or you have an existing NGFW or Prisma Access user and are enabling one of the following licenses:
  • AI Access Security license
  • CASB-X license
  • SaaS Security Inline license
If you're an existing NGFW or Prisma Access user enabling ACE for the first time, you must explicitly add the new ACE App-IDs to your Security policy rules after you enable ACE.
If you don't explicitly add the new ACE App-IDs to your Security policy rules, the NGFW or Prisma Access tenant continues to control app traffic with the same rules that controlled apps identified by the ssl or web-browsing App-IDs before you enabled ACE. This can result in blocked access to previously allowed apps and unintentional business interruption.
Prisma Access Worldwide Enterprise Mobile User and Worldwide Enterprise Remote Branch licenses now include the SaaS Security Inline subscription by default, which also includes App-ID Cloud Engine (ACE) as part of the SaaS Security Inline subscription. SaaS Security Inline provides complete visibility and control of SaaS app usage from corporate networks and managed devices. With ACE, you gain further visibility and control into thousands of apps that previously were identified as ssl or web-browsing in Prisma Access.
For example, the NGFW or Prisma Access tenant sees an app identified as web-browsing and then receives an ACE App-ID for the traffic. However, you don't use the new ACE App-ID in a Security policy rule. In this case the NGFW or Prisma Access tenant still controls that traffic using the Security policy rule that controls web-browsing traffic — if you allow web-browsing traffic, the traffic is allowed. Conversely, this might also result in an app you allow to be unintentionally blocked.
You need to modify the App-IDs in your policy rules if:
  • Your NGFW are running PAN-OS 10.1 or later release or your Prisma Access tenants are running Prisma Access 3.0 Innovation or later release (PAN-OS 10.1 or later dataplane version) at the time of renewal.
  • You use Application Filters in any Security policy rule configured on Panorama or Strata Cloud Manager deny or block traffic to any app.
  • You use Application Filters in any Security policy rule configured on Panorama or Strata Cloud Manager to allow traffic for ssl or web-browsing App-IDs for any users.

Update Your Policy Rulebase for ACE App-IDs on Strata Cloud Manager

Update your Security policy rulebase after enabling App-ID Cloud Engine (ACE) to allow and block the correct app traffic for NGFW and Prisma Access(Managed by Strata Cloud Manager).
  1. Activate SaaS Security Inline for Prisma Access.
    ACE automatically activates for your Prisma Access tenant after you successfully activate SaaS Security Inline.
  2. Log in to Strata Cloud Manager.
  3. Verify that SaaS Security Inline is activated on your Prisma Access tenant.
    You can check for an activate SaaS Security Inline using one of the following ways:
    • Hub
      The Hub now displays a Data Security tile redirecting you to SaaS Security Inline.
    • NGFW or Prisma Access (Managed by Strata Cloud Manager)
      On Strata Cloud Manager, the SaaS Security app is now available under ManageConfigurationSaaS Security.
  4. Select ManageConfigurationNGFW and Prisma Access and change the Configuration Scope as needed.
  5. Select ObjectsApplicationsApplication Filter and create an application filter that includes the App-ID Cloud Engine tag.
    An application filter allows you to dynamically group apps based on specific app attributes you define. In this case, the application filter applies to any app that includes the predefined App-ID Cloud Engine tag.
    For this example we named the application filter ace-appid-filter.
  6. Create a Security policy rule to allow traffic for the same users you allow access to apps with the ssl or web-browsing App-IDs.
    1. Select Security ServicesSecurity Policy and create a new Security policy rule.
      For this example we named the new Security policy rule ace-appid-allow.
    2. Configure the Source and Destination settings to match the existing Security policy rules allowing access to apps with the ssl or web-browsing App-IDs.
    3. For the Application in the Application/Service settings, click SelectApplication Filters and select the application filter you created in the previous step.
    4. For the Action in the Actions settings, select Allow.
    5. Configure the rest of the Security policy rule as needed.
    6. Save.
  7. Order the newly created Security policy rule at the bottom of the policy rulebase.
    By ordering this Security policy rule at the bottom of your Security policy rulebase, you block unsanctioned app traffic before allowing legitimate access to apps with App-IDs delivered through ACE.
  8. Identify and allow access to allowed apps unintentionally blocked after you enable ACE.
    In some cases, application filters associated with an existing Security policy rule might unintentionally block traffic to legitimate apps you allow access to after you enable ACE. For example, consider the unsanctioned-apps Security policy rule with the block-apps application filter. Before you enabled ACE this application filter matched 100 apps but after you enabled ACE it matches 1,000 apps. However, of the additional 900 apps there are 10 apps you need to allow. In this case, you need to create a Security policy rule allowing traffic to these apps.
    1. Contact your Palo Alto Networks representative to generate a SaaS Risk Report and to help you compile a list of ACE App-IDs that match your application filter after you enable ACE.
      Compiling a list before you enable ACE allows you to understand how many new App-IDs are going to match your existing Security policy rules. By taking proactive steps to identify allowed apps and to create a Security policy rule to explicitly allow them before you enable ACE helps minimize blocked access to allowed apps and unintentional business interruption.
    2. Review your Deny Security policy rules and identify all application filters associated with them.
    3. Select ObjectsApplicationsApplication Filter and select each application filter to review the lists of impacted apps. Make note of any legitimate apps you want to allow.
    4. Generate a SaaS Security Report to see a list of top used apps.
    5. Select ObjectsApplicationsApplication Group and create application groups to logically group the apps you want to allow.
      For this example we named the application group allowed apps.
    6. Select Security ServicesSecurity Policy and create a Security policy rule to allow traffic to the application groups you created in the previous step.
      Alternatively, you can create different Security policy rules for each application group if different users are allowed access to different apps.
    7. Order the newly created Security policy rule above your Deny Security policy rules to allow access to those apps.
  9. (Best Practices) After you enable ACE and update your Security policy rulebase, Palo Alto Networks recommends you frequently review our Traffic logs and respond to user complaints about blocked access to previously allowed apps.
    Frequently review the Traffic logs in the Log Viewer to confirm that unsanctioned apps are correctly blocked while sanctioned apps are allowed. The Application and Action columns provide you with data on which applications are blocked and allowed. As you review your logs and respond to users about access issues, you can create additional application groups and Security policy rules to restore access to these apps.

Update Your Policy Rulebase for ACE App-IDs on Panorama

Update your Security policy rulebase after enabling App-ID Cloud Engine (ACE) to allow and block the correct app traffic for NGFW and Prisma Access(Managed by Panorama).
  1. Activate SaaS Security Inline for Prisma Access.
    ACE automatically activates for your Prisma Access tenant after you successfully activate SaaS Security Inline.
  2. Log in to Strata Cloud Manager and verify that SaaS Security Inline is activated on your Prisma Access tenant.
    You can check for an activate SaaS Security Inline using one of the following ways:
    • Hub
      The Hub now displays a Data Security tile redirecting you to SaaS Security Inline on Strata Cloud Manager.
    • NGFW or Prisma Access(Managed by Panorama)
      On Strata Cloud Manager, CASB displays and you can now configure SaaS Security Inline.
  3. Log in to the Panorama web interface.
  4. Select ObjectsApplications Filters and Add a new application filter that includes the App-ID Cloud Engine tag.
    An application filter allows you to dynamically group apps based on specific app attributes you define. In this case, the application filter applies to any app that includes the predefined App-ID Cloud Engine tag.
    You can create the application filter as part of the Shared device group scope to make the application filter available to all other device groups, or you can select a specific device group scope.
    For this example we named the application filter ace-appid-filter.
  5. Create a Security policy rule to allow traffic for the same users you allow access to apps with the ssl or web-browsing App-IDs.
    1. Select PoliciesSecurity and change to the appropriate Device Group scope.
    2. Add and create a new Security policy rule.
      For this example we named the new Security policy rule ace-appid-allow.
    3. Configure the Source and Destination settings to match the existing Security policy rules allowing access to apps with the ssl or web-browsing App-IDs.
    4. Select Application and Add the application filter you created in the previous step.
    5. For the Action in the Actions settings, select Allow.
    6. Configure the rest of the Security policy rule as needed.
    7. Click OK.
  6. Order the newly created Security policy rule at the bottom of the policy rulebase.
    By ordering this Security policy rule at the bottom of your Security policy rulebase, you block unsanctioned app traffic before allowing legitimate access to apps with App-IDs delivered through ACE.
  7. Identify and allow access to allowed apps unintentionally blocked after you enable ACE.
    In some cases, application filters associated with an existing Security policy rule might unintentionally block traffic to legitimate apps you allow access to after you enable ACE. For example, consider the unsanctioned-apps Security policy rule with the block-apps application filter. Before you enabled ACE this application filter matched 100 apps but after you enabled ACE it matches 1,000 apps. However, of the additional 900 apps there are 10 apps you need to allow. In this case, you need to create a Security policy rule allowing traffic to these apps.
    1. Contact your Palo Alto Networks representative to generate a SaaS Risk Report and to help you compile a list of ACE App-IDs that match your application filter after you enable ACE.
      Compiling a list before you enable ACE allows you to understand how many new App-IDs are going to match your existing Security policy rules. By taking proactive steps to identify allowed apps and to create a Security policy rule to explicitly allow them before you enable ACE helps minimize blocked access to allowed apps and unintentional business interruption.
    2. Review your Deny Security policy rules and identify all application filters associated with them.
    3. Select ObjectsApplicationsApplication Filter and select each application filter to review the lists of impacted apps. Make note of any legitimate apps you want to allow.
    4. Generate a SaaS Security Report to see a list of top used apps.
    5. Select ObjectsApplicationsApplication Group and create application groups to logically group the apps you want to allow.
      For this example we named the application group allowed apps.
    6. Select Security ServicesSecurity Policy and create a Security policy rule to allow traffic to the application groups you created in the previous step.
      Alternatively, you can create different Security policy rules for each application group if different users are allowed access to different apps.
    7. Order the newly created Security policy rule above your Deny Security policy rules to allow access to those apps.
  8. (Best Practices) After you enable ACE and update your Security policy rulebase, Palo Alto Networks recommends you frequently review our Traffic logs and respond to user complaints about blocked access to previously allowed apps.
    Frequently review the traffic logs on Panorama(MonitorLogsTraffic) to confirm that unsanctioned apps are correctly blocked while sanctioned apps are allowed. The Application and Action columns provide you with data on which applications are blocked and allowed. As you review your logs and respond to users about access issues, you can create additional application groups and Security policy rules to restore access to these apps.