Create SaaS Policy Rule Recommendations

Learn how to create SaaS policy rule recommendations on SaaS Security Inline.
This feature requires the
SaaS Security
add-on license for your platform.
You can create a SaaS policy rule recommendation from scratch, or, alternatively, apply a predefined policy rule recommendation or copy an existing recommendation. Before you create any recommendations, consider a few collaboration and authoring guidelines.
SaaS policy rule recommendations enable you to recommend Security policy rules to your Palo Alto Networks firewall administrator or Prisma Access administrator. SaaS Security Inline pushes SaaS policy rule recommendations to your firewall or Prisma Access. Your firewall administrator or Prisma Access administrator will see your policy rule recommendations in the firewall web interface or Prisma Access web interface, then can accept and commit the SaaS security policy rule. After your firewall administrator or Prisma Access administrator commits the policy rule, the policy rule becomes active. You can update your SaaS rule recommendations at any time.
Before you begin
) Ask your firewall administrator to verify that all firewalls have log forwarding enabled as instructed in the ACE deployment. The SaaS Security web interface cannot display SaaS application visibility data and might not be able to enforce policy rule recommendations without logs for
  1. Navigate to SaaS Security Inline.
  2. Select
    Policy Recommendations
    , then click
    Create New Rule
  3. Specify a
    Rule Name
    . For example,
    Block Unsanctioned, File Sharing Apps from HR
  4. Specify the
    you want to control.
    You can only create recommendations for enforcement on your firewall for SaaS apps that have an App-ID. You can determine if a given SaaS app in the Application Dictionary has an App-ID based on its How is this app detected? attribute.
    Use the filters (
    , or
    ) to help you locate the SaaS applications so that you capture all the application SaaS Applications. For example, if your intent is to only include high risk SaaS applications, filter by risk.
    For a rule to take action on a SaaS application, the user activities you choose must be supported by all the SaaS applications you select. User activities are unique to each SaaS application. For example, if a SaaS application does not provide a means for a user to upload a file, your rule cannot include that user activity. The SaaS Security Inline web interface returns an error when you select a user activity that the SaaS application does not support. Use the
    matrix to help you determine which user activities the SaaS applications support.
  5. Select the
    User Activity
    you want the firewallto detect.
    • Any User Activity
      —User performs one or more user activity.
    • Upload
      —User uploads an asset.
    • Download
      —User downloads an asset.
    • Share
      —User shares an asset.
    • Delete
      —User deletes an asset.
    • Personal Account Access
      —User attempts to access a personal account for a given SaaS application as opposed to a corporate account.
  6. (
    ) Specify
    User & Groups
    Creating policy rule recommendations based on user group membership rather than individual users simplifies administration because you don’t need to update the recommendation whenever group membership changes. If no groups display, verify that you performed an Azure Active Directory integration.
  7. (
    ) Specify
    Device Posture
    to enforce what devices can and cannot access specific SaaS apps, including device ownership and device compliance.
    Your device posture selection automatically creates a Host Information Profile (HIP) object for mobile devices after the policy recommendation is imported as a policy.
    • Mobile Device Managed Status
      when the device is company-owned, whether a dedicated device or shared with
      when the device is employee-owned, or
      for both.
    • Mobile Device Compliant Status
      when the device adheres to your organization’s security compliance requirements,
      when it does not, or
      for both.
  8. (
    ) Specify
    Data Profiles
    If you do not have an Enterprise DLP license on any platform (for example, SaaS Security API), this section does not display at all. Additionally, you must have an Enterprise DLP license on your platform (NGFW or Prisma Access) to avoid policy failure.
  9. Specify a
    to instruct the firewall or Prisma Access administrator take action on the network traffic that matches the policy rule.
    Although your firewall or Prisma Access has other actions, SaaS policy rule recommendations support Block only. Block denies the traffic that matches the rule from entering your network.
    • Allow
      —Allows the traffic that matches the rule to travel unrestricted on your network.
    • Block
      —Denies the traffic that matches the rule from entering your network.
  10. Save New Rule
  11. Enable the recommendation when you’re ready to submit the recommendation for enforcement.

Recommended For You