Create SaaS Policy Rule Recommendations
Learn how to create SaaS policy rule recommendations on SaaS Security Inline.
This feature requires the SaaS Security add-on license for your platform.
SaaS policy rule recommendations enable you to recommend Security policy rules to your Palo Alto Networks firewall administrator or Prisma Access administrator. SaaS Security Inline pushes SaaS policy rule recommendations to your firewall or Prisma Access. Your firewall administrator or Prisma Access administrator will see your policy rule recommendations in the firewall web interface or Prisma Access web interface, then can accept and commit the SaaS security policy rule. After your firewall administrator or Prisma Access administrator commits the policy rule, the policy rule becomes active. You can update your SaaS rule recommendations at any time.
Before you begin:
(NGFW Only) Ask your firewall administrator to verify that all firewalls have log forwarding enabled as instructed in the ACE deployment. The SaaS Security web interface cannot display SaaS application visibility data and might not be able to enforce policy rule recommendations without logs for
- Navigate to SaaS Security Inline.
- Select Policy Recommendations, then click Create New Rule.
- Specify a Rule Name and Description. For example, Block Unsanctioned, File Sharing Apps from HR.
- Specify the Applications you want to control. You can only create recommendations for enforcement on your firewall for SaaS apps that have an App-ID. You can determine whether a given SaaS app in the Application Dictionary has an App-ID from its How is this app detected? attribute. Use the filters (Category, Risk, or Capabilities) to help you locate the SaaS applications so that you capture all the relevant SaaS applications. For example, if your intent is to include only high-risk SaaS applications, filter by risk. For a rule to take action on a SaaS application, the user activities you choose must be supported by all the SaaS applications you select. User activities are unique to each SaaS application. For example, if a SaaS application does not provide a means for a user to upload a file, your rule cannot include that user activity. The SaaS Security Inline web interface returns an error when you select a user activity that a selected SaaS application does not support. Use the Capabilities matrix to help you determine which user activities the SaaS applications support.
- Select the User Activity you want the firewall to detect.
- Any User Activity—User performs one or more user activities.
- Upload—User uploads an asset.
- Download—User downloads an asset.
- Share—User shares an asset.
- Delete—User deletes an asset.
- Personal Account Access—User attempts to access a personal account for a given SaaS application as opposed to a corporate account.
- (Optional) Specify Users & Groups. Creating policy rule recommendations based on user group membership rather than individual users simplifies administration because you don’t need to update the recommendation whenever group membership changes. If no groups display, verify that you performed an Azure Active Directory integration.
- (Optional) Specify Device Posture to enforce which devices can and cannot access specific SaaS apps, including device ownership and device compliance. Your device posture selection automatically creates a Host Information Profile (HIP) object for mobile devices after the policy recommendation is imported as a policy.
- Mobile Device Managed Status—Choose Managed when the device is company-owned, whether a dedicated device or a shared one; Unmanaged when the device is employee-owned; or Any for both.
- Mobile Device Compliant Status—Choose Compliant when the device adheres to your organization’s security compliance requirements, Non-Compliant when it does not, or Any for both.
- Specify a Response to instruct the firewall or Prisma Access to take action on the network traffic that matches the policy rule. Although your firewall or Prisma Access supports other actions, SaaS policy rule recommendations support Block only. Block denies the traffic that matches the rule from entering your network.
- Allow—Allows the traffic that matches the rule to travel unrestricted on your network.
- Block—Denies the traffic that matches the rule from entering your network.
- Save New Rule.
- Enable the recommendation when you’re ready to submit the recommendation for enforcement.
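The constraints the procedure above describes (every selected app needs an App-ID, every chosen user activity must be supported by every selected app, and only Block is a supported response) can be checked before a recommendation is submitted. The following is an added example, not product code: it models a recommendation as a small dataclass and validates it against a constructed, illustrative app dictionary (the names `APP_DICTIONARY`, `RuleRecommendation` and `validate_recommendation` are assumptions, not part of the SaaS Security Inline interface).

```python
from dataclasses import dataclass, field

# Constructed sample dictionary: app name -> whether it has an App-ID and which
# user activities it supports. Illustrative only, not the real Application Dictionary.
APP_DICTIONARY = {
    "fileshare-a": {"app_id": True, "activities": {"upload", "download", "share", "delete"}},
    "fileshare-b": {"app_id": True, "activities": {"upload", "download"}},
    "legacy-app": {"app_id": False, "activities": {"download"}},
}

# The user activities the page lists; an empty selection means "Any User Activity".
ALL_ACTIVITIES = {"upload", "download", "share", "delete", "personal-account-access"}
SUPPORTED_RESPONSES = {"block"}  # recommendations support Block only


@dataclass
class RuleRecommendation:
    name: str
    applications: list
    user_activities: set           # empty set = Any User Activity
    response: str = "block"
    groups: list = field(default_factory=list)
    managed_status: str = "any"    # managed | unmanaged | any
    compliant_status: str = "any"  # compliant | non-compliant | any


def validate_recommendation(rule, dictionary=APP_DICTIONARY):
    """Return a list of problems; an empty list means the rule is consistent."""
    problems = []
    if not rule.name.strip():
        problems.append("rule name is required")
    if not rule.applications:
        problems.append("at least one SaaS application is required")
    for app in rule.applications:
        entry = dictionary.get(app)
        if entry is None:
            problems.append(f"{app}: not in the Application Dictionary")
            continue
        if not entry["app_id"]:
            problems.append(f"{app}: no App-ID, cannot be enforced on the firewall")
        # Every selected activity must be supported by every selected app.
        for act in sorted(rule.user_activities - entry["activities"]):
            problems.append(f"{app}: does not support user activity '{act}'")
    for act in sorted(rule.user_activities - ALL_ACTIVITIES):
        problems.append(f"unknown user activity '{act}'")
    if rule.response.lower() not in SUPPORTED_RESPONSES:
        problems.append(f"response '{rule.response}' not supported; use Block")
    if rule.managed_status not in {"managed", "unmanaged", "any"}:
        problems.append(f"invalid managed status '{rule.managed_status}'")
    if rule.compliant_status not in {"compliant", "non-compliant", "any"}:
        problems.append(f"invalid compliant status '{rule.compliant_status}'")
    return problems
```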