Create SaaS Policy Rule Recommendations
Learn how to create policy rule recommendations on SaaS Security Inline.
SaaS policy rule recommendations enable you to recommend Security policy rules to your Palo Alto Networks firewall administrator. Security policy rules detect and take action on specific application traffic on your network. SaaS policy rule recommendations are based on a combination of applications, users and groups, categories, activities, device posture, and data profiles. For example, you might consider a policy rule recommendation that blocks all HR and Finance employees from uploading assets to risky file sharing applications such as 4Shared and WeTransfer. Before you create any recommendations, consider a few collaboration and authoring guidelines.
SaaS Security Inline pushes SaaS policy rule recommendations to your Palo Alto Networks firewall. Your firewall administrator sees your policy rule recommendations in the firewall web interface and can then accept and commit the SaaS security policy rule. After your firewall administrator commits the policy rule, the policy rule becomes active. You can update your SaaS rule recommendations at any time.
You can create a SaaS policy rule recommendation from scratch, apply a predefined SaaS policy rule recommendation, or copy an existing recommendation.
Before you begin:
- Select Visibility > Security Rules, then click Create New Rule.
- Specify a Rule Name and Description. For example, Block Unsanctioned, File Sharing Apps from HR.
- Specify the Applications you want to control.
  You can only create recommendations for enforcement on your firewall for SaaS apps that have an App-ID. You can determine if a given SaaS app in the Application Dictionary has an App-ID based on its How is this app detected? attribute.
  Use the filters (Category or Risk, or Capabilities) to help you locate the SaaS applications so that you capture all the applicable SaaS applications. For example, if your intent is to only include high risk SaaS applications, filter by risk.
  For a rule to take action on a SaaS application, the user activities you choose must be supported by all the SaaS applications you select. User activities are unique to each SaaS application. For example, if a SaaS application does not provide a means for a user to upload a file, your rule cannot include that user activity. The SaaS Security Inline web interface returns an error when you select a user activity that the SaaS application does not support. Use the Capabilities matrix to help you determine which user activities the SaaS applications support.
- Select the User Activity you want the firewall to detect.
  - Any User Activity—User performs one or more user activities.
  - Upload—User uploads an asset.
  - Download—User downloads an asset.
  - Share—User shares an asset.
  - Delete—User deletes an asset.
  - Personal Account Access—User attempts to access a personal account for a given SaaS application as opposed to a corporate account.
- (Optional) Specify User & Groups. Creating policy rule recommendations based on user group membership rather than individual users simplifies administration because you don’t need to update the recommendation whenever group membership changes. If no groups display, verify that you performed an Azure Active Directory integration.
- (Optional) Specify Device Posture to enforce what devices can and cannot access specific SaaS apps, including device ownership and device compliance. A device’s posture is predefined in HIP profiles that your firewall administrator creates from HIP objects, which define what constitutes ownership (company or employee) or compliance (for example, version of virus detection software running on the device). Although you cannot modify these HIP profiles, you can apply them for more granular enforcement of SaaS application usage.
  - Mobile Device Managed Status—Choose Managed when the device is company-owned, whether dedicated or shared, Unmanaged when the device is employee-owned, or Any for both.
  - Mobile Device Compliant Status—Choose Compliant when the device adheres to your organization’s security compliance requirements, Non‑Compliant when it does not, or Any for both.
- Specify a Response to instruct the firewall to take action on the network traffic that matches the policy rule. Although your firewall has other actions, SaaS policy rule recommendations support Block only.
- Save New Rule.
- Enable the recommendation when you’re ready to submit the recommendation for enforcement.
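The authoring constraints in the steps above (App-ID required, the chosen user activity supported by every selected app, Block as the only response) can be checked on a draft before you enter it in the web interface. This is an added example, not Palo Alto Networks code or a SaaS Security Inline API; the capability data, the `ExampleApp` entry and the function names are constructed assumptions.

```python
# Constructed stand-in for the Capabilities matrix. App names 4Shared and
# WeTransfer come from the page; their flags and activity sets are
# illustrative assumptions, and "ExampleApp" is hypothetical.
CAPABILITIES = {
    "4Shared":    {"app_id": True,  "activities": {"Upload", "Download", "Share", "Delete"}},
    "WeTransfer": {"app_id": True,  "activities": {"Upload", "Download"}},
    "ExampleApp": {"app_id": False, "activities": {"Upload"}},
}
ANY = "Any User Activity"
ACTIVITIES = {ANY, "Upload", "Download", "Share", "Delete", "Personal Account Access"}


def check_recommendation(apps, activity, response="Block", matrix=CAPABILITIES):
    """Return a list of problems with a draft recommendation (empty list = OK)."""
    problems = []
    if response != "Block":
        problems.append(f"response {response!r}: recommendations support Block only")
    if activity not in ACTIVITIES:
        problems.append(f"unknown user activity {activity!r}")
    for app in apps:
        entry = matrix.get(app)
        if entry is None:
            problems.append(f"{app}: not in the capabilities matrix")
        elif not entry["app_id"]:
            problems.append(f"{app}: no App-ID, cannot be enforced on the firewall")
        # Assumption: "Any User Activity" needs no per-app capability check.
        elif activity in ACTIVITIES and activity != ANY and activity not in entry["activities"]:
            problems.append(f"{app}: does not support {activity}")
    return problems


def common_activities(apps, matrix=CAPABILITIES):
    """Activities every selected app supports, i.e. those one rule can use."""
    sets = [matrix[a]["activities"] for a in apps]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    selected = ["4Shared", "WeTransfer"]
    print("usable activities:", sorted(common_activities(selected)))
    for act in ("Upload", "Share"):
        issues = check_recommendation(selected, act)
        print(act, "->", issues or "OK")
```
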