Create SaaS Policy Rule Recommendations

Learn how to create policy rule recommendations on SaaS Security Inline.
SaaS policy rule recommendations enable you to recommend Security policy rules to your Palo Alto Networks firewall administrator. Security policy rules detect and take action on specific application traffic on your network. SaaS policy rule recommendations are based on a combination of applications, users and groups, categories, activities, device posture, and data profiles. For example, you might consider a policy rule recommendation that blocks all HR and Finance employees from uploading assets to risky file sharing applications such as 4Shared and WeTransfer. Before you create any recommendations, consider a few collaboration and authoring guidelines.
SaaS Security Inline pushes SaaS policy rule recommendations to your Palo Alto Networks firewall. Your firewall administrator sees your policy rule recommendations in the firewall web interface and can then accept and commit the SaaS security policy rule. After your firewall administrator commits the policy rule, it becomes active. You can update your SaaS rule recommendations at any time.
You can create a SaaS policy rule recommendation from scratch, or, alternatively, apply a predefined SaaS policy rule recommendation or copy an existing recommendation.
Before you begin
Ask your firewall administrator to verify that all firewalls have log forwarding enabled as instructed in the ACE deployment. The SaaS Security web interface cannot display SaaS application visibility data and might not be able to enforce policy rule recommendations without logs for
  1. Select Security Rules, then click Create New Rule.
  2. Specify a Rule Name. For example, Block Unsanctioned, File Sharing Apps from HR.
  3. Specify the
    you want to control.
    You can only create recommendations for enforcement on your firewall for SaaS apps that have an App-ID. You can determine whether a given SaaS app in the Application Dictionary has an App-ID from its How is this app detected? attribute.
    Use the filters (
    , or
    ) to help you locate the SaaS applications so that you capture all the relevant SaaS applications. For example, if your intent is to include only high-risk SaaS applications, filter by risk.
    For a rule to take action on a SaaS application, every user activity you choose must be supported by every SaaS application you select. User activities are unique to each SaaS application. For example, if a SaaS application does not provide a means for a user to upload a file, your rule cannot include that user activity. The SaaS Security Inline web interface returns an error when you select a user activity that a selected SaaS application does not support. Use the
    matrix to help you determine which user activities the SaaS applications support.
  4. Select the User Activity you want the firewall to detect.
    • Any User Activity—User performs one or more user activities.
    • Upload—User uploads an asset.
    • Download—User downloads an asset.
    • Share—User shares an asset.
    • Delete—User deletes an asset.
    • Personal Account Access—User attempts to access a personal account for a given SaaS application rather than a corporate account.
  5. (
    ) Specify User & Groups.
    Creating policy rule recommendations based on user group membership rather than individual users simplifies administration because you don’t need to update the recommendation whenever group membership changes. If no groups display, verify that you performed an Azure Active Directory integration.
  6. (
    ) Specify Device Posture to enforce which devices can and cannot access specific SaaS apps, based on device ownership and device compliance.
    A device’s posture is predefined in HIP profiles that your firewall administrator creates from HIP objects, which define what constitutes ownership (company or employee) or compliance (for example, the version of virus detection software running on the device). Although you cannot modify these HIP profiles, you can apply them for more granular enforcement of SaaS application usage.
    • Mobile Device Managed Status—
      when the device is company-owned, whether a dedicated device or shared with
      when the device is employee-owned, or
      for both.
    • Mobile Device Compliant Status—
      when the device adheres to your organization’s security compliance requirements,
      when it does not, or
      for both.
  7. (
    ) Specify Data Profiles.
    If you do not have an Enterprise DLP license on any platform (for example, SaaS Security API), this section does not display at all. Additionally, you must have an Enterprise DLP license on NGFW, or the policy will fail.
  8. Specify a
    to instruct the firewall to take action on the network traffic that matches the policy rule.
    Although your firewall has other actions, SaaS policy rule recommendations support
  9. Save New Rule.
  10. Enable the recommendation when you’re ready to submit it for enforcement.
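The authoring constraints in the procedure above (only App-ID apps are enforceable, every chosen user activity must be supported by every selected app, data profiles need an Enterprise DLP license on NGFW) can be checked before a recommendation is submitted. The following is an added illustration, not Palo Alto Networks code or a product API: the SaasApp and Recommendation classes, the validate function, and the activity sets for 4Shared and WeTransfer are all constructed for this example.

```python
from dataclasses import dataclass, field

ANY = "Any User Activity"  # activities offered in step 4 of the procedure above
ACTIVITIES = {"Upload", "Download", "Share", "Delete", "Personal Account Access"}

@dataclass(frozen=True)
class SaasApp:
    name: str
    has_app_id: bool      # per the app's "How is this app detected?" attribute
    supported: frozenset  # user activities the app supports (constructed sample)

@dataclass
class Recommendation:
    name: str
    apps: list
    activities: set
    groups: list = field(default_factory=list)  # groups rather than individual users
    data_profiles: list = field(default_factory=list)

def validate(rule: Recommendation, dlp_license_on_ngfw: bool) -> list:
    """Return the problems that would make the recommendation unenforceable."""
    problems = []
    if not rule.name.strip():
        problems.append("rule name is required")
    if not rule.apps:
        problems.append("select at least one SaaS application")
    # Only SaaS apps that have an App-ID can be enforced on the firewall.
    problems += [f"{a.name}: no App-ID, cannot be enforced" for a in rule.apps if not a.has_app_id]
    unknown = rule.activities - ACTIVITIES - {ANY}
    if unknown:
        problems.append(f"unknown user activities: {sorted(unknown)}")
    # Every chosen activity must be supported by every selected app (the web
    # interface rejects the rule otherwise); ANY needs no per-activity check.
    for act in sorted(rule.activities - {ANY}):
        missing = [a.name for a in rule.apps if act not in a.supported]
        if missing:
            problems.append(f"{act!r} not supported by: {', '.join(missing)}")
    # The Data Profiles section requires an Enterprise DLP license on NGFW.
    if rule.data_profiles and not dlp_license_on_ngfw:
        problems.append("data profiles require an Enterprise DLP license on NGFW")
    return problems

# Constructed sample apps; their activity sets are assumptions, not dictionary data.
FOUR_SHARED = SaasApp("4Shared", True, frozenset({"Upload", "Download", "Share"}))
WETRANSFER = SaasApp("WeTransfer", True, frozenset({"Upload", "Download"}))

def hr_block_rule() -> Recommendation:
    """The step 2 example: stop HR and Finance uploads to the two file-sharing apps."""
    return Recommendation("Block Unsanctioned, File Sharing Apps from HR",
                          [FOUR_SHARED, WETRANSFER], {"Upload"}, groups=["HR", "Finance"])
```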