>
    Strata Copilot
    Manage Enforcement of Rule Recommendations on Strata Cloud Manager
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Manage Policy for Unsanctioned SaaS Apps
    4. Manage Enforcement of Rule Recommendations on Strata Cloud Manager
    Download PDF
    SaaS Security

    Manage Enforcement of Rule Recommendations on Strata Cloud Manager

    Table of Contents

    Manage Enforcement of Rule Recommendations on Strata Cloud Manager

    Learn how to import, update, and remove policy rule recommendations on NGFW and Prisma Access (Managed by Strata Cloud Manager).
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Strata Cloud Manager)
    • SaaS Security Inline license
    • NGFW or Prisma Access license
    Or any of the following licenses that include the SaaS Security Inline license:
    • CASB-X
    • CASB-PA
    When a SaaS Security administrator authors and submits SaaS policy rule recommendations, the Web Security or Data Security administrator imports those new rule recommendations and updates or removes those same rule recommendations as the SaaS Security administrator makes changes to them. Before you begin, review the SaaS Security access privileges for your Web Security or Data Security administrator to ensure they can successfully manage enforcement of rule recommendations. You can also troubleshoot issues after implementing new policy rules or modifying existing ones.
    SaaS policy rule recommendations are based on a combination of apps, users and groups, categories, activities, device posture, and data profiles. The import process automatically creates the necessary objects, including an Application Group for the apps in the SaaS policy rule recommendation. The name of the Application Group is derived from the Rule Name that the SaaS Security administrator assigned to the SaaS policy rule recommendation.
    As guidelines outline, if the SaaS Security administrator updates a rule recommendation, for example by adding or removing apps, you also need to update the rule recommendation. If the SaaS Security administrator submits new or updated Application Groups, HIP Profiles, or tags, Prisma Access (Managed by Strata Cloud Manager) automatically creates or updates those objects. You can manually apply the updates as outlined below or bypass such updates by enabling automatic updates.
    For audit purposes, all imports and updates and deletions of existing SaaS policy rules recommendations are logged along with the administrator who took the action. When an import fails, the log indicates the reason for the failure. Web Security Administrators and Security Administrators can view such logs.
    Alternatively, SaaS Security administrators can create Internet Access rules instead of policy rule recommendations to simplify policy rule creation for SaaS app security using snippets and folder configurations. This allows you to enforce consistent SaaS app security regardless of the enforcement point, eliminate policy implementation delay, and reduce the risk of misconfigurations. This streamlined workflow enables you to fully utilize the SaaS Security Inline capabilities, achieve a stronger security posture for your SaaS environment all while reducing the managerial overhead of implementing new Security policy rules for your SaaS apps.

    Import New SaaS Policy Rule Recommendations on Strata Cloud Manager

    Learn how to import new SaaS policy rule recommendations on Strata Cloud Manager to gain visibility into and control of the apps in the rule.
    1. Log in to Strata Cloud Manager.
    2. If you have not already, associate the predefined SAAS-Inline-Pol-Recommendations snippet with one or more folders, NGFW, and Prisma Access tenants.
      Use snippets to standardize a common base configuration for a set of NGFW, and Prisma Access tenants. This allows you to quickly onboard new devices with a known good configuration and reduces the time required to onboard a new device. Additionally, this also allows you to quickly apply the same SaaS app security enforcement to multiple NGFW, and Prisma Access tenants.
      Use the predefined SAAS-Inline-Pol-Recommendations snippet to simplify management of your SaaS Security Inline Policy Recommendations.
    3. Create a new SaaS policy rule recommendation or enable a predefined SaaS policy rule recommendation.
    4. Click the Configuration Scope and select SnippetsSAAS-Inline-Pol-Recommendations.
    5. Select ConfigurationNGFW and Prisma AccessSecurity ServicesInternet SecurityPolicy Recommendations.
    6. In New SaaS Rule Recommendations, locate the policy recommendation that you want to import, then select ActionsImport.
    7. In the Import dialog and select the Rule Order to indicate where to position the new policy in the rulebase, then Import.
      If you specify a policy rule name that already exists in the rulebase, the imported rule overwrites the existing rule.
      The policy recommendation that you imported displays as an Imported policy in Imported SaaS Rule Recommendations. If your import fails, click the Last import failed link to understand why the import failed, then resolve the failure.
    8. Click Push Config.
    9. (Optional) Enable automatic updates.

    Enable Automatic Updates for SaaS Policy Rule Recommendations on Strata Cloud Manager

    Learn how to enable automatic updates to rule recommendations on Strata Cloud Manager.
    Enable automatic updates to automatically apply rule recommendation changes that the SaaS Security administrator requests to the rulebase. Doing so ensures that you don’t need to continuously monitor changes to existing rule recommendations. If you don’t enable automatic updates, Prisma Access (Managed by Strata Cloud Manager) continues to automatically pull the updates for you to review and manually import.
    When you have automatic updates enabled, updates to existing rule recommendations display as Updates imported in Imported SaaS Rule Recommendations. Use the Last update failed link to help you resolve any failures.
    1. Log in to Strata Cloud Manager.
    2. If you have not already, associate the predefined SAAS-Inline-Pol-Recommendations snippet with one or more folders, NGFW, and Prisma Access tenants.
      Use snippets to standardize a common base configuration for a set of NGFW, and Prisma Access tenants. This allows you to quickly onboard new devices with a known good configuration and reduces the time required to onboard a new device. Additionally, this also allows you to quickly apply the same SaaS app security enforcement to multiple NGFW, and Prisma Access tenants.
      Use the predefined SAAS-Inline-Pol-Recommendations snippet to simplify management of your SaaS Security Inline Policy Recommendations.
    3. Select ConfigurationNGFW and Prisma AccessSecurity ServicesInternet SecurityPolicy Recommendations.
    4. Click the Configuration Scope and select SnippetsSAAS-Inline-Pol-Recommendations.
    5. In Imported SaaS Rule Recommendations, toggle Enable Automatic Updates to the on position.
      If you’ve already imported the rule recommendation, the SaaS admin’s update to the policy rule recommendation is automatically loaded into Imported SaaS Rule Recommendations and is pending approval.

    Update Imported SaaS Policy Rule Recommendations on Strata Cloud Manager

    Learn how to update imported SaaS policy rule recommendations on Strata Cloud Manager.
    You can monitor the availability of updates to rule recommendations from OverviewPolicy Recommendations.
    1. Log in to Strata Cloud Manager.
    2. If you have not already, associate the predefined SAAS-Inline-Pol-Recommendations snippet with one or more folders, NGFW, and Prisma Access tenants.
      Use snippets to standardize a common base configuration for a set of NGFW, and Prisma Access tenants. This allows you to quickly onboard new devices with a known good configuration and reduces the time required to onboard a new device. Additionally, this also allows you to quickly apply the same SaaS app security enforcement to multiple NGFW, and Prisma Access tenants.
      Use the predefined SAAS-Inline-Pol-Recommendations snippet to simplify management of your SaaS Security Inline Policy Recommendations.
    3. Select ConfigurationNGFW and Prisma AccessSecurity ServicesInternet SecurityPolicy Recommendations.
    4. Click the Configuration Scope and select SnippetsSAAS-Inline-Pol-Recommendations.
    5. In Imported SaaS Rule Recommendations, locate the rule recommendations that have updates as indicated by the Status, then click ActionsUpdate icon.
      • Update available—SaaS administrator updated the rule recommendation and is pending your approval.
      • Update available (This rule will be removed)—SaaS administrator deleted the rule recommendation and is pending your approval.
      The policy recommendation that you updated displays as an Imported policy in Imported SaaS Rule Recommendations. Use the Last update failed link to help you resolve any failures.
      If you want to import all updates for all existing rule recommendations, click Sync instead.
    6. Click Push Config.

    Remove Deleted SaaS Policy Rule Recommendations on Strata Cloud Manager

    Manage your rulebase on Strata Cloud Manager by removing deleted SaaS policy rule recommendations.
    When a SaaS Security administrator authors and submits SaaS policy rule recommendations, the Web Security or Data Security administrator imports those rule recommendations and the Security administrator pushes those rule recommendations to gain visibility into and control of the applications in the SaaS policy recommendation. Before you begin, learn about the Hub roles that enable administrators to collaborate on SaaS Security.
    As the guidelines outline, if the SaaS Security administrator deletes the rule recommendation, you also need to delete that rule recommendation. When you delete an imported rule recommendation:
    • The policy is deleted from the rulebase.
    • The HIP Profile and all associated objects are deleted from the configuration if you'ren’t using them in other policy rules.
    • Application Group is deleted from the configuration.
    1. Log in to Strata Cloud Manager.
    2. If you have not already, associate the predefined SAAS-Inline-Pol-Recommendations snippet with one or more folders, NGFW, and Prisma Access tenants.
      Use snippets to standardize a common base configuration for a set of NGFW, and Prisma Access tenants. This allows you to quickly onboard new devices with a known good configuration and reduces the time required to onboard a new device. Additionally, this also allows you to quickly apply the same SaaS app security enforcement to multiple NGFW, and Prisma Access tenants.
      Use the predefined SAAS-Inline-Pol-Recommendations snippet to simplify management of your SaaS Security Inline Policy Recommendations.
    3. Select ConfigurationNGFW and Prisma AccessSecurity ServicesInternet SecurityPolicy Recommendations.
    4. Click the Configuration Scope and select SnippetsSAAS-Inline-Pol-Recommendations.
    5. In Imported SaaS Rule Recommendations, locate the rule recommendations that the SaaS administrator deleted as indicated by the Removed Status, then click ActionsDelete icon.
      • Update available—SaaS administrator updated the rule recommendation and is pending your approval.
      • Update available (This rule will be removed)—SaaS administrator deleted the rule recommendation and is pending your approval.
      The policy recommendation that you deleted no longer displays in Imported SaaS Rule Recommendations. If your deletion fails, click the Last import failed link to understand why the import failed, then resolve the failure.
    6. Click Push Config.

    © 2026 Palo Alto Networks, Inc. All rights reserved.