Tenant-level detection and control within SaaS Security Inline is limited to only select applications. For these applications, SaaS Security Inline can detect the specific application tenants that users are accessing. SaaS Security Inline displays these tenant details, and you can submit policy rule recommendations at the tenant level.

To support tenant-level detection and control for more applications, PAN-OS® 11.2.1 introduces a new setting to enable additional HTTP header logging. When additional HTTP header logging is enabled, the firewall logs more information about the applications to Strata Logging Service. This additional information enables SaaS Security Inline to detect the individual application tenants for the following applications:

Because SaaS Security Inline is the only consumer of this information, and because you might not require tenant-level policies for these applications, the additional header logging is disabled by default. Administrators can easily enable this setting, as described in submitting tenant-level policy recommendations in SaaS Security Inline. Within 24 hours after the additional logs are available in Strata Logging Service, SaaS Security Inline will be able to detect the individual tenants for these applications, allowing you to submit tenant-level policy recommendations.