>
    Create Custom Policy Rules to Control GenAI App Usage (Strata Cloud Manager)
    Focus
    Download PDF
    Focus
    1. Home
    2. AI Access Security
    3. Create Custom Security Policy Rules to Control GenAI Access
    4. Create Custom Policy Rules to Control GenAI App Usage (Strata Cloud Manager)
    Download PDF
    AI Access Security

    Create Custom Policies to Control GenAI App Usage (Strata Cloud Manager)

    Table of Contents

    Create Custom Policy Rules to Control GenAI App Usage (Strata Cloud Manager)

    Create custom policy rules in Strata Cloud Manager to control GenAI App usage in your organization.
    Your Web Security policy rules are evaluated and enforced ahead of your Security policy rules. In the event a Web Security and Security policy rule both apply to the same traffic, the Web Security policy rule Action and Enterprise DLP inspection configuration take precedence over the Security policy rule. After a successful match to a Web Security policy rule, no further policy rule evaluation is performed.
    For example, you create Web Security policy rule and Security policy rule that apply to User Group A and multiple GenAI apps.
    • Web Security Policy Rule A allows User Group A access to the specified GenAI apps and has an Enterprise DLP Data Profile A associated with the GenAI apps to prevent exfiltration of sensitive data.
    • Security Policy Rule B blocks User Group A's access to the same specified GenAI apps.
    In this case, when any user in User Group A accesses a GenAI app specified in the Web Security and Security policy rules they are allowed and Enterprise DLP inspection and verdict rendering is performed because Web Security Policy Rule A is higher in the policy rulebase evaluation order.
    1. Use the AI Access Security Insights dashboard to discover risks posed by GenAI apps.
      The AI Access Security Insights dashboard provides detailed and comprehensive visibility into GenAI app usage across your organization. You can discover risky GenAI app use cases, individual risky GenAI apps, as well as risky users accessing GenAI apps.
    2. Perform the initial AI Access Security configuration.
      This includes creating an Enterprise Data Loss Prevention (E-DLP) data profile to define the sensitive data match criteria and the Vulnerability Protection profile used to stop attempts to exploit system flaws or gain unauthorized access to systems.
      For NGFW, this also includes creating an internal trust zone and an outbound untrusted zone.
    3. Log in to Strata Cloud Manager.
    4. Select ManageConfigurationNGFW & Prisma AccessSecurity ServicesWeb Security and select your target Configure Scope.
    5. Select Security SettingsThreat Management and Customize Vulnerability Protection for your Web Security policy rules.
      The Vulnerability Protection settings you configure here are applied to Web Security policy rules.
      1. Select the Vulnerability Protection Profile you created during the initial configuration.
      2. Configure the remaining Vulnerability Protection settings as needed.
      3. Save.
    6. Select Policies to continue creating policy rules to control GenAI app usage.
    7. Modify the predefined Sanctioned GenAI Access policy rule.
      1. Select the predefined Sanctioned GenAI Access policy rule and Enable.
      2. Click the predefined Sanctioned GenAI Access policy rule to modify it.
      3. Make the required changes for the predefined Sanctioned GenAI Access policy rule.
      4. Save.
    8. Create a custom Web Access policy rule.
      • In Strata Cloud Manager, even though you can create custom policy rules through Security Policies for GenAI Apps, it's recommended that you use Web Security to create policy rules efficiently.
      • It's not recommended to have both GenAI and non-GenAI apps in the same policy if the Enterprise Data Loss Prevention (E-DLP) license isn't active.
      1. Add Policy.
      2. Enter a descriptive Name.
      3. Enable the Web Access policy rule.
      4. (Optional) Add a Description for the Web Access policy rule, and add a predefined Tag or create a new one.
      5. (Optional) Configure a Schedule to specify the times the Web Access policy rule is active.
      6. Define traffic to enforce based on the traffic Source (where it originates).
        For example, based on your risk discovery investigation you determine unauthorized users associated with User Group A access a GenAI app sanctioned for use by User Group B. In this case you can create a Web Access policy rule to block access to the GenAI and add User Group A as the user group Source.
      7. Configure Blocked Web Applications and Allowed Web Applications to define which GenAI apps you want to block or allow access to.
        (Allowed Web Applications) Only add supported GenAI apps to the list of allowed apps.
        • Application—Add one or more GenAI apps.
        • Application Category—An application category, otherwise referred to as an application filter, dynamically groups applications based on application filters you define.
          For example, you can use a predefined or custom GenAI app filter to dynamically control access to GenAI apps in your organization rather than adding individual GenAI apps or creating an application group that must be updated manually each time a change is required.
        • Application Group—An application group is a static grouping of individual apps that you create.
        (Allowed Web Applications) When adding your allowed application, click the DLP column and add a DLP Rule. Enterprise Data Loss Prevention (E-DLP) is required to prevent exfiltration of sensitive data and to generate Sensitive Assets data when discovering risks posed by GenAI apps.
      8. Configure the rest of the Custom Web Access policy rule as needed.
      9. Save.
    9. Push Config and Push.

    © 2024 Palo Alto Networks, Inc. All rights reserved.