If you are tagging an App-ID delivered through App-ID Cloud Engine (ACE), then all NGFW or Prisma Access tenants associated with the selected folder must be configured to receive App-ID updates from ACE. ACE is enabled by default for an NGFW or Prisma Access tenant when it has an active SaaS Security Inline or AI Access Security license. You can also manually enable ACE for your NGFW.

The configuration push fails if you tag an App-ID delivered from ACE and at least one NGFW or Prisma Access tenant associated with the selected folder isn't configured to receive App-IDs from ACE. For this reason, Palo Alto Networks doesn't recommend selecting the Global Configuration Scope.