| Where Can I Use This? | What Do I Need? |
|---|
- NGFW (Managed by Panorama or Strata Cloud Manager)
- Prisma Access (Managed by Panorama or Strata Cloud Manager)
|
One of the following:
- AI Access Security license
- CASB-PA license
- CASB-X license
|
Application filters dynamically group
applications based on the application attributes you define. You can use application
filters in your
Security policy rules to control
access to GenAI apps based on the application attributes rather than explicitly
defining GenAI apps or application groups in your Security policy rule.
(
Strata Cloud Manager only)
AI Access Security includes the
following predefined GenAI application filters. The predefined application filters
are based on the supported
AI Access Security
use cases.
Use Application Filters for GenAI Apps on Strata Cloud Manager
Create Application Filters to use in your Security policy rules in Strata Cloud Manager to control GenAI app usage in your organization.
- Log in to
Strata Cloud Manager.
- Select and Add Application Filter.
- Enter a descriptive Name.
- For the Tag select Generative
AI.
All GenAI apps inspected by NGFW or Prisma Access are
tagged with genai when inspected. When creating
a custom application filter for GenAI apps, Palo Alto Networks recommends
selecting the Generative AI tag to ensure the
Security policy rule the application filter is added to applies to GenAI app
traffic.
- Configure additional Category Filters to narrow
down the scope of impacted GenAI apps. Consider the following tags when creating
your GenAI application filter.
-
Risk—Specify the Risk
score so the Security policy rule action only applies to GenAI apps
with the selected risk score.
For example, you want to write a Security policy rule to block access
to all risky GenAI apps regardless of its use. In this case, you can
create an application filter for GenAI apps 4
and 5 so the Security policy rule only
applies to GenAI apps with these risk scores.
-
Tag—Specify whether the Security policy rule
action applies to GenAI apps
tagged as
Sanctioned,
Tolerated, or
Unsanctioned. Additionally, you can apply
tags based on the GenAI app use case.
For example, you want to write a Security policy rule to allow access
to sanctioned Code Assistant & Generator GenAI apps. In this
case, you can create an application filter that includes both the
Sanctioned and Code Asistant
& Generator tags so the Security policy rule
only applies to GenAI apps with this application tag and that fall
within the use case.
- Review the list of Matching Applications.
- Save.
- Push Config and Push.
- Create Custom Security Policy Rules to Control GenAI Access.
Use Application Filters for GenAI Apps on Panorama
Create Application Filters to use in your Security policy rules on the Panorama™ management server to control GenAI app usage in your organization.
- Log in to the Panorama™ management server
web interface.
- Select and Add a new application filter.
- Enter a descriptive Name.
- For the Tag select Generative
AI.
All GenAI apps inspected by NGFW or Prisma Access are
tagged with genai when inspected. When creating
a custom application filter for GenAI apps, Palo Alto Networks recommends
selecting the Generative AI tag to ensure the
Security policy rule the application filter is added to applies to GenAI app
traffic.
- Configure additional Category Filters to narrow
down the scope of impacted GenAI apps. Consider the following tags when creating
your GenAI application filter.
-
Risk—Specify the Risk
score so the Security policy rule action only applies to GenAI apps
with the selected risk score.
For example, you want to write a Security policy rule to block access
to all risky GenAI apps regardless of its use. In this case, you can
create an application filter for GenAI apps 4
and 5 so the Security policy rule only
applies to GenAI apps with these risk scores.
- Review the list of matching applications.
- Click OK.
- Select Commit and Commit and Push
your configuration changes.
- Create Custom Security Policy Rules to Control GenAI Access.
