Unsanctioned usage of SaaS applications can be a way for your users to transmit sensitive information outside of your network, usually by accessing a consumer version of an application. However, if you need to allow access to the enterprise version of these applications for specific individuals or organizations, then you can't block the SaaS application entirely.

You can use custom HTTP headers to disallow SaaS consumer accounts while allowing a specific enterprise account. Many SaaS applications allow or disallow access to applications based on information contained in specific HTTP headers. You can Create HTTP Header Insertion Entries using Predefined Types to manage access to popular SaaS applications, such as Google G Suite and Microsoft Office 365. Palo Alto Networks® uses content updates to maintain predefined rule sets specific to these applications, as well as to add new predefined rule sets.

You can also Create Custom HTTP Header Insertion Entries if you want to manage access to a SaaS application—that uses HTTP headers to limit service access—for which Palo Alto Networks has not provided a predefined set of rules.

Be aware that commercial SaaS applications always use SSL so decryption is necessary to perform HTTP header insertion. You can configure the firewall to decrypt traffic using SSL Forward Proxy decryption if traffic is not already decrypted by an upstream firewall.

To understand how to use HTTP headers to manage SaaS applications, see the following: