SaaS App-ID Policy Recommendation
The rapid proliferation of SaaS applications makes it difficult to assign all of them specific App-IDs, gain visibility into those applications, and control them. Security policy rules that allow ssl, web-browsing, or “any” application may allow unsanctioned SaaS applications that can introduce security risks to your network. To gain visibility into those applications and control them on the firewall, SaaS Security administrators can recommend Security policy rules with specific SaaS App-IDs provided by the App-ID Cloud Engine (ACE) to PAN-OS firewall administrators. PAN-OS administrators can import those rules on firewalls that have a SaaS Security Inline subscription.
SaaS Policy Recommendation requires a SaaS Security Inline subscription.
Each appliance that uses the SaaS Policy Recommendation Engine needs to generate and install a valid device certificate or use Panorama to generate and install a valid device certificate.
A SaaS Security Inline connection to Cortex Data Lake (CDL) is required for SaaS visibility. Configure Log Forwarding to CDL and enable Log Forwarding with the correct Log Forwarding profile in Security policy rules. At a minimum, you must forward Traffic logs and URL logs to CDL for SaaS Security Inline to work properly.
All hardware platforms that support PAN-OS 10.1 or later support SaaS Policy Recommendation, and all appliances on which you want to use SaaS Policy Recommendation require PAN-OS 10.1 or later. Panorama cannot push and commit SaaS Policy Recommendations to firewalls that don’t have a SaaS Security Inline license installed or to firewalls that run a version of PAN-OS earlier than 10.1.
The SaaS Security Administrator’s Guide describes the SaaS Security administrator’s procedure for creating Security policy rule recommendations and then pushing them to the firewall. The PAN-OS Administrator’s Guide describes how the PAN-OS administrator imports and manages policy recommendations from the SaaS Security administrator.
The SaaS Security administrator creates the new rule, adds applications, users, and groups to the rule, and sets the rule action. The rule action can be allow or block; no other actions are permitted for pushed rules. The SaaS Security administrator then pushes the rule to the appropriate appliances, and the rule appears in the firewall interface ().
The PAN-OS administrator evaluates the recommended rule and decides whether to implement it on the firewall. If the PAN-OS administrator chooses to implement the rule, the administrator imports it on the firewall and selects where to place the policy rule in the firewall rulebase. When a PAN-OS administrator imports a policy recommendation, the firewall creates the required HIP profiles, tags, and Application Groups automatically (the PAN-OS administrator doesn’t have to do it manually).
If the SaaS Security administrator pushes Security profiles with the policy recommendation and those profiles don’t exist on the firewall, the firewall import fails. If the profiles already exist on the firewall, the import succeeds.
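The prerequisites and import rules above can be reduced to a small pre-flight check. The following Python is an added illustration written for this page, not PAN-OS or SaaS Security code: it models a pushed recommendation and a firewall's state, and reports every condition the text names that would stop the import (PAN-OS earlier than 10.1, no SaaS Security Inline license, no valid device certificate, an action other than allow or block, Security profiles that don't exist on the firewall, and Traffic or URL logs not forwarded to CDL). The data classes, field names, and sample values are constructed assumptions; the `-apps` Application Group naming is hypothetical.

```python
"""Pre-flight check for importing a SaaS policy recommendation.

Hypothetical model (not PAN-OS code) of the import conditions described on
this page. All names, fields, and sample values are constructed.
"""
from dataclasses import dataclass, field

ALLOWED_ACTIONS = {"allow", "block"}            # only actions permitted for pushed rules
RECOMMENDATION_TAG = "SaaSSecurityRecommended"  # tag applied automatically on import
MIN_PANOS = (10, 1)                             # PAN-OS 10.1 or later is required
REQUIRED_CDL_LOG_TYPES = {"traffic", "url"}     # minimum log types forwarded to CDL


@dataclass
class Recommendation:
    """A rule pushed by the SaaS Security administrator (constructed model)."""
    name: str
    applications: list
    action: str
    users: list = field(default_factory=list)
    groups: list = field(default_factory=list)
    security_profiles: list = field(default_factory=list)


@dataclass
class FirewallState:
    """The parts of a firewall's state the import depends on (constructed model)."""
    panos_version: tuple
    saas_inline_licensed: bool
    device_certificate_valid: bool
    security_profiles: set
    cdl_forwarded_log_types: set


def parse_version(text):
    """'10.1.4' -> (10, 1, 4); tuple comparison handles the 10.1-or-later check."""
    return tuple(int(part) for part in text.split("."))


def check_import(rec, fw):
    """Return the reasons an import would fail; an empty list means it succeeds."""
    problems = []
    if fw.panos_version < MIN_PANOS:
        problems.append("PAN-OS earlier than 10.1 does not support SaaS Policy Recommendation")
    if not fw.saas_inline_licensed:
        problems.append("no SaaS Security Inline license: recommendations are not pulled")
    if not fw.device_certificate_valid:
        problems.append("device certificate missing or invalid")
    if rec.action not in ALLOWED_ACTIONS:
        problems.append(f"action {rec.action!r} not permitted; only allow or block")
    missing_profiles = sorted(set(rec.security_profiles) - fw.security_profiles)
    if missing_profiles:
        problems.append("security profiles not on firewall: " + ", ".join(missing_profiles))
    missing_logs = sorted(REQUIRED_CDL_LOG_TYPES - fw.cdl_forwarded_log_types)
    if missing_logs:
        problems.append("log types not forwarded to CDL: " + ", ".join(missing_logs))
    return problems


def import_rule(rec, fw):
    """Return the rule as the firewall would hold it after import, or None on failure.

    Mirrors the page: the Application Group and the recommendation tag are
    created for the administrator rather than configured by hand.
    """
    if check_import(rec, fw):
        return None
    return {
        "name": rec.name,
        "application-group": f"{rec.name}-apps",   # hypothetical auto-created group name
        "applications": list(rec.applications),
        "source-user": (list(rec.users) + list(rec.groups)) or ["any"],
        "action": rec.action,
        "profiles": list(rec.security_profiles),
        "tags": [RECOMMENDATION_TAG],
    }


# Constructed sample data.
FW = FirewallState(parse_version("10.1.4"), True, True,
                   {"default-av", "strict-url"}, {"traffic", "url", "threat"})
FW_OLD = FirewallState(parse_version("10.0.8"), True, True,
                       {"default-av"}, {"traffic", "url"})
REC_OK = Recommendation("block-unsanctioned-storage", ["example-drive-app"], "block",
                        groups=["finance"], security_profiles=["default-av"])
REC_MISSING_PROFILE = Recommendation("allow-crm", ["example-crm-app"], "allow",
                                     security_profiles=["custom-dlp"])
REC_BAD_ACTION = Recommendation("drop-chat", ["example-chat-app"], "drop")

if __name__ == "__main__":
    for rec in (REC_OK, REC_MISSING_PROFILE, REC_BAD_ACTION):
        print(rec.name, "->", check_import(rec, FW) or "import succeeds")
    print(REC_OK.name, "on 10.0.8 ->", check_import(REC_OK, FW_OLD))
```

Run as a script to see each sample recommendation evaluated; the missing-profile and non-allow/block cases fail exactly as the text describes, and the successful import carries the SaaSSecurityRecommended tag.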
If the SaaS Security administrator updates a policy rule recommendation, the PAN-OS administrator sees the update and imports it into the firewall. If the SaaS Security administrator deletes a policy rule recommendation, the PAN-OS administrator sees the action and deletes the rule from the firewall Security policy rulebase.
If the SaaS Security Inline license expires, the firewall no longer pulls SaaS policy recommendations, so you see no new recommendations. However, Security policy rules that you already imported continue to work.
If you disable ACE, the firewall no longer receives new cloud application signatures and App-IDs, and the firewall cannot import SaaS policy recommendations based on new ACE App-IDs.
The ACE deployment process (connecting to the cloud, installing device certificates, activating the license on the SaaS Security Portal and pushing it to Panorama and firewalls, etc.) also sets up SaaS Policy Recommendation.
User interface additions for this new feature include:
displays policy recommendations from SaaS administrators and enables firewall administrators to import, update, remove, and control recommended SaaS policies. The page display includes Application Groups configured by the SaaS administrator for the policy.
SaaS policy recommendations are automatically tagged SaaSSecurityRecommended, which is displayed in the Tags column in the interface.
You can import and update SaaS policy recommendations pushed by SaaS administrators and remove SaaS policy recommendations that the SaaS administrator has deleted.