If the SaaS Security administrator
pushes new or updated Application Groups, HIP profiles, or tags,
the firewall automatically creates or updates those objects. If
the SaaS Security administrator pushes Security profiles with the
policy recommendation update and those profiles don’t exist on the
firewall, the firewall import fails. If the profiles already exist
on the firewall, the import succeeds.