: Activate SaaS Security Inline for Prisma Access
Focus
Focus

Activate SaaS Security Inline for Prisma Access

Table of Contents

Activate SaaS Security Inline for Prisma Access

Learn how to activate SaaS Security Inline on Prisma Access.
To unlock the SaaS Security Inline capabilities—SaaS visibility, SaaS policy rule recommendations, and ACE (App-ID Cloud Engine), simply activate SaaS Security Inline from the activation email that you received. After activation, you can log in to your SaaS Security Inline tenant to explore SaaS visibility data.
If you are enabling SaaS Security Inline for Next-Generation CASB, activate in SASE Cloud Management Console using the activation email you received.
SaaS Security Inline activation:
  • Creates a URL for SaaS Security Inline login.
  • Adds the SaaS Security Inline license to Prisma Access so that you can unlock SaaS Security Inline features.
  • Enables a secure and encrypted connection and successful, mutual authentication between SaaS Security Inline, Prisma Access, and Strata Logging Service.
Before you activate:
  • Verify log forwarding. Because SaaS Security Inline requires network traffic data for analysis, you must enable Prisma Access to forward logs with that data to Strata Logging Service. Your SaaS Security Inline subscription requires that you also have an active Strata Logging Service instance, which stores the data logs from Prisma Access and streams them to SaaS Security Inline. Without logs, SaaS Security Inline cannot display SaaS application visibility data and might not be able to enforce SaaS policy rule recommendations. (Security administrator)
    • Panorama Manged Prisma Access—Enable log forwarding. Not enabled by default.
    • Cloud Managed Prisma Access—Verify log forwarding. Enabled by default.
  • Ensure that your environment meets all the activation requirements for the SaaS Security Inline features you want to enable for your platform. (SaaS administrator)
    Requirement
    Features
    SaaS Visibility
    SaaS Policy Recommendations Synchronization (Policy Enforcement) and ACE
    Supported Prisma Access release.
    Cloud Managed Prisma Access—Yes
    Panorama Managed Prisma Access—Yes
    Cloud Managed Prisma Access—Yes, Prisma Access 3.0 Innovation or later (Dataplane 10.1.x or later) as outlined in Prisma Access Administrator’s Guide. The Web Security feature must be enabled on the tenant.
    Panorama Managed Prisma Access—Yes, Prisma Access 3.0 Innovation or later (Dataplane 10.1.x or later) as outlined in Prisma Access Administrator’s Guide
    One new or existing Strata Logging Service license.
    Cloud Managed Prisma Access—Yes
    Panorama Managed Prisma Access—Yes, one per SaaS tenant
    Same Support Account (CSP ID) for SaaS tenant, Strata Logging Service, Enterprise DLP, and Prisma Access tenant.
    Cloud Managed Prisma Access—Yes
    Panorama Managed Prisma Access—Yes
    One SaaS Security Inline license per CSP ID.
    Cloud Managed Prisma Access—Yes
    Panorama Managed Prisma Access—Yes
    Enterprise DLP license on Prisma Access and in the same CSP account as the SaaS tenant.
    Cloud Managed Prisma Access— Yes
    Panorama Managed Prisma Access— Yes
    Cloud Managed Prisma Access—Yes
    Panorama Managed Prisma Access—Yes
    SaaS Security Inline requires network traffic data for analysis. Prisma Access automatically forwards logs with that data to Strata Logging Service. Your SaaS Security Inline subscription requires that you have an active Strata Logging Service instance, which stores the data logs from Prisma Access.
The example activation below is for a new Panorama Managed Prisma Access deployment. Adding a SaaS Security Inline license to an existing Panorama Managed Prisma Access deployment or Cloud Managed Prisma Access deployment is similar, but not identical. Use this example as a guide.
  1. Open your SaaS Security Inline activation email and click Activate.
    The number of Activate buttons in the email you received depends on what you purchased. Each Activate button launches the same onboarding workflow that lets you activate all your purchased products together. Click any Activate button to begin. Additionally, your activation email depends on the type of activation: purchase, trial, or evaluation.
  2. Log in with your Palo Alto Networks Customer Support Portal account credentials.
  3. Select the products to activate, then Start Activation.
    If you have multiple items to activate, leave them all selected when you Start Activation.
  4. Select a Customer Support Account, then Next.
    If you have more than one Support account, select the one associated with the Prisma Access tenant to subscribe to SaaS Security Inline.
  5. Choose how to manage Prisma Access, then Next.
    • Cloud-Based Management Console—Use the Prisma Access app on the Palo Alto Networks hub to quickly onboard branches and mobile users.
    • Panorama—Use the Cloud Services plugin on Panorama to set up and manage Prisma Access. If new Panorama, Register New Panorama.
  6. In Finalize Selections, configure SaaS Security Inline.
    • Strata Logging Service Selection and Region Selection—You must have an active Strata Logging Service or activate a new one now. Do one of the following:
      • New Strata Logging Service—Select Activate New if you are activating a new Strata Logging Service subscription, then choose its region.
      • Existing Strata Logging Service—Select an existing instance to use if you did not purchase a new Strata Logging Service. If you have more than one Strata Logging Service instance, choose the one to which Prisma Access will forward logs with network traffic metadata.
    • SaaS Tenant, SaaS Region, and SaaS Subdomain—Do one of the following:
      • New Tenant—Select Activate New to create a new SaaS Security Inline tenant, then type a subdomain name, which completes the URL for your SaaS Security Inline app and becomes the URL where you log in to the SaaS Security web interface. SaaS Subdomain is prepopulated with the domain name from your email address, but you can change it if you want.
      • Existing Tenant—Select an existing tenant if you did not purchase a new Strata Logging Service or you don’t want to activate a newly purchased Strata Logging Service. Each SaaS tenant requires a unique Strata Logging Service. You cannot reuse Strata Logging Services. The onboarding process enforces this requirement and automatically populates SaaS Tenant with the SaaS tenant that is mapped to the existing Strata Logging Service. SaaS Region defaults to Strata Logging Service region.
  7. Verify your activation selections, read and agree to the terms and conditions, then Confirm Selections.
    Depending upon what you onboard, the activation process creates a URL for your SaaS Security web interface and applies SaaS Security Inline licenses to the selected Prisma Access tenant and links them to your SaaS Security account.
  8. Verify that your Strata Logging Service serial number displays on the web interface and indicates Monitoring.
  9. Navigate to SettingsLicense Info, then verify your SaaS Security Inline license.