Update Your Policy Rulebase for ACE App-IDs on Panorama
Table of Contents
Expand all | Collapse all
-
-
- Allowed List of IP Addresses
-
- Begin Scanning a Bitbucket App
- Begin Scanning a Box App
- Begin Scanning ChatGPT Enterprise App
- Begin Scanning a Cisco Webex Teams App
- Begin Scanning a Confluence App
- Begin Scanning a Confluence Data Center App
- Begin Scanning a Dropbox App
- Begin Scanning a GitHub App
- Begin Scanning a Gmail App
- Begin Scanning a Google Drive App
- Begin Scanning a Jira App
- Begin Scanning a Jira Data Center App
- Begin Scanning a Microsoft Exchange App
- Begin Scanning Office 365 Apps
- Begin Scanning a Microsoft Teams App
- Begin Scanning a Salesforce App
- Begin Scanning a ServiceNow App
- Begin Scanning a ShareFile App
- Begin Scanning a Slack Enterprise App
- Begin Scanning a Slack for Pro and Business App
- Begin Scanning a Workday App (Beta)
- Begin Scanning a Zendesk App
- Begin Scanning a Zoom App
- Reauthenticate to a Cloud App
- Verify Permissions on Cloud Apps
- Start Scanning a Cloud App
- Rescan a Managed Cloud App
- Delete Cloud Apps Managed by Data Security
- API Throttling
- Configure Classification Labels
- Microsoft Labeling for Office 365
- Google Drive Labeling
- Configure Phishing Analysis
- Configure WildFire Analysis
-
-
-
- What is an Incident?
- Assess New Incidents on Data Security
- Filter Incidents
- Configure Slack Notification Alerts on Data Security
- Security Controls Incident Details
- Track Down Threats with WildFire Report
- Customize the Incident Categories
- Close Incidents
- Download Assets for Incidents
- View Asset Snippets for Incidents
- Analyze Inherited Exposure
- Email Asset Owners
- Modify Incident Status
-
-
-
- What’s SaaS Security Inline?
- Navigate To SaaS Security Inline
- SaaS Visibility for NGFW
- SaaS Visibility and Controls for NGFW
- SaaS Visibility for Prisma Access
- SaaS Visibility and Controls for Panorama Managed Prisma Access
- SaaS Visibility and Controls for Cloud Managed Prisma Access
- Activate SaaS Security Inline for NGFW
- Activate SaaS Security Inline for VM-Series Firewalls with Software NGFW Credits
- Activate SaaS Security Inline for Prisma Access
- Connect SaaS Security Inline and Strata Logging Service
- Integrate with Azure Active Directory
-
-
- SaaS Policy Rule Recommendations
- App-ID Cloud Engine
- Guidelines for SaaS Policy Rule Recommendations
- Predefined SaaS Policy Rule Recommendations
- Apply Predefined SaaS Policy Rule Recommendations
- Create SaaS Policy Rule Recommendations
- Delete SaaS Policy Rule Recommendations
- Enable SaaS Policy Rule Recommendations
- Modify Active SaaS Policy Rule Recommendations
- Monitor SaaS Policy Rule Recommendations
-
- Enable Automatic Updates for SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Import New SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Update Imported SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Remove Deleted SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Manage Enforcement of Rule Recommendations on NGFW
- Manage Enforcement of Rule Recommendations on Panorama Managed Prisma Access
- Change Risk Score for Discovered SaaS Apps
-
-
-
-
- Onboarding Overview for Supported SaaS Apps
- Onboard an Aha.io App to SSPM
- Onboard an Alteryx Designer Cloud App to SSPM
- Onboard an Aptible App to SSPM
- Onboard an ArcGIS App to SSPM
- Onboard an Articulate Global App to SSPM
- Onboard an Atlassian App to SSPM
- Onboard a BambooHR App to SSPM
- Onboard a Basecamp App to SSPM
- Onboard a Bitbucket App to SSPM
- Onboard a BlueJeans App to SSPM
- Onboard a Box App to SSPM
- Onboard a Bright Security App to SSPM
- Onboard a Celonis App to SSPM
- Onboard a Cisco Meraki App to SSPM
- Onboard a ClickUp App to SSPM
- Onboard a Confluence App to SSPM
- Onboard a Contentful App to SSPM
- Onboard a Convo App to SSPM
- Onboard a Couchbase App to SSPM
- Onboard a Coveo App to SSPM
- Onboard a Crowdin Enterprise App to SSPM
- Onboard a Customer.io App to SSPM
- Onboard a Databricks App to SSPM
- Onboard a Datadog App to SSPM
- Onboard a DocHub App to SSPM
- Onboard a DocuSign App to SSPM
- Onboard an Envoy App to SSPM
- Onboard an Expiration Reminder App to SSPM
- Onboard a Gainsight PX App to SSPM
- Onboard a GitHub Enterprise App to SSPM
- Onboard a GitLab App to SSPM
- Onboard a Google Analytics App to SSPM
- Onboard a Google Workspace App to SSPM
- Onboard a GoTo Meeting App to SSPM
- Onboard a Grammarly App to SSPM
- Onboard a Harness App to SSPM
- Onboard a Hellonext App to SSPM
- Onboard an IDrive App to SSPM
- Onboard an Intercom App to SSPM
- Onboard a Jira App to SSPM
- Onboard a Kanbanize App to SSPM
- Onboard a Kanban Tool App to SSPM
- Onboard a Kustomer App to SSPM
- Onboard a Lokalise App to SSPM
- Onboard a Microsoft Azure AD App to SSPM
- Onboard a Microsoft Outlook App to SSPM
- Onboard a Microsoft Power BI App to SSPM
- Onboard a Miro App to SSPM
- Onboard a monday.com App to SSPM
- Onboard a MongoDB Atlas App to SSPM
- Onboard a MuleSoft App to SSPM
- Onboard a Mural App to SSPM
- Onboard an Office 365 App to SSPM
- Onboard an Okta App to SSPM
- Onboard a PagerDuty App to SSPM
- Onboard a RingCentral App to SSPM
- Onboard a Salesforce App to SSPM
- Onboard an SAP Ariba App to SSPM
- Onboard a ServiceNow App to SSPM
- Onboard a Slack Enterprise App to SSPM
- Onboard a Snowflake App to SSPM
- Onboard a SparkPost App to SSPM
- Onboard a Tableau Cloud App to SSPM
- Onboard a Webex App to SSPM
- Onboard a Workday App to SSPM
- Onboard a Wrike App to SSPM
- Onboard a YouTrack App to SSPM
- Onboard a Zendesk App to SSPM
- Onboard a Zoom App to SSPM
- Onboarding an App Using Azure AD Credentials
- Onboarding an App Using Okta Credentials
- Register an Azure AD Client Application
- View the Health Status of Application Scans
- Delete SaaS Apps Managed by SSPM
Update Your Policy Rulebase for ACE App-IDs on Panorama
Update your Security policy rulebase after enabling App-ID Cloud Engine (ACE) to
allow and block the correct app traffic for NGFW and Prisma Access(Managed by Panorama).
- Activate SaaS Security Inline for Prisma Access.ACE automatically activates for your Prisma Access tenant after you successfully activate SaaS Security Inline.Log in to Strata Cloud Manager and verify that SaaS Security Inline is activated on your Prisma Access tenant.You can check for an activate SaaS Security Inline using one of the following ways:
- HubThe Hub now displays a Data Security tile redirecting you to SaaS Security Inline on Strata Cloud Manager.
- NGFW or Prisma Access(Managed by Panorama)On Strata Cloud Manager, CASB displays and you can now configure SaaS Security Inline.
Log in to the Panorama web interface.Select ObjectsApplications Filters and Add a new application filter that includes the App-ID Cloud Engine tag.An application filter allows you to dynamically group apps based on specific app attributes you define. In this case, the application filter applies to any app that includes the predefined App-ID Cloud Engine tag.You can create the application filter as part of the Shared device group scope to make the application filter available to all other device groups, or you can select a specific device group scope.For this example we named the application filter ace-appid-filter.Create a Security policy rule to allow traffic for the same users you allow access to apps with the ssl or web-browsing App-IDs.- Select PoliciesSecurity and change to the appropriate Device Group scope.Add and create a new Security policy rule.For this example we named the new Security policy rule ace-appid-allow.Configure the Source and Destination settings to match the existing Security policy rules allowing access to apps with the ssl or web-browsing App-IDs.Select Application and Add the application filter you created in the previous step.For the Action in the Actions settings, select Allow.Configure the rest of the Security policy rule as needed.Click OK.Order the newly created Security policy rule at the bottom of the policy rulebase.By ordering this Security policy rule at the bottom of your Security policy rulebase, you block unsanctioned app traffic before allowing legitimate access to apps with App-IDs delivered through ACE.Identify and allow access to allowed apps unintentionally blocked after you enable ACE.In some cases, application filters associated with an existing Security policy rule might unintentionally block traffic to legitimate apps you allow access to after you enable ACE. For example, consider the unsanctioned-apps Security policy rule with the block-apps application filter. Before you enabled ACE this application filter matched 100 apps but after you enabled ACE it matches 1,000 apps. However, of the additional 900 apps there are 10 apps you need to allow. In this case, you need to create a Security policy rule allowing traffic to these apps.
- Contact your Palo Alto Networks representative to generate a SaaS Risk Report and to help you compile a list of ACE App-IDs that match your application filter after you enable ACE.Compiling a list before you enable ACE allows you to understand how many new App-IDs are going to match your existing Security policy rules. By taking proactive steps to identify allowed apps and to create a Security policy rule to explicitly allow them before you enable ACE helps minimize blocked access to allowed apps and unintentional business interruption.Review your Deny Security policy rules and identify all application filters associated with them.Select ObjectsApplicationsApplication Filter and select each application filter to review the lists of impacted apps. Make note of any legitimate apps you want to allow.Generate a SaaS Security Report to see a list of top used apps.Select ObjectsApplicationsApplication Group and create application groups to logically group the apps you want to allow.For this example we named the application group allowed apps.Select Security ServicesSecurity Policy and create a Security policy rule to allow traffic to the application groups you created in the previous step.Alternatively, you can create different Security policy rules for each application group if different users are allowed access to different apps.Order the newly created Security policy rule above your Deny Security policy rules to allow access to those apps.(Best Practices) After you enable ACE and update your Security policy rulebase, Palo Alto Networks recommends you frequently review our Traffic logs and respond to user complaints about blocked access to previously allowed apps.Frequently review the traffic logs on Panorama(MonitorLogsTraffic) to confirm that unsanctioned apps are correctly blocked while sanctioned apps are allowed. The Application and Action columns provide you with data on which applications are blocked and allowed. As you review your logs and respond to users about access issues, you can create additional application groups and Security policy rules to restore access to these apps.