Understand SaaS Custom Headers
Understand the custom HTTP headers you will use before
you create HTTP Header Insertion Rules for your Palo Alto Networks®
firewall.
Before you begin, make sure you understand the custom
HTTP headers you will use with the SaaS application you are managing.
You need to understand what you can accomplish with these headers
and the information you need to specify to accomplish your goals.
Be aware that SaaS applications that use custom headers do not
always use them to control access to types of accounts. For example,
Palo Alto Networks® provides predefined support for YouTube custom
headers that determine whether network users can access restricted
content.
You should also read the documentation for the SaaS application
to which you want to control access so that you understand what
headers you need to use for that application.
The following limits apply to HTTP header insertion:
Header name character length: 100.
Header value character length: 512.
Be aware that some SaaS applications might define custom header names,
or assign values to their custom headers, that exceed these limits.
These situations should be rare, but if a SaaS application does
exceed one or both of these character length limits, then your next-generation
firewall cannot successfully manage access to that SaaS application.
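The following pre-flight check is an added example, not Palo Alto Networks code: it tests a planned header name and a list-valued header value against the two limits above and reports how many list entries fit. It assumes list entries are joined with commas and counts characters as Python string length; the domains are constructed placeholders.

```python
"""Pre-flight check of planned header insertion entries against the limits above."""

MAX_NAME_CHARS = 100   # header name limit stated on this page
MAX_VALUE_CHARS = 512  # header value limit stated on this page


def build_value(items, sep=","):
    """Join list entries into one header value (comma separator is an assumption)."""
    return sep.join(item.strip() for item in items)


def fitting_prefix(items, sep=","):
    """Return how many leading entries fit in one value of MAX_VALUE_CHARS."""
    used = 0
    for count, item in enumerate(items):
        extra = len(item.strip()) + (len(sep) if count else 0)
        if used + extra > MAX_VALUE_CHARS:
            return count
        used += extra
    return len(items)


def check_header(name, items):
    """Return a list of problems; an empty list means the header fits."""
    problems = []
    value = build_value(items)
    if len(name) > MAX_NAME_CHARS:
        problems.append(f"name is {len(name)} chars, limit {MAX_NAME_CHARS}")
    if len(value) > MAX_VALUE_CHARS:
        fit = fitting_prefix(items)
        problems.append(
            f"value is {len(value)} chars, limit {MAX_VALUE_CHARS}; "
            f"only the first {fit} of {len(items)} entries fit"
        )
    return problems


# Constructed sample data: placeholder domains, not real tenants.
SMALL = ["example.com", "corp.example.com"]
LARGE = [f"subsidiary-{n:03d}.example.com" for n in range(40)]

if __name__ == "__main__":
    for name, items in [("X-GooGApps-Allowed-Domains", SMALL),
                        ("Restrict-Access-To-Tenants", LARGE)]:
        print(name, check_header(name, items) or "OK")
```

Run it against the real domain or tenant list before creating the rule, so that an oversized value is caught before it reaches the firewall configuration.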
The following table lists the headers that you can use for the
SaaS applications for which Palo Alto Networks provides predefined
support; each header also includes a link to more information specific
to that header.
| Header | Description |
| --- | --- |
| X-Dropbox-allowed-Team-Ids | You can allow access to sanctioned Enterprise Dropbox accounts. This header's value is the business account's team ID, which you can obtain from the network control section of the Dropbox admin console. You must also enable this functionality from the same location. For details on managing this header, as well as how to enable your Dropbox clients so that you can decrypt their traffic, contact your Dropbox account representative. |
| X-GooGApps-Allowed-Domains | You can allow access to specific Google accounts from your domain. The values that you give to this header are your domain and subdomains. To successfully insert headers for Google applications, you must also: (1) Create an SSL decryption profile that includes the following categories and URLs: business-and-economy, computer-and-internet-info, content-delivery-networks, internet-communications-and-telephony, low-risk, online-storage-and-backup, search-engine, web-based-email, drive.google.com, *.google.com, *.googleusercontent.com, *.gstatic.com. HTTP header insertion is not currently supported for HTTP/2. To insert headers, downgrade HTTP/2 connections to HTTP/1.1 using the Strip ALPN feature in the appropriate decryption profile. For more information, see App-ID and HTTP/2 Inspection. (2) Create rules to block the Quick UDP Internet Connections (QUIC) App-ID and place them at the top of your security policy because the firewall does not support header insertion for this protocol. When you do, the app reverts to using HTTP/2 over TLS, which the firewall handles in the previous step. |
| Restrict-Access-To-Tenants | You provide Restrict-Access-To-Tenants with a list of tenants you want to allow your users to access. You can use any domain that is registered with a tenant to identify the tenant in this list. You provide Restrict-Access-Context with the directory ID that is setting the tenant restriction. You can find your directory ID in the Azure portal. Sign in as an administrator, select Azure Active Directory, then select Properties. |
| | You provide this header with information on the type of videos you want your users to be able to view. You can specify either a Strict or Moderate setting. See support.google.com/a/answer/6212415 for details on these different settings. |