When a SaaS Security administrator pushes
Security policy rule recommendations to a PAN-OS firewall (or Panorama),
the PAN-OS administrator can import those rules to gain visibility
into and control of the applications in the policy recommendation.
However, if the SaaS administrator updates the rule, for example
by adding or removing applications, the rule also needs to be updated
on the firewall.
If the SaaS Security administrator
pushes new or updated Application Groups, HIP profiles, or tags,
the firewall automatically creates or updates those objects. If
the SaaS Security administrator pushes Security profiles with the
policy recommendation update and those profiles don’t exist on the
firewall, the firewall import fails. If the profiles already exist
on the firewall, the import succeeds.