PAN-OS 7.1 SaaS Visibility and Control

Created On 09/26/18 13:44 PM - Last Modified 06/12/20 01:15 AM


Environment


  • Palo Alto Firewall.
  • PAN-OS 7.1 and above.


Resolution


Software as a Service (SaaS) providers enable users to access services in the cloud. Prior to PAN-OS 7.1, administrators could report only on general aspects with respect to SaaS.

 

 

SaaS applications are all initially 'unsanctioned,' in that there is no tag on the application. A predefined tag, 'Sanctioned,' is configured and can be selected in SaaS applications. While any application can be tagged, only SaaS applications will be included in the SaaS report. There is very little configuration needed, and the report will run on upgrade to PAN-OS 7.1. Everything in the report will show as Unsanctioned. Adding the Sanctioned tag (or removing it) after the fact will alter the report, as it is run in real-time against the current list of tagged applications.

 

The applications list can be filtered to display only applications that were tagged or by selecting Characteristic SaaS as a filter.

An application can also be tagged on the spot by selecting its checkbox and selecting the tag operation from the bottom options.

Applications can also be tagged from the CLI:

> configure
# set application-tag dropbox tag Sanctioned
# commit

 

Usage reports can be created from

  • Monitor > SaaS Application Usage Report

A few caveats to consider:

 

  • Tags do not propagate to other virtual systems: If an application is Sanctioned on vsys2, it will not automatically become Sanctioned on vsys1.
  • Running a report on an individual vsys will narrow the report results to that vsys.
  • A report on “all” virtual systems will run, but will produce a warning:
    • 'There are virtual systems configured on this device. Please note that running the SaaS Application Usage report for All Vsys with mixed application tagging will produce overlapping results.'
    • Example: Box is sanctioned on vsys1 while Google Drive is sanctioned on vsys2. When this report is run against All Vsys, users in vsys1 using Google Drive will count toward 'Unsanctioned.' Both applications will appear in both sections.
    • On the report, "Partially Sanctioned" applications can be one of 2 things:
      1. On a firewall – The app is sanctioned in Vsys A but not sanctioned in Vsys B.
      2. On Panorama – The app is sanctioned on firewall A, but not on firewall B.
  • Panorama
    • If Panorama is managing a device earlier than PAN-OS 7.1, it will not be included in the aggregate report.
    • If pushing a SaaS report to a device earlier than PAN-OS 7.1, that part of the configuration will be ignored.
    • When running a report on Panorama, only the applications tagged on Panorama are used (as each firewall may have different sets of applications tagged).
  • Commit Changes
    • The list of sanctioned apps needs to be synced to all log collectors on commit.
    • Changing an application’s tag requires a commit to become effective.
  • Migration
    • The predefined SaaS report is new and will be removed by the downgrade script.
    • Tags added to applications will be removed on downgrade.
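
The tagging caveats above can be checked before running an All Vsys or Panorama report. The following is an added example, not Palo Alto Networks code: it models how mixed tagging yields "Partially Sanctioned" entries and which tagged applications never reach the report because they are not SaaS. The application names, vsys names and the SaaS set are constructed sample data.

```python
def classify(tags_by_scope, saas_apps):
    """Map each SaaS app to (status, scopes where the tag is missing).

    tags_by_scope: {scope: set of apps carrying the Sanctioned tag}, where a
    scope is a vsys on one firewall or a firewall managed by Panorama.
    """
    scopes = sorted(tags_by_scope)
    result = {}
    for app in sorted(saas_apps):
        tagged = [s for s in scopes if app in tags_by_scope[s]]
        if tagged and len(tagged) == len(scopes):
            result[app] = ("Sanctioned", [])
        elif tagged:
            # Tagged in some scopes only: counts on both sides of the report.
            missing = [s for s in scopes if s not in tagged]
            result[app] = ("Partially Sanctioned", missing)
        else:
            result[app] = ("Unsanctioned", [])
    return result


def ignored_tags(tags_by_scope, saas_apps):
    """Tagged apps that are not SaaS: tagging is allowed, the report skips them."""
    tagged = set().union(*tags_by_scope.values())
    return sorted(tagged - set(saas_apps))


# Constructed sample data (assumption): apps with the SaaS characteristic and
# the Sanctioned tags present on each vsys.
SAAS_APPS = {"box", "google-drive", "dropbox", "example-saas"}
TAGS = {
    "vsys1": {"box", "dropbox", "ssh"},
    "vsys2": {"google-drive", "dropbox"},
}

if __name__ == "__main__":
    for app, (status, missing) in classify(TAGS, SAAS_APPS).items():
        note = f" (not tagged on: {', '.join(missing)})" if missing else ""
        print(f"{app:14} {status}{note}")
    print("tagged but not SaaS:", ignored_tags(TAGS, SAAS_APPS))
```

Any application listed as "Partially Sanctioned" here is one whose tag should be aligned across the listed scopes, followed by a commit, before the aggregate report is relied on.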

