Generate the SaaS Application Usage Report
The SaaS Application Usage PDF report is a two-part report that is based on the notion of sanctioned and unsanctioned applications. A sanctioned application is an application that you formally approve for use on your network; a SaaS application is an application that has the characteristic SaaS=yes in the applications details page in Objects > Applications, all other applications are considered as non-SaaS. To indicate that you have sanctioned a SaaS or non-SaaS application, you must tag it with the new predefined tag named Sanctioned. The firewall and Panorama consider any application without this predefined tag as unsanctioned for use on the network.
The first part of the report (8 pages) focuses on the SaaS applications used on your network during the reporting period. It presents a comparison of sanctioned versus unsanctioned SaaS applications by total number of applications used on your network, bandwidth consumed by these applications, and the number of users using these applications. This first part of the report also highlights the top SaaS application subcategories listed in order by maximum number of applications used, the number of users, and the amount of data (bytes) transferred in each application subcategory. The second part of the report focuses on the detailed browsing information for SaaS and non-SaaS applications for each application subcategory listed in the first-part of the report. For each application in a subcategory, it also includes information about the top users who transferred data, the top blocked or alerted file types, and the top threats for each application. In addition, this section of the report tallies samples for each application that the firewall submitted for WildFire analysis, and the number of samples determined to be benign and malicious.
Use the insights from this report to consolidate the list of business-critical and approved SaaS applications and to enforce policies for controlling unsanctioned applications that pose an unnecessary risk for malware propagation and data leaks.
The predefined SaaS application usage report introduced in PAN-OS 7.0 is still available as a daily report that lists the top 100 SaaS applications (with the SaaS application characteristic, SaaS=yes) running on your network on a given day.
Generate the SaaS Application Usage Report
Tag applications that you approve for use on your network as Sanctioned. The accuracy of the report depends on whether you have tagged an application as Sanctioned. You can tag both SaaS and non-SaaS applications as Sanctioned; the detailed browsing section of the SaaS Application Usage report displays whether the application is SaaS and whether it is sanctioned. Select Object > Applications. Click the application Name to edit an application and select Edit in the Tag section. Select Sanctioned from the Tags drop-down. You must use the predefined Sanctioned tag (with the azure colored background). If you use any other tag to indicate that you sanctioned an application, the firewall will fail to recognize the tag and the report will be inaccurate.
Click OK and Close to exit all open dialogs.
Configure the SaaS Application Usage report. Select Monitor > PDF Reports > SaaS Application Usage. Click Add, enter a Name, and select a Time Period for the report (default is Last 7 Days). By default, the report includes detailed information on the top SaaS and non-SaaS application subcategories, which can make the report large by page count and file size. Clear the Include detailed application category information in report check box if you want to reduce the file size and restrict the page count to eight pages.
To generate the report on-demand, click Run Now. Make sure that the pop-up blocker is disabled on your browser because the report opens in a new tab. Click OK to save your changes.
Schedule Reports for Email Delivery. On the PA-200, PA-500, and PA-2000 Series firewalls, the SaaS Application Usage report is not sent as a PDF attachment in the email. Instead, the email includes a link that you must click to open the report in a web browser.

Related Documentation