SaaS Policy Recommendation page is unavailable with error message "no grpc connection available for policy get"
Question
Although users can review traffic data on the SaaS Security dashboard, the firewall's management web interface page [Device > Policy Recommendation > SaaS] is unavailable and displays the error message "no grpc connection available for policy get".
Environment
- PAN-OS 10.1 or later
- SaaS Security Inline and Logging Service licenses are installed and active
- Device Certificate is installed and valid
Answer
- To use SaaS App-ID Policy Recommendation, the firewall must be able to connect to the ICD Cloud server.
- The status of the connection to the ICD Cloud server can be checked with the CLI command show iot icd statistics all.
> show iot icd statistics all
ICD Cloud server: not configured
Cloud connection: failed    <<<<<!!!!!
Summary of ICD gRPC client:
    number of connection reset: 0
    number of connection failed: 0
    number of connection established: 0
    number of connection attempts: 0
    number of connection released: 0
    number of connection selected: 0
    number of selections failed: 6
    number of bytes sent: 0
    number of bytes received: 0
    Last gRPC connection Attempt: 1970-01-01 09:00:00 +0900 JST
    Last successful gRPC connection: 1970-01-01 09:00:00 +0900 JST
Summary of gRPC connections [configured source IP: ]:
    Device cert status: Installed
    Validity: Notbefore: 2022-05-01 09:00:00 +0000 UTC  Notafter: 2022-07-30 09:00:00 +0000 UTC
    EnforcerURL: enforcer.iot.services-edge.paloaltonetworks.com:443
    max gRPC connections: 1, max alive time: 900 seconds, max bytes sent: unlimited
In this output, "ICD Cloud server: not configured" and "Cloud connection: failed" identify the problem. The 1970-01-01 timestamps are Unix epoch zero: no gRPC connection has ever been attempted (number of connection attempts: 0), and "number of selections failed: 6" shows the daemon has repeatedly failed to select a cloud server to connect to. "Device cert status: Installed" with a validity window covering the current date confirms that the device certificate itself is not the cause.
[Pattern A]
Attempts to reach the EnforcerURL are recorded in mp-log icd.log.
Here is a sample of a failed attempt; in this case the connection could not be established because of "no route to host".
{"level":"error","time":"2022-05-19T11:32:56.320562353+09:00","message":"[ICD-EDGE-ADDRESS] enforcer client request failed err: Get https://enforcer.iot.services-edge.paloaltonetworks.com:443/v1/iot/edge-service-address: dial tcp 35.232.8.220:443: connect: no route to host"}
In such a case, check reachability to the Enforcer URL: for example, whether the host enforcer.iot.services-edge.paloaltonetworks.com is accessible from the management interface, and the Service Route configuration used to reach it. As the log line shows, the daemon first resolves the enforcer FQDN and opens an HTTPS (TCP/443) request to obtain the edge service address, so both DNS resolution and outbound TCP/443 must work from the interface selected by the service route. Allow the FQDN rather than the resolved IP address, since the address behind the FQDN can change.
It is also worth checking whether other messages of this kind are recorded in icd.log, to find the reason the connection to the Enforcer fails.
[Pattern B]
The ICD Cloud server can also be designated manually.
Therefore, run the following CLI commands to set the ICD Cloud server, then check whether SaaS Policy Recommendation can be synced.
> configure
# set deviceconfig setting iot edge address iot.services-edge.paloaltonetworks.com
# commit force
Note: The edge address above is the endpoint for the Americas region.
The edge address FQDN must belong to the same region as the Strata Logging Service (formerly known as Cortex Data Lake) instance that the NGFW or Panorama is onboarded to. The endpoint FQDNs for other regions are listed in STEP 6 of the document Prepare to Deploy Device-ID.
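The two checks above (Pattern A: dial failures in icd.log; Pattern B: no ICD Cloud server selected) can be applied offline to artifacts copied off the firewall. The following script is an added example, not code from this article or from Palo Alto Networks: it parses the output of show iot icd statistics all and error lines from icd.log, and reports which pattern applies and the command to run. The sample inputs are constructed and abbreviated from the excerpts on this page; the region-to-FQDN table contains only the Americas endpoint named here, and the parsing patterns, timestamps and IP address are assumptions.

```python
"""Offline triage of the ICD cloud connection for SaaS Policy Recommendation.

Added example, not part of the KB article. Inputs: the text of
`show iot icd statistics all` and the lines of mp-log icd.log (JSON per line).
"""
import json
import re

# Only the Americas entry is given on the page; other regions must be taken
# from "Prepare to Deploy Device-ID" (assumption: operator fills this in).
EDGE_ADDRESS_BY_REGION = {
    "americas": "iot.services-edge.paloaltonetworks.com",
}

# Fields worth extracting from the statistics output (regexes are assumptions
# based on the sample output on the page).
STATS_FIELDS = {
    "cloud_server": r"ICD Cloud server:\s*(.+)",
    "cloud_connection": r"Cloud connection:\s*(\S+)",
    "attempts": r"number of connection attempts:\s*(\d+)",
    "selections_failed": r"number of selections failed:\s*(\d+)",
    "last_attempt": r"Last gRPC connection Attempt:\s*(.+)",
    "enforcer_url": r"EnforcerURL:\s*(\S+)",
    "cert_status": r"Device cert status:\s*(\S+)",
}


def parse_icd_stats(text):
    """Pull the relevant fields out of `show iot icd statistics all` output."""
    stats = {}
    for key, pattern in STATS_FIELDS.items():
        match = re.search(pattern, text)
        if match:
            stats[key] = match.group(1).strip()
    for key in ("attempts", "selections_failed"):
        if key in stats:
            stats[key] = int(stats[key])
    # A 1970-01-01 timestamp is Unix epoch zero: the daemon has never tried.
    stats["never_attempted"] = stats.get("last_attempt", "").startswith("1970-01-01")
    return stats


def parse_icd_log(lines):
    """Return enforcer request failures from icd.log as (time, host, reason)."""
    failures = []
    for line in lines:
        try:
            record = json.loads(line.strip())
        except json.JSONDecodeError:
            continue  # not a JSON record; skip it
        message = record.get("message", "")
        if record.get("level") != "error" or "enforcer client request failed" not in message:
            continue
        host_match = re.search(r"https://([^/:\s]+)", message)
        host = host_match.group(1) if host_match else "?"
        # The dial error ends with the OS-level reason, e.g. "no route to host".
        reason = message.rsplit(": ", 1)[-1]
        failures.append((record.get("time", ""), host, reason))
    return failures


def triage(stats, failures, region="americas"):
    """Map parsed artifacts onto the article's patterns, highest priority first."""
    findings = []
    if stats.get("cert_status") != "Installed":
        findings.append(("device-cert", "device certificate not installed; fix this first"))
    # Pattern A: the daemon reached out and the TCP connection to the enforcer failed.
    for when, host, reason in failures:
        findings.append(("pattern-a", f"{when}: cannot reach {host} ({reason}); "
                         "check the service route and reachability from the management interface"))
    # Pattern B: no ICD cloud server has ever been selected, so designate it by region.
    if stats.get("cloud_server", "").startswith("not configured") or stats.get("never_attempted"):
        fqdn = EDGE_ADDRESS_BY_REGION.get(region)
        if fqdn is None:
            findings.append(("pattern-b", f"no edge address known for region '{region}'; "
                             "look it up in Prepare to Deploy Device-ID"))
        else:
            findings.append(("pattern-b", f"set deviceconfig setting iot edge address {fqdn}"
                             "  (then: commit force)"))
    return findings


# Constructed sample inputs, abbreviated from the page's excerpts.
SAMPLE_STATS = """\
ICD Cloud server: not configured
Cloud connection: failed    <<<<<!!!!!
Summary of ICD gRPC client:
    number of connection attempts: 0
    number of selections failed: 6
    Last gRPC connection Attempt: 1970-01-01 09:00:00 +0900 JST
    Device cert status: Installed
    EnforcerURL: enforcer.iot.services-edge.paloaltonetworks.com:443
"""
SAMPLE_LOG = [
    '{"level":"info","time":"2022-05-19T11:32:50+09:00","message":"[ICD] starting"}',
    '{"level":"error","time":"2022-05-19T11:32:56.320562353+09:00","message":"[ICD-EDGE-ADDRESS] '
    'enforcer client request failed err: Get https://enforcer.iot.services-edge.paloaltonetworks.com'
    ':443/v1/iot/edge-service-address: dial tcp 35.232.8.220:443: connect: no route to host"}',
    "not a json line",
]

if __name__ == "__main__":
    for code, detail in triage(parse_icd_stats(SAMPLE_STATS), parse_icd_log(SAMPLE_LOG)):
        print(f"[{code}] {detail}")
```

Run it against a statistics dump and a tail of icd.log saved from the firewall; a "pattern-a" finding means fix reachability first, and a "pattern-b" finding on a firewall outside the Americas requires the region's own FQDN before the set command is valid.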
Additional Information
General information about the Policy Recommendation feature of SaaS Security Inline is provided in the PAN-OS Administrator's Guide.
SaaS App-ID Policy Recommendation
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/saas-policy-recommendation