How to troubleshoot App based enhanced SaaS tenant control

Created On 09/23/25 07:44 AM - Last Modified 02/06/26 03:32 AM


Objective


The customer is using App-based Enhanced SaaS Tenant Control and reports that the tenant controls are not working as expected.



Environment


  • Prisma Access
  • SaaS inline


Procedure


  • App-based enhanced SaaS tenant control is not the same as the HTTP header insertion method.
  • This functionality is based on the SaaS Inline license.
  • SaaS Inline discovers the tenants for supported applications.
  • The administrator needs to create tenant control rules from the SaaS Inline policy recommendation, then sync them to Panorama or SCM and push them.
  • The workflow using an Internet Access rule is also supported, provided the SCM version is greater than 2025.r4.4.


Additional Information


  • The rules on the end firewalls will show custom-created apps (unique to that tenant) that carry tenant-specific application-level signatures.
  • For example, a rule for the SharePoint app will have custom apps created for that tenant:
    Sanctioned-rule_Mobile_Users_Container xxxxxxxxxxxxx {
                source any;
                negate-source no;
                destination any;
                to untrust;
                from any;
                service application-default;
                category any;
                action allow;
                destination-hip any;
                source-hip any;
                source-user any;
                log-end yes;
                log-setting "Cortex Data Lake";
                application [ sharepoint-create-1755485523717 sharepoint-delete-1755485523717 sharepoint-download-1755485523 sharepoint-online sharepoint-post-1755485523717 sharepoint-share-1755485523717 sharepoint-upload-1755485523717 ];
                profile-setting {
                  group best-practice;
                }
    }
  • These custom apps have tenant-level signatures that are unique to that customer:
    sharepoint-create-1755485523717 {
            subcategory analytics;
            category saas;
            technology browser-based;
            risk 1;
            parent-app sharepoint-online-uploading;
            default {
              port [ tcp/80 tcp/443 ];
            }
            signature {
              create1-g0 {
                and-condition {
                  "And Condition 1" {
                    or-condition {
                      "Or Condition 0" {
                        operator {
                          pattern-match {
                            qualifier {
                              http-method {
                                value POST;
                              }
                            }
                            pattern "^( |)customer\.sharepoint\.com";
                            context http-req-host-header;
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
    }
  • Once it is validated that the correct app signatures are present, continue with regular PAN-OS application-match troubleshooting to isolate the issue further.
  • If the app-based signatures are not present in the firewall rules, troubleshoot SaaS Inline first.
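The two checks above (are tenant-specific custom apps referenced by the rule, and do their signatures actually cover this tenant's host?) can be scripted against a saved configuration listing. The following is an added example written for this article; it is not Palo Alto Networks code or output. It assumes the listing uses the curly-brace format shown above with rules under "rulebase security rules" and app definitions under "application", and it assumes (from the names on this page) that tenant custom apps end in a long numeric suffix. The sample listing is constructed and abridged, and the rule name is a placeholder; the Host-header regex is the one from the snippet above.

```python
import re

# Tokenizer for the curly-brace configuration listing format shown in this article:
# quoted strings, the structural characters { } [ ] ; and bare words.
TOKEN = re.compile(r'"[^"]*"|[\[\]{};]|[^\s\[\]{};"]+')
# Assumption: tenant-specific custom apps carry a long numeric suffix, as in the listing above.
CUSTOM_APP = re.compile(r"-\d{10,}$")

# Constructed, abridged listing modelled on the article's output; the rule name is a placeholder.
SAMPLE_CONFIG = r'''
rulebase { security { rules {
  "Sanctioned-rule_Mobile_Users_Container EXAMPLE" {
    source any; destination any; to untrust; from any; action allow;
    application [ sharepoint-create-1755485523717 sharepoint-online ];
    profile-setting { group best-practice; }
  }
  "Legacy-sharepoint-rule" { source any; destination any; action allow; application sharepoint-online; }
} } }
application {
  sharepoint-create-1755485523717 {
    category saas; parent-app sharepoint-online-uploading;
    default { port [ tcp/80 tcp/443 ]; }
    signature { create1-g0 { and-condition { "And Condition 1" { or-condition { "Or Condition 0" {
      operator { pattern-match {
        qualifier { http-method { value POST; } }
        pattern "^( |)customer\.sharepoint\.com";
        context http-req-host-header;
      } }
    } } } } } }
  }
}
'''


def parse_config(text):
    """Parse a config listing into nested dicts; bracketed values become lists."""
    tokens = [t.strip('"') for t in TOKEN.findall(text)]
    tree, pos = _parse_block(tokens, 0)
    if pos != len(tokens):
        raise ValueError("unbalanced '}' in config listing")
    return tree


def _parse_block(tokens, pos):
    node = {}
    while pos < len(tokens) and tokens[pos] != "}":
        words = []
        while pos < len(tokens) and tokens[pos] not in ("{", ";"):
            words.append(tokens[pos])
            pos += 1
        if pos >= len(tokens) or not words:
            raise ValueError("truncated config listing near: " + " ".join(words))
        if tokens[pos] == "{":
            child, pos = _parse_block(tokens, pos + 1)
            if pos >= len(tokens):
                raise ValueError("missing '}' for block " + " ".join(words))
            node[" ".join(words)] = child  # quoted block names may contain spaces
        elif words[1:2] == ["["]:
            node[words[0]] = [w for w in words[2:] if w != "]"]
        else:
            node[words[0]] = " ".join(words[1:])
        pos += 1  # step over the closing '}' or the ';'
    return node, pos


def host_header_patterns(node):
    """Collect (http-method, regex) pairs from pattern-match blocks on the Host header."""
    found = []
    if not isinstance(node, dict):
        return found
    if node.get("context") == "http-req-host-header" and "pattern" in node:
        qualifier = node.get("qualifier")
        method = qualifier.get("http-method", {}).get("value") if isinstance(qualifier, dict) else None
        found.append((method, node["pattern"]))
    for child in node.values():
        found.extend(host_header_patterns(child))
    return found


def diagnose(config_text, rule_name, tenant_host, method="POST"):
    """Decide which branch of the article's procedure applies to one rule and one tenant host."""
    cfg = parse_config(config_text)
    rule = cfg["rulebase"]["security"]["rules"][rule_name]
    apps = rule.get("application", [])
    apps = [apps] if isinstance(apps, str) else apps
    custom_apps = [a for a in apps if CUSTOM_APP.search(a)]
    host_matches = {}
    for app in custom_apps:
        pairs = host_header_patterns(cfg.get("application", {}).get(app, {}))
        host_matches[app] = any(
            (m is None or m == method) and re.search(p, tenant_host) is not None
            for m, p in pairs)
    if custom_apps and all(host_matches.values()):
        next_step = "pan-os-app-match"  # tenant apps present and their signature fits the tenant host
    else:
        next_step = "saas-inline"       # no tenant apps, or the signature does not cover this tenant
    return {"custom_apps": custom_apps, "host_matches": host_matches, "next_step": next_step}


if __name__ == "__main__":
    for host in ("customer.sharepoint.com", "contoso.sharepoint.com"):
        print(host, diagnose(SAMPLE_CONFIG, "Sanctioned-rule_Mobile_Users_Container EXAMPLE", host))
    print("legacy", diagnose(SAMPLE_CONFIG, "Legacy-sharepoint-rule", "customer.sharepoint.com"))
```

Run against the real listing by reading it into parse_config and passing the affected rule name and the tenant's SharePoint host. A result of "saas-inline" with an empty custom_apps list means the tenant apps never reached the firewall; "saas-inline" with custom apps present but a False host match means the apps exist but their signature was generated for a different tenant host, which is still a SaaS Inline problem rather than a PAN-OS app-match one.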

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000kAI2KAM&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail