Prisma Access
Configure Secure Inbound Access for Remote Networks
Table of Contents
Configure Secure Inbound Access for Remote Networks
Where Can I Use This? | What Do I Need? |
|---|---|
|
To make internet-accessible applications available from a remote network site, you first
make a list of the applications to which you want to provide access, and assign a
private IP, port number, and protocol combination for each application. If you use the
same IP address for multiple applications, the port/protocol combination must be unique
for each application; if you use the same port/protocol combination for multiple
applications, each IP address must be unique.
To begin configuration, you choose how many public IP addresses you want to associate for
the applications. You can specify either 5 or 10 public IP addresses per remote network
site. Each public IP allocation takes bandwidth (units) from your Remote Networks
license, in addition to the bandwidth that you have allocated for the compute location associated to the
remote network. 5 IP addresses take 150 Mbps from your remote network license
allocation, and 10 IP addresses take 300 Mbps.
After you choose the number of public IP addresses, you then enter the application, along
with its associated private IP/port number/protocol combination, for which you want
secure inbound access.
You can decide how you want to map your application to the public IP addresses. By
default,
Prisma Access
assigns the public IP addresses to the applications you specify,
and multiple applications can be assigned to a single IP address. If you need to map a
single application to a single public IP address, you can select Dedicated
IP
during system configuration. You can configure up to 100 inbound
applications for each group of provisioned public IP addresses (either 5 or 10).Cloud Management
Cloud Management
Here’s how to make an application accessible from a remote network site to all
internet-connected users (not just
Prisma Access
users).- If you haven’t already, review the inbound access remote network guidelines.
- Gather the application details you’ll need to get started.Make a list of the applications to which you want to provide access, and assign a private IP, port number, and protocol combination for each application. If you use the same IP address for multiple applications, the port/protocol combination must be unique for each application; if you use the same port/protocol combination for multiple applications, each IP address must be unique.
- In Strata Cloud Manager, go to .
- Enter the required details.Choose theNumber of Public IPsyou want to use for the applications, either five or ten.Each public IP allocation takes bandwidth from your Remote Networks license, in addition to the license cost for the remote network. 5 IP addresses take 150 MB from your remote network license allocation, and 10 IP addresses take 300 MB.FromPrisma Accessversion 4.1, if you have a resource that is in a remote network site that has inbound access enabled and you want users at non-inbound access sites to have access to that resource, you canAllow inbound flows to other Remote Networks over the Prisma Access backbonewhen you configure the non-inbound access remote network.FromPrisma Accessversion 5.0, you can allow inbound flows to other remote networks over the Service Provider (SP) backbone when you configure the non-inbound access remote network.SP interconnect supports only the following:
- GCP Regions
- NewPrisma Accessdeployments
- Explicit proxy egress traffic
- Add theInbound Access Applicationsfor which you want to secure access.Add the associated private IP / port number / protocol combination for the application.
- Decide how you want to map applications to the public IP addresses.By default,Prisma Accessassigns the public IP addresses to the applications you specify, and multiple applications can be assigned to a single IP address. If you need to map a single application to a single public IP address, you canAssign Dedicated IPduring system configuration. You can configure up to 100 inbound applications for each group of provisioned public IP addresses (either 5 or 10).
- Finish setting up the inbound access remote network as you would a regular remote network site.
Panorama
Panorama
Describes the procedure you use to configure secure inbound
access for a
Prisma Access
remote network connection.If you have a
Prisma Access
deployment that allocates
remote network bandwidth by compute location, configure inbound
access by completing the following steps.- Select , and selectInbound Access Remote Networks.
- Adda remote network to for inbound access.
- Specify settings for the inbound access remote network connection.
- Enter aNamefor the inbound access connection.
- Enter aLocation.Inbound access supports a subset of locations.
- Specify aBandwidthto use for the inbound access connection.You allocate bandwidth for inbound access connections on a per-location basis.
- Specify theNumber of Public IPsto use for the inbound access connection.Specify either 5 or 10 public IP addresses. Each public IP allocation takes bandwidth (units) from your Remote Networks license, in addition to the bandwidth that you have allocated for the compute location associated to the remote network.
- Select the IPSec tunnel to use with the inbound access connection.
- Select whether or not you want toAllow inbound flows to other Remote Networks over the.Prisma AccessBackboneIf you have a resource that is in a remote network site that has inbound access enabled and you want users at non-inbound access sites to have access to that resource, you canAllow Inbound Flows To Other Remote Networks over thewhen you configure the non-inbound access remote network. If you allow inbound flows from other remote networks, you must enable source NAT.Prisma AccessBackbone
- (Optional) If you have a secondary WAN link at this location, selectEnable Secondary WANand provide anIPSec Tunnelthat is different than the primary IPSec tunnel.
- ConfigureStatic Routes,BGP, andQoSfor your deployment.This configuration is the same as a non-inbound access remote network connection.
- Click theInbound Accesstab to configure inbound access options.
- (Optional) To disable source NAT, deselectEnable Source NAT.By default, source NAT is enabled. If the IPSec-capable device at your remote network site is capable of performing symmetric return (such as a Palo Alto Networks next-generation firewall), or if you have not selectedAllow inbound flows to other Remote Networks over the, deselectPrisma AccessbackboneEnable source NAT.You mustEnable source NATin theInbound Accesstab if you select this check box. Source NAT is a requirement to allow inbound flows to other remote networks.
- Addthe applications to provide secure inbound access.You can configure up to 100 inbound applications for each group of provisioned public IP addresses (either 5 or 10). Enter a uniquePrivate IPaddress,Protocol, andPortcombination for each application. It is acceptable to use duplicate private IP addresses and ports for two applications, as long as you selectTCPfor one application andUDPfor another application.Provide the following values:
- Specify the name of theApplication.
- Specify thePrivate IPaddress to use with this application.
- Specify theProtocolto use with the application (TCPorUDP).
- Specify thePortto use with the application.
- Choose whether you want to dedicate a single public IP address to a single application; to do so, selectDedicated IP.
- ClickOKto save your changes.
- SaveandCommityour changes.
- Wait approximately 30 minutes forPrisma Accessto generate the public IP addresses; then select and make a note of thePublic Addressthat is associated with theApp Namefor application you created.If you selectedDedicated IP, find the single application that is associated with thePublic Address.
- Create security policies to allow traffic from the inbound internet users.BecausePrisma Access’ default security policy only allows untrust-to-untrust traffic, you need to configure security polices to allow untrust-to-trust traffic for your inbound access applications. Palo Alto Networks recommends that you limit the type of access you permit to inbound applications. The following examples provide access to SSH servers, web portals, and RDP servers.
- Select andAdda policy.Be sure to create this policy under theRemote_Network_Device_Groupdevice group.
- Select theSourcetraffic asUntrust.
- Create a policy to allow SSH server traffic by selecting theDestination Zonefor destination traffic asTrustand specifying aDestination AddressofSSH-server-public. This is an Address or Address Group object you created that has a list of all the public IP addresses that are used for SSH login.
- Select anApplicationofssh.
- Select aService/URL Categoryofapplication-defaultto allow or deny applications based only their default ports as defined by Palo Alto Networks.
- InActions, selectAllow.
- ClickOKto save the policy.
- Create a policy to allow web portal access by creating a policy in the previous steps but substituting the following settings in theDestinationandApplicationtabs:
- Select aDestination Addressof an Address or Address Group ofWeb-Portal-Public, which contains all the public IP addresses of the web portal.
- Select anApplicationofweb-browsing.
- Create a security policy for RDP server access, using the same settings as you did for the other policies but creating an Address or Address Group object calledRDP-Server-Public, which contains the public IP addresses for the RDP server, as theDestination Addressandwebrdpas theApplication.When complete, you have three different policies to allow SSH server access, web portal access, and RDP server access.
- SaveandCommityour changes.
- Check that the remote network connection is operational and correctly processing inbound traffic.
- Select and hover over theStatusandConfig Statusareas to see the tunnel’s status.
- If you find issues, select , select the location of the remote network tunnel in the map, and hover over theTunnel Statusarea to determine the cause of the error.
