Learn about the guidelines you use to provide secure
inbound access for remote sites.
Where Can I Use This?
Prisma Access (Managed by Strata Cloud Manager)
Prisma Access (Managed by Panorama)
What Do I Need?
Prisma Access license that includes Net Interconnect for Site-to-Site and User-to-Site Access
Use the following guidelines and restrictions when you configure a remote
network to use secure inbound access:
When you configure a remote network for inbound access,
you add units (Mbps) from your license for the IP addresses you
allocate (150 Mbps for 5 IP addresses and 300 Mbps for 10 IP addresses).
For this reason, make sure that you have enough remaining licensed
bandwidth to onboard the inbound access remote networks before you
start. To check your available bandwidth, select Panorama > Cloud Services > Configuration > Remote Networks and
view your licensed Bandwidth Allocation.
This area shows the bandwidth you have already allocated, along
with the total licensed bandwidth.
The following locations are supported:
Australia Southeast
Belgium
Brazil South
Canada East
Finland
Germany Central
Hong Kong
India West
Japan Central
Japan South
Netherlands Central
Singapore
Switzerland
Taiwan
UK
US Central
US East
US Northwest
US Southeast
US Southwest
You cannot modify an existing remote network to provide secure
inbound access; instead, create a new remote network.
The inbound access feature is not available on remote networks
that use ECMP load balancing.
Application port translation is not supported.
The bulk import feature
to onboard remote networks does not support inbound access. Use
Panorama to onboard new inbound access remote networks.
Do not use remote network inbound access with traffic forwarding rules with service
connections.
Outbound traffic originating at the branch is not allowed
on the inbound remote network.
User-ID and application authentication are not supported.
Prisma Access enforces the following rate limiting thresholds
to provide flood protection, and measures the rate in connections
per second (CPS):
Remote networks that are configured for secure inbound access
can only be used for that purpose. If you require outbound access
as well as inbound access for a remote network site, create two
remote network sites in the same location—one for inbound access
and one for outbound access—as shown in the following figure. In
this example, User 1 uses Remote Network 1 for inbound access to
www.example.com, while User 2 uses Remote Network 2 for outbound
internet access from the remote network location.
If you have a custom Prisma Access deployment where one of
the cloud providers is excluded, inbound access might not be supported;
in this case, you cannot choose the location during remote network
onboarding.
Secure inbound access is not supported with evaluation licenses.