Guidelines for Using Secure Inbound Access

Learn about the guidelines you use to provide secure inbound access for remote sites.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license that includes Net Interconnect for Site-to-Site and User-to-Site Access
Use the following guidelines and restrictions when you configure a remote network to use secure inbound access:
  • When you configure a remote network for inbound access, you add units (Mbps) from your license for the IP addresses you allocate (150 Mbps for 5 IP addresses and 300 Mbps for 10 IP addresses). For this reason, make sure that you have enough remaining licensed bandwidth to onboard the inbound access remote networks before you start. To check your available bandwidth, select Panorama > Cloud Services > Configuration > Remote Networks and view your licensed Bandwidth Allocation. This area shows the bandwidth you have already allocated, along with the total licensed bandwidth.
  • The following locations are supported:
    • Australia Southeast
    • Belgium
    • Brazil South
    • Canada East
    • Finland
    • Germany Central
    • Hong Kong
    • India West
    • Japan Central
    • Japan South
    • Netherlands Central
    • Singapore
    • Switzerland
    • Taiwan
    • UK
    • US Central
    • US East
    • US Northwest
    • US Southeast
    • US Southwest
  • You cannot modify an existing remote network to provide secure inbound access; instead, create a new remote network.
  • The inbound access feature is not available on remote networks that use ECMP load balancing.
  • Application port translation is not supported.
  • The bulk import feature to onboard remote networks does not support inbound access. Use Panorama to onboard new inbound access remote networks.
  • Do not use remote network inbound access with traffic forwarding rules with service connections.
  • Outbound traffic originating at the branch is not allowed on the inbound remote network.
  • User-ID and application authentication are not supported.
  • Prisma Access enforces the following rate limiting thresholds to provide flood protection, and measures the rate in connections per second (CPS):
    Flood Protection Type    Alarm Rate in CPS    Activate Rate in CPS
    SYN Flood                10000                15000
    ICMP Flood               20                   20
    If you require greater protection against flooding of new sessions, contact your Palo Alto Networks team.
  • Remote networks that are configured for secure inbound access can only be used for that purpose. If you require outbound access as well as inbound access for a remote network site, create two remote network sites in the same location—one for inbound access and one for outbound access—as shown in the following figure. In this example, User 1 uses Remote Network 1 for inbound access to www.example.com, while User 2 uses Remote Network 2 for outbound internet access from the remote network location.
  • If you have a custom Prisma Access deployment where one of the cloud providers is excluded, inbound access might not be supported; in this case, you cannot choose the location during remote network onboarding.
  • Secure inbound access is not supported with evaluation licenses.
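
The following capacity check is an added example, not Palo Alto Networks code: it finds the peak new-connection rate in your own traffic logs and compares it with the alarm and activate rates from the flood protection table above, so you know before onboarding whether to ask for higher limits. The log line format, the function names, the fixed one-second buckets, and treating a rate equal to a threshold as reaching it are all assumptions.

```python
from collections import Counter

# (alarm, activate) rates in CPS, copied from the flood protection table on this page.
THRESHOLDS = {"SYN": (10000, 15000), "ICMP": (20, 20)}


def parse_line(line):
    """Parse a constructed log line: '<epoch_seconds> <SYN|ICMP> <src_ip>'.
    Returns (second, kind), or None for malformed or irrelevant lines."""
    parts = line.split()
    if len(parts) != 3 or parts[1] not in THRESHOLDS:
        return None
    try:
        return int(float(parts[0])), parts[1]
    except ValueError:
        return None


def peak_cps(lines):
    """Return {kind: (peak new sessions in any one-second bucket, that second)}."""
    buckets = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            buckets[parsed] += 1
    peaks = {}
    for (second, kind), count in buckets.items():
        if kind not in peaks or count > peaks[kind][0]:
            peaks[kind] = (count, second)
    return peaks


def classify(kind, cps):
    """Assumption: a rate equal to a threshold counts as reaching it."""
    alarm, activate = THRESHOLDS[kind]
    if cps >= activate:
        return "activate"
    return "alarm" if cps >= alarm else "below"


def report(lines):
    """Return {kind: (peak CPS, threshold state)} for every kind seen in the log."""
    return {k: (cps, classify(k, cps)) for k, (cps, _) in peak_cps(lines).items()}


def sample_log():
    """Constructed sample: 12,000 SYNs in one second, a quiet second, an ICMP burst."""
    lines = [f"1700000000.{i % 1000:03d} SYN 203.0.113.{i % 250 + 1}" for i in range(12000)]
    lines += [f"1700000001.{i:03d} SYN 203.0.113.7" for i in range(300)]
    lines += [f"1700000001.{i:03d} ICMP 198.51.100.9" for i in range(25)]
    return lines + ["garbage line", "1700000002.000 UDP 192.0.2.1"]
```

Calling `report(sample_log())` shows the constructed SYN peak reaching the alarm rate but not the activate rate, while the ICMP burst reaches both because the two ICMP rates are equal.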