See examples for configuring inbound access over remote networks.
Where Can I Use This? Prisma Access (Managed by Strata Cloud Manager); Prisma Access (Managed by Panorama)
What Do I Need? A Prisma Access license that includes Net Interconnect for Site-to-Site and User-to-Site Access
This section provides inbound access examples, along with the IP addresses that
Prisma Access assigns in various deployments.
The following example shows a sample configuration that enables
inbound access for an application (www.example.com) at a remote
network site. The application listens at the private IP address
10.10.10.2 on TCP port 443. You enter these three values (IP address,
port, protocol) in Prisma Access when you configure inbound access.
After you save and commit your changes, Prisma Access assigns a
public IP address to the application you defined, in this case
52.1.1.1, and users reach the application through that address.
Prisma Access performs source network address translation (source
NAT) on the inbound packets by default, so the application sees the
connection as coming from Prisma Access rather than from the user's
device. If the IPSec-capable device at your remote network site can
perform symmetric return, that is, send the application's reply back
over the same Prisma Access tunnel the request arrived on (a Palo
Alto Networks next-generation firewall can do this), you can disable
source NAT. Without symmetric return, a reply to the user's real IP
address would leave the site over its own internet connection, bypass
Prisma Access, and never be translated back, so the session fails.
The following figure shows the traffic flow from users to applications.
Since source NAT is enabled, the source IP address of the packet
changes from the IP address of the user's device (34.1.1.1) to the
remote network's EBGP Router address (172.1.1.1), which you can find
in Panorama under Cloud Services > Status > Network Details > Remote
Networks > EBGP Router. The destination is translated from the public
IP address (52.1.1.1) to the application's address (10.10.10.2).
The following figure shows the return path of traffic with source
NAT enabled.
If you disable source NAT, Prisma Access still performs destination
NAT (52.1.1.1 to 10.10.10.2), but the source IP address of the
request is unchanged, so the application sees the user's IP address
(34.1.1.1) directly.
For return traffic with source NAT disabled, the destination address
of the reply at every hop is the user's IP address (34.1.1.1); the
remote site's device must therefore route that reply back over the
Prisma Access tunnel (symmetric return) so that Prisma Access can
translate the source back to the public IP address (52.1.1.1).
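The two flows described above, as an added Python model (not code from the Prisma Access documentation or product): it applies destination NAT to the request, optionally source NAT, keeps a session table, and then shows what the application and the user each observe on the reply. The addresses are the document's example values; the per-session source port allocation used when source NAT is on and the `simulate_flow` helper are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


# Addresses taken from the document's example (constructed illustration)
USER_IP = "34.1.1.1"                   # user's device on the internet
PUBLIC_IP = "52.1.1.1"                 # public IP Prisma Access assigns to the app
APP_IP, APP_PORT = "10.10.10.2", 443   # application at the remote network site
EBGP_ROUTER_IP = "172.1.1.1"           # remote network's EBGP Router address


class InboundAccessNat:
    """Minimal model of the translation Prisma Access applies for inbound access.

    Destination NAT (public IP -> app IP) is always applied. Source NAT
    (user IP -> EBGP Router address) is optional. A session table lets the
    reply be translated back; a reply that never passes through this device
    (asymmetric return) finds no session.
    """

    def __init__(self, source_nat: bool = True):
        self.source_nat = source_nat
        self.sessions = {}
        # Assumption: a per-session source port is allocated when SNAT is on;
        # the page does not describe the real allocation scheme.
        self._ports = count(20000)

    def inbound(self, pkt: Packet) -> Packet:
        """Translate a user -> application request as it enters the tunnel."""
        if (pkt.dst_ip, pkt.dst_port, pkt.proto) != (PUBLIC_IP, APP_PORT, "TCP"):
            raise ValueError("no inbound access rule matches this destination")
        if self.source_nat:
            src_ip, src_port = EBGP_ROUTER_IP, next(self._ports)
        else:
            src_ip, src_port = pkt.src_ip, pkt.src_port
        translated = Packet(src_ip, src_port, APP_IP, APP_PORT, pkt.proto)
        # Key by the (src, dst) the application's reply will carry
        key = (APP_IP, APP_PORT, src_ip, src_port, pkt.proto)
        self.sessions[key] = pkt
        return translated

    def outbound(self, reply: Packet) -> Packet:
        """Translate an application -> user reply that came back over the tunnel."""
        key = (reply.src_ip, reply.src_port, reply.dst_ip, reply.dst_port, reply.proto)
        original = self.sessions.get(key)
        if original is None:
            raise LookupError("no session for this reply")
        # Undo DNAT on the source; undo SNAT (if it was applied) on the destination
        return Packet(PUBLIC_IP, APP_PORT, original.src_ip, original.src_port, reply.proto)


def simulate_flow(source_nat: bool, site_returns_via_tunnel: bool):
    """Run one request/reply and report what the app and the user observe.

    site_returns_via_tunnel models whether the IPSec device at the remote site
    performs symmetric return (sends the reply back over the Prisma Access
    tunnel) instead of out its own internet link.
    Returns (packet_seen_by_app, packet_seen_by_user, connection_ok).
    """
    nat = InboundAccessNat(source_nat=source_nat)
    request = Packet(USER_IP, 51000, PUBLIC_IP, APP_PORT)

    app_view = nat.inbound(request)
    reply = Packet(APP_IP, APP_PORT, app_view.src_ip, app_view.src_port)

    # With SNAT the reply is addressed to the EBGP Router address, which is
    # reachable only through the tunnel, so the site has no other path.
    via_tunnel = site_returns_via_tunnel or reply.dst_ip == EBGP_ROUTER_IP
    if via_tunnel:
        user_view = nat.outbound(reply)
    else:
        # Asymmetric return: the reply bypasses Prisma Access and still carries
        # the application's private address as its source.
        user_view = reply

    # The user's TCP stack accepts only a reply whose 4-tuple mirrors the request.
    connection_ok = (
        (user_view.src_ip, user_view.src_port, user_view.dst_ip, user_view.dst_port)
        == (request.dst_ip, request.dst_port, request.src_ip, request.src_port)
    )
    return app_view, user_view, connection_ok


if __name__ == "__main__":
    for snat, symmetric in [(True, False), (False, True), (False, False)]:
        app, user, ok = simulate_flow(snat, symmetric)
        print(f"SNAT={snat} symmetric_return={symmetric}: app sees src {app.src_ip}, "
              f"user sees src {user.src_ip}, session {'ok' if ok else 'FAILS'}")
```

The third case is the one the page warns about: with source NAT disabled and no symmetric return, the application replies straight to 34.1.1.1 over the site's own internet path, the user receives (or never receives) a packet sourced from 10.10.10.2 rather than 52.1.1.1, and the TCP session never completes.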
If you have a resource that is in a remote network site that
has inbound access enabled and you want users at non-inbound access
sites to have access to that resource, you can Allow
inbound flows to other Remote Networks over the Prisma Access backbone when
you configure the non-inbound access remote network.
If you allow inbound flows from other remote networks,
you must enable source NAT.