Configure Zone Mapping and Security Policies for Traffic Steering Dedicated Connections
Configure zone mapping and create security policies for dedicated connections for Prisma Access traffic steering.
Where Can I Use This?
  • Prisma Access (Panorama Managed)
What Do I Need?
If you create a target that uses a dedicated service connection, the zone for the dedicated service connection changes from Trust to Untrust (targets that use non-dedicated service connections keep their zones). Because you cannot create zones or configure zone mapping for service connections themselves, you make the zone mapping and security policy changes for dedicated service connections in the mobile user and remote network templates and device groups instead. This matters because the PAN-OS interzone default rule denies traffic between different zones: unless a rule allows Trust-to-Untrust traffic, traffic steered to the dedicated connection is dropped. Complete the following steps to configure zone mapping for dedicated connections.
These steps show a sample configuration; you can tailor this example to suit your deployment.
  1. Select Network > Zones.
  2. Select the correct Template from the drop-down list (either Mobile_User_Template for mobile users or Remote_Network_Template for remote networks).
     If you have both a mobile user and a remote network deployment, perform these steps twice: once in the Mobile_User_Template and once in the Remote_Network_Template.
  3. Add two zones, one for trusted and one for untrusted traffic.
     This example creates two zones called Trust and Untrust.
  4. Create default policies for the zones you created.
    1. Select Policies > Security > Post Rules.
    2. Select the correct Device Group from the drop-down list (either Mobile_User_Device_Group for mobile users or Remote_Network_Device_Group for remote networks).
       If you have both a mobile user and a remote network deployment, perform these steps twice: once in the Mobile_User_Device_Group and once in the Remote_Network_Device_Group.
    3. Add a default policy to use for Trust zone-to-Trust zone traffic.
       This policy allows Any traffic to pass for all Source, User, Destination, Application, and Service/URL Category values.
    4. Add a default policy to use for Trust zone-to-Untrust zone traffic, using the same parameters you used for the Trust-to-Trust policy.
       When complete, you have two security policies, one for Trust-to-Trust traffic and one for Trust-to-Untrust traffic. Because both rules allow any source, user, destination, application, and service, treat them as a permissive baseline and add more restrictive pre rules that match your deployment.
  5. Define zone mapping for the remote networks, mobile users, or both, as required for your deployment.
    1. Open the zone mapping settings for the remote networks, mobile users, or both.
       • For mobile users, select Panorama > Cloud Services > Configuration > Mobile Users.
       • For remote networks, select Panorama > Cloud Services > Configuration > Remote Networks.
    2. Click the gear icon next to Zone Mapping to edit the settings.
    3. Set the Zone Mapping for your deployment, moving the zone for trusted traffic to the Trusted Zones and the zone for untrusted traffic to the Untrusted Zones; then click OK.
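The following script is an added example for checking the result of the procedure above; it is not part of Prisma Access or Panorama. It parses a Panorama configuration export and reports whether each template has both zones and whether each device group has allow post rules covering Trust-to-Trust and Trust-to-Untrust, the pair that is easy to forget and that leaves dedicated service connection traffic hitting the interzone default deny. It assumes the standard Panorama XML layout for templates (zones under vsys1) and device groups (post-rulebase/security/rules); the template, device group, and rule names are the ones used in this example and can be changed. The configuration fragment the script builds for itself is constructed, not a real export.

```python
"""Verify zones and post-rules for Prisma Access dedicated service connections.

Added example, not Prisma Access or Panorama code. Assumes the standard
Panorama config XML layout; names in DEPLOYMENTS are this page's sample names.
"""
import sys
import xml.etree.ElementTree as ET

# Template paired with the device group it belongs to (page's sample names).
DEPLOYMENTS = {
    "Mobile_User_Template": "Mobile_User_Device_Group",
    "Remote_Network_Template": "Remote_Network_Device_Group",
}
TRUST, UNTRUST = "Trust", "Untrust"
# A dedicated service connection target lives in Untrust, so both pairs are required.
REQUIRED_PAIRS = {(TRUST, TRUST), (TRUST, UNTRUST)}


def template_zones(root, template):
    """Zone names defined in vsys1 of the given template."""
    path = (f"./devices/entry/template/entry[@name='{template}']"
            "/config/devices/entry/vsys/entry[@name='vsys1']/zone/entry")
    return {e.get("name") for e in root.findall(path)}


def post_rules(root, device_group):
    """Security post-rules of a device group as dicts with from/to zone sets."""
    path = (f"./devices/entry/device-group/entry[@name='{device_group}']"
            "/post-rulebase/security/rules/entry")
    return [{
        "name": entry.get("name"),
        "from": {m.text for m in entry.findall("from/member")},
        "to": {m.text for m in entry.findall("to/member")},
        "action": entry.findtext("action"),
    } for entry in root.findall(path)]


def rule_covers(rule, src, dst):
    """True if an allow rule matches the src->dst zone pair ('any' matches all)."""
    return (src in rule["from"] or "any" in rule["from"]) and \
           (dst in rule["to"] or "any" in rule["to"]) and rule["action"] == "allow"


def check_config(xml_text):
    """Return a list of findings; an empty list means the config is complete."""
    root = ET.fromstring(xml_text)
    findings = []
    for template, dg in DEPLOYMENTS.items():
        zones = template_zones(root, template)
        for zone in (TRUST, UNTRUST):
            if zone not in zones:
                findings.append(f"{template}: zone {zone} missing")
        rules = post_rules(root, dg)
        for src, dst in sorted(REQUIRED_PAIRS):
            if not any(rule_covers(r, src, dst) for r in rules):
                findings.append(f"{dg}: no allow post-rule for {src} -> {dst}")
    return findings


def _zone_xml(name):
    return f'<entry name="{name}"><network><layer3/></network></entry>'


def _rule_xml(name, src, dst):
    # Any/any allow rule, as in the sample policies on this page.
    return (f'<entry name="{name}"><from><member>{src}</member></from>'
            f'<to><member>{dst}</member></to><source><member>any</member></source>'
            '<destination><member>any</member></destination>'
            '<source-user><member>any</member></source-user>'
            '<application><member>any</member></application>'
            '<service><member>any</member></service>'
            '<category><member>any</member></category><action>allow</action></entry>')


def sample_config(with_untrust_rule=True):
    """Constructed Panorama config fragment (not a real export) for testing."""
    templates = "".join(
        f'<entry name="{t}"><config><devices><entry name="localhost.localdomain">'
        f'<vsys><entry name="vsys1"><zone>{_zone_xml(TRUST)}{_zone_xml(UNTRUST)}</zone>'
        '</entry></vsys></entry></devices></config></entry>' for t in DEPLOYMENTS)
    rules = _rule_xml("Trust-to-Trust", TRUST, TRUST)
    if with_untrust_rule:
        rules += _rule_xml("Trust-to-Untrust", TRUST, UNTRUST)
    dgs = "".join(
        f'<entry name="{dg}"><post-rulebase><security><rules>{rules}</rules>'
        '</security></post-rulebase></entry>' for dg in DEPLOYMENTS.values())
    return ('<config><devices><entry name="localhost.localdomain">'
            f'<template>{templates}</template><device-group>{dgs}</device-group>'
            '</entry></devices></config>')


if __name__ == "__main__":
    # Usage: python check_steering_zones.py <panorama-config.xml>
    # With no argument, checks the constructed sample missing the Trust->Untrust rule.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_config(False)
    for finding in check_config(text) or ["OK: zones and post-rules present"]:
        print(finding)
```

Run it against a configuration exported from Panorama (Panorama > Setup > Operations > Export named Panorama configuration snapshot) after committing steps 1 through 4; a finding for Trust -> Untrust in either device group means traffic steered to a dedicated service connection will be denied.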
