>
    Prisma Access Zones
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Setup
    4. Prisma Access Zones
    Download PDF
    Prisma Access

    Prisma Access Zones

    Table of Contents

    Prisma Access
     Zones

    Learn how
    Prisma Access
     maps the zones in your security policy for use in the cloud.
    Where Can I Use This?
    What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • Prisma Access
       license
    On a firewall, zones are associated with interfaces. But within
    Prisma Access
    , the networking infrastructure is automatically set up for you. This means that you no longer need to worry about configuring interfaces and associating them with the zones your create. However, to enable consistent security policy enforcement, you must create zone mappings so that
    Prisma Access
     will know whether to associate a zone with an internal (trust) interface or an external (untrust) interface. This will ensure that your security policy rules are enforced properly. By default, all of the zones you push to Prisma Access are set to untrust. You should leave any zones associated with internet-bound traffic, including your sanctioned SaaS applications, set to untrust. However, for all zones that enable access to applications on your internal network or in your data center, you must map them to trust. Notice in the example below, all sanctioned SaaS applications—Office 365 and Salesforce in this case—are segmented into the sanctioned-saas zone to enable visibility and policy enforcement over the use of these applications. To enable
    Prisma Access
     to associate the sanctioned-saas zone with an external-facing interface, you must map this zone to untrust. Similarly, the eng-tools and dc-apps zones provide access to applications in the corporate office and you must therefore designate them as trusted zones.
    Prisma Access
     supports three zones (trust, untrust, and Clientless VPN) and simplifies policy creating by setting them up for you.
    Zone
    Description
    Trust
    Zone containing all trusted and on-boarded IP addresses, service connections, or mobile users within the corporate network.
    Untrust
    All untrusted IP addresses, service connections, or mobile users outside of the corporate network. By default, any IP address or mobile user that is not trusted is inherently untrusted.
    Clientless VPN
    Secure remote access to common enterprise web applications that use HTML, HTML5, and Javascript technologies. Users have the advantage of secure access from SSL-enabled web browsers without installing client software. This is useful when you need to enable partner or contractor access to applications, and to safely enable unmanaged assets, including personal devices.
    The zone for Clientless VPN is mapped to the trust zone by default; this setting cannot be changed.
    Prisma Access
     logs that display a zone of
    inter-fw
     are logs used for communication within the
    Prisma Access
     infrastructure.
    When creating zones, do not use any of the following names for the zones, because these are names used for internal zones:
    • trust
    • untrust
    • inter-fw
    • Any name you use for the remote networks (remote network names are used as the source zone in Cortex Data Lake logs)
    Prisma Access
     logs that display a zone of inter-fw are logs used for communication within the
    Prisma Access
     infrastructure.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.