ZTNA Connector Diagnostic Tools

Diagnostic tools used with ZTNA Connector and how to use them (ping, traceroute, nslookup, dump overview, and packet capture).

Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)

What Do I Need?
  • Prisma Access 4.0
    Prisma Access 5.0 supports wildcards and IP subnet-based app targets.
    Prisma Access 5.0.1 supports associating multiple connector groups with FQDN Targets and Wildcard Targets and introduces proximity-based application routing.
  • ZTNA Connector add-on license
    The Business license with the add-on license includes eight ZTNA Connectors, 100 FQDNs, and four IP subnets.
    The Business Premium license with the add-on license includes 40 ZTNA Connectors, 300 FQDNs, and unlimited IP subnets.
    The Advanced license with the add-on license includes unlimited ZTNA Connectors, FQDNs, and IP subnets.
  • If you don't purchase the ZTNA Connector add-on license, Prisma Access licenses include 20 apps, two connectors, and four IP subnets. This functionality is provided so that you can try out ZTNA Connectors in your environment.
If you encounter issues accessing private apps through ZTNA Connector, you can run tests from the ZTNA Connector UI to help you find the issue, using the following networking tools:
  • ping
  • traceroute
  • nslookup
  • dump overview
You can also take packet captures to help determine the cause of any issues with ZTNA Connector.
Be sure that ICMP is allowed in your network before using the ping and traceroute tools. Some cloud environments disallow ICMP for security reasons; in those environments the ping and traceroute tools display no activity, which does not by itself indicate that the application is unreachable.
  1. Go to Settings > ZTNA Connector > Connectors.
    If you're using Strata Cloud Manager, go to Workflows > ZTNA Connector > Connectors.
  2. Select Actions > Diagnostics for the connector.
  3. Run the ping, traceroute, nslookup, or dump overview diagnostic tools.
    • ping:
      1. Select the IP or FQDN of the application you are trying to reach.
      2. Select the interface from which you are testing the ping.
        If you have configured your VM with a two-arm deployment, select internal to check the LAN side (port 2) of the VM and select external to check the WAN side (port 1).
        For a one-arm deployment, choose either internal or external, as both the WAN and LAN side map to port 1.
      3. Select ping.
        The ping output displays.
      4. To finish the test, select Stop.
    • traceroute:
      1. Select the IP or FQDN of the application you are trying to reach.
      2. Select the interface from which you are testing the traceroute.
        If you have configured your VM with a two-arm deployment, select internal to check the LAN side (port 2) of the VM and select external to check the WAN side (port 1).
      3. Select traceroute.
      4. To finish the test, select Stop.
    • nslookup:
      1. Select the IP or FQDN of the application you are trying to reach.
      2. Select nslookup.
      3. To finish the test, select Stop.
    • dump overview:
      1. Click Start to download a system dump, and click Stop to stop it.
        The dump overview provides the software version, interface and connection status, and connector identification information required for Palo Alto Networks (PANW) troubleshooting.

Take Packet Captures

If you require packet captures for network-level troubleshooting, you can capture network data from specific connectors. You can also filter the capture by IP address or by protocol (for example, TCP).
Taking packet captures is useful in the following use cases:
  • If your tunnel is not coming up, capturing the IKE negotiation between the connector and the ZTT helps determine the problem. In this case, select the internet interface and use the IP address of the service connection as the source or destination IP address filter.
  • If your app goes down, you can check the probing of the app by taking a tcpdump on the data center interface filtered on the server IP address and port.
  • If the end-to-end data plane is not working but the tunnel is up and the app is up, a tcpdump of the user traffic on the IPSec tunnel destined to the app's fabric IP address is helpful.
  1. Go to Settings > ZTNA Connector > Connectors.
    If you're using Strata Cloud Manager, go to Workflows > ZTNA Connector > Connectors.
  2. Select packet capture (the magnifying glass) for the connector you want to troubleshoot.
  3. Select the interface where the packets will be captured (internal, external, or tunnel).
  4. (Optional) Specify the Source or Destination IPv4 address from which packets are captured.
    If you specify this option, only packets to or from this IP address are captured.
  5. (Optional) Select the type of packets to capture.
    You can select packets of a specific protocol to be captured (tcp, udp, icmp, or arp), or select all to capture all packets.
  6. (Optional) Select a Port from which packets will be captured.
    If you specify this option, only packets on this port are captured.
  7. Start the packet capture.
  8. To stop the packet capture, click Stop.
    • The maximum file size for packet captures is 5 MB. If you do not stop the capture before the maximum size is reached, the file is overwritten.
    • A maximum of three packet captures are allowed on a connector at the same time. If a fourth session is initiated, the first running session is terminated.
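Once a capture has been downloaded, the three use cases above reduce to two questions that can be answered offline: did the IKE exchange (UDP 500 or 4500) with the service-connection IP go in both directions, and did the TCP probe to the app's IP and port get a SYN/ACK back. The script below is an added example written for this page, not Palo Alto Networks code and not part of the connector. It assumes the downloaded capture is a classic little-endian libpcap file with Ethernet framing; the addresses, ports, and the sample capture it builds are constructed for the demonstration.

```python
"""Offline triage of a ZTNA Connector packet capture (added example, not PANW code).

Decodes Ethernet/IPv4/UDP/TCP headers from a classic pcap with the standard
library only, then summarizes the IKE exchange with the service connection and
the TCP probes toward an app.  All IPs, ports and the sample capture are constructed.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # little-endian classic pcap magic number
IKE_PORTS = {500, 4500}               # IKE and NAT-T (UDP)
SYN, ACK = 0x02, 0x10                 # TCP flag bits


@dataclass
class Packet:
    src: str
    dst: str
    proto: int          # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    tcp_flags: int = 0  # only meaningful for TCP


def parse_pcap(data: bytes) -> list[Packet]:
    """Return the IPv4 TCP/UDP packets in a pcap; other frames (for example ARP) are skipped."""
    if data[:4] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap file")
    link_type = struct.unpack_from("<I", data, 20)[0]
    if link_type != 1:  # DLT_EN10MB (Ethernet)
        raise ValueError(f"unsupported link type {link_type}")
    pkts, off = [], 24  # 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:]
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack_from("!HH", l4, 0)
            flags = l4[13] if proto == 6 and len(l4) >= 14 else 0
            pkts.append(Packet(src, dst, proto, sport, dport, flags))
    return pkts


def ike_summary(pkts: list[Packet], peer_ip: str) -> dict[str, int]:
    """IKE/NAT-T datagrams sent to and received from the service-connection IP (use case 1)."""
    sent = sum(1 for p in pkts if p.proto == 17 and p.dst == peer_ip and p.dport in IKE_PORTS)
    recv = sum(1 for p in pkts if p.proto == 17 and p.src == peer_ip and p.sport in IKE_PORTS)
    return {"sent": sent, "received": recv}


def probe_summary(pkts: list[Packet], app_ip: str, port: int) -> dict[str, int]:
    """TCP SYNs toward the app versus SYN/ACKs back; SYNs with no SYN/ACK mean the app is not answering (use case 2)."""
    syn = sum(1 for p in pkts if p.proto == 6 and p.dst == app_ip and p.dport == port
              and p.tcp_flags & (SYN | ACK) == SYN)
    synack = sum(1 for p in pkts if p.proto == 6 and p.src == app_ip and p.sport == port
                 and p.tcp_flags & (SYN | ACK) == (SYN | ACK))
    return {"syn": syn, "synack": synack}


# ---- constructed sample capture (stands in for a file downloaded from the connector) ----
def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def _frame(src: str, dst: str, proto: int, sport: int, dport: int, flags: int = 0) -> bytes:
    """Minimal Ethernet/IPv4 frame with a bare TCP or UDP header (checksums left zero)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + l4


def build_pcap(frames: list[bytes]) -> bytes:
    hdr = PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SERVICE_CONN_IP = "198.51.100.5"            # constructed: service connection (ZTT) IP
CONNECTOR_WAN_IP = "203.0.113.10"           # constructed: connector external interface
CONNECTOR_LAN_IP = "10.1.1.5"               # constructed: connector internal interface
APP_IP, APP_PORT = "10.1.2.20", 443         # constructed: app that answers probes
DEAD_APP_IP, DEAD_APP_PORT = "10.1.2.21", 8080  # constructed: app that does not answer
ARP_FRAME = b"\xff" * 6 + b"\x04" * 6 + b"\x08\x06" + b"\x00" * 28   # skipped by the parser

SAMPLE_PCAP = build_pcap([
    ARP_FRAME,
    _frame(CONNECTOR_WAN_IP, SERVICE_CONN_IP, 17, 500, 500),      # IKE_SA_INIT request
    _frame(SERVICE_CONN_IP, CONNECTOR_WAN_IP, 17, 500, 500),      # IKE_SA_INIT response
    _frame(CONNECTOR_WAN_IP, SERVICE_CONN_IP, 17, 4500, 4500),    # NAT-T follow-up
    _frame(CONNECTOR_LAN_IP, APP_IP, 6, 40000, APP_PORT, SYN),    # app probe
    _frame(APP_IP, CONNECTOR_LAN_IP, 6, APP_PORT, 40000, SYN | ACK),
    _frame(CONNECTOR_LAN_IP, DEAD_APP_IP, 6, 40001, DEAD_APP_PORT, SYN),  # probe, unanswered
    _frame(CONNECTOR_LAN_IP, DEAD_APP_IP, 6, 40001, DEAD_APP_PORT, SYN),  # retransmit
])

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    print("IKE with service connection:", ike_summary(pkts, SERVICE_CONN_IP))
    print("probe of healthy app:", probe_summary(pkts, APP_IP, APP_PORT))
    print("probe of dead app:", probe_summary(pkts, DEAD_APP_IP, DEAD_APP_PORT))
```

To run it against a real capture, replace SAMPLE_PCAP with the bytes of the downloaded file and pass the service-connection IP or the app's IP and port from your own deployment. A "sent" count with zero "received" points at a path or firewall problem toward the ZTT rather than at the connector, and repeated SYNs with no SYN/ACK show the app probe failing on the data center side.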

Collect Tech Support Files

The Tech Support file contains your device configuration, system information, and some logs (not traffic). Palo Alto Networks can request that you upload a tech support file to help with troubleshooting issues with ZTNA Connector.
  1. Go to Settings > ZTNA Connector > Connectors.
    If you're using Strata Cloud Manager, go to Workflows > ZTNA Connector > Connectors.
  2. Select tech support (the hand) for the connector you want to troubleshoot.
  3. Select Generate new Tech Support File.
  4. Select Complete to download the tech support file locally.