Discovery of private applications by ZTNA Connector.
Where Can I Use This?
- Prisma Access (Managed by Strata Cloud Manager)
- Prisma Access (Managed by Panorama)

What Do I Need?
- Prisma Access 4.0
- ZTNA Connector add-on license
  - The Essential license with the add-on license includes 8 ZTNA Connectors, 100 FQDNs, and 4 IP subnets.
  - The Advanced license with the add-on license includes 40 ZTNA Connectors, 300 FQDNs, and 1024 IP subnets.
  - The Premium license with the add-on license includes 200 ZTNA Connectors, 4000 FQDNs, and 1024 IP subnets.

If you don't purchase the ZTNA Connector add-on license, Prisma Access licenses include four connectors, 40 FQDNs, and four IP subnets. This functionality is provided so that you can try out ZTNA Connectors in your environment.
In a modern networking infrastructure, thousands of private applications are deployed across on-premises and multicloud data centers. Networking teams are often not aware of which applications are running in their network, or within a particular subnet, which leads to a lack of application visibility. To provide secure access to an application, you have to manually enter its FQDN, port, and application, and you must know which other applications it depends on.
Private application target discovery provides a way to discover the applications hosted in a cloud environment and allows those applications to be onboarded on the ZTNA Connector solution. It connects to the cloud provider network, performs the discovery, and stores the results in a database. It also provides APIs that other services can use to retrieve the discovered applications. If you have only a service connection instead of a ZTNA Connector, only application targets are discovered.
Private application target discovery identifies:
- FQDN
- Port of the application
- Protocol of the application
Make sure you activate the Cloud Identity Engine (CIE) before you enable the private application discovery feature.
Complete the following steps to add a cloud account, create an IAM role in AWS, and discover the target applications.

1. Get the CloudFormation template (CFT) to add a cloud account.
   a. Navigate to Application Targets (Workflows > ZTNA Connector > Application Targets).
   b. On the Application Targets page, select Discovered Targets, and then select Manage Target Discovery Accounts.
   c. Select Enable Target Discovery, and then select Enable.
   d. On the Manage Target Discovery Accounts page, select Add Cloud Account.
   e. Add the Account Name, and select the check box under Cloud Account Enabled. Add the AWS Account ID, and click Download IAM Role CFT to download the file.

2. Create the IAM role in AWS.
   a. Navigate to the AWS console, select your account, and sign in.
   b. Navigate to CloudFormation > Stacks > Create stack > With new resources (standard) to create the stack.
   c. On the Create stack page, under Prerequisite - Prepare template, select Choose an existing template. Under Specify template, select Upload a template file. Upload the file you downloaded in Step 1, and select Next.
   d. Add the Stack name and AppDisRoleName, and select Next.
   e. On the Configure stack options page, don't make any updates, and select Next.
   f. Review the changes. Select the check box under Capabilities to acknowledge the creation of IAM resources with custom names, and then select Submit.
   g. Navigate to IAM > Roles and search for the role name you defined. Select the role name and copy the ARN for the role.

3. Back in Prisma Access, paste the ARN in the IAM Role ARN text field, and then select Verify. When the ARN is verified, select Save.
   If you add a wrong ARN in the IAM Role ARN text field, the verification fails and an error message appears.
   After you add the account, you can see the status, account ID, and other details. The refresh period for the discovery is 24 hours. You can also add multiple accounts to the same tenant.
   To identify the discovered apps, select Discovered Targets. You can find the list of identified applications under Discovered Application Targets.

4. (Optional) Delete the cloud account.
   To delete your cloud account and add a new one without disabling target discovery, follow this procedure. These steps are also mandatory if you want to disable target discovery.
   a. Under Manage Target Discovery Accounts, click the Account Name that you want to delete.
   b. Disable Cloud Account Enabled, and select Update. When the account is updated, select Delete. The account is deleted.

5. (Optional) Disable target discovery.
   Make sure all the cloud accounts are deleted before you disable target discovery.
   Select Disable Target Discovery, and then confirm by selecting Disable Target Discovery.
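Before you create the stack in the Create the IAM role in AWS step, it is worth reviewing what the downloaded CFT will create; the Python script below, added here as an example and not part of the Prisma Access documentation or the product, lists each IAM role defined in a template, which principals may assume it, whether an sts:ExternalId condition is present, and which inline policies grant service-wide wildcard actions. The embedded template is a constructed stand-in (placeholder account ID, external ID and policy names), and the script assumes the template is in JSON form.

```python
import json
# Constructed stand-in for the downloaded IAM Role CFT (JSON form); IDs and names are placeholders.
SAMPLE_CFT = {
    "Parameters": {"AppDisRoleName": {"Type": "String"}},
    "Resources": {"AppDiscoveryRole": {"Type": "AWS::IAM::Role", "Properties": {
        "RoleName": {"Ref": "AppDisRoleName"},
        "AssumeRolePolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]},
        "Policies": [
            {"PolicyName": "ReadOnlyDiscovery", "PolicyDocument": {"Statement": [{"Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ec2:DescribeSubnets"], "Resource": "*"}]}},
            {"PolicyName": "TooBroad", "PolicyDocument": {"Statement": [{"Effect": "Allow",
                "Action": "*", "Resource": "*"}]}}]}}}}

def as_list(value):  # IAM policy fields may be a single string or a list
    return [] if value is None else value if isinstance(value, list) else [value]

def principals(statement):
    """Flatten a Principal block into 'Kind:value' strings ('*' means anyone)."""
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else [
        f"{kind}:{v}" for kind, vals in principal.items() for v in as_list(vals)]

def has_service_wildcard(policy_document):  # Allow of '*' or a whole service ('svc:*')
    return any(stmt.get("Effect") == "Allow" and
               any(a == "*" or a.endswith(":*") for a in as_list(stmt.get("Action")))
               for stmt in as_list(policy_document.get("Statement")))

def review_roles(template):
    """Per AWS::IAM::Role: who may assume it, external-ID use, wildcard policies."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Role":
            continue
        props = resource.get("Properties", {})
        name = props.get("RoleName")
        if isinstance(name, dict) and "Ref" in name:  # filled from a stack parameter
            name = f"Ref:{name['Ref']}"
        trusted, external_id = [], False
        for stmt in as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement")):
            if stmt.get("Effect") == "Allow":
                trusted += principals(stmt)
                external_id |= "sts:ExternalId" in json.dumps(stmt.get("Condition", {}))
        findings.append({"logical_id": logical_id, "role_name": name,
                         "trusted_principals": trusted, "external_id_required": external_id,
                         "wildcard_policies": [p["PolicyName"] for p in props.get("Policies", [])
                                               if has_service_wildcard(p.get("PolicyDocument", {}))]})
    return findings
```

Run review_roles() on the parsed template from Step 1; an Allow on '*' or on a whole service, or a trust policy with no external ID condition, is worth raising before you select Submit.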