>
    Strata Copilot
    Onboard the ZTNA Connector VM in Your Data Center
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access ZTNA Connector
    5. Onboard the ZTNA Connector VM in Your Data Center
    Download PDF
    Prisma Access

    Onboard the ZTNA Connector VM in Your Data Center

    Table of Contents

    Onboard the ZTNA Connector VM in Your Data Center

    Configure the connectors that are used for ZTNA Connector.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • We require a minimum version of Prisma Access 5.0 to enable ZTNA Connector support.
    • Prisma Access license includes 10 connectors, 20,000 FQDNs, and 1024 IP subnets. This functionality is provided for the purpose of trying out ZTNA Connectors in your environment.
    • The Private App add-on license includes 200 ZTNA Connectors, 20,000 FQDNs, and 1024 IP subnet functionality.
    After you configure your Connector groups, connectors, and application targets within Prisma Access, you must deploy the Connector VM in your data center. To simplify Connector onboarding, deployment templates for each data center environment are available from the Palo Alto Networks Customer Support Portal or from the cloud provider marketplace. The template you use depends on whether you’re planning to use a one-arm deployment or a two-arm deployment.

    Supported ZTNA Connector Deployments

    ZTNA Connector initiates the connection to the Prisma Access public IP address in the cloud, and you don't need to define any ingress firewall security rules. However, because ZTNA Connector initiates the connection, you'll need to add egress rules to allow ZTNA Connector access to the cloud controller and the IPSec connection to the Prisma Access dataplane. ZTNA Connector initiates the connection to the Prisma Access public IP address in the cloud. For this reason, you need the following egress rules so that ZTNA Connector can create an IPSec tunnel to Prisma Access:
    • Internet Facing—Allow egress for HTTPS (TCP 443) and IKE/IPSec (UDP 500 and 4500)
    • Data Center Facing—Allow egress application ports.
      For example, allow egress application ports HTTP (80) and HTTPS (443). These example ports are TCP ports. If your data center uses different ports, allow those ports instead.
    You must configure the time to UTC for on-premises ZTNA Connector deployments. For Cloud-based ZTNA Connector deployments, the underlying cloud VM handles the time setting automatically.
    You can deploy the Connector VM in the following deployment topologies:
    • One-Arm Deployment
      One-arm deployments are supported in cloud native environments such as AWS, Azure, GCP and OCI. In addition, one-arm deployments are supported in ESXi on-premise deployments. For other on-premise deployment for a a Kernel-based Virtual Machine (KVM) or or Microsoft Hyper-V, use the two-arm deployment.
      In this deployment, your ZTNA Connector is on a data center subnet that is private, with access to the internet through a data center router. Access to applications can be either locally on the same subnet, or through the data center router.
      The following diagram shows a sample ZTNA Connector network deployment using a one-arm deployment.
    • Two-Arm deployment
      If you want more control over your ingress and egress security rules, or if you have an on-premise VM deployment, you can use a two arm deployment, where one interface faces the internet and one faces the data center.
      When setting up IP addresses on a two-arm connector, make sure that you have set up the IP address assignments for ZTNA Connector correctly before you power on the VM. For example, the following sample diagram uses 192.168.10.10 and 192.168.100.20 IP addresses. Given these sample addresses, set up the ports on ZTNA Connector for 192.168.10.10 and 192.168.100.20, or Prisma Access cannot reach the apps in the data center through ZTNA Connector. 192.168.10.10 and 192.168.100.20 are sample IP addresses and you do not have to use these IP addresses for your deployment to function.
      The following diagram shows a sample ZTNA Connector network deployment using a two-arm deployment.

    © 2026 Palo Alto Networks, Inc. All rights reserved.