Focus

Prisma Access

Onboard the ZTNA Connector VM in Your Data Center

Table of Contents

Filter

Expand All | Collapse All

Prisma Access Docs

Administration
Version
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Integrations
Incidents & Alerts
Release Notes
Version
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred

Security Policy for Apps Enabled with ZTNA Connector

Microsoft Azure Deployments Supported by ZTNA Connector

Onboard the ZTNA Connector VM in Your Data Center

Configure the connectors that are used for ZTNA Connector.

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama)	Prisma Access 4.0 `Prisma Access` 5.0 supports wildcards and IP subnet-based app targets. Prisma Access 5.0.1 supports associating multiple connector groups with FQDN Targets and Wildcard Targets and introduces proximity-based application routing. ZTNA Connector add-on license The Business license with the add-on license includes eight ZTNA Connectors, 100 FQDN, and four IP subnet functionality. The Business Premium license with the add-on license includes 40 ZTNA Connectors, 300 FQDN, and unlimited IP subnet functionality. The Advanced license with the add-on license has unlimited ZTNA Connectors, FQDN, and IP subnet functionality. If you don't purchase the ZTNA Connector add-on license, Prisma Access licenses include 20 apps, two connectors, and four IP subnets. This functionality is provided for the purpose of trying out ZTNA Connectors in your environment.

Where Can I Use This?

What Do I Need?

Prisma Access (Managed by Strata Cloud Manager)

Prisma Access (Managed by Panorama)

Prisma Access

4.0

Prisma Access 5.0 supports wildcards and IP subnet-based app targets.

Prisma Access

5.0.1 supports associating multiple connector groups with FQDN Targets and Wildcard Targets and introduces proximity-based application routing.

ZTNA Connector add-on license

The Business license with the add-on license includes eight ZTNA Connectors, 100 FQDN, and four IP subnet functionality.

The Business Premium license with the add-on license includes 40 ZTNA Connectors, 300 FQDN, and unlimited IP subnet functionality.

The Advanced license with the add-on license has unlimited ZTNA Connectors, FQDN, and IP subnet functionality.

If you don't purchase the ZTNA Connector add-on license,

Prisma Access

licenses include 20 apps, two connectors, and four IP subnets. This functionality is provided for the purpose of trying out ZTNA Connectors in your environment.

After you configure your Connector groups, connectors, and application targets within Prisma Access, you must deploy the Connector VM in your data center. To simplify Connector onboarding, deployment templates for each data center environment are available from the Palo Alto Networks Customer Support Portal or from the cloud provider marketplace. The template you use depends on whether you’re planning to use a one-arm deployment or a two-arm deployment.

Supported ZTNA Connector Deployments

ZTNA Connector initiates the connection to the Prisma Access public IP address in the cloud, and you don't need to define any ingress firewall security rules. However, because ZTNA Connector initiates the connection, you'll need to add egress rules to allow ZTNA Connector access to the cloud controller and the IPSec connection to the Prisma Access dataplane. ZTNA Connector initiates the connection to the Prisma Access public IP address in the cloud. For this reason, you need the following egress rules so that ZTNA Connector can create an IPSec tunnel to Prisma Access:

Internet Facing
—Allow egress for HTTPS (TCP 443) and IKE/IPSec (UDP 500 and 4500)

Data Center Facing
—Allow egress application ports.

For example, allow egress application ports HTTP (80) and HTTPS (443). These example ports are TCP ports. If your data center uses different ports, allow those ports instead.

You can deploy the Connector VM in the following deployment topologies:

One-Arm Deployment

One-arm deployments are only supported in cloud native environments such as AWS, Azure, or GCP. For on-premise deployments such as ESXi or

a Kernel-based Virtual Machine (KVM)

or Microsoft Hyper-V

, use the two-arm deployment.

In this deployment, your ZTNA Connector is on a data center subnet that is private, with access to the internet through a data center router. Access to applications can be either locally on the same subnet, or through the data center router.

The following diagram shows a sample ZTNA Connector network deployment using a one-arm deployment.

Two-Arm deployment

If you want more control over your ingress and egress security rules, or if you have an on-premise VM deployment, you can use a two arm deployment, where one interface faces the internet and one faces the data center.

When setting up IP addresses on a two-arm connector, make sure that you have set up the IP address assignments for ZTNA Connector correctly before you power on the VM. Given the following diagram, be sure that you set up the ports on ZTNA Connector for 192.168.10.10 and 192.168.100.20, or Prisma Access cannot reach the apps in the data center through ZTNA Connector.

The following diagram shows a sample ZTNA Connector network deployment using a two-arm deployment.

Security Policy for Apps Enabled with ZTNA Connector

Microsoft Azure Deployments Supported by ZTNA Connector

Prisma Access Docs

Onboard the ZTNA Connector VM in Your Data Center

Prisma Access Docs

Onboard the ZTNA Connector VM in Your Data Center

Supported ZTNA Connector Deployments

Recommended For You

Activation & Onboarding

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner