Prisma Access
Security Policy for Apps Enabled with ZTNA Connector
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Security Policy for Apps Enabled with ZTNA Connector
ZTNA Connector seamlessly extends your existing
Prisma Access
security policy to the
applications it enables for Prisma Access
.Where Can I Use This? | What Do I Need? |
---|---|
|
|
ZTNA Connector does not enforce policy; it seamlessly extends your existing Prisma
Access security policy to the applications it enables for
Prisma Access
. This means
you can use a common policy across all your applications and data centers, and you
don't need to author your security policy separately for apps onboarded to ZTNA
Connector.However, as part of setting up ZTNA Connector, you do need to make sure that your
security policy:
Allows traffic between
Prisma Access
and ZTNA ConnectorFor this, follow the ZTNA Connector Requirements and Guidelines to make sure that ZTNA Connector can
connect to
Prisma Access
.Users can access the applications behind the ZTNA Connector
To ensure your users can access ZTNA Connector apps, follow the steps here for the
interface you're using to manage
Prisma Access
.Cloud Management
Set up a Security policy rule that enables users to access apps behind ZTNA Connector
for Cloud Managed Prisma Access deployments and Strata Cloud Manager.
After you onboard apps to ZTNA Connector, you should set up policy rules to allow and
control access for those apps. The procedure to create and apply policy differs on
whether your apps are defined by wildcards, IP Subnets, or FQDNs.
Security Policy for Wildcard-Based Apps
Wilcard-based apps ( () require that you create a custom URL category; however, that
type of category only enforces policy for HTTP and HTTPS traffic, and other
traffic (such as SSH) isn't allowed. For this reason, you need to temporarily
allow access to all apps by allowing traffic to the ZTNA Connector Application
IP blocks.
Settings
ZTNA Connector
Application Targets
Wildcard Targets
After ZTNA Connector learns the FQDNs that are based on the wildcards, you can
disable the policy that allows Application IP Block traffic and apply policy
enforcement based on the learned FQDNs.
- Create a Custom URL category and add the wildcard URLs to the category.
- Go to.ManageConfigurationSecurity ServicesURL Access ManagementAccess ControlIf you're using Strata Cloud Manager, go to.ManageConfigurationNGFW and Prisma AccessSecurity ServicesURL Access Management
- Under Custom URL categories,Add Category.
- Give a descriptiveNamefor the custom URL category and select aTypeofURL List.
- Add the wildcard URLs you created in ZTNA Connector to theItems.
- Saveyour changes.
- Create a URL access Management Profile and add the custom URL category you created to it.
- While still in theURL Access Managementarea, selectURL Access Management Profiles.
- Select an existing profile to modify orAdd Profile.
- Add the Custom URL category you created to the profile.
- Select the following parameters:
- Site Access: Allow
- User Credential Submission: Allow
- Saveyour changes.
- Create a profile group and attach the URL Access Management Profile to the group.
- Go to.ManageConfigurationSecurity ServicesProfile GroupsIf you're using Strata Cloud Manager, go to.ConfigurationNGFW and Prisma AccessSecurity ServicesProfile Groups
- Adda profile group, specifying the URL Access Management Profile you created.
- Create a policy to allow the profile group and the IP addresses for the ZTNA Connector Application IP Blocks.
- Go toand make a note of theManageService SetupSharedPrisma Access SetupInfrastructure SettingsApplication IP Blocksunder ZTNA Connector IPs.If you're using Strata Cloud Manager, go toand make a note of theWorkflowsPrisma Access SetupPrisma AccessPrisma Access SetupApplication IP Blocksunder ZTNA Connector IPs.
- Go toandManageConfigurationObjectsAddressAddressesAddaddress objects based on the IP addresses you retrieved.If you're using Strata Cloud Manager, go toandManageConfigurationNGFW and Prisma AccessObjectsAddressAddressesAddaddress objects based on the IP addresses you retrieved.If you have IP Subnet-based apps, create address objects for those subnets as well.
- Go ToandManageConfigurationObjectsAddressAddress GroupsAddthe address objects you created to an address group.If you're using Strata Cloud Manager, to goandManageConfigurationNGFW and Prisma AccessObjectsAddressAddress GroupsAddthe addresses you created to the address groups.
- Go toandManageConfigurationNGFW and Prisma AccessSecurity ServicesSecurity PolicyPre RulesAdda Security policy to allow access to all application IP address blocks, specifying theAddress GroupandProfile Groupyou created in an earlier step.If you're using Strata Cloud Manager, go toandManageConfigurationNGFW and Prisma AccessSecurity ServicesSecurity PolicyPre RulesAdda Security policy to allow access to all application IP address blocks, specifying theAddress GroupandProfile Groupyou created in an earlier step.Adding this Security policy allows all traffic from wildcard-based app traffic to be passed while ZTNA Connector discovers the apps based on wildcards. Without the rule to allow the Application IP Blocks, users can't access wildcard-based apps.You can leave this policy in place until ZTNA Connector discovers the wildcard-based apps. Then, you can choose to disable this policy and add Security policy rules for each of the discovered apps.
- After ZTNA Connector has discovered the apps based on wildcards, configure a Security policy for the apps that you added using FQDNs.
- Go toand make a note of the FQDNs used by the apps.SettingsZTNA ConnectorConnectorsApplication TargetsFQDN TargetsIf you're using Strata Cloud Manager, go toand make a note of the FQDNs used by the apps.WorkflowsZTNA ConnectorApplication TargetsFQDN Targets
- Create an Address object for the FQDN ().ManageConfigurationObjectsAddress ObjectsIf you're using Strata Cloud Manager, go to.ManageConfigurationNGFW and Prisma AccessObjectsAddressAddressesSelect thePrisma Accessconfiguration scope.
- Addan address object with theTypeofFQDN: Domain Nameand enter theFQDNof the discovered application.Enter the FQDNs for the FQDN targets.
- Go toandManageConfigurationNGFW and Prisma AccessSecurity ServicesSecurity PolicyPre RulesAdda Security policy to allow access to the discovered apps.If you're using Strata Cloud Manager, go toandManageConfigurationNGFW and Prisma AccessSecurity ServicesSecurity PolicyPre RulesAdda Security policy to allow access to the discovered apps.
- Push Configto save and push your configuration changes.
- (Optional) After you have created the Security policy based on FQDNs, remove the policy based on the IP application blocks.
Security Policy for IP Subnet-Based Apps
If you created ZTNA Connector application targets
based on IP subnets (), complete the following steps to allow access to the apps.
Settings
ZTNA Connector
Connectors
Application Targets
IP Subnets
- Go toand make a note of the IP subnets used by the apps.SettingsZTNA ConnectorConnectorsApplication TargetsIP SubnetsIf you're using Strata Cloud Manager, go toand make a note of the IP subnets used by the apps.WorkflowsZTNA ConnectorApplication TargetsIP Subnets
- Create a policy to allow the IP addresses for the IP subnets used for the apps.
- Go ToandManageConfigurationObjectsAddressAddressesAddaddress objects based on the IP addresses you retrieved.If you're using Strata Cloud Manager, go toandManageConfigurationNGFW and Prisma AccessObjectsAddressAddressesAddaddress objects based on the IP addresses you retrieved.
- Go ToandManageConfigurationObjectsAddressAddress GroupsAddthe addresses you created to the address groups.If you're using Strata Cloud Manager, to goandManageConfigurationNGFW and Prisma AccessObjectsAddressAddress GroupsAddthe addresses you created to the address groups.
- Go toandManageConfigurationNGFW and Prisma AccessSecurity ServicesSecurity PolicyPre RulesAdda Security policy to allow access to the IP subnets for the apps, specifying theAddressesyou created in an earlier step.If you're using Strata Cloud Manager, go toandManageConfigurationNGFW and Prisma AccessSecurity ServicesSecurity PolicyPre RulesAdda Security policy to allow access to the IP subnets for the apps toDestinationaddresses, specifying theAddressesyou created in an earlier step.
- Push Configto save and push your configuration changes.
Security Policy for FQDN-Based Apps
If you have added targets based on FQDNs (), create an address object and a Security policy to allow access to
the apps by completing the following steps.
Settings
ZTNA Connector
Connectors
Application Targets
FQDN Targets
- Configure a Security policy for the apps that you added using FQDNs.
- Go toand make a note of the FQDNs used by the apps.SettingsZTNA ConnectorConnectorsApplication TargetsFQDN TargetsIf you're using Strata Cloud Manager, go toand make a note of the FQDNs used by the apps.WorkflowsZTNA ConnectorApplication TargetsFQDN Targets
- Create an Address object for the FQDN ().ManageConfigurationObjectsAddress ObjectsIf you're using Strata Cloud Manager, go to.ManageConfigurationNGFW and Prisma AccessObjectsAddressAddressesSelect thePrisma Accessconfiguration scope.
- Addan address object with theTypeofFQDN: Domain Nameand enter theFQDNof the discovered application.Enter the FQDNs for all discovered apps.
- OptionalGo toandManageConfigurationNGFW and Prisma AccessSecurity ServicesSecurity PolicyPre RulesAdda Security policy to allow access to the discovered apps.If you're using Strata Cloud Manager, go toandManageConfigurationNGFW and Prisma AccessSecurity ServicesSecurity PolicyPre RulesAdda Security policy to allow access to the discovered apps.
- Push Configto save and push your configuration changes.
Panorama
Set up a Security policy rule that enables users to access apps behind ZTNA Connector
for Panorama Managed Prisma Access deployments.
After you onboard apps to ZTNA Connector, you should set up policy rules to allow and
control access for those apps. The procedure to create and apply policy differs on
whether your apps are defined by wildcards, IP Subnets, or FQDNs.
Security Policy for Wildcard-Based Apps
Wilcard-based apps ( () require that you create a custom URL category; however, that
type of category only enforces policy for HTTP and HTTPS traffic, and other
traffic (such as SSH) isn't allowed. For this reason, you need to temporarily
allow access to all apps by allowing traffic to the ZTNA Connector Application
IP blocks.
Settings
ZTNA Connector
Application Targets
Wildcard Targets
After ZTNA Connector learns the FQDNs that are based on the wildcards, you can
disable the policy that allows Application IP Block traffic and apply policy
enforcement based on the learned FQDNs.
- Create a policy to allow the IP addresses for the ZTNA Connector Application IP Blocks.
- From the ZTNA Connector UI, go toand make a note of theManageService SetupSharedPrisma Access SetupInfrastructure SettingsApplication IP Blocksunder ZTNA Connector IPs.If you're using Strata Cloud Manager, go toand make a note of theWorkflowsPrisma Access SetupPrisma AccessPrisma Access SetupApplication IP Blocksunder ZTNA Connector IPs.
- Go toandObjectsAddressesAddaddress objects based on the IP addresses you retrieved.
- Go ToandObjectsAddress GroupsAddthe address objects you created to an address group.
- Go toandPoliciesSecurityPre RulesAdda Security policy to allow access to all application IP address blocks, specifying theAddress Groupyou created in an earlier step.Adding this Security policy allows all traffic from wildcard-based app traffic to be passed while ZTNA Connector discovers the apps based on wildcards. Without the rule to allow the Application IP Blocks, users can't access wildcard-based apps.You can leave this policy in place until ZTNA Connector discovers the wildcard-based apps. Then, you can choose to disable this policy and add Security policy rules for each of the discovered apps.
- After ZTNA Connector has discovered the apps based on wildcards, configure a Security policy for the apps that you added using FQDNs.
- Go toand make a note of the FQDNs used by the apps.SettingsZTNA ConnectorConnectorsApplication TargetsFQDN TargetsIf you're using Strata Cloud Manager, go toand make a note of the FQDNs used by the apps.WorkflowsZTNA ConnectorApplication TargetsFQDN Targets
- Create an Address object for the FQDN ().ObjectsAddressesSelect either theMobile_User_Device_Groupor theRemote_Network_Device_Group, depending on whether mobile users or users at branch sites will be accessing the private apps behind ZTNA Connector.
- Addan address object with theTypeofFQDNand enter theFQDNof the discovered application.Enter the FQDNs for the FQDN targets.
- Go toandPoliciesSecurityPre RulesAdda Security policy to allow access to the discovered apps.
- Commit and Pushyour changes.
- (Optional) After you have created the Security policy based on FQDNs, remove the policy based on the IP application blocks.
Security Policy for IP Subnet-Based Apps
If you created ZTNA Connector application targets
based on IP subnets (), complete the following steps to allow access to the apps.
Settings
ZTNA Connector
Connectors
Application Targets
IP Subnets
- Go toand make a note of the IP subnets used by the apps.SettingsZTNA ConnectorConnectorsApplication TargetsIP SubnetsIf you're using Strata Cloud Manager, go toand make a note of the IP subnets used by the apps.WorkflowsZTNA ConnectorApplication TargetsIP Subnets
- Create a policy to allow the IP addresses for the IP subnets used for the apps.
- Go ToandObjectsAddressesAddaddress objects based on the IP addresses you retrieved.If you're using Strata Cloud Manager, go toandManageConfigurationNGFW and Prisma AccessObjectsAddressAddressesAddaddress objects based on the IP addresses you retrieved.
- Go ToandObjectsAddress GroupsAddthe addresses you created to the address groups.
- Go toandPoliciesSecurityPre RulesAdda Security policy to allow access to the IP subnets for the apps, specifying theAddressesyou created in an earlier step.
- Push Configto save and push your configuration changes.
Security Policy for FQDN-Based Apps
If you have added targets based on FQDNs (), create an address object and a Security policy to allow access to
the apps by completing the following steps.
Settings
ZTNA Connector
Connectors
Application Targets
FQDN Targets
- Configure a Security policy for the apps that you added using FQDNs.
- Go toand make a note of the FQDNs used by the apps.SettingsZTNA ConnectorConnectorsApplication TargetsFQDN TargetsIf you're using Strata Cloud Manager, go toand make a note of the FQDNs used by the apps.WorkflowsZTNA ConnectorApplication TargetsFQDN Targets
- Create an Address object for the FQDN ().ObjectsAddressesSelect either theMobile_User_Device_Groupor theRemote_Network_Device_Group, depending on whether mobile users or users at branch sites will be accessing the private apps behind ZTNA Connector.
- Addan address object with theTypeofFQDNand enter theFQDNof the discovered application.Enter the FQDNs for all discovered apps.
- OptionalGo toandManageConfigurationNGFW and Prisma AccessSecurity ServicesSecurity PolicyPre RulesAdda Security policy to allow access to the discovered apps.If you're using Strata Cloud Manager, go toandManageConfigurationNGFW and Prisma AccessSecurity ServicesSecurity PolicyPre RulesAdda Security policy to allow access to the discovered apps.
- Push Configto save and push your configuration changes.