>
    Strata Copilot
    Security Policy for Apps Enabled with ZTNA Connector (Strata Cloud Manager)
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access ZTNA Connector
    5. Security Policy for Apps Enabled with ZTNA Connector
    6. Security Policy for Apps Enabled with ZTNA Connector (Strata Cloud Manager)
    Download PDF
    Prisma Access

    Security Policy for Apps Enabled with ZTNA Connector (Strata Cloud Manager)

    Table of Contents

    Security Policy for Apps Enabled with ZTNA Connector (Strata Cloud Manager)

    Set up a Security policy rule that enables users to access apps behind ZTNA Connector for Cloud Managed Prisma Access deployments and Strata Cloud Manager.
    After you onboard apps to ZTNA Connector, you should set up policy rules to allow and control access for those apps. The procedure to create and apply policy differs on whether your apps are defined by wildcards, IP Subnets, or FQDNs.

    Security Policy for Wildcard-Based Apps

    Wildcard-based apps ( ZTNA ConnectorWildcard Targets) require that you create a custom URL category; however, that type of category only enforces policy for HTTP and HTTPS traffic, and other traffic (such as SSH) isn't allowed. For this reason, you need to temporarily allow access to all apps by allowing traffic to the ZTNA Connector Application IP blocks.
    After ZTNA Connector learns the FQDNs that are based on the wildcards, you can disable the policy that allows Application IP Block traffic and apply policy enforcement based on the learned FQDNs.
    1. Create a Custom URL category and add the wildcard URLs to the category.
      1. Go to ConfigurationNGFW and Prisma AccessSecurity ServicesURL Access Management.
      2. Under Custom URL categories, Add Category.
      3. Give a descriptive Name for the custom URL category and select a Type of URL List.
      4. Add the wildcard URLs you created in ZTNA Connector to the Items.
      5. Save your changes.
    2. Create a URL access Management Profile and add the custom URL category you created to it.
      1. While still in the URL Access Management area, select URL Access Management Profiles.
      2. Select an existing profile to modify or Add Profile.
      3. Add the Custom URL category you created to the profile.
      4. Select the following parameters:
        • Site Access: Allow
        • User Credential Submission: Allow
      5. Save your changes.
    3. Create a profile group and attach the URL Access Management Profile to the group.
      1. Go to ConfigurationNGFW and Prisma AccessSecurity ServicesProfile Groups.
      2. Add a profile group, specifying the URL Access Management Profile you created.
    4. Create a policy to allow the profile group and the IP addresses for the ZTNA Connector Application IP Blocks.
      1. Go to ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessPrisma Access Infrastructure and make a note of the Application IP Blocks under ZTNA Connector IPs.
      2. Go to ConfigurationNGFW and Prisma AccessObjectsAddressAddresses and Add address objects based on the IP addresses you retrieved.
        If you have IP Subnet-based apps, create address objects for those subnets as well.
      3. Go to ConfigurationNGFW and Prisma AccessObjectsAddressAddress Groups and Add the address objects you created to an address group.
      4. Go to ConfigurationNGFW and Prisma AccessSecurity ServicesSecurity PolicyPre Rules and Add a Security policy to allow access to all application IP address blocks, specifying the Address Group and Profile Group you created in an earlier step.
        Adding this Security policy allows all traffic from wildcard-based app traffic to be passed while ZTNA Connector discovers the apps based on wildcards. Without the rule to allow the Application IP Blocks, users can't access wildcard-based apps.
        You can leave this policy in place until ZTNA Connector discovers the wildcard-based apps. Then, you can choose to disable this policy and add Security policy rules for each of the discovered apps.
    5. After ZTNA Connector has discovered the apps based on wildcards, configure a Security policy for the apps that you added using FQDNs.
      1. Go to ConfigurationZTNA ConnectorFQDN Targets and make a note of the FQDNs used by the apps.
      2. Create an Address object for the FQDN (ConfigurationNGFW and Prisma AccessObjectsAddressAddresses).
        Select the Prisma Access configuration scope.
      3. Add an address object with the Type of FQDN: Domain Name and enter the FQDN of the discovered application.
        Enter the FQDNs for the FQDN targets.
      4. Go to ConfigurationNGFW and Prisma AccessSecurity ServicesSecurity PolicyPre Rules and Add a Security policy to allow access to the discovered apps.
    6. Push Config to save and push your configuration changes.
    7. (Optional) After you have created the Security policy based on FQDNs, remove the policy based on the IP application blocks.

    Security Policy for IP Subnet-Based Apps

    If you created ZTNA Connector application targets based on IP subnets (ZTNA ConnectorIP Subnets), complete the following steps to allow access to the apps.
    1. Go to ConfigurationZTNA ConnectorIP Subnets and make a note of the IP subnets used by the apps.
    2. Create a policy to allow the IP addresses for the IP subnets used for the apps.
      1. Go to ConfigurationNGFW and Prisma AccessObjectsAddressAddresses and Add address objects based on the IP addresses you retrieved.
      2. Go to ConfigurationNGFW and Prisma AccessObjectsAddressAddress Groups and Add the addresses you created to the address groups.
      3. Go to ConfigurationNGFW and Prisma AccessSecurity ServicesSecurity PolicyPre Rules and Add a Security policy to allow access to the IP subnets for the apps, specifying the Addresses you created in an earlier step.
    3. Push Config to save and push your configuration changes.

    Security Policy for FQDN-Based Apps

    If you have added targets based on FQDNs (ConfigurationZTNA ConnectorFQDN Targets), create an address object and a Security policy to allow access to the apps by completing the following steps.
    1. Configure a Security policy for the apps that you added using FQDNs.
      1. Go to ConfigurationZTNA ConnectorFQDN Targets and make a note of the FQDNs used by the apps.
      2. Create an Address object for the FQDN (ConfigurationNGFW and Prisma AccessObjectsAddressAddresses).
        Select the Prisma Access configuration scope.
      3. Add an address object with the Type of FQDN: Domain Name and enter the FQDN of the discovered application.
        Enter the FQDNs for all discovered apps.
      4. Optional Go to ConfigurationNGFW and Prisma AccessSecurity ServicesSecurity PolicyPre Rules and Add a Security policy to allow access to the discovered apps.
    2. Push Config to save and push your configuration changes.

    © 2026 Palo Alto Networks, Inc. All rights reserved.