>
    Security Policy for Apps Enabled with ZTNA Connector (Panorama)
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access ZTNA Connector
    4. Security Policy for Apps Enabled with ZTNA Connector
    5. Security Policy for Apps Enabled with ZTNA Connector (Panorama)
    Download PDF
    Prisma Access

    Panorama

    Table of Contents

    Security Policy for Apps Enabled with ZTNA Connector (
    Panorama
    )

    Set up a Security policy rule that enables users to access apps behind ZTNA Connector for Panorama Managed Prisma Access deployments.
    After you onboard apps to ZTNA Connector, you should set up policy rules to allow and control access for those apps. The procedure to create and apply policy differs on whether your apps are defined by wildcards, IP Subnets, or FQDNs.

    Security Policy for Wildcard-Based Apps

    Wilcard-based apps ( (
    Settings
    ZTNA Connector
    Application Targets
    Wildcard Targets
    ) require that you create a custom URL category; however, that type of category only enforces policy for HTTP and HTTPS traffic, and other traffic (such as SSH) isn't allowed. For this reason, you need to temporarily allow access to all apps by allowing traffic to the ZTNA Connector Application IP blocks.
    After ZTNA Connector learns the FQDNs that are based on the wildcards, you can disable the policy that allows Application IP Block traffic and apply policy enforcement based on the learned FQDNs.
    1. Create a policy to allow the IP addresses for the ZTNA Connector Application IP Blocks.
      1. From the ZTNA Connector UI, go to
        Manage
        Service Setup
        Shared
        Prisma Access Setup
        Infrastructure Settings
         and make a note of the
        Application IP Blocks
         under ZTNA Connector IPs.
        If you're using Strata Cloud Manager, go to
        Workflows
        Prisma Access Setup
        Prisma Access
        Prisma Access Setup
         and make a note of the
        Application IP Blocks
         under ZTNA Connector IPs.
      2. Go to
        Objects
        Addresses
         and
        Add
         address objects based on the IP addresses you retrieved.
      3. Go To
        Objects
        Address Groups
         and
        Add
         the address objects you created to an address group.
      4. Go to
        Policies
        Security
        Pre Rules
         and
        Add
         a Security policy to allow access to all application IP address blocks, specifying the
        Address Group
         you created in an earlier step.
        Adding this Security policy allows all traffic from wildcard-based app traffic to be passed while ZTNA Connector discovers the apps based on wildcards. Without the rule to allow the Application IP Blocks, users can't access wildcard-based apps.
        You can leave this policy in place until ZTNA Connector discovers the wildcard-based apps. Then, you can choose to disable this policy and add Security policy rules for each of the discovered apps.
    2. After ZTNA Connector has discovered the apps based on wildcards, configure a Security policy for the apps that you added using FQDNs.
      1. Go to
        Settings
        ZTNA Connector
        Connectors
        Application Targets
        FQDN Targets
         and make a note of the FQDNs used by the apps.
        If you're using Strata Cloud Manager, go to
        Workflows
        ZTNA Connector
        Application Targets
        FQDN Targets
         and make a note of the FQDNs used by the apps.
      2. Create an Address object for the FQDN (
        Objects
        Addresses
        ).
        Select either the
        Mobile_User_Device_Group
         or the
        Remote_Network_Device_Group
        , depending on whether mobile users or users at branch sites will be accessing the private apps behind ZTNA Connector.
      3. Add
         an address object with the
        Type
         of
        FQDN
         and enter the
        FQDN
         of the discovered application.
        Enter the FQDNs for the FQDN targets.
      4. Go to
        Policies
        Security
        Pre Rules
         and
        Add
         a Security policy to allow access to the discovered apps.
    3. Commit and Push
       your changes.
    4. (
      Optional
      ) After you have created the Security policy based on FQDNs, remove the policy based on the IP application blocks.

    Security Policy for IP Subnet-Based Apps

    If you created ZTNA Connector application targets based on IP subnets (
    Settings
    ZTNA Connector
    Connectors
    Application Targets
    IP Subnets
    ), complete the following steps to allow access to the apps.
    1. Go to
      Settings
      ZTNA Connector
      Connectors
      Application Targets
      IP Subnets
       and make a note of the IP subnets used by the apps.
      If you're using Strata Cloud Manager, go to
      Workflows
      ZTNA Connector
      Application Targets
      IP Subnets
       and make a note of the IP subnets used by the apps.
    2. Create a policy to allow the IP addresses for the IP subnets used for the apps.
      1. Go To
        Objects
        Addresses
         and
        Add
         address objects based on the IP addresses you retrieved.
        If you're using Strata Cloud Manager, go to
        Manage
        Configuration
        NGFW and Prisma Access
        Objects
        Address
        Addresses
         and
        Add
         address objects based on the IP addresses you retrieved.
      2. Go To
        Objects
        Address Groups
         and
        Add
         the addresses you created to the address groups.
      3. Go to
        Policies
        Security
        Pre Rules
         and
        Add
         a Security policy to allow access to the IP subnets for the apps, specifying the
        Addresses
         you created in an earlier step.
    3. Push Config
       to save and push your configuration changes.

    Security Policy for FQDN-Based Apps

    If you have added targets based on FQDNs (
    Settings
    ZTNA Connector
    Connectors
    Application Targets
    FQDN Targets
    ), create an address object and a Security policy to allow access to the apps by completing the following steps.
    1. Configure a Security policy for the apps that you added using FQDNs.
      1. Go to
        Settings
        ZTNA Connector
        Connectors
        Application Targets
        FQDN Targets
         and make a note of the FQDNs used by the apps.
        If you're using Strata Cloud Manager, go to
        Workflows
        ZTNA Connector
        Application Targets
        FQDN Targets
         and make a note of the FQDNs used by the apps.
      2. Create an Address object for the FQDN (
        Objects
        Addresses
        ).
        Select either the
        Mobile_User_Device_Group
         or the
        Remote_Network_Device_Group
        , depending on whether mobile users or users at branch sites will be accessing the private apps behind ZTNA Connector.
      3. Add
         an address object with the
        Type
         of
        FQDN
         and enter the
        FQDN
         of the discovered application.
        Enter the FQDNs for all discovered apps.
      4. Optional
         Go to
        Manage
        Configuration
        NGFW and Prisma Access
        Security Services
        Security Policy
        Pre Rules
         and
        Add
         a Security policy to allow access to the discovered apps.
        If you're using Strata Cloud Manager, go to
        Manage
        Configuration
        NGFW and Prisma Access
        Security Services
        Security Policy
        Pre Rules
         and
        Add
         a Security policy to allow access to the discovered apps.
    2. Push Config
       to save and push your configuration changes.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.