Prisma Access
ZTNA Connector Requirements and Guidelines
Table of Contents
ZTNA Connector Requirements and Guidelines
Learn about the requirements and guidelines for using ZTNA Connector.
Where Can I Use This? | What Do I Need? |
|---|---|
|
|
Before you start setting up ZTNA Connector, be sure that you understand the Connector
requirements and limits, as well as the guidelines you should follow when deploying
it.
Supported Prisma Access Versions and Requirements
Prisma Access
Versions and Requirements- Prisma Access4.0 version with a compatible SaaS Agent.Upgrade any Prisma Access release earlier than 4.0, including any Innovation releases, to a minimum version of 4.0.A minimumPrisma Accessversion of 5.0 is required if you want to use FQDN wildcards or IP Subnets to access apps. In addition,Prisma Access5.0 unlocks the use of the Dump Overview, Packet Capture, and Tech Support diagnostic tools.
- You must upgrade your connector versions to a minimum of 6-2-2-ztna-connector-b1 to use 5.0 functionality.
- ForPrisma Access (Managed by Panorama), upgrade the Cloud Services plugin version to a minimum version of 4.0.Upgrade to 5.0 to unlock the latest features.
App Support
ZTNA Connector provides access to all of your private app traffic, with the
following exceptions:
- ZTNA Connector does not support the following:
- Traffic originating from the data center (such as SCCM or remote help desk traffic).
- Applications that perform port hopping (such as VoIP or Active Mode FTP).
- Application-level gateway (ALG) apps such as Active Mode FTP and SIP.
- Communication between apps behind a service connection and apps behind a ZTNA connector.For example, you host a Windows Active Directory (AD) server behind a service connection (since AD servers are not supported behind a ZTNA Connector), and host an FTP (Filezilla) server behind a ZTNA Connector. If the FTP server requires authentication to the Windows AD server, authentication fails, because you can't usePrisma Accessas a backbone between the Service Connection Corporate Access Node (SC-CAN) and the ZTNA-Connector Tunnel Terminator (ZTT).
Feature and Functionality Restrictions
Keep in mind the following restrictions when setting up and configuring a ZTNA
Connector deployment:
- Don't use special characters, including < > ! @ # $ % ^ & and Chinese, Japanese, or Korean characters, in ZTNA object names.
- The following functionalities are not supported with the default Prisma Access deployment; reach out to your Palo Alto Networks team to activate them:
- Using RFC 6598 Addresses for your with ZTNA Connector
- Connector Group Guidelines—When adding connector groups, use the following recommendations:
- All apps in a single connector group should use the same DNS server for DNS resolution.
- If you're accessing apps from a data center or headquarters location, all apps in the connector group should be from the same data center or headquarters location.
- Don't add connectors in two or more regions in a single connector group. All connectors in a connector group should be in the same region.
- Starting with Prisma Access 5.01, you can specify up to a four connector groups per FQDN target or wildcard target (release 5.0 and earlier support a single connector group per FQDN target or wildcard target). Be sure that, when you assign connector groups per FQDN target or wildcard target, you don't assign the same app to more than four connectors per region.For example, you have assigned the same app (either an FQDN target or a wildcard target) to four connector groups, each group has a single connector, and all connectors are in the same region. This configuration is acceptable because you're not assigning more than four connectors per app in a single region.However, if you assign the same app (either an FQDN target or a wildcard target) to three connector groups, each group has two connectors, and all connectors are in the same region, that is an invalid configuration, because you're assigning six connectors to the same app in a single region.
Scale and Throughput Considerations
ZTNA Connector supports the following maximum values:
- 4,096 applications per tenant across all connector groups
- 200 Connectors per tenant
- 256 applications per Connector Group
- 4connectors per Connector Group
- 250,000concurrent sessions per Connector Group
- 26 compute regions
- 1 Gbps throughput per connector, with a maximum of 10 Gbps perPrisma Accesscompute location
Supported Application Hosting Environments
You can deploy your ZTNA Connector VMs in the following data center environments
with the specified minimum requirements:
Cloud Provider | Instance Size | CPU Size | Memory Size | Disk Size |
|---|---|---|---|---|
Amazon AWS | m5.xlarge per region | 4 vCPUs | 16 GB | 40 GB |
Google Cloud Platform (GCP) | n2-standard-4 per region | 4 vCPUs | 16 GB | 40 GB |
Microsoft Azure | Standard_D4_v3 per region | 4 vCPUs | 16 GB | 40 GB |
KVM | Uses qcow image | 4 vCPUs | 16 GB | 40 GB |
Hyper-V | Uses vhd image | 4 vCPUs | 8 GB memory per VM | 40 GB |
VMware ESXi | Uses OVA image. Deployment is supported on vSphere and
directly on ESXi Hosts | 4 vCPUs per VM | 8 GB memory per VM | 40 GB disk (Thick Provisioned) |
For VMware ESXi, vMotion, VM snapshots, or migrations are not
supported for Connector VMs. For KVM, Live Migrations and snapshots are not supported on
Connector VMs. | ||||
AWS, GCP, and Azure have ZTNA Connectors you can acquire in their respective
Marketplaces. You can download the VMware ESXi Open Virtualization Application
(OVA) file and the KVM qcow file from the Palo Alto Customer Support Portal.
Network Requirements
The following networking requirements enable connectivity between ZTNA Connector
and
Prisma Access
:- UDP payload size, including headers, should not exceed an MTU size of 1,300 bytes on the path to the ZTNA application server. Palo Alto Networks recommends keeping packets at or below this MTU size.
- Allow outbound UDP port 4500 and UDP 500 from the WAN interface (port 1) IP address for IPSec and IKE connectivity to the ZTNA Tunnel Terminator (ZTT). If you want to limit enabling an outbound UDP port 500 and 4500 connection to a single IP address, enable it for thePA Service IPaddress (under ) of the ZTNA Connector.If you're using Strata Cloud Manager, go to .
- If ZTNA Connector uses a public IP address for its internet interface, you must allow a IP/50 Encapsulating Security Payload (ESP).
- Allow outbound TCP port 443 from the WAN interface (port 1) IP address HTTPS connectivity to the ZTNA Connector Controllers.
- ZTNA Connector autoconfigures both the Prisma Access ZTT side of the IPSec tunnel and the ZTNA Connector side. The algorithms configured for DH Group/Encryption/Hash for both IKE and ESP are: ecp384/aes256/sha512.
- Don't terminate the IPSec tunnel that ZTNA Connector creates and uses to access the private apps.
- (Mobile Users—GlobalProtect deployments only) When you first onboard an application in ZTNA Connector, you must refresh the GlobalProtect app so mobile users receive the updated DNS server configuration. If you removed an application from ZTNA Connector, you must refresh the GlobalProtect app so mobile users can receive the updated DNS server configuration.
- If there is a firewall between the ZTNA Connector and the private app, the firewall must allow access to the app from the ZTNA Connector (that is, you must allow access to the app server's resolved IP addresses, protocols, and ports for the private app).In addition, you need to allow the protocol (either TCP or ICMP) you configured for the application target health probes to the app. The connector application probes the app server to determine if it can provide access to the app, and you can configure the Probing Type for the Application Target to betcp ping,icmp ping, ornone(no probing). If you specifytcp ping, the firewall must allow TCP access to the app; if you specifyicmp ping, the firewall must allow ICMP echo request and reply for the app.
- Be sure that you allow ICMP in your data center before using the ping and traceroute diagnostic tools. Some cloud environments have ICMP disallowed for security concerns; in this case, these tools don't display any activity.The traceroute diagnostic tool also uses random UDP ports, so you must allow all UDP and ICMP error replies for the traceroute tool to function.
- Make sure you have configured DNS entries on the local interfaces to allow ZTNA Connector to resolve the app FQDNs, and that ZTNA Connector and access the DNS server at UDP port 53 (the port used for DNS resolution).Starting withPrisma Access5.0, for Connector groups having a 5.0 or later ZTNA Connector version, if an application FQDN resolves to multiple private IP addresses, the ZTNA Connector performs an application probe to determine the status of all resolved IP addresses and load balances the FQDN access to multiple resolved IP addresses that have an application status of Up.
- If you use RFC 6598 shared addresses within your network, you must specify blocks of IP addresses that ZTNA Connector can use for routing betweenPrisma Accessand your connectors and betweenPrisma Accessand your private apps.
- If you need to restrict the list of IP addresses and FQDNs that can be added to your organization's allow lists, add the ones listed in IP Addresses and FQDNs to Allow for ZTNA Connector.For example, if you're setting up a ZTNA Connector in the United States, add the following URLs to your organization's allow lists:
- https://controller.cgnx.net
- https://locator.cgnx.net
- https://controller.hood.cgnx.net
- https://vmfg.hood.cgnx.net
- https://sdwan-stats-hood-us.cgnx.net
- time.nist.gov (for NTP)
DNS resolution of the previous FQDNs must be limited to IPv4 resolution. ZTNA Connector does not support establishing connection to the controller FQDNs using IPv6. - Disable the SSL decryption for sessions to the Controllers.
IP Addresses and FQDNs to Allow for ZTNA Connector
To ensure smooth functioning of ZTNA Connector, add the following URLs and IP
addresses to your allow lists.
Service Name | Port | Direction | Source Interface Internet Protocol | Destination and IP Addresses |
|---|---|---|---|---|
ZTNA Connector access to Prisma Access | 443 | Outbound | ZTNA Connector WAN port | https://controller.cgnx.net Address:
52.8.93.87 Address:
52.8.25.40 https://locator.cgnx.net Address:
13.56.217.238 Address:
13.56.201.169 hood: 52.40.98.31 34.218.98.185 sugarloaf: 18.200.102.82 18.200.135.33 faber: 18.139.242.53 54.255.61.109 https://vmfg.cgnx.net Address:
52.53.122.104 Address:
52.53.102.7 https://controller.elcapitan.cgnx.net Address:
52.8.93.87 Address:
52.8.25.40 https://vmfg.elcapitan.cgnx.net Address:
52.53.122.104 Address:
52.53.102.7 https://controller.hood.cgnx.net Address:
52.32.167.5 Address:
54.70.168.33 https://vmfg.hood.cgnx.net Address:
50.112.136.184 Address:
34.210.34.87 https://controller.sugarloaf.cgnx.net Address:
108.128.176.192 Address:
18.200.144.58 https://vmfg.sugarloaf.cgnx.net Address:
99.81.179.99 Address:
99.80.52.255 https://sdwan-stats-hood-us.cgnx.net https://sdwan-stats-elcapitan-us.cgnx.net https://sdwan-stats-hood-jp.cgnx.net https://sdwan-stats-elcapitan-jp.cgnx.net https://sdwan-stats-hood-sg.cgnx.net https://sdwan-stats-elcapitan-sg.cgnx.net https://sdwan-stats-hood-au.cgnx.net https://sdwan-stats-elcapitan-au.cgnx.net https://sdwan-stats-hood-in.cgnx.net https://sdwan-stats-elcapitan-in.cgnx.net https://sdwan-stats-hood-ca.cgnx.net https://sdwan-stats-elcapitan-ca.cgnx.net https://sdwan-stats-sugarloaf-eu.cgnx.net https://sdwan-stats-sugarloaf-de.cgnx.net https://sdwan-stats-sugarloaf-uk.cgnx.net https://controller.bowfell.cgnx.net Address:
13.41.243.90 Address:
18.171.17.23 https://vmfg.bowfell.cgnx.net Address:
52.56.35.36 Address:
52.56.224.242 https://controller.faber.cgnx.net Address:
52.74.47.220 Address:
13.251.109.27 https://vmfg.faber.cgnx.net Address:
18.142.153.59 Address:
52.74.58.219 ttps://controller.townsend.cgnx.net Address:
13.55.31.41 Address:
3.106.168.215 https://vmfg.townsend.cgnx.net Address:
52.64.177.240 Address:
13.55.164.51 https://sdwan-stats-faber-sg.cgnx.net https://sdwan-stats-bowfell-uk.cgnx.net https://sdwan-stats-townsend-au.cgnx.net |
NTP | 123 | Outbound | ZTNA Connector WAN and LAN ports | time.nist.gov |
DNS | 53 | Outbound | ZTNA Connector WAN and LAN ports | Customer or Provider DNS servers |