Preserve User-ID Mapping for ZTNA Connector Connections with Source NAT
Learn how to preserve the User-ID mapping for GlobalProtect users who are accessing
apps behind a data center with ZTNA Connector.
Where Can I Use This?: Prisma Access (Managed by Strata Cloud Manager); Prisma Access (Managed by Panorama)
What Do I Need?: Prisma Access 5.1.1
You can use ZTNA Connector in Prisma Access to secure private applications. To limit
access to the applications based on User-ID, you can deploy a Next-Generation
Firewall (NGFW) in the data center or headquarters location where the private
applications are located; then, configure policy rules on the NGFW based on User-ID
mapping.
If your deployment uses an NGFW in the data center or headquarters location where the
private applications are located, and ZTNA Connector performs source NAT, the NGFW
can't retrieve the User-ID mapping. Source NAT on ZTNA Connector hides the client IP
address from the NGFW, and that pre-NAT client IP address is the key for the User-ID
mapping. If the NGFW can't retrieve the client IP address, it can't enforce the
zone-based Security policy rules that you created on it based on User-ID mapping.
To enable User-ID within the NGFW-secured data center, the ZTNA Connector has the
following responsibilities:
Provide a secure connection from the NGFW to the regional ZTNA Connector Tunnel
Terminators (ZTTs), so that the NGFW can reach its User-ID redistribution
agent.
For FQDN applications whose health probe is set to tcpping, probe the data center
applications to determine whether each application is up and reachable from this
individual connector.
Encapsulate the post-NAT (data center address space) user-to-application IP packets
in Geneve, carrying the original (pre-NAT) source IP address as a Geneve option.
The following diagram illustrates the network elements that provide the source IP
address to User-ID mapping to the NGFW and deliver Generic Network Virtualization
Encapsulation (Geneve) encapsulated data packets including the original Prisma Access source IP address option to the NGFW. These
elements enable the NGFW to effectively enforce security policy rules based on
User-ID.
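The following Python script is an added example and not Palo Alto Networks code. It builds a Geneve packet (RFC 8926 header and TLV options) around a constructed post-NAT IPv4 packet, then parses it back and recovers the pre-NAT source address from the option, which is the address the NGFW needs for User-ID mapping; without the option, only the post-NAT connector address is visible. The option class and type used for the original source IP option, the VNI and all addresses are placeholders chosen for the example; the page does not specify the real option identifiers.

```python
"""Recover the pre-NAT (GlobalProtect client) source IP from a Geneve packet.

Added example, not Palo Alto Networks code. The Geneve header and option
layout follow RFC 8926; the option class/type that carry the original
source IP are hypothetical placeholders (the page does not give them).
"""
import ipaddress
import struct
from typing import Optional

GENEVE_UDP_PORT = 6081        # IANA-assigned Geneve UDP port (RFC 8926)
ETHERTYPE_IPV4 = 0x0800       # Geneve "protocol type" for an inner IPv4 packet
ORIG_SRC_OPT_CLASS = 0x0100   # ASSUMPTION: placeholder option class
ORIG_SRC_OPT_TYPE = 0x01      # ASSUMPTION: placeholder option type


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes = b"", proto: int = 6) -> bytes:
    """Build a minimal IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_geneve(inner: bytes, vni: int, options: list[tuple[int, int, bytes]]) -> bytes:
    """Encapsulate inner in Geneve; options = [(opt_class, opt_type, data)]."""
    opt_bytes = b""
    for opt_class, opt_type, data in options:
        data += b"\x00" * (-len(data) % 4)        # option data is padded to 4-byte words
        opt_bytes += struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data
    # byte 0: Ver=0 (2 bits) | Opt Len in 4-byte words (6 bits); byte 1: O, C flags, rsvd
    hdr = struct.pack("!BBHI", (len(opt_bytes) // 4) & 0x3F, 0, ETHERTYPE_IPV4,
                      (vni & 0xFFFFFF) << 8)
    return hdr + opt_bytes + inner


def parse_geneve(packet: bytes) -> dict:
    """Parse the Geneve header and TLV options (RFC 8926); ValueError if malformed."""
    if len(packet) < 8:
        raise ValueError("short Geneve header")
    b0, b1, proto, vni_rsvd = struct.unpack("!BBHI", packet[:8])
    if b0 >> 6 != 0:
        raise ValueError("unsupported Geneve version")
    opts_end = 8 + (b0 & 0x3F) * 4
    if len(packet) < opts_end:
        raise ValueError("truncated Geneve options")
    options, off = [], 8
    while off < opts_end:
        opt_class, opt_type, rsvd_len = struct.unpack("!HBB", packet[off:off + 4])
        data_len = (rsvd_len & 0x1F) * 4           # length excludes the 4-byte option header
        if off + 4 + data_len > opts_end:
            raise ValueError("option overruns the option area")
        options.append({"class": opt_class, "type": opt_type & 0x7F,
                        "critical": bool(opt_type & 0x80),
                        "data": packet[off + 4:off + 4 + data_len]})
        off += 4 + data_len
    return {"vni": vni_rsvd >> 8, "protocol": proto, "oam": bool(b1 & 0x80),
            "critical": bool(b1 & 0x40), "options": options, "inner": packet[opts_end:]}


def original_source_ip(geneve: dict) -> Optional[str]:
    """Return the pre-NAT source IP carried in the (assumed) option, or None."""
    for opt in geneve["options"]:
        if (opt["class"], opt["type"]) == (ORIG_SRC_OPT_CLASS, ORIG_SRC_OPT_TYPE) \
                and len(opt["data"]) == 4:
            return str(ipaddress.IPv4Address(opt["data"]))
    return None


def policy_source_ips(packet: bytes) -> tuple[str, Optional[str]]:
    """Return (post-NAT inner source, pre-NAT source from the option or None).

    The post-NAT address is all a firewall without Pre-NAT Identification can
    match on; the pre-NAT address is what the User-ID mapping is keyed by.
    """
    g = parse_geneve(packet)
    if g["protocol"] != ETHERTYPE_IPV4 or len(g["inner"]) < 20:
        raise ValueError("inner packet is not IPv4")
    post_nat = str(ipaddress.IPv4Address(g["inner"][12:16]))
    return post_nat, original_source_ip(g)


# Constructed sample: mobile user 100.64.10.23 (pre-NAT, as seen by GlobalProtect),
# source-NATted by the connector to 10.20.0.5, headed for app server 10.30.0.10.
INNER = build_ipv4("10.20.0.5", "10.30.0.10")
WITH_OPTION = build_geneve(INNER, vni=42, options=[
    (ORIG_SRC_OPT_CLASS, ORIG_SRC_OPT_TYPE, ipaddress.IPv4Address("100.64.10.23").packed)])
WITHOUT_OPTION = build_geneve(INNER, vni=42, options=[])

if __name__ == "__main__":
    print(policy_source_ips(WITH_OPTION))     # ('10.20.0.5', '100.64.10.23')
    print(policy_source_ips(WITHOUT_OPTION))  # ('10.20.0.5', None)
```

The second call shows the failure mode the page describes: with no option in the tunnel header, the only address available for a User-ID lookup is the connector's post-NAT address, which never has a mapping.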
Restrictions:
User-ID support with ZTNA Connector requires the following minimum versions:
Prisma Access dataplane: 10.2.4 and later
Saas_agent: 5.1.0 and later
NGFW version: 11.2.0 and later
Connector version: 6.2.4-ztna-connector-b3 and later
ICMP probing isn't supported for FQDN targets that are attached to User-ID
based connector groups.
The NGFW service route configuration for the UID agent only supports interfaces
with static IP addresses. If the NGFW interface is configured in a dynamic mode
(IP address assignment through DHCP), the User-ID channel from the NGFW to the
ZTT can't be established and ZTNA Connector User-ID doesn't work. To resolve
this issue, configure the interface that the UID agent service route uses on
the NGFW with a static IP address.
Diagnostic tools like ping and traceroute aren't supported for User-ID based
connectors.
This procedure assumes that you have the following network configurations in
place:
You have deployed an NGFW at the headquarters or data center where the
private apps are located.
You have applied security policy rules on the NGFW based on the zones
(untrusted zone and trusted zone) you have created in the NGFW. These
security policy rules include the User-ID enforcement.
To make sure that your network distributes the User-ID mapping to the headquarters or
data center, complete the procedure listed below, which allows the NGFW to enforce
the security policy rules based on the User-ID mapping it learns from
GlobalProtect.
Create a Connector Group, enable Preserve User ID, and
add the Connectors.
Go to Connector and make a note of the User
ID Redistribution Agent IP and User ID Port
Range for your connector. You require these IP addresses and
port ranges to configure User-ID Redistribution agents on the NGFW.
Also, go to Connector Groups and make a note of the
Anycast IP. This IP address is required to
configure NGFW security policy rules to allow TCP application probing from
this source IP address.
Enter Pre-NAT Identification parameters on the NGFW.
Log in to the NGFW web interface, go to Network > Zones, and Add two zones (one for
the interface connecting to the ZTNA Connector and one for the interface connecting
to the application server), or select existing ones.
Select the following Pre-NAT Identification parameters for the zone whose interface
connects to the ZTNA Connector:
User-ID—Preserves the mobile user's User-ID mapping that was learned before the IP
addresses were NATted. Enable this if you're using User-ID in the security policy
rules.
Source Lookup—Matches policy on the original source IP address received from
GlobalProtect (the pre-NAT address carried in the Geneve option) rather than on the
post-NAT address.
For the zone of the interface connecting to the application server, you don't have
to select any Pre-NAT Identification parameters.
Click OK and Commit your changes.
Add the IP addresses to the interfaces.
Go to Network > Interfaces > Ethernet.
Select the interface that connects to the ZTNA Connector and the interface that
connects to the application server, and configure them: add the Interface name and
set the Interface type to Layer 3.
For the Ethernet interface connected to the application server, deselect the
Automatically create default route pointing to default gateway provided by server
check box.
On the Interfaces page, add static IP addresses to both interfaces. Assign the ZTNA
Connector facing interface to the ZTNA Connector zone (Geneve) and the application
server facing interface to the application server zone (Data Center).
Open a command-line interface (CLI) session with the NGFW and enter the following
command in configuration mode:
set deviceconfig setting preserve-prenat-feature yes
If you need to disable this feature in the future, enter set deviceconfig setting
preserve-prenat-feature no.
When setting up User-ID redistribution, you must add a redistribution agent entry
for each port within the User ID Port Range that you noted on the Connector page.
For example, if the range is 55050-55055, you have to configure six entries, one for
each ZTNA Connector region you have deployed.
For each port in the range, select one address from User ID Redistribution Agent IP
for the Host field. If you want redundancy at the ZTNA Connector level, choose two
addresses from User ID Redistribution Agent IP and configure the full port range for
both addresses. Alternatively, configure all the ports on all the addresses in User
ID Redistribution Agent IP.
Add a redistribution agent for each port in the User ID Port Range with one or more
of the addresses in User ID Redistribution Agent IP.
On the NGFW web interface, go to Device > Data Redistribution.
Click Add, enter a Name, and select the Enabled check box.
Select Host and Port, enter one of the User ID Redistribution Agent IP addresses
that you noted on the Connector page in Host, and enter one port from the User ID
Port Range in Port.
Select the IP User Mappings check box and click OK.
Repeat for every remaining port (and, for redundancy, every additional address), then
Commit to save the configuration.
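The following Python script is an added example, not Palo Alto Networks code. It expands a User ID Port Range and a list of User ID Redistribution Agent IP addresses into the one-entry-per-port agent list described above, for a single address, for two addresses (connector-level redundancy) or for all addresses, and checks the port count against the number of deployed regions. The addresses and port range are constructed values standing in for what you read from the Connector page; the rendered set user-id-agent lines are an assumption about PAN-OS CLI syntax, so verify them against your PAN-OS release or create the entries in Device > Data Redistribution as described.

```python
"""Plan the NGFW Data Redistribution agent entries for ZTNA Connector User-ID.

Added example, not Palo Alto Networks code. One entry is needed per
(agent IP, port) pair; the port range has one port per ZTNA Connector region.
"""
import ipaddress
from dataclasses import dataclass
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class RedistributionAgent:
    name: str   # NGFW Data Redistribution agent object name
    host: str   # one address from "User ID Redistribution Agent IP"
    port: int   # one port from "User ID Port Range"


def parse_port_range(spec: str) -> range:
    """'55050-55055' -> range(55050, 55056); a single port is accepted too."""
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 < lo_i <= hi_i <= 65535:
        raise ValueError(f"bad User ID Port Range: {spec!r}")
    return range(lo_i, hi_i + 1)


def plan_agents(agent_ips: list[str], port_range: str,
                expected_regions: Optional[int] = None,
                redundancy: int = 1) -> list[RedistributionAgent]:
    """Expand the agent IPs and port range into per-port agent entries.

    redundancy=1 uses a single agent IP, redundancy=2 gives redundancy at the
    ZTNA Connector level, redundancy=len(agent_ips) configures all addresses.
    """
    ports = parse_port_range(port_range)
    if expected_regions is not None and len(ports) != expected_regions:
        raise ValueError(f"port range has {len(ports)} ports but "
                         f"{expected_regions} regions are deployed")
    if not 1 <= redundancy <= len(agent_ips):
        raise ValueError("redundancy must be between 1 and the number of agent IPs")
    # IPv4Address() validates each address that will actually be configured
    hosts = [str(ipaddress.IPv4Address(ip)) for ip in agent_ips[:redundancy]]
    return [RedistributionAgent(name=f"uid-{h.replace('.', '-')}-{p}", host=h, port=p)
            for h, p in product(hosts, ports)]


def render_set_commands(agents: list[RedistributionAgent]) -> list[str]:
    """Render the agents as PAN-OS CLI configuration lines.

    ASSUMPTION: the 'set user-id-agent <name> host-port host <ip> port <port>'
    form is not confirmed by the page; check it on your PAN-OS release or enter
    the same values in Device > Data Redistribution in the web interface.
    """
    return [f"set user-id-agent {a.name} host-port host {a.host} port {a.port}"
            for a in agents]


# Constructed sample values (TEST-NET-3 addresses), standing in for what you
# read from the Connector page: three regional agent IPs and a six-port range.
AGENT_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
PORT_RANGE = "55050-55055"

if __name__ == "__main__":
    # Two addresses with the full range: 2 x 6 = 12 entries to create on the NGFW.
    for line in render_set_commands(plan_agents(AGENT_IPS, PORT_RANGE,
                                                expected_regions=6, redundancy=2)):
        print(line)
```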
On the NGFW web interface, go to Device > Setup > Services > Service Route
Configuration > Customize > UID Agent.
Under IPv4, select ethernet1/1 (the interface facing the ZTNA Connector) as the
SOURCE INTERFACE, and select its static IP address as the SOURCE ADDRESS.
Add a security policy rule that allows TCP application probes from the Anycast IP
address you noted on the Connector Groups page. Enter that Anycast IP address as
the source address of the rule and click OK.
(Optional) Enable TCP probing.
To create an FQDN target:
Go to Workflows > Application Targets > FQDN Targets and click Create FQDN Target.
Enter a Name and select the Connector Group.
Select tcp, specific, tcp ping, and Enabled, enter the Port, and click Create.
On the NGFW UI, go to Policies and define the User-ID
based policies.