Prisma Access
Set Up the Agent Infrastructure for Dynamic Privilege Access
Table of Contents
Set Up the Agent Infrastructure for Dynamic Privilege Access
Learn how to set up the infrastructure for the
Prisma Access Agent
, including
setting up the domain name, DHCP infrastructure, and client DNS.Where Can I Use This? | What Do I Need? |
|---|---|
|
|
Configure infrastructure settings for
Prisma Access Agent
so that Prisma Access
can provision your mobile user environment. Then, select the Prisma Access
locations where your Prisma Access Agent
users will connect
to. You can also optionally enable SC-NAT support for Dynamic Privilege Access if you
have created service connections to access private apps in their data center or
headquarters location, or enable route summarization for Dynamic Privilege
Access to reduce the number of routes that are sent to the network.
Configure Infrastructure Settings
To enable
Prisma Access
for internet access only for users, Prisma Access
provides a default IP address pool and a cloud default DNS server. However, if
you want your mobile users to access internal resources at your headquarters,
data centers, or at remote network sites to which you onboarded to Prisma Access
, you must allocate client IP address pools. Prisma Access
uses the IP address pools to assign IP addresses to your mobile users and set up the Prisma Access service
infrastructure.Before you configure the infrastructure settings, ensure that you configure
at least one project. Otherwise, when you try to commit and push the
infrastructure settings, the commit will fail. For more information, refer
to Create a Project.
- In Strata Cloud Manager, select .
- If you are setting up the infrastructure for the first time, clickSet Up Infrastructure Settings. Otherwise, edit theInfrastructure Settings.
![]()
- Add a hostname to theDomain Namefor the service that Prisma Access Agents connect to.By default, users can access the service using an FQDN based on your hostname and the.epm.gpcloudservice.comdomain.
![]()
- InClient IP Pool Allocation,Prisma Accessprovides a DHCP server that will manage the assignment of IP addresses to your endpoints for Dynamic Privilege Access.The project name and the location group ID fromPrisma Accessare part of the DHCP request. EachPrisma Access Agentconnecting to a specific project is assigned an IP address from that project's IP subnet. When a user changes to a different project, a different IP address is assigned to thePrisma Access Agentfrom the project's IP subnet.
![]()
You can configure the following options:- IP Lease Duration—Specify the amount of time (in seconds) for which the DHCP server allocates a network address to aPrisma Access Agent. The default IP address lease duration is 86,400 seconds.
- Lease Grace Duration—Specify the amount of time that thePrisma Access Agentcan continue to use its IP address lease after the lease expires. The default lease grace duration is 14,400 seconds.
- Global DHCP Pool Summary—Select the IP pool on which you want to enable SC-NAT or configure and select the global summary IP pools for route summarization.
- Savethe infrastructure settings.
Select Prisma Access Locations
Prisma Access
LocationsSelect the
Prisma Access
locations where you want to support Prisma Access Agent
users. The location groups are used for Dynamic
Privilege Access.- In Strata Cloud Manager, select .
- If you are setting up the infrastructure for the first time,Add Locations. Otherwise, edit thePrisma Access Locations.
![]()
- Select the Prisma Access locations where your mobile users will connect to.Depending on your license agreement, you can select either Local or Worldwide locations. The map shows the regions where you can deploy Prisma Access for Users. In addition, Prisma Access provides multiple locations within each region to ensure that your users can connect to a location that provides a user experience tailored to the users’ locale. For the best performance,Select All. Alternatively, select specific locations within each selected region where your users will need access. By limiting your deployment to a single region, you can have more granular control over your deployed regions and exclude regions required by your policy or industry regulations.For Prisma Access Agents, you can deploy Prisma Access to the following Strata Logging Service regions:
- US
- Germany
- India
This list will be updated as more regions become available.For the best user experience if you are limiting the number of locations, choose locations that are closest to your users or in the same country as your users. If a location isn’t available in the country where your mobile users reside, choose a location that is closest to your users for the best performance.The images in this section are provided for illustrative purposes only.- Select an available region on the map.
![]()
- Click the plus sign+on the locations that you want to add.You can switch between theMapandListviews. You can alsoSelect Alllocations.
![]()
In the list view, you can select from the list of available locations to deploy Prisma Access. You can selectAllsites within a region.![]()
- Saveyour Prisma Access location settings.
- (Optional) Restrict access to your SaaS applications from unauthorized users.You can enable the egress IP allow lists for existing mobile user deployments and during new user onboarding. If you enable egress IP allow lists for existing Prisma Access deployments, Prisma Access migrates all the egress IP addresses already allocated for your locations to the egress IP allow lists. For new Prisma Access deployments, enable the egress IP allow list while onboarding the Prisma Access Agent mobile users. Every time you add a location or have an auto scaling event, you should retrieve the new egress IP addresses that Prisma Access allocates and add them to allow lists in your SaaS applications. You can then push the configuration to your Prisma Access deployment to confirm the egress IP allow lists allocated for your locations.
- Enable Egress IP Allowlistto display the IP addresses for onboarded Prisma Access locations.
![]()
- Copy and add the allocated addresses to the allow lists of your SaaS applications.
- Migrateto confirm the IP addresses allocated for the onboarded locations in Prisma Access.
- Retrieve the IP addresses for new onboarded locations or during an auto scaling event.
- Select theLocationname to find the new egress IP addresses allocated to the location.
- Add these IP addresses to the allow lists for your SaaS applications before you confirm them in Prisma Access.
- Savethe allocated egress IP addresses.
Enable SC-NAT Support for Dynamic Privilege Access
Use SC-NAT support for Dynamic Privilege Access (DPA) if you use DPA and have
created service connections to access private apps in your data center or
headquarters location. Multiple projects in your DPA environment can experience
IP address exhaustion if the IP addresses of the infrastructure subnet overlap.
To fix this issue, Prisma Access can implement source NAT (SNAT) for IP
addresses, which:
- Lets Prisma Access map a single IP address for a mobile user accessing private apps using a service connection
- Provides you with SNAT for easy routing
- Eliminates IP Pool overlap
- Eliminates IP Pool IPv4 exhaustion between Prisma Access and your data center or headquarters location
DPA customers can onboard client locations to Prisma Access using service
connections. However, multiple projects may have large IP pools on multiple data
centers, leading to potential exhaustion of private IP pools. To solve this
issue, Dynamic Privilege Access in Prisma Access offers support for SC-NAT with
defined pools. Customers have the option to use SC-NAT instead of the
infrastructure subnet in order to divide up the IP pools. If you enable SC-NAT
for a service connection corporate access node (SC-CAN), SC-NAT will always be
supported for that service connection.
With DPA enabled, you can turn SC-NAT on (to use SC-NAT) or off (to use the
Infrastructure Subnet) per project.
- In Strata Cloud Manager, select .
- Select a service connection from theService Connectionstable.
- Click the check box forData Traffic Source NAT.
- After you click theData Traffic Source NATcheck box, you see the mandatoryIP Poolfield. Enter the subnets for which you want to enable SC-NAT.
- Saveyour changes.
![]()
Enable Route Summarization for Dynamic Privilege Access
Where Can I Use This? | What Do I Need? |
|---|---|
|
|
For enterprises that have on-premises hardware with limited capacity, such as
simple cloud routers that can accommodate only a few hundred routes, Prisma
Access can summarize Mobile User (MU) routes when advertising the routes to the
on-premises network. Route summarization minimizes the requirements on these
devices by staying within the route capacity on the data center.
To enable route summarization, you can configure global summary pools, which are
lists of large IP pools that can be used across multiple projects. When a user
connects to a project using the Prisma Access Agent and the agent is assigned an
IP address within the range of a global summary pool, the Prisma Access service
connection advertises the global summary pool instead of the smaller aggregate
route.
To help illustrate route summarization for projects, consider the following
scenario:
- You configure a global summary pool of 10.10.0.0/16 and enable the route summarization option on service connectionSC-A.
- User-Aconnects toProject-A, which is assigned the IP project pool of 10.10.10.0/24. Upon connection, the Prisma Access Agent acquires the 10.10.10.10/32 IP address.
- User-Bconnects toProject-B, which is assigned the IP project pool of 10.10.11.0/24. Upon connection, the Prisma Access Agent acquires the 10.10.11.10/32 IP address.
- In this case, the service connection advertises only one subnet (the global summary pool of 10.10.0.0/16) instead of the /24 aggregate routes to the on-premises network through eBGP.
- Prisma Access won't summarize IP pools that are not part of a project.
- Project IP pools within a project can overlap, and global summary IP pools can overlap as well.
- The global summary pools should be large IP pools that contain the project IP Pools that are associated with multiple projects.
To enable route summarization for projects in Strata Cloud Manager:
- Configure the project IP pools in the project settings in .
- Enable route summarization in the service connection.
- Go to .
- Select a service connection from theService Connectionstable.
- Editthe Routing settings.
![]()
- SelectSummarize Mobile User Routes before advertising.
![]()
- Savethe routing settings.
- Savethe service connection settings.
- Perform an all admins push configuration to Prisma Access.
