Configure ZTNA Connector

Identify your Application IP and Connector IP address blocks and, add the IP address blocks in
Prisma Access
.
If you use RFC 6598 addresses within your network, you must reserve a separate RFC 6598 IP address pool to reserve for use within
Prisma Access
internally to route traffic to the connectors, and private applications you’ll be onboarding.
Create a Connector Group.
Connector Groups are logical groupings of connectors and applications. There are many different ways to group applications and connectors. You can group connectors in different geographic locations for redundancy. Or, you can create multiple connectors in the same data center for increased throughput. For simplified policy management, you may want to group applications that are used by the same user groups. Create your Connector Groups first, and then add connectors and applications to the groups.
Repeat this step as needed to create all of the Connector Groups you need to group your connectors and applications.
Select
Settings
ZTNA Connector
Overview
and
Create a Connector Group
. You can also select
Settings
ZTNA Connector
Connector Groups
and
Create Connector Group.
.
If you're using Strata Cloud Manager, go to
Workflows
ZTNA Connector
, select
Overview
or
Connector Groups
, and
Create Connector Group.
.

Give the Connector group a
Name
and, optionally, provide a
Description
for it.
Choose a
Type
of either
FQDN/Wildcard
or
IP Subnet
.
If you choose a type of
FQDN/Wildcard
, the FQDN is resolved by the connector at the data center, keeping the
Prisma Access
IP address fabric separated from your organization's data center. If you choose a type of
IP Subnet
,
Prisma Access
and your organization's data centers are flat with no separation.
Match the type of connector group with the target you create later in this procedure. If you specify a
Type
of
FQDN/Wildcard
here, create
Wildcard Targets
or
FQDN Targets
for this group. If you specify a
Type
of
IP Subnet
, create an
IP Subnet
target for the connector group.

(
Optional
) If your data center is in Azure or AWS and you want to use the Auto Scale functionality, select
Autoscale
.
Create
the connector group.
Create Connectors and add them to the Connector Group.
Connectors represent the VMs running in your data centers that connect to
Prisma Access
. You must create the Connector within
Prisma Access
, and then when you onboard the corresponding Connector VM in your data center you can configure the shared secret/key to enable automatic creation of the IPSec tunnels between them.
Repeat this step as needed to create as many connectors as you need to connect your data center apps to
Prisma Access
.
Select
Settings
ZTNA Connector
Connectors
and
Add Connector
.
If you're using Strata Cloud Manager, go to
Workflows
ZTNA Connector
, select
Overview
or
Connectors
, and
Create Connector.
.
Enter a
Name
for the Connector.

(
Optional
) Add a
Description
for the Connector.
Select the
Connector Group
where the Connector should be added.
For routing simplicity and fastest access to data center servers, Palo Alto Networks recommends that the connectors and servers be in the same subnet.
Create
the Connector.
To keep the ZTNA Connectors up-to-date, you can update their software version Icons in the
ZTNA Connector
Connector Groups
show you the status of the connectors and if an upgrade is available.
Retrieve the key and secret that you will use to set up the Connector.
You use the Key and Secret values when you set up the VMs in a later step.
Select

Settings

ZTNA Connector

Connectors

.

If you're using Strata Cloud Manager, go to

Workflows

ZTNA Connector

Connectors

.

Select the Connector that you want to deploy.

Select

Copy Token

in the

Status

area; then, copy the

Key

and

Secret

values.

You use the Key and Secret to associate the cloud instance or VM you create with the Connector.


Deploy your ZTNA Connector VMs in your data center.
(
Optional
) Select
Settings
ZTNA Connector
Connectors
, make a note of the
PA Service IP
address of the ZTNA Connector, and add this IP address to your organization's allow lists.
If you're using Strata Cloud Manager, go to
Workflows
ZTNA Connector
Connectors
.
If required, add this IP address to your allow lists so that your network can transmit and receive ZTNA Connector traffic.

Add the targets to the Connector Groups.
Set up targets to access the private apps in the data centers through your ZTNA Connector VMs. You can add targets based on FQDN wildcards, FQDNs, or IP subnets; ZTNA Connector does the work of setting up the networking and DNS settings required for your mobile users and users at branch offices to reach the apps securely through
Prisma Access
.
Select
Settings
ZTNA Connector
Application Targets
.
If you're using Strata Cloud Manager, go to
Workflows
ZTNA Connector
Application Targets
.
Select the type of target you want to create.
Wildcard Targets

—Use a wildcard (for example, *.example.com) for the target. When users access sites that match the wildcard, those apps are automatically onboarded for access from ZTNA Connector for your mobile users and remote network users. For example, given a wildcard of *.example.com, when users access the app at app1.example.com, ZTNA Connector automatically creates the configuration to onboard that child app with its specific FQDN, protocol, and port.

In addition, when users access an app based on a wildcard (for example, app1.example.com based on the *.example.com wildcard), the app is discovered and added to

FQDN Targets

.

Go to

Wildcard Targets

and

Create Wildcard Target

.

Enter a unique

Name

for the target.

Enter the

Connector Group

to associate with the target.

The Group must be a type of

FQDN/Wildcard

.

Starting with

Prisma Access

5.0.1. you can select multiple connector groups for both wildcard and FQDN targets, up to a maximum of four connector groups per wildcard or FQDN target. Use the guidelines when selecting multiple connector groups per target.

Enter the

Wildcard

to use with the target.

Enter it in the format of .example.com or .my.example.com (the UI implicitly adds the asterisk to the front of the wildcard). Do not allow all sites by specifying a wildcard of *.*, example.*.com, or *.com.

Select the

Protocol

(

tcp

or

udp

).

Select the

Port

to use for the app.

Enter a single port, multiple ports using commas between the ports, a range of ports using dashes, or both. Do not add spaces after the commas. Select

Any

port to match any ports you specify, or select

Match

and enter the port or ports to match.

Enter a

Probing Type

of

tcp ping

,

icmp ping

, or

none

, depending on the protocol you select.

If you select

tcp ping

, select a

probing port

. Enter a single port or a range of ports. The port does not have to be in the range of ports you entered in the

port

and

protocol

area. ZTNA connector determines the reachability of the app by performing a tcp ping from the probing port to the FQDN's resolved IP address. If the ping is successful, the app is considered

Up

.

If you select

icmp ping

, ZTNA Connector performs an ICMP ping to the FQDN's resolved IP address. If a response is received to the ICMP ping, the app is considered

Up

.

If you select

none

, no probing is performed and the application is always marked as

Up

.

Select

Activated

and

Create

the target.



FQDN Targets

—to create a target for a single FQDN, create an FQDN target.

Starting with

Prisma Access

5.0, for Connector groups having 5.0 or higher ZTNA connector version, if an application FQDN resolves to multiple private IP addresses, the ZTNA connector performs an application probe to determine the status of all resolved IP addresses and load balances the FQDN access to multiple resolved IP addresses that have an application status of Up.

To create an FQDN target, go to

FQDN Targets

and

Create FQDN Target

. You create an FQDN target the same as you create an FQDN wildcard, substituting the FQDN wildcard with a single FQDN.

Starting with

Prisma Access

5.0.1. you can select multiple connector groups per FQDN target as well as wildcard targets, up to a maximum of four connector groups per FQDN or wildcard targets. Use the guidelines when configuring multiple connector groups per target.

Applications that are discovered as the result of a wildcard target also display here. When users access sites that match the wildcard, those apps are automatically onboarded for access from ZTNA Connector for your mobile users and remote network users. For example, given a wildcard of *.example.com, when users access the app at app1.example.com, ZTNA Connector automatically adds that app to the list of FQDN targets.

After an FQDN application is discovered from a parent wildcard target, any changes to the wildcard target are not updated in the discovered application. In addition, the same discovered FQDN is not rediscovered. If the characteristics for the discovered FQDN application require updating, perform a manual update on the discovered application using these steps.



IP Subnet

—Create an IP subnet-based target to find apps based on IP subnets instead of FQDNs.

Go to

IP Subnets

and

Create Subnet Rule

.

Enter a unique

Name

for the target.

Enter the

Connector Group

to associate with the target.

The Group must be a type of

IP Subnet

.

Specify the data center

IP Subnets

to which the connector in the group provides IP routing access.

All connectors in the group provide routing access to the specified IP subnets. You can select a single IP address in the form of 10.1.1.1/32, a single subnet, or multiple subnets separated by commas. Enter a maximum of 16 subnets.

The IP subnet must be routable within the tenant's IP Fabric and the IP subnets cannot overlap with any other IP subnets in the tenant, including:

Other IP routable subnets, including static routes configured by user on Panorama, routes advertised from the branch to the remote network, or routes advertised from the data center to the service connection.
ZTNA FQDN Application IP subnets
ZTNA Connector IP subnets
Infrastructure subnet IP addresses
Mobile Users—GlobalProtect IP address pools

Select

Activated

and

Create

the target.


Add the applications that are auto-discovered by ZTNA Connector to the Connector Group.
Set Up Auto Discovery of Applications Using Cloud Identity Engine
Select
Settings
ZTNA Connector
Application Targets
Discovered Application Targets
.
If you're using Strata Cloud Manager, go to
Workflows
ZTNA Connector
Application Targets
Discovered Application Targets
.

Click + under
Actions
to add the application to a Connector group.
Give the application a unique
Name
.
Select the
ZTNA Connector Group
to associate with the app.
Enter the
Probing Type
(
tcp ping
,
icmp ping
, or
none
).
If you select
tcp ping
, you also select a
probing port
. The port does not have to be in the range of ports you entered in the
port
and
protocol
area. If you select
tcp ping
for the probing type, Palo Alto Networks recommends that you to use this same port for the
probing port
.
ZTNA connector determines the reachability of the app by performing a tcp ping from the probing port to the FQDN's resolved IP address. If the ping is successful, the app is considered
Up
.
If you select
icmp ping
, ZTNA Connector performs an ICMP ping to the FQDN. If a response is received to the ICMP ping, ZTNA Connector sets the status of the application as
Up
.
If you select
none
, no probing is performed and the application is always marked as
Up
.
Select
Enabled
.
Create
the application target.
Create security policy rules to allow users access to the apps in the connectors.
(
Optional
) View and Monitor ZTNA Connectors to see how your ZTNA connectors and connector groups are performing.
(
Optional
) If you encounter issues with accessing private apps using ZTNA Connector, use the ping, traceroute, and nslookup diagnostic tools to check app reachability.