Configure ZTNA Connector
Focus
Focus
Prisma Access

Configure ZTNA Connector

Table of Contents

Configure ZTNA Connector

Learn how to configure a ZTNA Connector in
Prisma Access
.
Where Can I Use This?
What Do I Need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
  • Prisma Access
    4.0
    Prisma Access 5.0 supports wildcards and IP subnet-based app targets.
  • ZTNA Connector Add-On license
    Prisma Access
    Enterprise licenses include two Connectors and 10 Apps without the Add-On license in Enterprise and ZTNA Edition licenses. In the Business and Business Premium edition, the licenses include two Connectors and 10 Apps. This functionality is provided for the purpose of trying out ZTNA Connectors in your environment. To deploy more apps and connectors, purchase the add-on license.
After you Enable ZTNA Connector you can begin setting up the ZTNA Connector components:
  1. Identify your Application IP and Connector IP address blocks and, add the IP address blocks in
    Prisma Access
    .
    If you use RFC 6598 addresses within your network, you must reserve a separate RFC 6598 IP address pool to reserve for use within
    Prisma Access
    internally to route traffic to the connectors, and private applications you’ll be onboarding.
  2. Create a Connector Group.
    Connector Groups are logical groupings of connectors and applications. There are many different ways to group applications and connectors. You can group connectors in different geographic locations for redundancy. Or, you can create multiple connectors in the same data center for increased throughput. For simplified policy management, you may want to group applications that are used by the same user groups. Create your Connector Groups first, and then add connectors and applications to the groups.
    Repeat this step as needed to create all of the Connector Groups you need to group your connectors and applications.
    1. Select
      Settings
      ZTNA Connector
      Overview
      and click
      Create a Connector Group
      . You can also select
      Settings
      ZTNA Connector
      Connector Groups
      and click
      Create Connector Group.
      .
      If you're using Strata Cloud Manager, go to
      Workflows
      ZTNA Connector
      , select
      Overview
      or
      Connector Groups
      , and
      Create Connector Group.
      .
    2. Give the Connector group a
      Name
      and, optionally, provide a
      Description
      for it.
    3. Choose a
      Type
      of either
      FQDN/Wildcard
      or
      IP Subnet
      .
      If you choose a type of
      FQDN/Wildcard
      , the FQDN is resolved by the connector at the data center, keeping the
      Prisma Access
      IP address fabric separated from your organization's data center. If you choose a type of
      IP Subnet
      ,
      Prisma Access
      and your organization's data centers are flat with no separation.
      Match the type of connector group with the target you create later in this procedure. If you specify a
      Type
      of
      FQDN/Wildcard
      here, create
      Wildcard Targets
      or
      FQDN Targets
      for this group. If you specify a
      Type
      of
      IP Subnet
      , create an
      IP Subnet
      target for the connector group.
    4. (
      Optional
      ) If your data center is in Azure or AWS and you want to use the Auto Scale functionality, select
      Autoscale
      .
    5. Create
      the connector group.
  3. Create Connectors and add them to the Connector Group.
    Connectors represent the VMs running in your data centers that connect to
    Prisma Access
    . You must create the Connector within
    Prisma Access
    , and then when you onboard the corresponding Connector VM in your data center you can configure the shared secret/key to enable automatic creation of the IPSec tunnels between them.
    Repeat this step as needed to create as many connectors as you need to connect your data center apps to
    Prisma Access
    .
    • Select
      Settings
      ZTNA Connector
      Connectors
      and
      Add Connector
      .
      If you're using Strata Cloud Manager, go to
      Workflows
      ZTNA Connector
      , select
      Overview
      or
      Connectors
      , and
      Create Connector.
      .
    • Enter a
      Name
      for the Connector.
    • (
      Optional
      ) Add a
      Description
      for the Connector.
    • Select the
      Connector Group
      where the Connector should be added.
      For routing simplicity and fastest access to data center servers, Palo Alto Networks recommends that the connectors and servers be in the same subnet.
    • Create
      the Connector.
    To keep the ZTNA Connectors up-to-date, you can update their software version Icons in the
    ZTNA Connector
    Connector Groups
    show you the status of the connectors and if an upgrade is available.
  4. Retrieve the key and secret that you will use to set up the Connector.
    You use the Key and Secret values when you set up the VMs in a later step.
    • Select
      Settings
      ZTNA Connector
      Connectors
      .
      If you're using Strata Cloud Manager, go to
      Workflows
      ZTNA Connector
      Connectors
      .
    • Select the Connector that you want to deploy.
    • Select
      Copy Token
      in the
      Status
      area; then, copy the
      Key
      and
      Secret
      values.
      You use the Key and Secret to associate the cloud instance or VM you create with the Connector.
  5. (
    Optional
    ) Select
    Settings
    ZTNA Connector
    Connectors
    , make a note of the
    PA Service IP
    address of the ZTNA Connector, and add this IP address to your organization's allow lists.
    If you're using Strata Cloud Manager, go to
    Workflows
    ZTNA Connector
    Connectors
    .
    If required, add this IP address to your allow lists so that your network can transmit and receive ZTNA Connector traffic.
  6. Add the application targets to the Connector Groups.
    The private apps in the data centers connect to
    Prisma Access
    through your Connector VMs. You can add apps based on FQDN wildcards, FQDNs, or IP subnets; ZTNA Connector does the work of setting up the networking and DNS settings required for your mobile users and users at branch offices to reach the apps securely through
    Prisma Access
    .
    1. Select
      Settings
      ZTNA Connector
      Application Targets
      .
      If you're using Strata Cloud Manager, go to
      Workflows
      ZTNA Connector
      Application Targets
      .
    2. Select the type of target you want to create.
    • Wildcard Targets
      —Use a wildcard (for example, *.example.com) for the target. When users access sites that match the wildcard, those apps are automatically onboarded for access from ZTNA Connector for your mobile users and remote network users. For example, given a wildcard of *.example.com, when users access the app at app1.example.com, ZTNA Connector automatically creates the configuration to onboard that child app with its specific FQDN, protocol, and port.
      In addition, when users access an app based on a wildcard (for example, app1.example.com based on the *.example.com wildcard), the app is discovered and added to
      FQDN Targets
      .
      1. Go to
        Wildcard Targets
        and
        Create Wildcard Target
        .
      2. Enter a unique
        Name
        for the target.
      3. Enter the
        Connector Group
        to associate with the target.
        The Group must be a type of
        FQDN/Wildcard
        .
      4. Enter the
        Wildcard
        to use with the target.
        Enter it in the format of .example.com or .my.example.com (the UI implicitly adds the asterisk to the front of the wildcard). Do not allow all sites by specifying a wildcard of *.*, example.*.com, or *.com.
      5. Select the
        Protocol
        (
        tcp
        or
        udp
        ).
      6. Select the
        Port
        to use for the app.
        Enter a single port, multiple ports using commas between the ports, a range of ports using dashes, or both. Do not add spaces after the commas. Select
        Any
        port to match any ports you specify, or select
        Match
        and enter the port or ports to match.
      7. Enter a
        Probing Type
        of
        tcp ping
        ,
        icmp ping
        , or
        none
        , depending on the protocol you select.
        If you select
        tcp ping
        , select a
        probing port
        . Enter a single port or a range of ports. The port does not have to be in the range of ports you entered in the
        port
        and
        protocol
        area. ZTNA connector determines the reachability of the app by performing a tcp ping from the probing port to the FQDN's resolved IP address. If the ping is successful, the app is considered
        Up
        .
        If you select
        icmp ping
        , ZTNA Connector performs an ICMP ping to the FQDN's resolved IP address. If a response is received to the ICMP ping, the app is considered
        Up
        .
        If you select
        none
        , no probing is performed and the application is always marked as
        Up
        .
      8. Select
        Activated
        and
        Create
        the target.
    • FQDN Targets
      —to create a target for a single FQDN, create an FQDN target.
      Starting with
      Prisma Access
      5.0, for Connector groups having 5.0 or higher ZTNA connector version, if an application FQDN resolves to multiple private IP addresses, the ZTNA connector performs an application probe to determine the status of all resolved IP addresses and load balances the FQDN access to multiple resolved IP addresses that have an application status of Up.
      To create an FQDN target, go to
      FQDN Targets
      and
      Create FQDN Target
      . You create an FQDN target the same as you create an FQDN wildcard, substituting the FQDN wildcard with a single FQDN.
      Applications that are discovered as the result of a wildcard target also display here. When users access sites that match the wildcard, those apps are automatically onboarded for access from ZTNA Connector for your mobile users and remote network users. For example, given a wildcard of *.example.com, when users access the app at app1.example.com, ZTNA Connector automatically adds that app to the list of FQDN targets.
      After an FQDN application is discovered from a parent wildcard target, any changes to the wildcard target are not updated in the discovered application. In addition, the same discovered FQDN is not rediscovered. If the characteristics for the discovered FQDN application require updating, perform a manual update on the discovered application using these steps.
    • IP Subnet
      —Create an IP subnet-based target to find apps based on IP subnets instead of FQDNs.
      1. Go to
        IP Subnets
        and
        Create Subnet Rule
        .
      2. Enter a unique
        Name
        for the target.
      3. Enter the
        Connector Group
        to associate with the target.
        The Group must be a type of
        IP Subnet
        .
      4. Specify the data center
        IP Subnets
        to which the connector in the group provides IP routing access.
        All connectors in the group provide routing access to the specified IP subnets. You can select a single IP address in the form of 10.1.1.1/32, a single subnet, or multiple subnets separated by commas. Enter a maximum of 16 subnets.
        The IP subnet must be routable within the tenant's IP Fabric and the IP subnets cannot overlap with any other IP subnets in the tenant, including:
      5. Select
        Activated
        and
        Create
        the target.
  7. Add the applications that are auto-discovered by ZTNA Connector to the Connector Group.
    1. Select
      Settings
      ZTNA Connector
      Application Targets
      Discovered Application Targets
      .
      If you're using Strata Cloud Manager, go to
      Workflows
      ZTNA Connector
      Application Targets
      Discovered Application Targets
      .
    2. Click + under
      Actions
      to add the application to a Connector group.
    3. Give the application a unique
      Name
      .
    4. Select the
      ZTNA Connector Group
      to associate with the app.
    5. Enter the
      Probing Type
      (
      tcp ping
      ,
      icmp ping
      , or
      none
      ).
      • If you select
        tcp ping
        , you also select a
        probing port
        . The port does not have to be in the range of ports you entered in the
        port
        and
        protocol
        area. If you select
        tcp ping
        for the probing type, Palo Alto Networks recommends that you to use this same port for the
        probing port
        .
        ZTNA connector determines the reachability of the app by performing a tcp ping from the probing port to the FQDN's resolved IP address. If the ping is successful, the app is considered
        Up
        .
      • If you select
        icmp ping
        , ZTNA Connector performs an ICMP ping to the FQDN. If a response is received to the ICMP ping, ZTNA Connector sets the status of the application as
        Up
        .
      • If you select
        none
        , no probing is performed and the application is always marked as
        Up
        .
    6. Select
      Enabled
      .
    7. Create
      the application target.
  8. (
    Optional
    ) View and Monitor ZTNA Connectors to see how your ZTNA connectors and connector groups are performing.
  9. (
    Optional
    ) If you encounter issues with accessing private apps using ZTNA Connector, use the ping, traceroute, and nslookup diagnostic tools to check app reachability.

Recommended For You