Prisma Access
Configure ZTNA Connector
Learn how to configure a ZTNA Connector in Prisma Access.
After you Enable ZTNA Connector, you can begin setting up the ZTNA Connector components:
- Identify your Application IP and Connector IP address blocks and add the IP address blocks in Prisma Access. If you use RFC 6598 addresses within your network, you must reserve a separate RFC 6598 IP address pool for use within Prisma Access internally to route traffic to the connectors and the private applications you'll be onboarding.
- Create a Connector Group. Connector Groups are logical groupings of connectors and applications. There are many different ways to group applications and connectors. You can group connectors in different geographic locations for redundancy. Or, you can create multiple connectors in the same data center for increased throughput. For simplified policy management, you may want to group applications that are used by the same user groups. Create your Connector Groups first, and then add connectors and applications to the groups. Repeat this step as needed to create all of the Connector Groups you need to group your connectors and applications.
  - Select Settings > ZTNA Connector > Overview and Create a Connector Group. You can also select Settings > ZTNA Connector > Connector Groups and Create Connector Group. If you're using Strata Cloud Manager, go to Workflows > ZTNA Connector, select Overview or Connector Groups, and Create Connector Group.
  - Give the Connector Group a Name and, optionally, provide a Description for it.
  - Choose a Type of either FQDN/Wildcard or IP Subnet. If you choose a type of FQDN/Wildcard, the FQDN is resolved by the connector at the data center, keeping the Prisma Access IP address fabric separated from your organization's data center. If you choose a type of IP Subnet, Prisma Access and your organization's data centers are flat with no separation. Match the type of connector group with the target you create later in this procedure. If you specify a Type of FQDN/Wildcard here, create Wildcard Targets or FQDN Targets for this group. If you specify a Type of IP Subnet, create an IP Subnet target for the connector group.
  - (Optional) If your data center is in Azure or AWS and you want to use the Auto Scale functionality, select Autoscale.
  - Create the connector group.
- Create Connectors and add them to the Connector Group. Connectors represent the VMs running in your data centers that connect to Prisma Access. You must create the Connector within Prisma Access, and then, when you onboard the corresponding Connector VM in your data center, you can configure the shared secret/key to enable automatic creation of the IPSec tunnels between them. Repeat this step as needed to create as many connectors as you need to connect your data center apps to Prisma Access.
  - Select Settings > ZTNA Connector > Connectors and Add Connector. If you're using Strata Cloud Manager, go to Workflows > ZTNA Connector, select Overview or Connectors, and Create Connector.
  - Enter a Name for the Connector.
  - (Optional) Add a Description for the Connector.
  - Select the Connector Group where the Connector should be added. For routing simplicity and fastest access to data center servers, Palo Alto Networks recommends that the connectors and servers be in the same subnet.
  - Create the Connector.
To keep the ZTNA Connectors up to date, you can update their software version. Icons on the ZTNA Connector > Connector Groups page show you the status of the connectors and whether an upgrade is available.

- Retrieve the key and secret that you will use to set up the Connector. You use the Key and Secret values when you set up the VMs in a later step.
  - Select Settings > ZTNA Connector > Connectors. If you're using Strata Cloud Manager, go to Workflows > ZTNA Connector > Connectors.
  - Select the Connector that you want to deploy.
  - Select Copy Token in the Status area; then, copy the Key and Secret values. You use the Key and Secret to associate the cloud instance or VM you create with the Connector.
  - (Optional) Select Settings > ZTNA Connector > Connectors, make a note of the PA Service IP address of the ZTNA Connector, and add this IP address to your organization's allow lists. If you're using Strata Cloud Manager, go to Workflows > ZTNA Connector > Connectors. If required, add this IP address to your allow lists so that your network can transmit and receive ZTNA Connector traffic.
- Add the targets to the Connector Groups. Set up targets to access the private apps in the data centers through your ZTNA Connector VMs. You can add targets based on FQDN wildcards, FQDNs, or IP subnets; ZTNA Connector does the work of setting up the networking and DNS settings required for your mobile users and users at branch offices to reach the apps securely through Prisma Access.
  - Select Settings > ZTNA Connector > Application Targets. If you're using Strata Cloud Manager, go to Workflows > ZTNA Connector > Application Targets.
  - Select the type of target you want to create.
    - Wildcard Targets—Use a wildcard (for example, *.example.com) for the target. When users access sites that match the wildcard, those apps are automatically onboarded for access from ZTNA Connector for your mobile users and remote network users. For example, given a wildcard of *.example.com, when users access the app at app1.example.com, ZTNA Connector automatically creates the configuration to onboard that child app with its specific FQDN, protocol, and port. In addition, when users access an app based on a wildcard (for example, app1.example.com based on the *.example.com wildcard), the app is discovered and added to FQDN Targets.
      - Go to Wildcard Targets and Create Wildcard Target.
      - Enter a unique Name for the target.
      - Enter the Connector Group to associate with the target. The Group must be a type of FQDN/Wildcard. Starting with Prisma Access 5.0.1, you can select multiple connector groups for both wildcard and FQDN targets, up to a maximum of four connector groups per wildcard or FQDN target. Use the guidelines when selecting multiple connector groups per target.
      - Enter the Wildcard to use with the target. Enter it in the format of .example.com or .my.example.com (the UI implicitly adds the asterisk to the front of the wildcard). Do not allow all sites by specifying a wildcard of *.*, example.*.com, or *.com.
      - Select the Protocol (tcp or udp).
      - Select the Port to use for the app. Enter a single port, multiple ports using commas between the ports, a range of ports using dashes, or both. Do not add spaces after the commas. Select Any port to match any ports you specify, or select Match and enter the port or ports to match.
      - Enter a Probing Type of tcp ping, icmp ping, or none, depending on the protocol you select. If you select tcp ping, select a probing port. Enter a single port or a range of ports. The port does not have to be in the range of ports you entered in the port and protocol area. ZTNA Connector determines the reachability of the app by performing a tcp ping from the probing port to the FQDN's resolved IP address. If the ping is successful, the app is considered Up. If you select icmp ping, ZTNA Connector performs an ICMP ping to the FQDN's resolved IP address. If a response is received to the ICMP ping, the app is considered Up. If you select none, no probing is performed and the application is always marked as Up.
      - Select Activated and Create the target.
    - FQDN Targets—To create a target for a single FQDN, create an FQDN target. Starting with Prisma Access 5.0, for Connector Groups running ZTNA Connector version 5.0 or higher, if an application FQDN resolves to multiple private IP addresses, the ZTNA Connector performs an application probe to determine the status of all resolved IP addresses and load balances access to the FQDN across the resolved IP addresses that have an application status of Up. To create an FQDN target, go to FQDN Targets and Create FQDN Target. You create an FQDN target the same way you create a wildcard target, substituting a single FQDN for the FQDN wildcard. Starting with Prisma Access 5.0.1, you can select multiple connector groups per FQDN target as well as per wildcard target, up to a maximum of four connector groups per FQDN or wildcard target. Use the guidelines when configuring multiple connector groups per target. Applications that are discovered as the result of a wildcard target also display here. When users access sites that match the wildcard, those apps are automatically onboarded for access from ZTNA Connector for your mobile users and remote network users. For example, given a wildcard of *.example.com, when users access the app at app1.example.com, ZTNA Connector automatically adds that app to the list of FQDN targets. After an FQDN application is discovered from a parent wildcard target, any changes to the wildcard target are not propagated to the discovered application. In addition, the same discovered FQDN is not rediscovered. If the characteristics of the discovered FQDN application require updating, perform a manual update on the discovered application using these steps.
    - IP Subnet—Create an IP subnet-based target to find apps based on IP subnets instead of FQDNs.
      - Go to IP Subnets and Create Subnet Rule.
      - Enter a unique Name for the target.
      - Enter the Connector Group to associate with the target. The Group must be a type of IP Subnet.
      - Specify the data center IP Subnets to which the connectors in the group provide IP routing access. All connectors in the group provide routing access to the specified IP subnets. You can select a single IP address in the form of 10.1.1.1/32, a single subnet, or multiple subnets separated by commas. Enter a maximum of 16 subnets. The IP subnet must be routable within the tenant's IP Fabric, and the IP subnets cannot overlap with any other IP subnets in the tenant, including:
        - Other IP routable subnets, including static routes configured by the user on Panorama, routes advertised from the branch to the remote network, or routes advertised from the data center to the service connection.
        - ZTNA FQDN Application IP subnets
        - ZTNA Connector IP subnets
      - Select Activated and Create the target.
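The input rules the target steps above state (the .example.com wildcard form and the forbidden catch-all wildcards, comma-separated port lists with dash ranges and no spaces, and IP Subnet targets that hold at most 16 CIDRs and overlap nothing else routed in the tenant, including the ZTNA application and connector IP blocks) can be checked before anything is entered in the UI. The following Python is an added example written for this page; it is not Palo Alto Networks code and not the connector's own validation. The function names, the `SAMPLE_TENANT` address blocks and the sample targets are constructed, and the example assumes that the apex of a wildcard (example.com under .example.com) is not itself a match, which the page does not state.

```python
"""Pre-flight checks for ZTNA Connector application targets.

Added example, not Palo Alto Networks code: it re-implements the input rules
this page states for wildcard, port and IP Subnet targets so a planned target
set can be linted before it is entered in the UI. Function names, SAMPLE_TENANT
and the sample targets are constructed for this example.
"""
from __future__ import annotations

import ipaddress
import re

MAX_SUBNETS_PER_TARGET = 16   # limit stated on the page

# One DNS label: letters, digits and inner hyphens. A '*' never matches.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def validate_wildcard(spec: str) -> str:
    """Return the normalized suffix ('.example.com') or raise ValueError.

    Accepts the UI form '.example.com' or '*.example.com'. Rejects the
    catch-all forms the page forbids: '*.*', 'example.*.com' and '*.com'.
    """
    suffix = spec.strip().lower()
    if suffix.startswith("*"):
        suffix = suffix[1:]               # the UI adds the asterisk itself
    if not suffix.startswith("."):
        raise ValueError(f"{spec!r}: enter the wildcard as .example.com")
    labels = suffix[1:].split(".")
    if len(labels) < 2:
        raise ValueError(f"{spec!r}: would match every host under a TLD")
    if any(not _LABEL.match(label) for label in labels):
        raise ValueError(f"{spec!r}: contains an invalid label")
    return suffix


def is_valid_wildcard(spec: str) -> bool:
    """Boolean wrapper around validate_wildcard for quick checks."""
    try:
        validate_wildcard(spec)
        return True
    except ValueError:
        return False


def fqdn_matches_wildcard(fqdn: str, suffix: str) -> bool:
    """True when fqdn is a child host of the wildcard, as app1.example.com is
    of .example.com. Assumption: the apex (example.com) is not a match; the
    page only shows child hosts being discovered."""
    host = fqdn.strip().lower().rstrip(".")
    return host.endswith(suffix) and len(host) > len(suffix)


def parse_port_spec(spec: str) -> set[int]:
    """Expand '80,443,8000-8010' into the set of ports it covers, enforcing
    the page's rules: commas between ports, dashes for ranges, no spaces."""
    if " " in spec:
        raise ValueError(f"{spec!r}: remove the spaces from the port list")
    ports: set[int] = set()
    for part in spec.split(","):
        low, dash, high = part.partition("-")
        start = int(low)
        end = int(high) if dash else start
        if not 1 <= start <= end <= 65535:
            raise ValueError(f"{part!r}: ports must be 1-65535, low-high")
        ports.update(range(start, end + 1))
    return ports


def validate_subnet_target(spec: str, tenant_subnets: dict[str, list[str]]) -> list[str]:
    """Parse a comma-separated IP Subnet target and return the problems found.

    tenant_subnets maps a label to CIDRs already routed in the tenant (other
    routable subnets, the ZTNA application IP block, the ZTNA connector IP
    block); the page requires that a subnet target overlap none of them.
    """
    try:   # strict=True rejects host bits, e.g. 10.1.1.1/24; spaces fail too
        nets = [ipaddress.ip_network(s, strict=True) for s in spec.split(",")]
    except ValueError as exc:
        return [f"invalid subnet: {exc}"]
    problems: list[str] = []
    if len(nets) > MAX_SUBNETS_PER_TARGET:
        problems.append(f"{len(nets)} subnets exceeds the maximum of {MAX_SUBNETS_PER_TARGET}")
    for label, cidrs in tenant_subnets.items():
        for used in map(ipaddress.ip_network, cidrs):
            problems += [f"{net} overlaps {label} {used}" for net in nets if net.overlaps(used)]
    for i, a in enumerate(nets):   # subnets inside one target must not overlap either
        problems += [f"{a} overlaps {b} within the same target" for b in nets[i + 1:] if a.overlaps(b)]
    return problems


# Constructed sample tenant layout for the demo; not a real deployment.
SAMPLE_TENANT = {
    "ZTNA application IP block": ["100.64.0.0/16"],
    "ZTNA connector IP block": ["100.65.0.0/16"],
    "service connection route": ["10.50.0.0/16"],
}


def lint_targets() -> dict[str, list[str]]:
    """Run the checks over constructed sample input; problems per target."""
    report: dict[str, list[str]] = {}
    for name, spec in {"wc-corp": ".example.com", "wc-bad": "*.com"}.items():
        report[name] = [] if is_valid_wildcard(spec) else [f"{spec!r} rejected"]
    report["subnet-ok"] = validate_subnet_target("10.1.1.1/32,10.20.0.0/24", SAMPLE_TENANT)
    report["subnet-clash"] = validate_subnet_target("10.50.3.0/24", SAMPLE_TENANT)
    return report


if __name__ == "__main__":
    for target, problems in lint_targets().items():
        print(f"{target}: {'OK' if not problems else '; '.join(problems)}")
```

Feed `validate_subnet_target` the real routes of the tenant (static routes, remote network and service connection advertisements, and the two ZTNA address blocks reserved in the first step) to catch an overlap before the target is created rather than after traffic fails to route.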
- Add the applications that are auto-discovered by ZTNA Connector to the Connector Group.
  - Select Settings > ZTNA Connector > Application Targets > Discovered Application Targets. If you're using Strata Cloud Manager, go to Workflows > ZTNA Connector > Application Targets > Discovered Application Targets.
  - Click + under Actions to add the application to a Connector Group.
  - Give the application a unique Name.
  - Select the ZTNA Connector Group to associate with the app.
  - Enter the Probing Type (tcp ping, icmp ping, or none).
    - If you select tcp ping, you also select a probing port. The port does not have to be in the range of ports you entered in the port and protocol area. If you select tcp ping for the probing type, Palo Alto Networks recommends that you use this same port for the probing port. ZTNA Connector determines the reachability of the app by performing a tcp ping from the probing port to the FQDN's resolved IP address. If the ping is successful, the app is considered Up.
    - If you select icmp ping, ZTNA Connector performs an ICMP ping to the FQDN. If a response is received to the ICMP ping, ZTNA Connector sets the status of the application as Up.
    - If you select none, no probing is performed and the application is always marked as Up.
  - Select Enabled.
  - Create the application target.
- (Optional) View and Monitor ZTNA Connectors to see how your ZTNA connectors and connector groups are performing.
- (Optional) If you encounter issues with accessing private apps using ZTNA Connector, use the ping, traceroute, and nslookup diagnostic tools to check app reachability.
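To see what the three probing types actually test, and to repeat the same check from another host in the data center when an application shows Down (alongside the ping, traceroute, and nslookup tools the last step mentions), here is an added Python example. It is not Palo Alto Networks code and not the connector's implementation. It resolves an FQDN, probes every resolved address with the chosen probing type (a TCP handshake to the probing port, an ICMP ping through the system `ping` binary, or no probe at all), and returns the per-address status together with the set of Up addresses that a 5.0 or later connector load balances across. Assumptions: the probing port is the destination port of the TCP connection, `ping -c 1 -W` is Linux-style syntax, and `FAKE_DNS` and `FAKE_LISTENING` are constructed so the demo runs offline.

```python
"""Reproduce the ZTNA Connector application probe outside the connector.

Added example, not Palo Alto Networks code. Models the probing types the page
describes (tcp ping, icmp ping, none) over every address an FQDN resolves to,
and derives the status a 5.0+ connector would report. Function names and the
FAKE_DNS / FAKE_LISTENING sample data are constructed for this example.
"""
from __future__ import annotations

import socket
import subprocess
from typing import Callable, Iterable

Prober = Callable[[str], bool]   # address -> reachable?


def tcp_ping(port: int, timeout: float = 2.0) -> Prober:
    """Probe by completing a TCP handshake to the probing port (assumption:
    the probing port is the destination port of the connection)."""
    def probe(address: str) -> bool:
        try:
            with socket.create_connection((address, port), timeout=timeout):
                return True
        except OSError:               # refused, unreachable or timed out
            return False
    return probe


def icmp_ping(timeout_s: int = 1) -> Prober:
    """Probe with the system ping binary (assumes Linux-style -c/-W flags)."""
    def probe(address: str) -> bool:
        result = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), address],
                                capture_output=True, check=False)
        return result.returncode == 0
    return probe


def no_probe() -> Prober:
    """Probing type 'none': the application is always marked Up."""
    return lambda address: True


def resolve(fqdn: str) -> list[str]:
    """All IPv4 addresses the FQDN resolves to from this host, standing in for
    the connector's resolver at the data center."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def probe_application(addresses: Iterable[str], probe: Prober) -> dict[str, str]:
    """Status per resolved address: 'Up' if the probe succeeds, else 'Down'."""
    return {addr: ("Up" if probe(addr) else "Down") for addr in addresses}


def application_status(statuses: dict[str, str]) -> tuple[str, list[str]]:
    """Overall status plus the Up addresses a 5.0+ connector balances across.
    The application is Up as long as at least one resolved address is Up."""
    up = [addr for addr, state in statuses.items() if state == "Up"]
    return ("Up" if up else "Down"), up


def check_fqdn(fqdn: str, probe: Prober,
               resolver: Callable[[str], list[str]] = resolve) -> tuple[str, dict[str, str]]:
    """Resolve the FQDN, probe each address, and summarize."""
    statuses = probe_application(resolver(fqdn), probe)
    overall, _ = application_status(statuses)
    return overall, statuses


# Constructed offline demo: a fake resolver and a fake data center in which
# only one of the two resolved addresses listens on the probing port.
FAKE_DNS = {"app1.example.com": ["10.1.1.10", "10.1.1.11"]}
FAKE_LISTENING = {("10.1.1.10", 443)}


def demo_probe_port(port: int) -> Prober:
    """Stand-in for tcp_ping that consults FAKE_LISTENING instead of the network."""
    return lambda address: (address, port) in FAKE_LISTENING


def demo() -> tuple[str, dict[str, str]]:
    return check_fqdn("app1.example.com", demo_probe_port(443), resolver=FAKE_DNS.__getitem__)


if __name__ == "__main__":
    overall, statuses = demo()
    print(overall, statuses)   # Up {'10.1.1.10': 'Up', '10.1.1.11': 'Down'}
    # Against a real application from a host in the data center:
    # print(check_fqdn("app1.example.com", tcp_ping(443)))
```

Running `check_fqdn` with `tcp_ping` from a host in the same subnet as the connector gives a quick answer to the usual question when a target shows Down: whether the probing port is reachable at all, or only from the connector's address.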