Private Application Target Discovery
Prisma Access
Discovery of private applications by ZTNA Connector.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access 5.2.0
  • ZTNA Connector add-on license
    The Essential license with the add-on license includes 8 ZTNA Connectors, 100 FQDNs, and 4 IP subnets.
    The Advanced license with the add-on license includes 40 ZTNA Connectors, 300 FQDNs, and 1024 IP subnets.
    The Premium license with the add-on license includes 200 ZTNA Connectors, 4000 FQDNs, and 1024 IP subnets.
  • If you don't purchase the ZTNA Connector add-on license, Prisma Access licenses include four connectors, 40 FQDNs, and four IP subnets. This functionality is provided so that you can try out ZTNA Connectors in your environment.
In a modern networking infrastructure, thousands of private applications are deployed across on-premises and multicloud data centers. Networking teams often do not know which applications are running in their network, or within a particular subnet, which leaves them without application visibility.
Without discovery, providing secure access to an application means manually entering its FQDN, port, and application, and knowing which other applications it depends on.
Private application target discovery discovers the applications hosted in your cloud environment so that they can be onboarded to the ZTNA Connector solution. The discovery service connects to the cloud provider network through the cloud account you add, performs the discovery, and stores the results in its database. It also provides APIs that other services use to retrieve the discovered applications. If you have only a service connection instead of a ZTNA Connector, only application targets are discovered.
The private application target discovery identifies:
  • FQDN
  • Port of the application
  • Protocol of the application
Make sure you activate Cloud Identity Engine (CIE) before you enable the private application discovery feature.
Complete the following steps to add a cloud account, create an IAM role in AWS, and discover the target applications.
  1. Get the CloudFormation template (CFT) to add a cloud account.
    1. Navigate to Application Targets (Workflows > ZTNA Connector > Application Targets).
    2. On the Application Targets page, select Discovered Targets, and then select Manage Target Discovery Accounts.
    3. Select Enable Target Discovery, and then select Enable.
    4. On the Manage Target Discovery Accounts page, select Add Cloud Account.
    5. Enter the Account Name and select the Cloud Account Enabled check box. Enter the AWS Account ID, and click Download IAM Role CFT to download the template file.
  2. Create the IAM role in AWS.
    1. Open the AWS Management Console, select the account whose ID you entered in Step 1, and sign in.
    2. Navigate to CloudFormation > Stacks > Create stack > With new resources (standard) to create the stack.
    3. On the Create stack page, under Prerequisite - Prepare template, select Choose an existing template. Under Specify template, select Upload a template file. Upload the file you downloaded in Step 1, and select Next.
    4. Enter a Stack name and the AppDisRoleName (the name that the IAM role will be created with), and select Next.
    5. On the Configure stack options page, don't make any updates, and select Next.
    6. Review the changes. Under Capabilities, select the check box to acknowledge that AWS CloudFormation might create IAM resources with custom names, and then select Submit.
    7. Navigate to IAM > Roles and search for the role name you defined. Select the role and copy its ARN.
  3. Paste the ARN in the IAM Role ARN text field, and then select Verify. When the ARN is verified, select Save.
    If you enter a wrong ARN in the IAM Role ARN text field, the verification fails and an error message appears.
    After you add the account, you can see its status, account ID, and other details. The discovery refresh period is 24 hours. You can also add multiple accounts to the same tenant.
  4. To identify the discovered apps, select Discovered Targets. You can find the list of identified applications under Discovered Application Targets.
  5. (Optional) Delete the cloud account.
    Use this procedure to delete a cloud account and add a new one without disabling target discovery. These steps are also mandatory before you can disable the target discovery functionality.
    1. Under Manage Target Discovery Accounts, click the Account Name that you want to delete.
    2. Disable Cloud Account Enabled, and select Update. When the account is updated, select Delete. The account is deleted.
  6. (Optional) Disable target discovery.
    Make sure all the cloud accounts are deleted before you disable the target discovery.
    1. Select Disable Target Discovery, and then confirm by selecting Disable Target Discovery.
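The CloudFormation template you deploy in Step 2 creates an IAM role that a party outside your account will assume, so it is worth reading its trust policy and permissions before you create the stack. The following script is an added example, not part of this documentation or of Palo Alto Networks' tooling; the real CFT is not reproduced on this page, so SAMPLE_TEMPLATE is a constructed stand-in with the same shape (an AWS::IAM::Role with an AssumeRolePolicyDocument and an inline policy), and the account number, ExternalId value and action names in it are placeholders. The script reports which principals may assume the role, whether an sts:ExternalId condition is present, and which allowed actions are not read-only.

```python
"""Pre-deployment review of a CloudFormation template that creates a cross-account IAM role.

Added example; not the vendor's code. Run it against the CFT downloaded in Step 1
before creating the stack in Step 2:  python review_cft.py path/to/template.json
"""
import json
import sys

# Constructed sample template (JSON form). The account ID, ExternalId and actions
# are illustrative placeholders, not the values in the real ZTNA Connector CFT.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"AppDisRoleName": {"Type": "String"}},
    "Resources": {
        "AppDiscoveryRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": {"Ref": "AppDisRoleName"},
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                        "Action": "sts:AssumeRole",
                        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
                    }],
                },
                "Policies": [{
                    "PolicyName": "AppDiscoveryReadOnly",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": ["ec2:DescribeInstances", "ec2:DescribeVpcs",
                                       "elasticloadbalancing:Describe*", "route53:ListHostedZones"],
                            "Resource": "*",
                        }],
                    },
                }],
            },
        }
    },
})

READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """True for 'service:Describe*/List*/Get*'; bare '*', 'svc:*' or write verbs are flagged."""
    if not isinstance(action, str) or ":" not in action:
        return False
    return action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)


def review_template(template_text):
    """Summarise every AWS::IAM::Role in a JSON CloudFormation template."""
    tpl = json.loads(template_text)
    report = {"roles": []}
    for logical_id, res in tpl.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        trusted, external_id = [], False
        for st in _as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement")):
            if st.get("Effect") != "Allow":
                continue
            principal = st.get("Principal", {})
            if principal == "*":                      # anyone may assume the role
                trusted.append("*")
            else:
                for key in ("AWS", "Service", "Federated"):
                    trusted.extend(_as_list(principal.get(key)))
            conditions = st.get("Condition", {})
            if any("sts:ExternalId" in c for c in conditions.values() if isinstance(c, dict)):
                external_id = True
        actions = []
        for pol in _as_list(props.get("Policies")):
            for st in _as_list(pol.get("PolicyDocument", {}).get("Statement")):
                if st.get("Effect") == "Allow":
                    actions.extend(_as_list(st.get("Action")))
        non_read_only = [a for a in actions if not _is_read_only(a)]
        findings = []
        if "*" in trusted:
            findings.append("trust policy allows any principal")
        if not external_id:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
        if non_read_only:
            findings.append("non-read-only actions: " + ", ".join(map(str, non_read_only)))
        report["roles"].append({
            "logical_id": logical_id,
            "trusted_principals": trusted,
            "external_id_required": external_id,
            "allowed_actions": actions,
            "non_read_only_actions": non_read_only,
            "managed_policy_arns": _as_list(props.get("ManagedPolicyArns")),
            "wildcard_trust": "*" in trusted,
            "findings": findings,
        })
    return report


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    print(json.dumps(review_template(text), indent=2))
```

Vendor templates are often shipped as YAML; for those, swap json.loads for yaml.safe_load (PyYAML) and add a loader for the short intrinsic forms such as !Ref. The trusted principal you see should be the account the vendor documents, the ExternalId should be present, and the permissions should be limited to the Describe/List/Get calls discovery needs; anything beyond that is a question to raise before you paste the role ARN in Step 3.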