>
    Strata Copilot
    Private AWS Application Target Discovery
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access ZTNA Connector
    5. Private AWS Application Target Discovery
    Download PDF
    Prisma Access

    Private AWS Application Target Discovery

    Table of Contents

    Private AWS Application Target Discovery

    Discovery of private AWS applications by ZTNA Connector.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • We require a minimum version of Prisma Access 5.0 to enable ZTNA Connector support.
    • Prisma Access license includes 10 connectors, 20,000 FQDNs, and 1024 IP subnets. This functionality is provided for the purpose of trying out ZTNA Connectors in your environment.
    • The Private App add-on license includes 200 ZTNA Connectors, 20,000 FQDNs, and 1024 IP subnet functionality.
    In a modern networking infrastructure, thousands of private applications are deployed across on-premises and in multicloud data centers. The networking teams are not aware of the applications running in their network or within a particular subnet in the network leading to a lack of application visibility.
    To provide a secure access to applications, you have to manually enter the FQDN, port, application, and be aware of the dependency this application has on the other applications.
    Private application target discovery provides a way to discover the applications hosted in the cloud environment and allows those applications to be onboarded on the ZTNA Connector solution. It also connects to the cloud provider network, does the discovery, and stores it in the database. It also provides APIs to the different services to get the discovered applications. If the user has only a service connection instead of a ZTNA Connector, only application targets are discovered.
    The private application target discovery identifies:
    • FQDN
    • Port of the application
    • Protocol of the application
    Make sure you activate cloud identity engine (CIE) before you enable the private application discovery feature.
    Complete the following steps to add a cloud account, an IAM role in AWS, and discover the target applications.
    1. Get the CloudFormation template (CFT) to add a cloud account.
      1. Navigate to Application Targets(ConfigurationZTNA ConnectorApplication Targets).
      2. On the Application Targets page, select Discovered Targets, and then select Manage Target Discovery Accounts.
      3. Select Enable Target Discovery, and then select Enable.
      4. On the Manage Target Discovery Accounts page, select Add Cloud Account.
      5. Add the Account Name, and click the check box under Cloud Account Enabled. Add the AWS Account ID , and click Download IAM Role CFT to download the file.
    2. Create the IAM role in AWS.
      1. Navigate to the AWS application, select your account, and Sign in.
      2. Navigate to CloudFormationStacksCreate stackWith new resources (standard) to create the stack.
      3. On the Create stack page, under Prerequisite-Prepare template, select Choose an existing template. Under Specify template, select Upload a template file. Upload the previously downloaded file in Step 1, and select Next.
      4. Add Stack name, AppDisRoleName, and select Next.
      5. On the Configure stack options page, don't make any updates, and select Next.
      6. Review the changes. Select the check box under Capabilities to acknowledge the creation of IAM resources with custom names, and then select Submit.
      7. Navigate to IAMRoles and search for the role name you defined. Select the role name and copy the ARN for the role.
    3. Paste the ARN in the IAM Role ARN text field, and then select Verify. When the ARN is verified, select Save.
      If you add a wrong ARN in the IAM Role ARN text field, the verification fails and an error message appears.
      After you add the account, you can see the status, account ID, and other details. The refresh period for the discovery is 24 hours. You can also add multiple accounts to the same tenant.
    4. To identify the discovered apps, select Discovered Targets. You can find the list of identified applications under Discovered Application Targets.
    5. (Optional) Delete the cloud account.
      To delete your cloud account and add a new one without disabling target discovery, follow this procedure. However, these steps are mandatory if you want to disable target discovery functionality.
      1. Under Manage Target Discovery Accounts, click the Account Name that you want to delete.
      2. Disable Cloud Account Enabled, and select Update. When the account is updated, select Delete. The account is deleted.
    6. (Optional) Disable target discovery.
      Make sure all the cloud accounts are deleted before you disable the target discovery.
      1. Select Disable Target Discovery, and then select Disable Target Discovery.

    © 2026 Palo Alto Networks, Inc. All rights reserved.