>
    Enable ZTNA Connector
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access ZTNA Connector
    4. Enable ZTNA Connector
    Download PDF
    Prisma Access

    Enable ZTNA Connector

    Table of Contents

    Enable ZTNA Connector

    Learn how to configure a ZTNA Connector in Prisma Access.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • Prisma Access 5.2.0
    • ZTNA Connector add-on license
      The Essential license with the add-on license includes 8 ZTNA Connectors, 100 FQDNs, and 4 IP subnet functionality.
      The Advanced license with the add-on license includes 40 ZTNA Connectors, 300 FQDNs, and 1024 IP subnet functionality.
      The Premium license with the add-on license includes 200 ZTNA Connectors, 4000 FQDNs, and 1024 IP subnet functionality.
    • If you don't purchase the ZTNA Connector add-on license, Prisma Access licenses include four connectors, 40 FQDNs, and four IP subnets. This functionality is provided for the purpose of trying out ZTNA Connectors in your environment.
    Before you can set up ZTNA Connector, you must enable it within Prisma Access. Before you enable ZTNA Connector, do the following:
    • Review the ZTNA Connector Requirements and Guidelines.
    • Identify your Application IP and Connector IP address blocks. You must reserve a separate address pool to reserve for use within Prisma Access internally to route traffic to the connectors and private applications you’ll be onboarding. Prisma Access resolves the FQDNs of the applications you onboard to ZTNA Connector to the IP addresses in the Application IP address block. Similarly, Prisma Access uses the Connector IP address block to route traffic from the remote network or mobile user to the appropriate ZTNA Connector.
      You should reserve at least a /16 subnet for the address pool. Use RFC 1918 or RFC 6598 addresses. You can specify an RFC 1918 address pool during ZTNA Connector setup instead of RFC 6598; however, you cannot change the address pool type back to RFC 6598 after you specify RFC 1918.

    Enable ZTNA Connector (Strata Cloud Manager)

    Learn how to configure a ZTNA Connector in Prisma Access.
    Use the following workflow to enable ZTNA Connector in Cloud Managed Prisma Access.
    1. Configure the IP address blocks that Prisma Access will use internally to route traffic to the ZTNA Connector and the private apps you onboard.
      You must define separate IP address blocks for your connectors and your applications and the blocks cannot overlap with each other, with the Prisma Access infrastructure subnet, or with you GlobalProtect IP address pool.
      • Select WorkflowsPrisma Access SetupPrisma AccessInfrastructure Settings.
      • Add ZTNA Connectors Application IP Blocks.
        You can add a single Application IP Block, or multiple blocks depending on your deployment. For example, enter 100.64.10.0/24 and 100.64.11.0/24. You can also Advertise Application IP blocks to Remote Networks to provide remote network access.
      • Add ZTNA Connectors Connector IP Blocks that Prisma Access will use internally to route traffic between mobile users, remote networks and the connector VMs in your data centers.
        You can add a single Connector IP Block, or multiple blocks depending on your deployment. For example, enter 100.65.10.0/24 and 100.65.11.0/24.
      • Click Save to save the IP address block configuration and then Commit and push the configuration.
    2. Launch ZTNA Connector from Strata Cloud Manager.
      • Select WorkflowsZTNA Connector.
      • Prisma Access begins setting up the infrastructure for the ZTNA Connector. This may take a few minutes.
      • When onboarding finishes, the ZTNA Connector Overview displays.

    Enable ZTNA Connector (Panorama)

    Learn how to configure a ZTNA Connector in Prisma Access (Managed by Panorama).
    Use the following workflow to enable ZTNA Connector in Prisma Access (Managed by Panorama).
    1. Configure the IP address blocks that Prisma Access will use internally to route traffic to the ZTNA Connector and the private apps you onboard.
      • Select PanoramaCloud ServicesConfigurationService Setup and Edit the Settings.
      • On the ZTNA Connector tab Add an Application IP Block.
        You can add a single Application IP Block, or multiple blocks depending on your deployment. For example, if 100.64.10.0/24 and 100.64.11.0/24. You can also Enable Advertise Application IP Block to Remote Networks.
      • Set the Connector IP Blocks that Prisma Access will use internally to route traffic between mobile users, remote networks and the connector VMs in your data centers.
        You can add a single Connector IP Block, or multiple blocks depending on your deployment. For example, enter 100.65.10.0/24 and 100.65.11.0/24.
      • Click OK to save the IP address block configuration and then Commit and push the configuration.
    2. Launch ZTNA Connector from the Cloud Services Plugin on Panorama.
      • SelectPanoramaCloud ServicesZTNA Connector.
      • Click Strata Cloud Manager to launch ZTNA Connector in Strata Cloud Manager on the hub.
      • From Strata Cloud Manager, select SettingsZTNA Connector.
      • Prisma Access begins setting up the infrastructure for the ZTNA Connector. This may take a few minutes.
      • When onboarding finishes, the ZTNA Connector Overview displays.

    © 2024 Palo Alto Networks, Inc. All rights reserved.