Enable or Disable ZTNA Connector

Learn how to configure or deconfigure a ZTNA Connector in Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • We require a minimum version of Prisma Access 5.0 to enable ZTNA Connector support.
  • Prisma Access license includes 10 connectors, 20,000 FQDNs, and 1024 IP subnets. This functionality is provided for the purpose of trying out ZTNA Connectors in your environment.
  • The Private App add-on license includes 200 ZTNA Connectors, 20,000 FQDNs, and 1024 IP subnet functionality.
Before you can set up ZTNA Connector, you must enable it within Prisma Access. Before you enable ZTNA Connector, do the following:
  • Review the ZTNA Connector Requirements and Guidelines.
  • Identify your Application IP and Connector IP address blocks. You must reserve a separate address pool for Prisma Access to use internally to route traffic to the connectors and private applications you’ll be onboarding. Prisma Access resolves the FQDNs of the applications you onboard to ZTNA Connector to the IP addresses in the Application IP address block. Similarly, Prisma Access uses the Connector IP address block to route traffic from the remote network or mobile user to the appropriate ZTNA Connector.
    Configure the connector IP address blocks carefully. Once you have added them, you can only update or delete them after you delete all the existing connectors or connector groups.
    When configuring, updating, or deleting the ZTNA Connector application and connector pools, you must do a commit and push to all the Prisma Access components.
    You should reserve at least a /16 subnet for the address pool. Use RFC 1918 or RFC 6598 addresses. You can specify an RFC 1918 address pool during ZTNA Connector setup instead of RFC 6598; however, you cannot change the address pool type back to RFC 6598 after you specify RFC 1918.
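A pre-flight check for the address plan described above, as an added example (not Palo Alto Networks code). It assumes "at least a /16" refers to the total size of each pool, and the in_use argument is a hypothetical list of networks you already route; the sample blocks in the comments are constructed.

```python
import ipaddress

# Address ranges the page permits for ZTNA Connector pools.
ALLOWED = {
    "RFC 1918": [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "RFC 6598": [ipaddress.ip_network("100.64.0.0/10")],
}
MIN_POOL_ADDRESSES = 2 ** 16  # "at least a /16", read as total pool size (assumption)


def pool_type(net):
    """Return 'RFC 1918' or 'RFC 6598' if net lies wholly inside one, else None."""
    for name, ranges in ALLOWED.items():
        if any(net.version == r.version and net.subnet_of(r) for r in ranges):
            return name
    return None


def check_pools(app_blocks, connector_blocks, in_use=()):
    """Return a list of problems with the plan; an empty list means it passes.

    ip_network() raises ValueError for a block with host bits set
    (for example 100.64.1.0/16), which catches typos before commit.
    """
    pools = {
        "application": [ipaddress.ip_network(b) for b in app_blocks],
        "connector": [ipaddress.ip_network(b) for b in connector_blocks],
    }
    used = [ipaddress.ip_network(b) for b in in_use]
    problems = []
    for label, nets in pools.items():
        for n in nets:
            if pool_type(n) is None:
                problems.append(f"{label} block {n} is not RFC 1918 or RFC 6598")
            for u in used:
                if n.overlaps(u):
                    problems.append(f"{label} block {n} overlaps in-use network {u}")
        if sum(n.num_addresses for n in nets) < MIN_POOL_ADDRESSES:
            problems.append(f"{label} pool is smaller than a /16")
    # Application and connector blocks must be separate from each other.
    for a in pools["application"]:
        for c in pools["connector"]:
            if a.overlaps(c):
                problems.append(f"application block {a} overlaps connector block {c}")
    return problems

# Constructed plan: check_pools(["100.64.0.0/16"], ["100.65.0.0/16"], ["10.0.0.0/8"])
```

Because connector IP blocks can only be updated or deleted after all connectors and connector groups are removed, run a check like this before the first commit and push.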

Enable or Disable ZTNA Connector (Strata Cloud Manager)

Learn how to configure a ZTNA Connector in Prisma Access.
Use the following workflow to enable ZTNA Connector in Cloud Managed Prisma Access.
You must define separate IP address blocks for your connectors and your applications and the blocks cannot overlap with:
  1. Configure the IP address blocks that Prisma Access will use internally to route traffic to the ZTNA Connector and the private apps you onboard.
    • Select Configuration > NGFW and Prisma Access > Configuration Scope > Prisma Access > Prisma Access Infrastructure > Infrastructure Settings.
    • Add ZTNA Connectors Application IP Blocks.
      You can add a single Application IP Block, or multiple blocks depending on your deployment. You can also Advertise Application IP blocks to Remote Networks to provide remote network access.
      Use RFC 1918 or RFC 6598 addresses. You can specify an RFC 1918 address pool during ZTNA Connector setup instead of RFC 6598. However, you can change the address pool type back to RFC 6598 after you specify RFC 1918 only for application blocks. For connector IP address blocks, you can change the address pool type only when you delete all the connectors and connector groups.
    • Add ZTNA Connectors Connector IP Blocks that Prisma Access will use internally to route traffic between mobile users, remote networks and the connector VMs in your data centers.
      Configure the connector IP address blocks carefully. Once you have added them, you can only update or delete them after you delete all the existing connectors or connector groups.
      You can add a single Connector IP Block, or multiple blocks depending on your deployment.
    • Click Save to save the IP address block configuration and then Commit and push the configuration.
  2. Launch ZTNA Connector from Strata Cloud Manager.
    • Select Configuration > ZTNA Connector.
    • Prisma Access begins setting up the infrastructure for the ZTNA Connector. This may take a few minutes.
    • When onboarding finishes, the ZTNA Connector Overview displays.

Disable ZTNA Connector (Strata Cloud Manager)

ZTNA Connector Offboarding removes ZTNA Connectors and all associated entities from your system. This process ensures the complete removal of a ZTNA Connector's operational footprint, including configurations and access pathways, from your environment.
ZTNA Connector offboarding involves several core components:
  • ZTNA Connector: The primary logical entity to be removed.
  • Connected Connectors: Logically linked connectors.
  • Connector Groups: Groups organizing ZTNA Connectors, subject to deletion if associated.
  • Application Targets (App Targets): Access configurations for private applications are permanently removed. The User Interface (UI) initiates and monitors the process, while a backend micro-service executes the deletion.
Use this procedure to disable ZTNA Connector in your environment, including its associated Connector Groups and App targets. This action is irreversible and will terminate all active sessions, potentially impacting user access to private applications in your network.
  1. Go to Configuration > ZTNA Connector.
  2. Select the settings icon under General Information and select Disable ZTNA Connector.
  3. Review the disablement summary on the screen, which displays affected Connectors, Connector Groups, and App targets. Select Confirm to disable ZTNA Connector.
  4. A warning message appears showing the consequences of disablement. Select Disable.
    When the process is completed, you can see the ZTNA Connector Welcome Page with an active Enable ZTNA Connector icon.

Enable or Disable ZTNA Connector (Panorama)

Learn how to configure a ZTNA Connector in Prisma Access (Managed by Panorama).
Use the following workflow to enable ZTNA Connector in Prisma Access (Managed by Panorama).
You must define separate IP address blocks for your connectors and your applications and the blocks cannot overlap with:
  1. Configure the IP address blocks that Prisma Access will use internally to route traffic to the ZTNA Connector and the private apps you onboard.
    • Select Panorama > Cloud Services > Configuration > Service Setup and Edit the Settings.
    • On the ZTNA Connector tab, Add an Application IP Block.
      You can add a single Application IP Block, or multiple blocks depending on your deployment. You can also Enable Advertise Application IP Block to Remote Networks.
      Use RFC 1918 or RFC 6598 addresses. You can specify an RFC 1918 address pool during ZTNA Connector setup instead of RFC 6598. However, you can change the address pool type back to RFC 6598 after you specify RFC 1918 only for application blocks. For connector IP address blocks, you can change the address pool type only when you delete all the connectors and connector groups.
    • Set the Connector IP Blocks that Prisma Access will use internally to route traffic between mobile users, remote networks and the connector VMs in your data centers.
      Configure the connector IP address blocks carefully. Once you have added them, you can only update or delete them after you delete all the existing connectors or connector groups.
      You can add a single Connector IP Block, or multiple blocks depending on your deployment.
    • Click OK to save the IP address block configuration and then Commit and push the configuration.
  2. Launch ZTNA Connector from the Cloud Services Plugin on Panorama.
    • Select Panorama > Cloud Services > ZTNA Connector.
    • Click Strata Cloud Manager to launch ZTNA Connector in Strata Cloud Manager on the hub.
    • From Strata Cloud Manager, select Settings > ZTNA Connector.
    • Prisma Access begins setting up the infrastructure for the ZTNA Connector. This may take a few minutes.
    • When onboarding finishes, the ZTNA Connector Overview displays.

Disable ZTNA Connector (Panorama)

ZTNA Connector Offboarding removes ZTNA Connectors and all associated entities from your system. This process ensures the complete removal of a ZTNA Connector's operational footprint, including configurations and access pathways, from your environment.
ZTNA Connector offboarding involves several core components:
  • ZTNA Connector: The primary logical entity to be removed.
  • Connected Connectors: Logically linked connectors.
  • Connector Groups: Groups organizing ZTNA Connectors, subject to deletion if associated.
  • Application Targets (App Targets): Access configurations for private applications are permanently removed. The User Interface (UI) initiates and monitors the process, while a backend micro-service executes the deletion.
Use this procedure to disable ZTNA Connector in your environment, including its associated Connector Groups and App targets. This action is irreversible and will terminate all active sessions, potentially impacting user access to private applications in your network.
  1. Go to Panorama > Cloud Services > ZTNA Connector and select the Prisma Access App.
  2. Select Strata Cloud Manager to launch ZTNA Connector in Strata Cloud Manager on the hub.
  3. On Strata Cloud Manager, go to Configuration > ZTNA Connector.
  4. Select the settings icon under General Information and select Disable ZTNA Connector.
  5. Review the disablement summary on the screen, which displays affected Connectors, Connector Groups, and App targets. Select Confirm to disable ZTNA Connector.
  6. A warning message appears showing the consequences of disablement. Select Disable.
    When the process is completed, you can see the ZTNA Connector Welcome Page with an active Enable ZTNA Connector icon.