Focus

Prisma Access

Enable ZTNA Connector

Table of Contents

Filter

Expand All | Collapse All

Learn how to configure a ZTNA Connector in Prisma Access.

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama)	We recommend a minimum version of Prisma Access 5.0 to unlock the latest ZTNA Connector features. Prisma Access license includes 10 connectors, 10,000 FQDNs, and 1024 IP subnets. This functionality is provided for the purpose of trying out ZTNA Connectors in your environment. The Private App add-on license includes 200 ZTNA Connectors, 10,000 FQDNs, and 1024 IP subnet functionality.

Before you can set up ZTNA Connector, you must enable it within Prisma Access. Before you enable ZTNA Connector, do the following:

Review the ZTNA Connector Requirements and Guidelines.
Identify your Application IP and Connector IP address blocks. You must reserve a separate address pool to reserve for use within Prisma Access internally to route traffic to the connectors and private applications you’ll be onboarding. Prisma Access resolves the FQDNs of the applications you onboard to ZTNA Connector to the IP addresses in the Application IP address block. Similarly, Prisma Access uses the Connector IP address block to route traffic from the remote network or mobile user to the appropriate ZTNA Connector.
You should reserve at least a /16 subnet for the address pool. Use RFC 1918 or RFC 6598 addresses. You can specify an RFC 1918 address pool during ZTNA Connector setup instead of RFC 6598; however, you cannot change the address pool type back to RFC 6598 after you specify RFC 1918.

Enable ZTNA Connector (Strata Cloud Manager)

Learn how to configure a ZTNA Connector in Prisma Access.

Use the following workflow to enable ZTNA Connector in Cloud Managed Prisma Access.

You must define separate IP address blocks for your connectors and your applications and the blocks cannot overlap with:

Each other
The Prisma Access infrastructure subnet
The GlobalProtect IP address pool
If you are using service connections with ZTNA Connector, subnets advertised from a data center to the Prisma Access service connection using static routes or BGP

Configure the IP address blocks that Prisma Access will use internally to route traffic to the ZTNA Connector and the private apps you onboard.
- Select WorkflowsPrisma Access SetupPrisma AccessInfrastructure Settings.
- Add ZTNA Connectors Application IP Blocks.
  You can add a single Application IP Block, or multiple blocks depending on your deployment. For example, enter 100.64.10.0/24 and 100.64.11.0/24. You can also Advertise Application IP blocks to Remote Networks to provide remote network access.
- Add ZTNA Connectors Connector IP Blocks that Prisma Access will use internally to route traffic between mobile users, remote networks and the connector VMs in your data centers.
  You can add a single Connector IP Block, or multiple blocks depending on your deployment. For example, enter 100.65.10.0/24 and 100.65.11.0/24.
- Click Save to save the IP address block configuration and then Commit and push the configuration.
Launch ZTNA Connector from Strata Cloud Manager.
- Select WorkflowsZTNA Connector.
- Prisma Access begins setting up the infrastructure for the ZTNA Connector. This may take a few minutes.
- When onboarding finishes, the ZTNA Connector Overview displays.

Learn how to configure a ZTNA Connector in Prisma Access (Managed by Panorama).

Use the following workflow to enable ZTNA Connector in Prisma Access (Managed by Panorama).

You must define separate IP address blocks for your connectors and your applications and the blocks cannot overlap with:

Each other
The Prisma Access infrastructure subnet
The GlobalProtect IP address pool
If you are using service connections with ZTNA Connector, subnets advertised from a data center to the Prisma Access service connection using static routes or BGP