Security Policy for Apps Enabled with ZTNA Connector
Focus
Focus
Prisma Access

Security Policy for Apps Enabled with ZTNA Connector

Table of Contents

Security Policy for Apps Enabled with ZTNA Connector

ZTNA Connector seamlessly extends your existing
Prisma Access
security policy to the applications it enables for
Prisma Access
.
Where Can I Use This?
What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • Prisma Access
    5.1.1
  • ZTNA Connector add-on license
    The Business license with the add-on license includes 8 ZTNA Connectors, 100 FQDNs, and 4 IP subnet functionality.
    The Advanced license with the add-on license includes 40 ZTNA Connectors, 300 FQDNs, and 1024 IP subnet functionality.
    The Business Premium license with the add-on license includes 200 ZTNA Connectors, 4000 FQDNs, and 1024 IP subnet functionality.
  • If you don't purchase the ZTNA Connector add-on license,
    Prisma Access
    licenses include four connectors, 40 FQDNs, and four IP subnets. This functionality is provided for the purpose of trying out ZTNA Connectors in your environment.
ZTNA Connector does not enforce policy; it seamlessly extends your existing Prisma Access security policy to the applications it enables for
Prisma Access
. This means you can use a common policy across all your applications and data centers, and you don't need to author your security policy separately for apps onboarded to ZTNA Connector.
However, as part of setting up ZTNA Connector, you do need to make sure that your security policy:
Allows traffic between
Prisma Access
and ZTNA Connector
For this, follow the ZTNA Connector Requirements and Guidelines to make sure that ZTNA Connector can connect to
Prisma Access
.
Users can access the applications behind the ZTNA Connector
To ensure your users can access ZTNA Connector apps, follow the steps here for the interface you're using to manage
Prisma Access
.

Security Policy for Apps Enabled with ZTNA Connector (
Strata Cloud Manager
)

Set up a Security policy rule that enables users to access apps behind ZTNA Connector for Cloud Managed Prisma Access deployments and Strata Cloud Manager.
After you onboard apps to ZTNA Connector, you should set up policy rules to allow and control access for those apps. The procedure to create and apply policy differs on whether your apps are defined by wildcards, IP Subnets, or FQDNs.

Security Policy for Wildcard-Based Apps

Wilcard-based apps ( (
Settings
ZTNA Connector
Application Targets
Wildcard Targets
) require that you create a custom URL category; however, that type of category only enforces policy for HTTP and HTTPS traffic, and other traffic (such as SSH) isn't allowed. For this reason, you need to temporarily allow access to all apps by allowing traffic to the ZTNA Connector Application IP blocks.
After ZTNA Connector learns the FQDNs that are based on the wildcards, you can disable the policy that allows Application IP Block traffic and apply policy enforcement based on the learned FQDNs.
  1. Create a Custom URL category and add the wildcard URLs to the category.
    1. Go to
      Manage
      Configuration
      Security Services
      URL Access Management
      Access Control
      .
      If you're using Strata Cloud Manager, go to
      Manage
      Configuration
      NGFW and Prisma Access
      Security Services
      URL Access Management
      .
    2. Under Custom URL categories,
      Add Category
      .
    3. Give a descriptive
      Name
      for the custom URL category and select a
      Type
      of
      URL List
      .
    4. Add the wildcard URLs you created in ZTNA Connector to the
      Items
      .
    5. Save
      your changes.
  2. Create a URL access Management Profile and add the custom URL category you created to it.
    1. While still in the
      URL Access Management
      area, select
      URL Access Management Profiles
      .
    2. Select an existing profile to modify or
      Add Profile
      .
    3. Add the Custom URL category you created to the profile.
    4. Select the following parameters:
      • Site Access
        : Allow
      • User Credential Submission
        : Allow
    5. Save
      your changes.
  3. Create a profile group and attach the URL Access Management Profile to the group.
    1. Go to
      Manage
      Configuration
      Security Services
      Profile Groups
      .
      If you're using Strata Cloud Manager, go to
      Configuration
      NGFW and Prisma Access
      Security Services
      Profile Groups
      .
    2. Add
      a profile group, specifying the URL Access Management Profile you created.
  4. Create a policy to allow the profile group and the IP addresses for the ZTNA Connector Application IP Blocks.
    1. Go to
      Manage
      Service Setup
      Shared
      Prisma Access Setup
      Infrastructure Settings
      and make a note of the
      Application IP Blocks
      under ZTNA Connector IPs.
      If you're using Strata Cloud Manager, go to
      Workflows
      Prisma Access Setup
      Prisma Access
      Prisma Access Setup
      and make a note of the
      Application IP Blocks
      under ZTNA Connector IPs.
    2. Go to
      Manage
      Configuration
      Objects
      Address
      Addresses
      and
      Add
      address objects based on the IP addresses you retrieved.
      If you're using Strata Cloud Manager, go to
      Manage
      Configuration
      NGFW and Prisma Access
      Objects
      Address
      Addresses
      and
      Add
      address objects based on the IP addresses you retrieved.
      If you have IP Subnet-based apps, create address objects for those subnets as well.
    3. Go To
      Manage
      Configuration
      Objects
      Address
      Address Groups
      and
      Add
      the address objects you created to an address group.
      If you're using Strata Cloud Manager, to go
      Manage
      Configuration
      NGFW and Prisma Access
      Objects
      Address
      Address Groups
      and
      Add
      the addresses you created to the address groups.
    4. Go to
      Manage
      Configuration
      NGFW and Prisma Access
      Security Services
      Security Policy
      Pre Rules
      and
      Add
      a Security policy to allow access to all application IP address blocks, specifying the
      Address Group
      and
      Profile Group
      you created in an earlier step.
      If you're using Strata Cloud Manager, go to
      Manage
      Configuration
      NGFW and Prisma Access
      Security Services
      Security Policy
      Pre Rules
      and
      Add
      a Security policy to allow access to all application IP address blocks, specifying the
      Address Group
      and
      Profile Group
      you created in an earlier step.
      Adding this Security policy allows all traffic from wildcard-based app traffic to be passed while ZTNA Connector discovers the apps based on wildcards. Without the rule to allow the Application IP Blocks, users can't access wildcard-based apps.
      You can leave this policy in place until ZTNA Connector discovers the wildcard-based apps. Then, you can choose to disable this policy and add Security policy rules for each of the discovered apps.
  5. After ZTNA Connector has discovered the apps based on wildcards, configure a Security policy for the apps that you added using FQDNs.
    1. Go to
      Settings
      ZTNA Connector
      Connectors
      Application Targets
      FQDN Targets
      and make a note of the FQDNs used by the apps.
      If you're using Strata Cloud Manager, go to
      Workflows
      ZTNA Connector
      Application Targets
      FQDN Targets
      and make a note of the FQDNs used by the apps.
    2. Create an Address object for the FQDN (
      Manage
      Configuration
      Objects
      Address Objects
      ).
      If you're using Strata Cloud Manager, go to
      Manage
      Configuration
      NGFW and Prisma Access
      Objects
      Address
      Addresses
      .
      Select the
      Prisma Access
      configuration scope.
    3. Add
      an address object with the
      Type
      of
      FQDN: Domain Name
      and enter the
      FQDN
      of the discovered application.
      Enter the FQDNs for the FQDN targets.
    4. Go to
      Manage
      Configuration
      NGFW and Prisma Access
      Security Services
      Security Policy
      Pre Rules
      and
      Add
      a Security policy to allow access to the discovered apps.
      If you're using Strata Cloud Manager, go to
      Manage
      Configuration
      NGFW and Prisma Access
      Security Services
      Security Policy
      Pre Rules
      and
      Add
      a Security policy to allow access to the discovered apps.
  6. Push Config
    to save and push your configuration changes.
  7. (
    Optional
    ) After you have created the Security policy based on FQDNs, remove the policy based on the IP application blocks.

Security Policy for IP Subnet-Based Apps

If you created ZTNA Connector application targets based on IP subnets (
Settings
ZTNA Connector
Connectors
Application Targets
IP Subnets
), complete the following steps to allow access to the apps.
  1. Go to
    Settings
    ZTNA Connector
    Connectors
    Application Targets
    IP Subnets
    and make a note of the IP subnets used by the apps.
    If you're using Strata Cloud Manager, go to
    Workflows
    ZTNA Connector
    Application Targets
    IP Subnets
    and make a note of the IP subnets used by the apps.
  2. Create a policy to allow the IP addresses for the IP subnets used for the apps.
    1. Go To
      Manage
      Configuration
      Objects
      Address
      Addresses
      and
      Add
      address objects based on the IP addresses you retrieved.
      If you're using Strata Cloud Manager, go to
      Manage
      Configuration
      NGFW and Prisma Access
      Objects
      Address
      Addresses
      and
      Add
      address objects based on the IP addresses you retrieved.
    2. Go To
      Manage
      Configuration
      Objects
      Address
      Address Groups
      and
      Add
      the addresses you created to the address groups.
      If you're using Strata Cloud Manager, to go
      Manage
      Configuration
      NGFW and Prisma Access
      Objects
      Address
      Address Groups
      and
      Add
      the addresses you created to the address groups.
    3. Go to
      Manage
      Configuration
      NGFW and Prisma Access
      Security Services
      Security Policy
      Pre Rules
      and
      Add
      a Security policy to allow access to the IP subnets for the apps, specifying the
      Addresses
      you created in an earlier step.
      If you're using Strata Cloud Manager, go to
      Manage
      Configuration
      NGFW and Prisma Access
      Security Services
      Security Policy
      Pre Rules
      and
      Add
      a Security policy to allow access to the IP subnets for the apps to
      Destination
      addresses, specifying the
      Addresses
      you created in an earlier step.
  3. Push Config
    to save and push your configuration changes.

Security Policy for FQDN-Based Apps

If you have added targets based on FQDNs (
Settings
ZTNA Connector
Connectors
Application Targets
FQDN Targets
), create an address object and a Security policy to allow access to the apps by completing the following steps.
  1. Configure a Security policy for the apps that you added using FQDNs.
    1. Go to
      Settings
      ZTNA Connector
      Connectors
      Application Targets
      FQDN Targets
      and make a note of the FQDNs used by the apps.
      If you're using Strata Cloud Manager, go to
      Workflows
      ZTNA Connector
      Application Targets
      FQDN Targets
      and make a note of the FQDNs used by the apps.
    2. Create an Address object for the FQDN (
      Manage
      Configuration
      Objects
      Address Objects
      ).
      If you're using Strata Cloud Manager, go to
      Manage
      Configuration
      NGFW and Prisma Access
      Objects
      Address
      Addresses
      .
      Select the
      Prisma Access
      configuration scope.
    3. Add
      an address object with the
      Type
      of
      FQDN: Domain Name
      and enter the
      FQDN
      of the discovered application.
      Enter the FQDNs for all discovered apps.
    4. Optional
      Go to
      Manage
      Configuration
      NGFW and Prisma Access
      Security Services
      Security Policy
      Pre Rules
      and
      Add
      a Security policy to allow access to the discovered apps.
      If you're using Strata Cloud Manager, go to
      Manage
      Configuration
      NGFW and Prisma Access
      Security Services
      Security Policy
      Pre Rules
      and
      Add
      a Security policy to allow access to the discovered apps.
  2. Push Config
    to save and push your configuration changes.

Security Policy for Apps Enabled with ZTNA Connector (
Panorama
)

Set up a Security policy rule that enables users to access apps behind ZTNA Connector for Panorama Managed Prisma Access deployments.
After you onboard apps to ZTNA Connector, you should set up policy rules to allow and control access for those apps. The procedure to create and apply policy differs on whether your apps are defined by wildcards, IP Subnets, or FQDNs.

Security Policy for Wildcard-Based Apps

Wilcard-based apps ( (
Settings
ZTNA Connector
Application Targets
Wildcard Targets
) require that you create a custom URL category; however, that type of category only enforces policy for HTTP and HTTPS traffic, and other traffic (such as SSH) isn't allowed. For this reason, you need to temporarily allow access to all apps by allowing traffic to the ZTNA Connector Application IP blocks.
After ZTNA Connector learns the FQDNs that are based on the wildcards, you can disable the policy that allows Application IP Block traffic and apply policy enforcement based on the learned FQDNs.
  1. Create a policy to allow the IP addresses for the ZTNA Connector Application IP Blocks.
    1. From the ZTNA Connector UI, go to
      Manage
      Service Setup
      Shared
      Prisma Access Setup
      Infrastructure Settings
      and make a note of the
      Application IP Blocks
      under ZTNA Connector IPs.
      If you're using Strata Cloud Manager, go to
      Workflows
      Prisma Access Setup
      Prisma Access
      Prisma Access Setup
      and make a note of the
      Application IP Blocks
      under ZTNA Connector IPs.
    2. Go to
      Objects
      Addresses
      and
      Add
      address objects based on the IP addresses you retrieved.
    3. Go To
      Objects
      Address Groups
      and
      Add
      the address objects you created to an address group.
    4. Go to
      Policies
      Security
      Pre Rules
      and
      Add
      a Security policy to allow access to all application IP address blocks, specifying the
      Address Group
      you created in an earlier step.
      Adding this Security policy allows all traffic from wildcard-based app traffic to be passed while ZTNA Connector discovers the apps based on wildcards. Without the rule to allow the Application IP Blocks, users can't access wildcard-based apps.
      You can leave this policy in place until ZTNA Connector discovers the wildcard-based apps. Then, you can choose to disable this policy and add Security policy rules for each of the discovered apps.
  2. After ZTNA Connector has discovered the apps based on wildcards, configure a Security policy for the apps that you added using FQDNs.
    1. Go to
      Settings
      ZTNA Connector
      Connectors
      Application Targets
      FQDN Targets
      and make a note of the FQDNs used by the apps.
      If you're using Strata Cloud Manager, go to
      Workflows
      ZTNA Connector
      Application Targets
      FQDN Targets
      and make a note of the FQDNs used by the apps.
    2. Create an Address object for the FQDN (
      Objects
      Addresses
      ).
      Select either the
      Mobile_User_Device_Group
      or the
      Remote_Network_Device_Group
      , depending on whether mobile users or users at branch sites will be accessing the private apps behind ZTNA Connector.
    3. Add
      an address object with the
      Type
      of
      FQDN
      and enter the
      FQDN
      of the discovered application.
      Enter the FQDNs for the FQDN targets.
    4. Go to
      Policies
      Security
      Pre Rules
      and
      Add
      a Security policy to allow access to the discovered apps.
  3. Commit and Push
    your changes.
  4. (
    Optional
    ) After you have created the Security policy based on FQDNs, remove the policy based on the IP application blocks.

Security Policy for IP Subnet-Based Apps

If you created ZTNA Connector application targets based on IP subnets (
Settings
ZTNA Connector
Connectors
Application Targets
IP Subnets
), complete the following steps to allow access to the apps.
  1. Go to
    Settings
    ZTNA Connector
    Connectors
    Application Targets
    IP Subnets
    and make a note of the IP subnets used by the apps.
    If you're using Strata Cloud Manager, go to
    Workflows
    ZTNA Connector
    Application Targets
    IP Subnets
    and make a note of the IP subnets used by the apps.
  2. Create a policy to allow the IP addresses for the IP subnets used for the apps.
    1. Go To
      Objects
      Addresses
      and
      Add
      address objects based on the IP addresses you retrieved.
      If you're using Strata Cloud Manager, go to
      Manage
      Configuration
      NGFW and Prisma Access
      Objects
      Address
      Addresses
      and
      Add
      address objects based on the IP addresses you retrieved.
    2. Go To
      Objects
      Address Groups
      and
      Add
      the addresses you created to the address groups.
    3. Go to
      Policies
      Security
      Pre Rules
      and
      Add
      a Security policy to allow access to the IP subnets for the apps, specifying the
      Addresses
      you created in an earlier step.
  3. Push Config
    to save and push your configuration changes.

Security Policy for FQDN-Based Apps

If you have added targets based on FQDNs (
Settings
ZTNA Connector
Connectors
Application Targets
FQDN Targets
), create an address object and a Security policy to allow access to the apps by completing the following steps.
  1. Configure a Security policy for the apps that you added using FQDNs.
    1. Go to
      Settings
      ZTNA Connector
      Connectors
      Application Targets
      FQDN Targets
      and make a note of the FQDNs used by the apps.
      If you're using Strata Cloud Manager, go to
      Workflows
      ZTNA Connector
      Application Targets
      FQDN Targets
      and make a note of the FQDNs used by the apps.
    2. Create an Address object for the FQDN (
      Objects
      Addresses
      ).
      Select either the
      Mobile_User_Device_Group
      or the
      Remote_Network_Device_Group
      , depending on whether mobile users or users at branch sites will be accessing the private apps behind ZTNA Connector.
    3. Add
      an address object with the
      Type
      of
      FQDN
      and enter the
      FQDN
      of the discovered application.
      Enter the FQDNs for all discovered apps.
    4. Optional
      Go to
      Manage
      Configuration
      NGFW and Prisma Access
      Security Services
      Security Policy
      Pre Rules
      and
      Add
      a Security policy to allow access to the discovered apps.
      If you're using Strata Cloud Manager, go to
      Manage
      Configuration
      NGFW and Prisma Access
      Security Services
      Security Policy
      Pre Rules
      and
      Add
      a Security policy to allow access to the discovered apps.
  2. Push Config
    to save and push your configuration changes.

Recommended For You