ZTNA Connector Requirements and Guidelines
Focus
Focus
Prisma Access

ZTNA Connector Requirements and Guidelines

Table of Contents

ZTNA Connector Requirements and Guidelines

Learn about the requirements and guidelines for using ZTNA Connector.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • Prisma Access 5.2.0
  • ZTNA Connector add-on license
    The Essential license with the add-on license includes 8 ZTNA Connectors, 100 FQDNs, and 4 IP subnet functionality.
    The Advanced license with the add-on license includes 40 ZTNA Connectors, 300 FQDNs, and 1024 IP subnet functionality.
    The Premium license with the add-on license includes 200 ZTNA Connectors, 4000 FQDNs, and 1024 IP subnet functionality.
  • If you don't purchase the ZTNA Connector add-on license, Prisma Access licenses include four connectors, 40 FQDNs, and four IP subnets. This functionality is provided for the purpose of trying out ZTNA Connectors in your environment.
Before you start setting up ZTNA Connector, be sure that you understand the Connector requirements and limits, as well as the guidelines you should follow when deploying it.

Supported Prisma Access Versions and Requirements

  • Prisma Access 4.0 version with a compatible SaaS Agent.
    Upgrade any Prisma Access release earlier than 4.0, including any Innovation releases, to a minimum version of 4.0.
    A minimum Prisma Access version of 5.0 is required if you want to use FQDN wildcards or IP Subnets to access apps. In addition, Prisma Access 5.0 unlocks the use of the Dump Overview, Packet Capture, and Tech Support diagnostic tools.
  • You must upgrade your connector versions to a minimum of 6-2-2-ztna-connector-b1 to use 5.0 functionality.
  • For Prisma Access (Managed by Panorama), upgrade the Cloud Services plugin version to a minimum version of 4.0. Upgrade to 5.0 to unlock the latest features.

App Support

ZTNA Connector provides access to all of your private app traffic, with the following exceptions:
  • ZTNA Connector does not support the following:
    • Traffic originating from the data center (such as SCCM or remote help desk traffic).
    • User-ID redistribution.
    • Applications that perform port hopping (such as VoIP or Active Mode FTP).
    • Application-level gateway (ALG) apps such as Active Mode FTP and SIP.
    • Windows-integrated authentication for applications (such as NTLM or Kerberos) are only supported if you onboard the data center domain controllers and resources as IP subnets. SAML, OAuth, and LDAP are supported.
    • Communication between apps behind a service connection and apps behind a ZTNA connector.
      For example, you host a Windows Active Directory (AD) server behind a service connection (since AD servers are not supported behind a ZTNA Connector), and host an FTP (Filezilla) server behind a ZTNA Connector. If the FTP server requires authentication to the Windows AD server, authentication fails, because you can't use Prisma Access as a backbone between the Service Connection Corporate Access Node (SC-CAN) and the ZTNA-Connector Tunnel Terminator (ZTT).

Feature and Functionality Restrictions

Keep in mind the following restrictions when setting up and configuring a ZTNA Connector deployment:
  • Don't use special characters, including < > ! @ # $ % ^ & and Chinese, Japanese, or Korean characters, in ZTNA object names.
  • The following functionalities are not supported with the default Prisma Access deployment; reach out to your Palo Alto Networks team to activate them:
  • Connector Group Guidelines—When adding connector groups, use the following recommendations:
    • All apps in a single connector group should use the same DNS server for DNS resolution.
    • If you're accessing apps from a data center or headquarters location, all apps in the connector group should be from the same data center or headquarters location.
    • Don't add connectors in two or more regions in a single connector group. All connectors in a connector group should be in the same region.
    • Starting with Prisma Access 5.01, you can specify up to a four connector groups per FQDN target or wildcard target (release 5.0 and earlier support a single connector group per FQDN target or wildcard target). Be sure that, when you assign connector groups per FQDN target or wildcard target, you don't assign the same app to more than four connectors per region.
      For example, you have assigned the same app (either an FQDN target or a wildcard target) to four connector groups, each group has a single connector, and all connectors are in the same region. This configuration is acceptable because you're not assigning more than four connectors per app in a single region.
      However, if you assign the same app (either an FQDN target or a wildcard target) to three connector groups, each group has two connectors, and all connectors are in the same region, that is an invalid configuration, because you're assigning six connectors to the same app in a single region.
  • Some ZTNA Connectors such as AWS-based connectors or Azure-based connectors support autoscaling, where AWS or Azure monitors network bandwidth utilization on the connectors and automatically adjusts capacity to maintain app performance. When network bandwidth utilization on connectors drop, AWS or Azure triggers auto scale-in. If scale-in occurs in a ZTNA connector, existing long-lived sessions handled by the ZTNA connector marked for scale-in are terminated prematurely. This does not impact new traffic sessions initiated after scale-in. For long-lived sessions, such as SSH or RDP, ZTNA Connector terminates the session during scale-in, and you must reconnect that session.

Scale and Throughput Considerations

ZTNA Connector supports the following maximum values:
  • 4,096 applications per tenant across all connector groups
  • 200 Connectors per tenant
  • 512 applications per Connector Group
  • 4 connectors per Connector Group
  • 200,000 concurrent sessions per Connector
    Each Connector can support 200,000 concurrent connections. A Connector Group can have a maximum of 4 connectors for up to 800,000 concurrent connections per Connector Group.
  • 26 compute regions
  • 1 Gbps throughput per connector, with a maximum of 10 Gbps per Prisma Access compute location

Supported Application Hosting Environments

You can deploy your ZTNA Connector VMs in the following data center environments with the specified minimum requirements:
Cloud ProviderInstance SizeCPU SizeMemory SizeDisk Size
Amazon AWSm5.xlarge per region4 vCPUs16 GB40 GB
Google Cloud Platform (GCP)n2-standard-4 per region4 vCPUs16 GB40 GB
Microsoft AzureStandard_D4_v3 per region4 vCPUs16 GB40 GB
KVMUses qcow image4 vCPUs16 GB40 GB
Hyper-VUses vhd image4 vCPUs8 GB memory per VM40 GB
VMware ESXiUses OVA image. Deployment is supported on vSphere and directly on ESXi Hosts 4 vCPUs per VM8 GB memory per VM40 GB disk (Thick Provisioned)
For VMware ESXi, vMotion, VM snapshots, or migrations are not supported for Connector VMs.
For KVM, Live Migrations and snapshots are not supported on Connector VMs.
It is your responsibility to host the VMs and ensure that they can connect to the internet.
AWS, GCP, and Azure have ZTNA Connectors you can acquire in their respective Marketplaces. You can download the VMware ESXi Open Virtualization Application (OVA) file and the KVM qcow file from the Palo Alto Customer Support Portal.

Network Requirements

The following networking requirements enable connectivity between ZTNA Connector and Prisma Access:
  • After you enable ZTNA Connector, Prisma Access sets up a DNS proxy for DNS requests, using the DNS rules set up for Remote Networks and Mobile Users—GlobalProtect.
  • UDP payload size, including headers, should not exceed an MTU size of 1,300 bytes on the path to the ZTNA application server. Palo Alto Networks recommends keeping packets at or below this MTU size.
  • Allow outbound UDP port 4500 and UDP 500 from the WAN interface (port 1) IP address for IPSec and IKE connectivity to the ZTNA Tunnel Terminator (ZTT). If you want to limit enabling an outbound UDP port 500 and 4500 connection to a single IP address, enable it for the PA Service IP address (under WorkflowsZTNA ConnectorConnectors) of the ZTNA Connector.
  • If ZTNA Connector uses a public IP address for its internet interface, you must allow a IP/50 Encapsulating Security Payload (ESP).
  • Allow outbound TCP port 443 from the WAN interface (port 1) IP address HTTPS connectivity to the ZTNA Connector Controllers.
  • ZTNA Connector autoconfigures both the Prisma Access ZTT side of the IPSec tunnel and the ZTNA Connector side. The algorithms configured for DH Group/Encryption/Hash for both IKE and ESP are: ecp384/aes256/sha512.
  • Don't terminate the IPSec tunnel that ZTNA Connector creates and uses to access the private apps.
  • (Mobile Users—GlobalProtect deployments only) When you first onboard an application in ZTNA Connector, you must refresh the GlobalProtect app so mobile users receive the updated DNS server configuration. If you removed an application from ZTNA Connector, you must refresh the GlobalProtect app so mobile users can receive the updated DNS server configuration.
  • If there is a firewall between the ZTNA Connector and the private app, the firewall must allow access to the app from the ZTNA Connector (that is, you must allow access to the app server's resolved IP addresses, protocols, and ports for the private app).
    In addition, you need to allow the protocol (either TCP or ICMP) you configured for the application target health probes to the app. The connector application probes the app server to determine if it can provide access to the app, and you can configure the Probing Type for the Application Target to be tcp ping, icmp ping, or none (no probing). If you specify tcp ping, the firewall must allow TCP access to the app; if you specify icmp ping, the firewall must allow ICMP echo request and reply for the app.
  • Be sure that you allow ICMP in your data center before using the ping and traceroute diagnostic tools. Some cloud environments have ICMP disallowed for security concerns; in this case, these tools don't display any activity.
    The traceroute diagnostic tool also uses random UDP ports, so you must allow all UDP and ICMP error replies for the traceroute tool to function.
  • Make sure you have configured DNS entries on the local interfaces to allow ZTNA Connector to resolve the app FQDNs, and that ZTNA Connector and access the DNS server at UDP port 53 (the port used for DNS resolution).
    Starting with Prisma Access 5.0, for Connector groups having a 5.0 or later ZTNA Connector version, if an application FQDN resolves to multiple private IP addresses, the ZTNA Connector performs an application probe to determine the status of all resolved IP addresses and load balances the FQDN access to multiple resolved IP addresses that have an application status of Up.
  • If you use RFC 6598 shared addresses within your network, you must specify blocks of IP addresses that ZTNA Connector can use for routing between Prisma Access and your connectors and between Prisma Access and your private apps.
  • If you need to restrict the list of IP addresses and FQDNs that can be added to your organization's allow lists, add the ones listed in IP Addresses and FQDNs to Allow for ZTNA Connector.
    For example, if you're setting up a ZTNA Connector in the United States, add the following URLs to your organization's allow lists:
    • https://controller.cgnx.net
    • https://locator.cgnx.net
    • https://controller.hood.cgnx.net
    • https://vmfg.hood.cgnx.net
    • https://sdwan-stats-hood-us.cgnx.net
    • time.nist.gov (for NTP)
    DNS resolution of the previous FQDNs must be limited to IPv4 resolution. ZTNA Connector does not support establishing connection to the controller FQDNs using IPv6.
  • Disable the SSL decryption for sessions to the Controllers.

IP Addresses and FQDNs to Allow for ZTNA Connector

To ensure smooth functioning of ZTNA Connector, add the following URLs and IP addresses to your allow lists.
Service NamePortDirectionSource Interface Internet ProtocolDestination and IP Addresses
ZTNA Connector access to Prisma Access443Outbound
ZTNA Connector WAN port
https://controller.cgnx.net
Address: 52.8.93.87
Address: 52.8.25.40
https://locator.cgnx.net
Address: 13.56.217.238
Address: 13.56.201.169
hood:
52.40.98.31
34.218.98.185
sugarloaf:
18.200.102.82
18.200.135.33
faber:
18.139.242.53
54.255.61.109
https://vmfg.cgnx.net
Address: 52.53.122.104
Address: 52.53.102.7
https://controller.elcapitan.cgnx.net
Address: 52.8.93.87
Address: 52.8.25.40
https://vmfg.elcapitan.cgnx.net
Address: 52.53.122.104
Address: 52.53.102.7
https://controller.hood.cgnx.net
Address: 52.32.167.5
Address: 54.70.168.33
https://vmfg.hood.cgnx.net
Address: 50.112.136.184
Address: 34.210.34.87
https://controller.sugarloaf.cgnx.net
Address: 108.128.176.192
Address: 18.200.144.58
https://vmfg.sugarloaf.cgnx.net
Address: 99.81.179.99
Address: 99.80.52.255
https://sdwan-stats-hood-us.cgnx.net
https://sdwan-stats-elcapitan-us.cgnx.net
https://sdwan-stats-hood-jp.cgnx.net
https://sdwan-stats-elcapitan-jp.cgnx.net
https://sdwan-stats-hood-sg.cgnx.net
https://sdwan-stats-elcapitan-sg.cgnx.net
https://sdwan-stats-hood-au.cgnx.net
https://sdwan-stats-elcapitan-au.cgnx.net
https://sdwan-stats-hood-in.cgnx.net
https://sdwan-stats-elcapitan-in.cgnx.net
https://sdwan-stats-hood-ca.cgnx.net
https://sdwan-stats-elcapitan-ca.cgnx.net
https://sdwan-stats-sugarloaf-eu.cgnx.net
https://sdwan-stats-sugarloaf-de.cgnx.net
https://sdwan-stats-sugarloaf-uk.cgnx.net
https://controller.bowfell.cgnx.net
Address: 13.41.243.90
Address: 18.171.17.23
https://vmfg.bowfell.cgnx.net
Address: 52.56.35.36
Address: 52.56.224.242
https://controller.faber.cgnx.net
Address: 52.74.47.220
Address: 13.251.109.27
https://vmfg.faber.cgnx.net
Address: 18.142.153.59
Address: 52.74.58.219
h
ttps://controller.townsend.cgnx.net
Address: 13.55.31.41
Address: 3.106.168.215
https://vmfg.townsend.cgnx.net
Address: 52.64.177.240
Address: 13.55.164.51
https://sdwan-stats-faber-sg.cgnx.net
https://sdwan-stats-bowfell-uk.cgnx.net
https://sdwan-stats-townsend-au.cgnx.net
NTP123Outbound
ZTNA Connector WAN and LAN ports
time.nist.gov
DNS53Outbound
ZTNA Connector WAN and LAN ports
Customer or Provider DNS servers