ZTNA Connector Server Initiated Traffic

Enabling server-initiated traffic on ZTNA Connector Groups.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • A minimum version of Prisma Access 5.0 is required to enable ZTNA Connector support.
  • The Prisma Access license includes 10 connectors, 20,000 FQDNs, and 1024 IP subnets. This functionality is provided for the purpose of trying out ZTNA Connectors in your environment.
  • The Private App add-on license includes 200 ZTNA Connectors, 20,000 FQDNs, and 1024 IP subnets.
ZTNA Connector is a critical component of the Zero Trust security offering, providing secure access to your private applications. To deliver a comprehensive and flexible security solution, the ZTNA Connector has been enhanced to support server-initiated traffic flow. Now, applications running in your data center can initiate connections to clients across the Prisma Access ® fabric.
When you enable server-initiated traffic on a ZTNA Connector Group, it establishes a bidirectional communication capability. Your data center servers can now establish TCP, UDP, and ICMP sessions to the following destinations:
  • GlobalProtect users connected to a GlobalProtect gateway
  • Remote network hosts
  • IP subnet hosts in other ZTNA Connector data centers
This functionality is essential for applications such as remote troubleshooting, device inventory and patch distribution systems, and Voice over IP (VoIP) applications. All server-initiated traffic flows are source NATed (SNAT) to the ZTNA Connector's IPSec tunnel IP address (this address comes from the /27 prefix that the connector received from the connector IP blocks), so mobile user and remote network destinations do not need private data center IP prefixes in their routing tables.
The data center router can learn the routes into the Prisma Access network through the data center connectors in two ways:
  • Static route configuration—You manually enter all the destination prefixes with ZTNA Connector IP addresses as next hops.
  • Dynamic BGP routing—The ZTNA Connector automatically advertises the destination prefixes to the data center router through a BGP peering connection.
Server-initiated traffic reduces operational complexity while maintaining network integrity.
Server-initiated traffic establishes server-to-client flows. For optimal organization and management, Palo Alto Networks recommends that client-initiated flows and server-initiated traffic flows be configured in separate ZTNA Connector Groups.
Upon receiving the flow, ZTNA Connector first performs a route check based on the configured destination prefix security rule (the union of MU Pools, RN Prefixes, and ZTNA IP Subnet targets). If permitted, the Connector then performs Source NAT (SNAT), translating the data center server's IP to the ZTNA Connector's IPSec tunnel interface IP. The SNATed traffic is then routed through the Prisma Access Fabric towards the destination endpoint. You are responsible for enforcing any necessary security policy on traffic after it exits Prisma Access. Finally, the GP User or RN Host receives the connection, with the source appearing as the ZTNA Connector's IPSec IP, and return traffic naturally follows the reverse path back to the SNAT address, maintaining path symmetry.
Prerequisites
Configure server-initiated traffic using the following steps:
  1. Go to Configuration > ZTNA Connector > Connector Groups and select the Connector Group.
  2. Select Settings and Enable Server Initiated Traffic.
  3. Configure the Destinations for server-initiated traffic:
    1. If you want to enable server-initiated connections to GlobalProtect users, select the Mobile User Pools checkbox to allow access to all mobile user pools.
    2. If you want to enable server-initiated connections to hosts on remote networks, select the Remote Network Pools checkbox and enter the specific IP subnets within the remote network to allow access.
    3. If you want to enable server-initiated connections to destinations in another ZTNA Connector group's IP subnet targets, select the ZTNA Connector Data Center checkbox, and then select the IP subnet(s) to allow access.
      Currently, there is no support for ZTNA Connector FQDN targets.
  4. Go to Routing and select the settings icon. Under Connectors with Server Initiated Traffic Enabled, select the Connector for which you want to configure the data center routing.
    1. Select the Routing Type as either Dynamic or Static:
      1. For Dynamic: add AS Number, Peer AS, Peer IP Address, and Secret, if required.
      2. For Static: configure the mobile users prefixes, remote network prefixes and ZTNA Connector prefixes at the data center router where ZTNA connectors and this group reside.
        When using static routing, you must configure every router involved to forward traffic through the connectors.
  5. Server-initiated connections generate flow logs on the ZTNA Connector and at the destination (mobile user, remote network, or the other ZTNA Connector). You can view these in the ZTNA Connector logs.
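The following added example (not Palo Alto Networks code) models the forwarding decision described above and the static-routing step: the route check against the union of Mobile User Pools, Remote Network prefixes and ZTNA IP subnet targets, SNAT to the tunnel IP taken from the connector's /27, reverse mapping of the return traffic, and the static routes the data center router would need. All prefixes, the /27 block and the connector's data center address are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the page): the three destination sets
# configured under Destinations on the Connector Group.
MOBILE_USER_POOLS = ["10.200.0.0/16"]          # Mobile User Pools
REMOTE_NETWORK_PREFIXES = ["192.168.50.0/24"]  # Remote Network Pools subnets
ZTNA_IP_SUBNET_TARGETS = ["10.30.0.0/24"]      # another group's IP subnet targets

# Constructed: the /27 this connector received from the connector IP blocks;
# its IPSec tunnel IP (the SNAT address) is taken from that block.
CONNECTOR_IP_BLOCK = ipaddress.ip_network("100.64.10.0/27")
TUNNEL_IP = str(next(CONNECTOR_IP_BLOCK.hosts()))   # "100.64.10.1"
CONNECTOR_DC_IP = "10.10.0.5"  # constructed: connector's address in the data center


def allowed_destinations(mu=MOBILE_USER_POOLS, rn=REMOTE_NETWORK_PREFIXES,
                         ztna=ZTNA_IP_SUBNET_TARGETS):
    """Union of the three destination sets; this is what the route check uses."""
    return [ipaddress.ip_network(p) for p in (*mu, *rn, *ztna)]


def forward(src, dst, nat_table, permitted=None):
    """Route check, then SNAT to the tunnel IP. Returns (forwarded, src, dst).

    nat_table maps (tunnel_ip, dst) -> original server IP, a simplified
    stand-in for the connector's NAT state (real state also keys on ports).
    """
    permitted = allowed_destinations() if permitted is None else permitted
    if not any(ipaddress.ip_address(dst) in net for net in permitted):
        return (False, src, dst)          # not a configured destination: dropped
    nat_table[(TUNNEL_IP, dst)] = src
    return (True, TUNNEL_IP, dst)         # endpoint sees the tunnel IP as source


def return_path(src, dst, nat_table):
    """Reply from the endpoint (dst == tunnel IP) is mapped back to the server."""
    return nat_table.get((dst, src))


def static_routes(next_hop=CONNECTOR_DC_IP):
    """Static routes the data center router needs: each prefix via the connector."""
    return [(str(net), next_hop) for net in allowed_destinations()]
```

A destination outside the three configured sets is dropped before NAT, which is why a GlobalProtect user or remote network host never sees the server's private address and why the data center router only needs routes for those same prefixes.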