Preserve User-ID Mapping for ZTNA Connector Connections with Source NAT
Learn how to preserve the User-ID mapping for GlobalProtect users who are accessing apps behind a data center with ZTNA Connector.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access 5.1.1
You can use ZTNA Connector in Prisma Access to secure private applications. To limit access to the applications based on User-ID, you can deploy a Next-Generation Firewall (NGFW) in the data center or headquarters location where the private applications are located; then, configure policy rules on the NGFW based on User-ID mapping.
If your deployment uses a Next-Generation Firewall (NGFW) in the data center or headquarters location where the private applications are located, and ZTNA Connector performs the source NAT, the NGFW can't retrieve the User-ID mapping. Source NAT on ZTNA Connector prevents the NGFW from learning the client IP address, which is essential for the mapping. Without this client IP address, the NGFW can't enforce the zone-based Security policy rules you have created on it based on User-ID mapping.
The ZTNA Connector has the following responsibilities to enable User-ID within the NGFW secured data center:
  1. Provide a secure connection from the NGFW to the regional ZTNA Connector Tunnel Terminators (ZTTs) so that the NGFW can connect to its User-ID redistribution agent.
  2. For FQDN applications with the health probe set to tcpping, probe the data center applications to determine whether each application is up and reachable from this individual connector.
  3. Encapsulate the post-NAT (data center address space) user-to-app IP packets within a Geneve packet that carries the original source IP address as a Geneve option.
The following diagram illustrates the network elements that provide the source IP address to User-ID mapping to the NGFW and deliver Generic Network Virtualization Encapsulation (Geneve) encapsulated data packets, including the original source IP address option, to the NGFW. These elements enable the NGFW to effectively enforce security policy rules based on User-ID.
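To make the encapsulation concrete, the following Python is an added illustration (not code from this Palo Alto Networks documentation or from ZTNA Connector): it parses an RFC 8926 Geneve header, walks the TLV options, and recovers the original (pre-NAT) client address from an option, alongside the post-NAT source that the inner IP header shows. The option class and type values are hypothetical placeholders, since the page does not document the ones ZTNA Connector uses, and the sample packet is constructed inline.

```python
import ipaddress
import struct
# Hypothetical option class/type for the pre-NAT source IP option; the values
# ZTNA Connector actually uses are not given on this page.
PRE_NAT_SRC_CLASS = 0xFFFF
PRE_NAT_SRC_TYPE = 0x01

def parse_geneve(frame: bytes) -> dict:
    """Parse an RFC 8926 Geneve header: base fields, TLV options, inner payload."""
    if len(frame) < 8:
        raise ValueError("truncated Geneve header")
    first, proto, vni_rsvd = struct.unpack("!HHI", frame[:8])
    ver, opt_len = first >> 14, ((first >> 8) & 0x3F) * 4  # Opt Len is in 4-byte units
    if ver != 0 or len(frame) < 8 + opt_len:
        raise ValueError("unsupported version or truncated options")
    options, off, end = [], 8, 8 + opt_len
    while off < end:
        cls, typ, flen = struct.unpack("!HBB", frame[off:off + 4])
        dlen = (flen & 0x1F) * 4              # option data length, 4-byte units
        if off + 4 + dlen > end:
            raise ValueError("option overruns option block")
        options.append((cls, typ, frame[off + 4:off + 4 + dlen]))
        off += 4 + dlen
    return {"vni": vni_rsvd >> 8, "proto": proto, "oam": bool(first & 0x80),
            "critical": bool(first & 0x40), "options": options, "payload": frame[end:]}

def pre_nat_source(frame: bytes):
    """Original (pre-NAT) client IP carried in the Geneve option, or None if absent."""
    for cls, typ, data in parse_geneve(frame)["options"]:
        if (cls, typ, len(data)) == (PRE_NAT_SRC_CLASS, PRE_NAT_SRC_TYPE, 4):
            return ipaddress.IPv4Address(data)
    return None

def inner_source(frame: bytes):
    """Post-NAT source IP from the encapsulated IPv4 header (what the NGFW would otherwise see)."""
    return ipaddress.IPv4Address(parse_geneve(frame)["payload"][12:16])

def build_geneve(vni: int, proto: int, options, payload: bytes) -> bytes:
    """Build a Geneve frame; used here only to construct the sample packet below."""
    opts = b"".join(struct.pack("!HBB", c, t, len(d) // 4) + d for c, t, d in options)
    return struct.pack("!HHI", (len(opts) // 4) << 8, proto, vni << 8) + opts + payload

# Constructed sample: inner IPv4 header only, NATted source 10.20.0.7 -> app 10.20.1.50,
# with the user's original GlobalProtect-assigned address 100.64.5.9 in the option.
INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                    ipaddress.IPv4Address("10.20.0.7").packed,
                    ipaddress.IPv4Address("10.20.1.50").packed)
SAMPLE = build_geneve(0x1234, 0x0800, [(PRE_NAT_SRC_CLASS, PRE_NAT_SRC_TYPE,
                      ipaddress.IPv4Address("100.64.5.9").packed)], INNER)
```

Without the option, `pre_nat_source` returns None, which is exactly the situation the NGFW is in when it sees only the NATted inner header.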
Restrictions:
  • User-ID support with ZTNA Connector is only available with the following versions and later:
    • Prisma Access dataplane: 10.2.4 and later
    • Saas_agent: 5.1.0 and later
    • NGFW version: 11.2.0 and later
    • Connector version: 6.2.4-ztna-connector-b3 and later
  • ICMP probing isn't supported for FQDN targets that are attached to User-ID based connector groups.
  • NGFW service route configuration for a UID agent only supports interfaces with static IP addresses. If the NGFW interface is configured in dynamic mode (IP address assignment through DHCP), the User-ID channel from the NGFW to the ZTT can't be established, so ZTNA Connector User-ID isn't supported on that interface. To resolve this issue, assign a static IP address to the NGFW interface used for the UID agent.
  • Diagnostic tools like ping and traceroute are not supported for User-ID based connectors.
This procedure assumes that you have the following network configurations in place:
  • You have deployed an NGFW at the headquarters or data center where the private apps are located.
  • You have applied security policy rules on the NGFW based on the zones (untrusted zone and trusted zone) you have created in the NGFW. These security policy rules include the User-ID enforcement.
To make sure that your network distributes the User-ID mapping to the headquarters or data center, complete the procedure listed below, which allows the NGFW to enforce the security policy rules based on the User-ID mapping it learns from GlobalProtect.
  1. Create a Connector Group, enable Preserve User ID, and add the Connectors.
  2. Go to Connector and make a note of the User ID Redistribution Agent IP and User ID Port Range for your connector. You need these IP addresses and port ranges to configure User-ID Redistribution agents on the NGFW.
     Also, go to Connector Groups and make a note of the Anycast IP. This IP address is required to configure NGFW security policy rules to allow TCP application probing from this source IP address.
  3. Enter Pre-NAT Identification parameters on the NGFW.
    1. Log in to the NGFW UI, go to Network > Zones, and Add two zones (one for the interface connecting to the ZTNA Connector and one for the interface connecting to the application server), or select existing ones.
      1. Select the following Pre-NAT Identification parameters for the zone with the interface connecting to the ZTNA Connector:
        • User-ID—Preserves the mobile user's User-ID mapping as it existed before the IP addresses were NATted. Enable this if you're using User-ID in the security policy rules.
        • Source Lookup—Enables you to match the original source IP address received from GlobalProtect.
      2. For the zone of the interface connecting to the application server, you don't have to select any Pre-NAT Identification parameters.
      3. Click OK and Commit your changes.
    2. Add the IP addresses to the interfaces.
      1. Go to Network > Interfaces > Ethernet.
      2. Select the interfaces that connect to the ZTNA Connector and to the application server, and configure them. Add the Interface name, and set the Interface type to Layer 3.
      3. For the Ethernet interface connected to the application server, deselect the Automatically create default route pointing to default gateway provided by server check box.
    3. Go to Interfaces and add the static IP addresses to the interfaces. Add the ZTNA Connector facing interface to the ZTNA Connector zone (Geneve) and the application server facing interface to the application server zone (Data Center).
  4. Open a command-line interface (CLI) session to the NGFW and enter the following command in configuration mode:
     set deviceconfig setting preserve-prenat-feature yes
     If you need to disable this feature in the future, enter:
     set deviceconfig setting preserve-prenat-feature no
  5. When setting up User-ID redistribution, you must add a redistribution agent entry for each port within the User ID Port Range noted in step 3. For example, if the range is 55050-55055, you have to configure 6 entries, aligning with the number of ZTNA Connector regions you have deployed.
     For each port in the range, select one IP address from User ID Redistribution Agent IP in step 3 for the Host field. If you want redundancy at the ZTNA Connector level, you can choose two addresses from User ID Redistribution Agent IP and apply the full port range to both IP addresses. Alternatively, you can configure all the ports on all the IP addresses in User ID Redistribution Agent IP.
     Add a redistribution agent for each of the ports in the User ID Port Range with one or more of the addresses in User ID Redistribution Agent IP.
    1. On the NGFW UI, go to Device and then select Data Redistribution.
    2. Click Add, add the Name, and select the Enabled check box.
    3. Select Host and Port, add the User ID Redistribution Agent IP from step 3 in Host, and add the User ID Port Range copied in step 3.
    4. Enable the IP User Mappings check box and click OK.
    5. Commit to save the configuration.
  6. On the NGFW UI, go to Device > Setup > Services > Service Route Configuration > Customize > UID agent.
    1. Under IPv4, select the SOURCE INTERFACE as Ethernet1/1 (the interface facing the ZTNA Connector), and add the SOURCE ADDRESS.
  7. Add a security policy rule to allow TCP packets from the Anycast IP address copied in step 3: add it as the source IP address and click OK.
  8. (Optional) Enable TCP Probing.
    1. To create an FQDN Target:
      1. Go to Workflows > Application Targets > FQDN Targets and click Create FQDN Target.
      2. Add a Name and select the Connector Group.
      3. Enable tcp, specific, tcp ping, and Enabled. Add the Port and click Create.
  9. On the NGFW UI, go to Policies and define the User-ID based policies.