Preserve User-ID Mapping for ZTNA Connector Connections with Source NAT
Learn how to preserve the User-ID mapping for GlobalProtect users who are accessing
apps behind a data center with ZTNA Connector.
Where Can I Use This? Prisma Access (Managed by Strata Cloud Manager); Prisma Access (Managed by Panorama)
What Do I Need? Prisma Access 5.1.1
You can use ZTNA Connector in Prisma Access to secure private applications. To limit
access to the applications based on User-ID, you can deploy a Next-Generation
Firewall (NGFW) in the data center or headquarters location where the private
applications are located; then, configure policy rules on the NGFW based on User-ID
mapping.
If your deployment uses an NGFW in the data center or headquarters location where the
private applications are located, and ZTNA Connector performs source NAT, the NGFW can't
retrieve the User-ID mapping because it never sees the user device's original source IP
address. Without this source IP address, the NGFW can't enforce the zone-based Security
policy rules you have created on it based on User-ID mapping.
ZTNA Connector has the following responsibilities to enable User-ID within the NGFW-secured
data center:
- Provide a secure connection from the NGFW to the regional ZTNA Connector Tunnel
  Terminators (ZTTs) so that the NGFW can connect to its User-ID redistribution agent.
- For FQDN applications with the health probe set to tcp ping, probe the data center
  applications to determine whether each application is up and reachable from this
  individual connector.
- Optionally, encapsulate the user-to-app packets that carry the post-NAT data center IP
  address within a Generic Network Virtualization Encapsulation (Geneve) packet that
  includes the original source IP address.
The following diagram illustrates the network elements that provide the source IP
address to User-ID mapping to the NGFW and deliver Geneve-encapsulated data packets,
including the original Prisma Access source IP address option, to the NGFW. These
elements enable the NGFW to effectively enforce security policy rules based on User-ID.
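As an added illustration that is not part of this page or of any Palo Alto Networks code, the following Python builds a constructed Geneve packet of the kind described above, with one option carrying the pre-NAT source address, and parses it back the way a receiver would to recover both the pre-NAT and post-NAT source addresses. The option class and type are assumed placeholders taken from the RFC 8926 experimental range, since the page does not state the values ZTNA Connector uses.

```python
import ipaddress
import struct

# Geneve base header (RFC 8926): Ver/OptLen, O/C flags, protocol type, VNI, reserved
GENEVE_HDR = struct.Struct("!BBH3sB")
ETHERTYPE_IPV4 = 0x0800
# Assumed placeholder class/type for the "original source IP" option (RFC 8926
# experimental range); the values ZTNA Connector actually uses are not on the page.
ORIG_SRC_CLASS, ORIG_SRC_TYPE = 0xFF00, 0x01


def build_geneve_ipv4(pre_nat_src, post_nat_src, dst, vni, include_option=True):
    """Constructed sample packet: inner IPv4 header carrying the post-NAT source,
    wrapped in Geneve with (optionally) one option carrying the pre-NAT source."""
    option = b""
    if include_option:
        data = ipaddress.IPv4Address(pre_nat_src).packed  # 4 bytes = 1 option word
        option = struct.pack("!HBB", ORIG_SRC_CLASS, ORIG_SRC_TYPE, len(data) // 4) + data
    geneve = GENEVE_HDR.pack(len(option) // 4, 0, ETHERTYPE_IPV4, vni.to_bytes(3, "big"), 0)
    # Minimal 20-byte IPv4 header; checksum left zero since it is not parsed here
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                        ipaddress.IPv4Address(post_nat_src).packed,
                        ipaddress.IPv4Address(dst).packed)
    return geneve + option + inner


def parse_geneve_ipv4(pkt):
    """Walk the Geneve options for the pre-NAT source, then read the inner IPv4
    header. pre_nat_src is None when the option is absent, which is exactly the
    case in which a downstream firewall cannot map the flow to a user."""
    ver_optlen, _flags, proto, vni, _ = GENEVE_HDR.unpack_from(pkt, 0)
    if ver_optlen >> 6 != 0 or proto != ETHERTYPE_IPV4:
        raise ValueError("unsupported Geneve version or inner protocol")
    off, end = GENEVE_HDR.size, GENEVE_HDR.size + (ver_optlen & 0x3F) * 4
    pre_nat_src = None
    while off < end:
        opt_class, opt_type, length = struct.unpack_from("!HBB", pkt, off)
        data_len = (length & 0x1F) * 4
        data = pkt[off + 4:off + 4 + data_len]
        if (opt_class, opt_type) == (ORIG_SRC_CLASS, ORIG_SRC_TYPE) and data_len == 4:
            pre_nat_src = str(ipaddress.IPv4Address(data))
        elif opt_type & 0x80:  # critical bit set on an option we don't understand
            raise ValueError("unknown critical Geneve option %04x/%02x" % (opt_class, opt_type))
        off += 4 + data_len
    src, dst = struct.unpack_from("!4s4s", pkt, end + 12)  # IPv4 src/dst at offset 12
    return {"vni": int.from_bytes(vni, "big"), "pre_nat_src": pre_nat_src,
            "post_nat_src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}
```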
Restrictions:
- User-ID support with ZTNA Connector is available only in the following versions and
  later:
  NGFW version: 11.2.0 and later
  ZTNA Connector version: 6.2.4-ztna-connector-b3 and later
- ICMP probing isn't supported for FQDN targets that are attached to User-ID based
  connector groups.
- NGFW service route configuration for a User-ID agent supports only interfaces with
  static IP addresses. If the NGFW interface is configured in a dynamic mode (IP address
  assignment through DHCP), the User-ID channel from the NGFW to the ZTT can't be
  established and ZTNA Connector User-ID doesn't work. To resolve this issue, set up
  static IP addressing on the NGFW interface used for the User-ID agent configuration.
- Diagnostic tools such as ping and traceroute are not supported for User-ID based
  connectors.
This procedure assumes that you have the following network configuration in place:
- You have deployed an NGFW at the headquarters or data center where the private apps
  are located.
- You have created trust and untrust zones that match the zones in Prisma Access and
  applied security policy rules based on those zones on the NGFW. These security policy
  rules include User-ID enforcement.
To make sure that your network distributes the User-ID mapping to the headquarters or
data center, complete the following steps, which enable the NGFW to enforce the security
policy rules based on the User-ID mapping it learns from GlobalProtect.
Create a Connector Group, enable Preserve User ID, and add the Connectors.
Go to Connector and make a note of the User ID Redistribution Agent IP and User ID Port
Range for your connector. You need these IP addresses and port ranges to configure
User-ID redistribution agents on the NGFW.
Also, go to Connector Groups and make a note of the Anycast IP. This IP address is
required to configure the NGFW security policy rule that allows TCP application probing
from this source IP address.
Enter Pre-NAT Identification parameters on the NGFW.
  Log in to the NGFW UI, go to Network > Zones, and Add two zones (one for the interface
  connecting to ZTNA Connector and one for the interface connecting to the application
  server), or select existing zones.
  Select the following Pre-NAT Identification parameters for the zone whose interface
  connects to ZTNA Connector:
    User-ID—Preserves the mobile user User-ID mapping used before the IP addresses were
    NATed. Enable this if you're using User-ID in the security policy rules.
    Source Lookup—Enables you to match the original source IP address received from
    GlobalProtect.
  For the zone whose interface connects to the application server, you don't have to
  select any Pre-NAT Identification parameters.
  Click OK and Commit your changes.
Add the IP addresses to the interfaces.
  Go to Network > Interfaces > Ethernet.
  Select the interfaces that connect to the ZTNA Connector and to the application server,
  and configure them. Add the Interface name, and set the Interface type to Layer 3.
  For the Ethernet interface connected to the application server, deselect the
  Automatically create default route pointing to default gateway provided by server
  check box.
  Go to Interfaces and add the static IP addresses to the interfaces. Add the ZTNA
  Connector facing interface to the ZTNA Connector zone (Geneve) and the application
  server facing interface to the application server zone (Data Center).
Open a command-line interface (CLI) session to the NGFW and enter the following command
in configuration mode:
  set deviceconfig setting preserve-prenat-feature yes
If you need to disable this feature in the future, enter
  set deviceconfig setting preserve-prenat-feature no
When setting up User-ID redistribution, you must add a redistribution agent entry for
each port within the User ID Port Range you noted in step 3. For example, if the range
is 55050-55055, you have to configure six entries, which corresponds to the number of
ZTNA Connector regions you have deployed.
For each port in the range, select one IP address from User ID Redistribution Agent IP
(step 3) for the Host field. If you want redundancy at the ZTNA Connector level, you can
choose two addresses from User ID Redistribution Agent IP and apply the full port range
to both IP addresses. Alternatively, you can configure all the ports on all the IP
addresses in User ID Redistribution Agent IP.
Add a redistribution agent for each of the ports in the User ID Port Range with one or
more of the addresses in User ID Redistribution Agent IP.
  On the NGFW UI, go to Device and then select Data Redistribution.
  Click Add, add the Name, and select the Enabled check box.
  Select Host and Port, add the User ID Redistribution Agent IP from step 3 in Host, and
  add the port from the User ID Port Range copied in step 3.
  Select the IP User Mappings check box and click OK.
  Commit to save the configuration.
On the NGFW UI, go to Device > Setup > Services > Service Route Configuration >
Customize > UID Agent.
  Under IPv4, select Ethernet1/1 (the interface facing the ZTNA Connector) as the
  SOURCE INTERFACE, and add the SOURCE ADDRESS.
Add a security policy rule that allows TCP packets from the probing source IP address.
  Add the source IP address, which is the Anycast IP address copied in step 3, and
  click OK.
(Optional) Enable TCP Probing.
  To create an FQDN Target:
    Go to Workflows > Application Targets > FQDN Targets and click Create FQDN Target.
    Add a Name and select the Connector Group.
    Enable tcp, specific, tcp ping, and Enabled. Add the Port and click Create.
On the NGFW UI, go to Policies and define the User-ID based policies.