Configure Secure Inbound Access for Remote Network Sites for Locations that Allocate Bandwidth by Location
Table of Contents
Configure Secure Inbound Access for Remote Network Sites for Locations
that Allocate Bandwidth by Location
Configure secure inbound access for remote network sites
for locations that allocate bandwidth by location.
If you have a Prisma Access deployment that
allocates remote network bandwidth by location, configure inbound
access by completing the following steps.
- Select ,Adda connection, and configure the remote network, including routing and IPSec tunnel options.See Onboard and Configure Remote Networks for details. Your deployment might onboard bandwidth by compute location or by location; either method is supported for inbound access.Make sure that you are selecting one of the supported locations for Inbound Access.
- Click theInbound Accesstab to configure inbound access options.
- SelectEnableto enable inbound access for the remote network.If you selected a location that is unsupported for inbound access, Prisma Access prompts you to select a supported one.
- (Optional) To disable source NAT, deselectEnable Source NAT.By default, source NAT is enabled. If the IPSec-capable device at your remote network site is capable of performing symmetric return (such as a Palo Alto Networks next-generation firewall), or if you have not selectedAllow inbound flows to other Remote Networks over the Prisma Access backbone, deselectEnable source NAT.You mustEnable source NATin theInbound Accesstab if you select this check box. Source NAT is a requirement to allow inbound flows to other remote networks.
- Addthe applications to provide secure inbound access.You can configure up to 100 inbound applications for each group of provisioned public IP addresses (either 5 or 10). Enter a uniquePrivate IPaddress,Protocol, andPortcombination for each application. It is acceptable to use duplicate private IP addresses and ports for two applications, as long as you selectTCPfor one application andUDPfor another application.Provide the following values:
- Specify the name of theApplication.
- Specify thePrivate IPaddress to use with this application.
- Specify theProtocolto use with the application (TCPorUDP).
- Specify thePortto use with the application.
- Choose whether you want to dedicate a single public IP address to a single application; to do so, selectDedicated IP.
- ClickOKto save your changes.
- SaveandCommityour changes.
- Wait approximately 30 minutes for Prisma Access to generate the public IP addresses; then select and make a note of thePublic Addressthat is associated with theApp Namefor application you created.If you selectedDedicated IP, find the single application that is associated with thePublic Address.
- Create security policies to allow traffic from the inbound internet users.Because Prisma Access’ default security policy only allows untrust-to-untrust traffic, you need to configure security polices to allow untrust-to-trust traffic for your inbound access applications. Palo Alto Networks recommends that you limit the type of access you permit to inbound applications. The following examples provide access to SSH servers, web portals, and RDP servers.
- Select andAdda policy.Be sure to create this policy under theRemote_Network_Device_Groupdevice group.
- Select theSourcetraffic asUntrust.
- Create a policy to allow SSH server traffic by selecting theDestination Zonefor destination traffic asTrustand specifying aDestination AddressofSSH-server-public. This is an Address or Address Group object you created that has a list of all the public IP addresses that are used for SSH login.
- Select anApplicationofssh.
- Select aService/URL Categoryofapplication-defaultto allow or deny applications based only their default ports as defined by Palo Alto Networks.
- InActions, selectAllow.
- ClickOKto save the policy.
- Create a policy to allow web portal access by creating a policy in the previous steps but substituting the following settings in theDestinationandApplicationtabs:
- Select aDestination Addressof an Address or Address Group ofWeb-Portal-Public, which contains all the public IP addresses of the web portal.
- Select anApplicationofweb-browsing.
- Create a security policy for RDP server access, using the same settings as you did for the other policies but creating an Address or Address Group object calledRDP-Server-Public, which contains the public IP addresses for the RDP server, as theDestination Addressandwebrdpas theApplication.When complete, you have three different policies to allow SSH server access, web portal access, and RDP server access.
- SaveandCommityour changes.
- Check that the remote network connection is operational and correctly processing inbound traffic.
- Select and hover over theStatusandConfig Statusareas to see the tunnel’s status.
- If you find issues, select , select the location of the remote network tunnel in the map, and hover over theTunnel Statusarea to determine the cause of the error.
