Provide Secure Inbound Access to Remote Network Locations
Allow internet-connected users access to applications hosted at remote network sites.
If your organization hosts internet-accessible applications at a remote network site, providing access to those applications exposes your network to all the threats posed by the open internet. This section describes how Prisma Access provides secure access to those applications, when you should implement it, and how to configure it.
- Secure Inbound Access for Remote Network Sites
- Secure Inbound Access Examples
- Guidelines for Using Secure Inbound Access
- Configure Secure Inbound Access for Remote Network Sites
Secure Inbound Access for Remote Network Sites
Prisma Access for remote networks allows outbound
access to internet-connected applications. In some cases, your organization
might have a requirement to provide inbound access to an application
or website at a remote site, and provide secure access to that application
for any internet-connected user—not just users who are protected
by Prisma Access. For example:
- You host a public-facing custom application or portal at a remote network site.
- You have a lab or staging environment for which you want to provide secure access.
- You have a need to provide access to an application or website to users who are not members of an organizational domain.
- You have IoT devices that require access to an internal asset management, tracking, or status application.
To do this, create a remote network that allows secure inbound access. If you require outbound access as well as inbound access for a remote network site, create two remote network sites in the same location—one for inbound access and one for outbound access. While this solution can provide access for up to 50,000 concurrent inbound sessions per remote network, Palo Alto Networks does not recommend using it to provide access to a high-volume application or website.
To make internet-accessible applications available from a remote network site, you first make a list of the applications to which you want to provide access, and assign a private IP, port number, and protocol combination for each application. If you use the same IP address for multiple applications, the port/protocol combination must be unique for each application; if you use the same port/protocol combination for multiple applications, each IP address must be unique.
To begin configuration, you choose how many public IP addresses you want to associate with the applications. You can specify either 5 or 10 public IP addresses per remote network site. Each public IP allocation takes bandwidth (units) from your Remote Networks license, in addition to the bandwidth that you have allocated for the compute location associated with the remote network. 5 IP addresses take 150 Mbps from your remote network license allocation, and 10 IP addresses take 300 Mbps.
After you choose the number of public IP addresses, you then enter the application, along with its associated private IP/port number/protocol combination, for which you want secure inbound access.
You can decide how you want to map your application to the public IP addresses. By default, Prisma Access assigns the public IP addresses to the applications you specify, and multiple applications can be assigned to a single IP address. If you need to map a single application to a single public IP address, you can select Dedicated IP during system configuration. You can configure up to 100 inbound applications for each group of provisioned public IP addresses (either 5 or 10).
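The planning rules above (5 or 10 public IPs charged at 150 or 300 Mbps, at most 100 applications per IP group, and a unique private IP/protocol/port triple per application, where the same IP and port may be reused only across TCP and UDP as the configuration steps later state) can be checked before onboarding. The following is an added example, not Palo Alto Networks code and not a Prisma Access API; the Dedicated IP check is an assumption drawn from the one-to-one mapping the feature provides.

```python
"""Check an inbound-access application plan against the rules on this page.

Added example; it is not Palo Alto Networks code and does not call any Prisma
Access API. Costs, limits and the uniqueness rule are the ones stated above.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# License cost of each public IP allocation size (Mbps), as stated on this page.
PUBLIC_IP_COST_MBPS = {5: 150, 10: 300}
MAX_APPS_PER_IP_GROUP = 100


@dataclass(frozen=True)
class InboundApp:
    name: str
    private_ip: str
    protocol: str          # "TCP" or "UDP"
    port: int
    dedicated_ip: bool = False


def validate_plan(apps, public_ip_count, remaining_license_mbps):
    """Return a list of problems; an empty list means the plan can be onboarded."""
    problems = []

    # Only 5 or 10 public IPs can be provisioned, and the allocation is charged
    # against the Remote Networks license on top of the site's own bandwidth.
    cost = PUBLIC_IP_COST_MBPS.get(public_ip_count)
    if cost is None:
        problems.append(f"public IP count must be 5 or 10, not {public_ip_count}")
    elif cost > remaining_license_mbps:
        problems.append(f"{public_ip_count} public IPs need {cost} Mbps but only "
                        f"{remaining_license_mbps} Mbps of license bandwidth remain")

    if len(apps) > MAX_APPS_PER_IP_GROUP:
        problems.append(f"{len(apps)} applications exceed the limit of "
                        f"{MAX_APPS_PER_IP_GROUP} per public IP group")

    for app in apps:
        try:
            ipaddress.IPv4Address(app.private_ip)
        except ValueError:
            problems.append(f"{app.name}: '{app.private_ip}' is not a valid IPv4 address")
        if app.protocol.upper() not in ("TCP", "UDP"):
            problems.append(f"{app.name}: protocol must be TCP or UDP, not {app.protocol}")
        if not 1 <= app.port <= 65535:
            problems.append(f"{app.name}: port {app.port} is out of range")

    # The private IP / protocol / port triple must be unique. The same IP and
    # port may be reused only when one application is TCP and the other UDP;
    # port translation is not supported, so no remapping can rescue a clash.
    triples = Counter((a.private_ip, a.protocol.upper(), a.port) for a in apps)
    for (ip, proto, port), count in triples.items():
        if count > 1:
            names = [a.name for a in apps
                     if (a.private_ip, a.protocol.upper(), a.port) == (ip, proto, port)]
            problems.append(f"{ip} {proto}/{port} is assigned to {count} applications: "
                            + ", ".join(names))

    # Assumption (follows from the one-to-one mapping Dedicated IP provides):
    # each dedicated application consumes one whole public address.
    dedicated = sum(1 for a in apps if a.dedicated_ip)
    if cost is not None and dedicated > public_ip_count:
        problems.append(f"{dedicated} Dedicated IP applications exceed the "
                        f"{public_ip_count} public IPs provisioned")
    return problems
```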
Secure Inbound Access Examples
This section provides inbound access examples,
along with the IP addresses that Prisma Access assigns in various
deployments.
The following example shows a sample configuration
to enable inbound access for an application (www.example.com) at
a remote network site. You assign an IP address of 10.10.10.2, a
port of 443, and a protocol of TCP to the application. You then
enter these values in Prisma Access when you configure inbound access.
After you save and commit your changes, Prisma Access assigns a
public IP address to the application you defined, in this case 52.1.1.1.
Prisma Access performs source network address translation (source NAT) on the packets by default. If the IPSec-capable device at your remote network site is capable of performing symmetric return (such as a Palo Alto Networks next-generation firewall), you can disable source NAT.
The following figure shows the traffic flow from users to applications. Since source NAT is enabled, the source IP address in the routing table changes from the IP of the user’s device (34.1.1.1) to the remote network’s EBGP Router address (172.1.1.1), which is shown under Panorama > Cloud Services > Status > Network Details > Remote Networks > EBGP Router.
The following figure shows the return path of traffic with source NAT enabled.
If you disable source NAT, Prisma Access still performs destination NAT, but the source IP address of the request is unchanged.
For return traffic, SNAT is disabled, and the destination address for all routing tables is the user’s IP address (34.1.1.1).
If you have a resource in a remote network site that has inbound access enabled and you want users at non-inbound access sites to have access to that resource, you can Allow inbound flows to other Remote Networks over the Prisma Access backbone when you configure the non-inbound access remote network. If you allow inbound flows from other remote networks, you must enable source NAT.

Guidelines for Using Secure Inbound Access
Use the following guidelines and restrictions
when you configure a remote network to use secure inbound access:
- When you configure a remote network for inbound access, you add units (Mbps) from your license for the IP addresses you allocate (150 Mbps for 5 IP addresses and 300 Mbps for 10 IP addresses). For this reason, make sure that you have enough remaining licensed bandwidth to onboard the inbound access remote networks before you start. To check your available bandwidth, select Panorama > Cloud Services > Configuration > Remote Networks and view your licensed Bandwidth Allocation. This area shows the bandwidth you have already allocated, along with the total licensed bandwidth.
- The following locations are supported:
- Australia Southeast
- Belgium
- Brazil South
- Canada East
- Finland
- Germany Central
- Hong Kong
- India West
- Japan Central
- Japan South
- Netherlands Central
- Singapore
- Switzerland
- Taiwan
- UK
- US Central
- US East
- US Northwest
- US Southeast
- US Southwest
- You cannot modify an existing remote network to provide secure inbound access; instead, create a new remote network.
- The inbound access feature is not available on remote networks that use ECMP load balancing.
- Application port translation is not supported.
- The bulk import feature to onboard remote networks does not support inbound access. Use Panorama to onboard new inbound access remote networks.
- Do not use remote network inbound access with traffic forwarding rules with service connections.
- Outbound traffic originating at the branch is not allowed on the inbound remote network.
- User-ID and application authentication are not supported.
- Prisma Access enforces the following rate limiting thresholds to provide flood protection, and measures the rate in connections per second (CPS):
- SYN Flood: alarm rate 10000 CPS, activate rate 15000 CPS
- ICMP Flood: alarm rate 20 CPS, activate rate 20 CPS
- Remote networks that are configured for secure inbound access can only be used for that purpose. If you require outbound access as well as inbound access for a remote network site, create two remote network sites in the same location—one for inbound access and one for outbound access—as shown in the following figure. In this example, User 1 uses Remote Network 1 for inbound access to www.example.com, while User 2 uses Remote Network 2 for outbound internet access from the remote network location.
- If you have a custom Prisma Access deployment where one of the cloud providers is excluded, inbound access might not be supported; in this case, you cannot choose the location during remote network onboarding.
- Secure inbound access is not supported with evaluation licenses.
Configure Secure Inbound Access for Remote Network Sites
To create a remote network site that allows secure inbound access, complete the following steps.
- Select Panorama > Cloud Services > Configuration > Remote Networks, Add a connection, and configure the remote network, including routing and IPSec tunnel options. See Onboard and Configure Remote Networks for details. Your deployment might onboard bandwidth by compute location or by location; either method is supported for inbound access. Make sure that you select one of the supported locations for Inbound Access.
- Click the Inbound Access tab to configure inbound access options.
- Select Enable to enable inbound access for the remote network. If you selected a location that is unsupported for inbound access, Prisma Access prompts you to select a supported one.
- (Optional) To disable source NAT, deselect Enable Source NAT. By default, source NAT is enabled. If the IPSec-capable device at your remote network site is capable of performing symmetric return (such as a Palo Alto Networks next-generation firewall), or if you have not selected Allow inbound flows to other Remote Networks over the Prisma Access backbone, deselect Enable source NAT. If you do select that check box, you must Enable source NAT in the Inbound Access tab; source NAT is a requirement to allow inbound flows to other remote networks.
- Add the applications to provide secure inbound access. You can configure up to 100 inbound applications for each group of provisioned public IP addresses (either 5 or 10). Enter a unique Private IP address, Protocol, and Port combination for each application. It is acceptable to use the same private IP address and port for two applications, as long as you select TCP for one application and UDP for the other. Provide the following values:
- Specify the name of the Application.
- Specify the Private IP address to use with this application.
- Specify the Protocol to use with the application (TCP or UDP).
- Specify the Port to use with the application.
- Choose whether you want to dedicate a single public IP address to a single application; to do so, select Dedicated IP.
- Click OK to save your changes.
- Save and Commit your changes.
- Wait approximately 30 minutes for Prisma Access to generate the public IP addresses; then select Panorama > Cloud Services > Status > Network Details > Remote Networks and make a note of the Public Address that is associated with the App Name for the application you created. If you selected Dedicated IP, find the single application that is associated with the Public Address.
- Create security policies to allow traffic from the inbound internet users. Because Prisma Access’ default security policy only allows untrust-to-untrust traffic, you need to configure security policies to allow untrust-to-trust traffic for your inbound access applications. Palo Alto Networks recommends that you limit the type of access you permit to inbound applications. The following examples provide access to SSH servers, web portals, and RDP servers.
- Select Policies > Security and Add a policy. Be sure to create this policy under the Remote_Network_Device_Group device group.
- Select the Source traffic as Untrust.
- Create a policy to allow SSH server traffic by selecting the Destination Zone for destination traffic as Trust and specifying a Destination Address of SSH-server-public. This is an Address or Address Group object you created that has a list of all the public IP addresses that are used for SSH login.
- Select an Application of ssh.
- Select a Service/URL Category of application-default to allow or deny applications based only on their default ports as defined by Palo Alto Networks.
- In Actions, select Allow.
- Click OK to save the policy.
- Create a policy to allow web portal access by repeating the previous steps but substituting the following settings in the Destination and Application tabs:
- Select a Destination Address of an Address or Address Group of Web-Portal-Public, which contains all the public IP addresses of the web portal.
- Select an Application of web-browsing.
- Create a security policy for RDP server access, using the same settings as you did for the other policies but creating an Address or Address Group object called RDP-Server-Public, which contains the public IP addresses for the RDP server, as the Destination Address and webrdp as the Application. When complete, you have three different policies to allow SSH server access, web portal access, and RDP server access.
- Save and Commit your changes.
- Check that the remote network connection is operational and correctly processing inbound traffic.
- Select Panorama > Cloud Services > Status > Status > Remote Networks and hover over the Status and Config Status areas to see the tunnel’s status.
- If you find issues, select Panorama > Cloud Services > Status > Monitor > Remote Networks, select the location of the remote network tunnel in the map, and hover over the Tunnel Status area to determine the cause of the error.