Provide Secure Inbound Access to Remote Network Locations
Allow internet-connected users access to applications hosted at remote network sites.
If your organization hosts internet-accessible applications at a remote network site, providing access to those applications exposes your network to all the threats posed by an open internet. This section describes how Prisma Access provides a way to provide secure access to those applications, when you should implement it, and how to configure it.
Secure Inbound Access for Remote Network Sites
Prisma Access for remote networks allows outbound access to internet-connected applications. In some cases, your organization might have a requirement to provide inbound access to an application or website at a remote site, and provide secure access to that application for any internet-connected user—not just users who are protected by Prisma Access. For example:
- You host a public-facing custom application or portal at a remote network site.
- You have a lab or staging environment for which you want to provide secure access.
- You need to provide access to an application or website to users who are not members of an organizational domain.
- You have IoT devices that require access to an internal asset management, tracking, or status application.
To do this, create a remote network that allows secure inbound access. If you require outbound access as well as inbound access for a remote network site, create two remote network sites in the same location—one for inbound access and one for outbound access.
While this solution can provide access for up to 50,000 concurrent inbound sessions per remote network, Palo Alto Networks does not recommend using this solution to provide access to a high-volume application or website.
To make internet-accessible applications available from a remote network site, you first make a list of the applications to which you want to provide access, and assign a private IP, port number, and protocol combination for each application. If you use the same IP address for multiple applications, the port/protocol combination must be unique for each application; if you use the same port/protocol combination for multiple applications, each IP address must be unique.
To begin configuration, you choose how many public IP addresses you want to associate for the applications. You can specify either 5 or 10 public IP addresses per remote network site. Each public IP allocation takes bandwidth (units) from your Remote Networks license, in addition to the bandwidth that you have allocated for the compute location associated to the remote network. 5 IP addresses take 150 Mbps from your remote network license allocation, and 10 IP addresses take 300 Mbps.
After you choose the number of public IP addresses, you then enter the application, along with its associated private IP/port number/protocol combination, for which you want secure inbound access.
You can decide how you want to map your application to the public IP addresses. By default, Prisma Access assigns the public IP addresses to the applications you specify, and multiple applications can be assigned to a single IP address. If you need to map a single application to a single public IP address, you can select Dedicated IP during system configuration. You can configure up to 100 inbound applications for each group of provisioned public IP addresses (either 5 or 10).
Secure Inbound Access Examples
This section provides inbound access examples, along with the IP addresses that Prisma Access assigns in various deployments.
The following example shows a sample configuration to enable inbound access for an application (www.example.com) at a remote network site. You assign an IP address of 10.10.10.2, a port of 443, and a protocol of TCP to the application. You then enter these values in Prisma Access when you configure inbound access. After you save and commit your changes, Prisma Access assigns a public IP address to the application you defined, in this case 220.127.116.11.
Prisma Access performs source network address translation (source NAT) on the packets by default. If the IPSec-capable device at your remote network site is capable of performing symmetric return (such as a Palo Alto Networks next-generation firewall), you can disable source NAT.
The following figure shows the traffic flow from users to applications. Since source NAT is enabled, the source IP address in the routing table changes from the IP of the user’s device (18.104.22.168) to the remote network’s EBGP Router address (
The following figure shows the return path of traffic with source NAT enabled.
If you disable source NAT, Prisma Access still performs destination NAT, but the source IP address of the request is unchanged.
For return traffic, source NAT is disabled, and the destination address in all routing tables is the user’s IP address (22.214.171.124).
If you have a resource in a remote network site that has inbound access enabled and you want users at non-inbound access sites to have access to that resource, you can select Allow inbound flows to other Remote Networks over the Prisma Access backbone when you configure the non-inbound access remote network.
If you allow inbound flows from other remote networks, you must enable source NAT.
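The application-list rules above (unique private IP/protocol/port per application, 5 or 10 public IPs costing 150 or 300 Mbps of license bandwidth, at most 100 applications per group) and the source NAT requirement for flows from other remote networks can be checked before onboarding. The following planner is an added example, not Prisma Access or Palo Alto Networks code; it assumes that Dedicated IP consumes one public address per application, which the page implies but does not state as a limit.

```python
# Added example (not Prisma Access code): pre-onboarding check of an inbound access plan.
from dataclasses import dataclass
from ipaddress import ip_address

LICENSE_MBPS = {5: 150, 10: 300}   # public IPs -> Remote Networks license bandwidth consumed
MAX_APPS_PER_GROUP = 100           # per provisioned group of public IP addresses

@dataclass
class InboundApp:
    name: str
    private_ip: str
    protocol: str                  # "TCP" or "UDP"
    port: int

@dataclass
class InboundRemoteNetwork:
    public_ip_count: int           # 5 or 10
    apps: list
    dedicated_ip: bool = False
    source_nat: bool = True        # enabled by default
    allow_flows_from_other_rns: bool = False

def validate(rn):
    """Return the list of rule violations; an empty list means the plan is acceptable."""
    errors = []
    if rn.public_ip_count not in LICENSE_MBPS:
        errors.append(f"public IP count must be 5 or 10, not {rn.public_ip_count}")
    if len(rn.apps) > MAX_APPS_PER_GROUP:
        errors.append(f"{len(rn.apps)} applications exceed the limit of {MAX_APPS_PER_GROUP}")
    # Assumption: Dedicated IP maps exactly one application to each public address.
    if rn.dedicated_ip and len(rn.apps) > rn.public_ip_count:
        errors.append("Dedicated IP needs at least one public IP per application")
    if rn.allow_flows_from_other_rns and not rn.source_nat:
        errors.append("inbound flows from other remote networks require source NAT")
    seen = {}
    for app in rn.apps:
        try:
            ip_address(app.private_ip)
        except ValueError:
            errors.append(f"{app.name}: invalid private IP {app.private_ip!r}")
        if app.protocol.upper() not in ("TCP", "UDP"):
            errors.append(f"{app.name}: protocol must be TCP or UDP")
        key = (app.private_ip, app.protocol.upper(), app.port)   # must be unique per app
        if key in seen:
            errors.append(f"{app.name}: same IP/protocol/port as {seen[key]}")
        seen.setdefault(key, app.name)
    return errors

def license_mbps_needed(rn, compute_location_mbps):
    # IP allocation cost plus the bandwidth allocated to the site's compute location
    return LICENSE_MBPS[rn.public_ip_count] + compute_location_mbps
```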
Guidelines for Using Secure Inbound Access
Use the following guidelines and restrictions when you configure a remote network to use secure inbound access:
- When you configure a remote network for inbound access, you add units (Mbps) from your license for the IP addresses you allocate (150 Mbps for 5 IP addresses and 300 Mbps for 10 IP addresses). For this reason, make sure that you have enough remaining licensed bandwidth to onboard the inbound access remote networks before you start. To check your available bandwidth, select Panorama > Cloud Services > Configuration > Remote Networks and view your licensed Bandwidth Allocation. This area shows the bandwidth you have already allocated, along with the total licensed bandwidth.
- The following locations are supported:
- Australia Southeast
- Brazil South
- Canada East
- Germany Central
- Hong Kong
- India West
- Japan Central
- Japan South
- Netherlands Central
- US Central
- US East
- US Northwest
- US Southeast
- US Southwest
- You cannot modify an existing remote network to provide secure inbound access; instead, create a new remote network.
- Application port translation is not supported.
- Outbound traffic originating at the branch is not allowed on the inbound remote network.
- User-ID and application authentication are not supported.
- Remote networks that are configured for secure inbound access can only be used for that purpose. If you require outbound access as well as inbound access for a remote network site, create two remote network sites in the same location—one for inbound access and one for outbound access—as shown in the following figure. In this example, User 1 uses Remote Network 1 for inbound access to www.example.com, while User 2 uses Remote Network 2 for outbound internet access from the remote network location.
- If you have a custom Prisma Access deployment where one of the cloud providers is excluded, inbound access might not be supported; in this case, you cannot choose the location during remote network onboarding.
- Secure inbound access is not supported with evaluation licenses.
Configure Secure Inbound Access for Remote Network Sites
To create a remote network site that allows secure inbound access, complete the following steps.
- Select Panorama > Cloud Services > Configuration > Remote Networks, Add a connection, and configure the remote network, including routing and IPSec tunnel options.
- Click the Inbound Access tab to configure inbound access options.
- Select Enable to enable inbound access for the remote network. If you selected a location that is unsupported for inbound access, Prisma Access prompts you to select a supported one.
- (Optional) To disable source NAT, deselect Enable Source NAT. By default, source NAT is enabled. If the IPSec-capable device at your remote network site is capable of performing symmetric return (such as a Palo Alto Networks next-generation firewall), and you have not selected Allow inbound flows to other Remote Networks over the Prisma Access backbone, you can deselect Enable Source NAT. If you select that check box, you must leave Enable Source NAT selected in the Inbound Access tab, because source NAT is a requirement to allow inbound flows to other remote networks.
- Add the applications to provide secure inbound access. You can configure up to 100 inbound applications for each group of provisioned public IP addresses (either 5 or 10). Enter a unique Private IP address, Protocol, and Port combination for each application. It is acceptable to use duplicate private IP addresses and ports for two applications, as long as you select TCP for one application and UDP for the other. Provide the following values:
- Specify the name of the Application.
- Specify the Private IP address to use with this application.
- Specify the Protocol to use with the application (TCP or UDP).
- Specify the Port to use with the application.
- Choose whether you want to dedicate a single public IP address to a single application; to do so, select Dedicated IP.
- Click OK to save your changes.
- Save and Commit your changes.
- Wait approximately 30 minutes for Prisma Access to generate the public IP addresses; then select Panorama > Cloud Services > Status > Network Details > Remote Networks and make a note of the Public Address that is associated with the App Name for the application you created. If you selected Dedicated IP, find the single application that is associated with the Public Address.
- Create security policies to allow traffic from the inbound internet users. Because Prisma Access’ default security policy only allows untrust-to-untrust traffic, you need to configure security policies to allow untrust-to-trust traffic for your inbound access applications. Palo Alto Networks recommends that you limit the type of access you permit to inbound applications. The following examples provide access to SSH servers, web portals, and RDP servers.
- Select Policies > Security and Add a policy. Be sure to create this policy under the Remote_Network_Device_Group device group.
- Select the Source traffic as Untrust.
- Create a policy to allow SSH server traffic by selecting the Destination Zone for destination traffic as Trust and specifying a Destination Address of SSH-server-public. This is an Address or Address Group object you created that has a list of all the public IP addresses that are used for SSH login.
- Select an Application of ssh.
- Select a Service/URL Category of application-default to allow or deny applications based only on their default ports as defined by Palo Alto Networks.
- In Actions, select Allow.
- Click OK to save the policy.
- Create a policy to allow web portal access by repeating the previous steps but substituting the following settings in the Destination and Application tabs:
- Select a Destination Address of an Address or Address Group of Web-Portal-Public, which contains all the public IP addresses of the web portal.
- Select an Application of web-browsing.
- Create a security policy for RDP server access, using the same settings as you did for the other policies but creating an Address or Address Group object called RDP-Server-Public, which contains the public IP addresses for the RDP server, as the Destination Address and webrdp as the Application. When complete, you have three different policies to allow SSH server access, web portal access, and RDP server access.
- Save and Commit your changes.
- Check that the remote network connection is operational and correctly processing inbound traffic.
- Select Panorama > Cloud Services > Status > Status > Remote Networks and hover over the Status and Config Status areas to see the tunnel’s status.
- If you find issues, select Panorama > Cloud Services > Status > Monitor > Remote Networks, select the location of the remote network tunnel in the map, and hover over the Tunnel Status area to determine the cause of the error.