Prisma Access Zones

Learn how Prisma Access maps the zones in your security policy for use in the cloud.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license
On a firewall, zones are associated with interfaces. Within Prisma Access, however, the networking infrastructure is set up for you automatically, so you no longer need to configure interfaces or associate them with the zones you create. To enable consistent security policy enforcement, you must still create zone mappings so that Prisma Access knows whether to associate each zone with an internal (trust) interface or an external (untrust) interface. This ensures that your security policy rules are enforced properly.

By default, every zone you push to Prisma Access is set to untrust. Leave any zone associated with internet-bound traffic, including your sanctioned SaaS applications, set to untrust. For every zone that provides access to applications on your internal network or in your data center, you must map the zone to trust.

In the example below, all sanctioned SaaS applications (Office 365 and Salesforce in this case) are segmented into the sanctioned-saas zone to enable visibility and policy enforcement over the use of these applications. To have Prisma Access associate the sanctioned-saas zone with an external-facing interface, you must map this zone to untrust. Similarly, the eng-tools and dc-apps zones provide access to applications in the corporate office, so you must designate them as trusted zones.

Prisma Access supports three zones (trust, untrust, and Clientless VPN) and simplifies policy creation by setting them up for you.
Zone: Trust
Description: Zone containing all trusted and on-boarded IP addresses, service connections, or mobile users within the corporate network.

Zone: Untrust
Description: All untrusted IP addresses, service connections, or mobile users outside of the corporate network. By default, any IP address or mobile user that is not trusted is inherently untrusted.

Zone: Clientless VPN
Description: Secure remote access to common enterprise web applications that use HTML, HTML5, and JavaScript technologies. Users have the advantage of secure access from SSL-enabled web browsers without installing client software. This is useful when you need to enable partner or contractor access to applications, and to safely enable unmanaged assets, including personal devices.

The zone for Clientless VPN is mapped to the trust zone by default; this setting cannot be changed.
Prisma Access logs that display a zone of inter-fw are logs used for communication within the Prisma Access infrastructure.
When creating zones, do not use any of the following names for the zones, because these are names used for internal zones:
  • trust
  • untrust
  • inter-fw
  • Any name you use for the remote networks (remote network names are used as the source zone in Strata Logging Service logs)
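The following is an added example, not code from the Prisma Access documentation or from Palo Alto Networks: a pre-push check that applies the rules above to a planned set of zone mappings, flagging reserved names, collisions with remote network names, and invalid mappings, and filling in the untrust default for zones that were not explicitly mapped. The zone names, the remote network name `branch-sjc`, and the `ZonePlan` structure are constructed for the example.

```python
"""Validate a planned Prisma Access zone mapping before pushing it.

Constructed example (not vendor code). It encodes the rules from the
page: unmapped zones default to untrust, only trust/untrust are valid
mappings, and the names trust, untrust, inter-fw and any remote network
name are reserved for internal zones.
"""
from dataclasses import dataclass, field

RESERVED_ZONE_NAMES = {"trust", "untrust", "inter-fw"}
VALID_MAPPINGS = {"trust", "untrust"}


@dataclass
class ZonePlan:
    # zone name -> requested mapping ("trust"/"untrust"), or None to
    # leave the zone at the Prisma Access default of untrust
    zones: dict
    # names of configured remote networks; these appear as source zones
    # in Strata Logging Service logs, so they must not be reused as zones
    remote_network_names: set = field(default_factory=set)


def validate_zone_plan(plan: ZonePlan):
    """Return (effective_mapping, errors) for the plan.

    Zones with an invalid mapping are left out of effective_mapping.
    Name checks are case-insensitive so that e.g. "Inter-FW" is caught.
    """
    errors = []
    effective = {}
    remote_names = {n.lower() for n in plan.remote_network_names}
    for zone, mapping in plan.zones.items():
        lowered = zone.lower()
        if lowered in RESERVED_ZONE_NAMES:
            errors.append(f"{zone}: reserved internal zone name")
        elif lowered in remote_names:
            errors.append(f"{zone}: collides with a remote network name")
        if mapping is None:
            effective[zone] = "untrust"  # page-stated default
        elif mapping not in VALID_MAPPINGS:
            errors.append(f"{zone}: mapping must be trust or untrust, got {mapping!r}")
        else:
            effective[zone] = mapping
    return effective, errors


if __name__ == "__main__":
    plan = ZonePlan(zones={"sanctioned-saas": "untrust", "eng-tools": "trust",
                           "dc-apps": "trust", "guest-wifi": None},
                    remote_network_names={"branch-sjc"})
    mapping, problems = validate_zone_plan(plan)
    print(mapping, problems)
```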