Learn how Prisma Access maps the zones in your security
policy for use in the cloud.
Where Can I Use This?
  Prisma Access (Managed by Strata Cloud Manager)
  Prisma Access (Managed by Panorama)
What Do I Need?
  Prisma Access license
On a firewall, zones are associated with interfaces. Within Prisma Access,
the networking infrastructure is set up for you automatically, so you no
longer configure interfaces or associate them with the zones you create.
However, to enforce security policy consistently, you must create zone
mappings so that Prisma Access knows whether to associate each zone with an
internal (trust) interface or an external (untrust) interface. Without a
correct mapping, your security policy rules will not be enforced as intended.

By default, every zone you push to Prisma Access is set to untrust. Leave
zones associated with internet-bound traffic, including your sanctioned SaaS
applications, set to untrust. Map to trust every zone that provides access to
applications on your internal network or in your data center.

For example, suppose all sanctioned SaaS applications (Office 365 and
Salesforce in this case) are segmented into a sanctioned-saas zone to provide
visibility and policy enforcement over the use of these applications. For
Prisma Access to associate the sanctioned-saas zone with an external-facing
interface, you must map this zone to untrust. The eng-tools and dc-apps zones
provide access to applications in the corporate office, so you must map them
to trust.
Prisma Access supports three zones (trust, untrust, and Clientless VPN) and
simplifies policy creation by setting them up for you.
Zone: Trust
Description: Zone containing all trusted and onboarded IP addresses, service
connections, or mobile users within the corporate network.

Zone: Untrust
Description: All untrusted IP addresses, service connections, or mobile users
outside of the corporate network. By default, any IP address or mobile user
that is not trusted is inherently untrusted.

Zone: Clientless VPN
Description: Secure remote access to common enterprise web applications that
use HTML, HTML5, and JavaScript technologies. Users get secure access from
SSL-enabled web browsers without installing client software. This is useful
when you need to enable partner or contractor access to applications, and to
safely enable unmanaged assets, including personal devices. The Clientless
VPN zone is mapped to the trust zone by default; this setting cannot be
changed.
Prisma Access logs that display a zone of inter-fw are logs used
for communication within the Prisma Access infrastructure.
When creating zones, do not use any of the following names, because they are
reserved for internal zones:
trust
untrust
inter-fw
Any name you use for a remote network (remote network names are used as the
source zone in Strata Logging Service logs)
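The mapping rules above (every pushed zone defaults to untrust, only the zones you explicitly map go to trust, the Clientless VPN zone is always trust) and the reserved-name rule are easy to get wrong in a large rule base, so a pre-push check is worth having. The following is an added example, not Palo Alto Networks code and not any Prisma Access or Panorama API: it takes a constructed list of zone names, remote network names and the set of zones you intend to map to trust, and returns the resulting mapping together with any reserved-name collisions. The input format, the function name `plan_zone_mappings`, the sample zone names and the case-insensitive comparison are all assumptions; the page does not say how Prisma Access compares names, so comparing in lowercase is the conservative choice.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Names Prisma Access uses for its own internal zones (from the page).
RESERVED_ZONE_NAMES = frozenset({"trust", "untrust", "inter-fw"})


@dataclass
class ZonePlan:
    """Result of the check: the trust/untrust mapping plus anything to fix first."""
    mapping: dict[str, str] = field(default_factory=dict)  # zone -> "trust" | "untrust"
    errors: list[str] = field(default_factory=list)


def plan_zone_mappings(
    zones: list[str],
    remote_networks: list[str],
    trust_zones: set[str],
    clientless_vpn_zone: str | None = None,
) -> ZonePlan:
    """Compute the mapping for zones about to be pushed to Prisma Access and
    reject zone names the page lists as reserved.

    clientless_vpn_zone is whatever name you gave the Clientless VPN zone
    (assumption: the page does not fix its name); it is always mapped to trust.
    """
    plan = ZonePlan()
    # Assumption: compare case-insensitively so "Trust" or "INTER-FW" is still
    # flagged; the page does not state how Prisma Access compares names.
    remote_lc = {n.lower() for n in remote_networks}
    seen: set[str] = set()
    for zone in zones:
        key = zone.lower()
        if key in seen:
            plan.errors.append(f"{zone}: duplicate zone name")
            continue
        seen.add(key)
        if key in RESERVED_ZONE_NAMES:
            plan.errors.append(f"{zone}: reserved internal zone name")
            continue
        if key in remote_lc:
            plan.errors.append(
                f"{zone}: collides with a remote network name (used as source zone in logs)"
            )
            continue
        if clientless_vpn_zone is not None and zone == clientless_vpn_zone:
            plan.mapping[zone] = "trust"  # fixed by Prisma Access, cannot be changed
        elif zone in trust_zones:
            plan.mapping[zone] = "trust"
        else:
            plan.mapping[zone] = "untrust"  # default for every pushed zone
    # A trust entry that is not among the pushed zones is almost certainly a
    # typo: the real zone would silently stay at the untrust default.
    for name in sorted(trust_zones - set(zones)):
        plan.errors.append(f"{name}: listed as trust but not among the zones being pushed")
    return plan


if __name__ == "__main__":
    # Constructed sample input mirroring the page's example, plus two mistakes.
    plan = plan_zone_mappings(
        zones=["sanctioned-saas", "eng-tools", "dc-apps", "inter-fw", "branch-nyc", "cvpn"],
        remote_networks=["branch-nyc"],
        trust_zones={"eng-tools", "dc-apps", "typo-zone"},
        clientless_vpn_zone="cvpn",
    )
    print(json.dumps({"mapping": plan.mapping, "errors": plan.errors}, indent=2))
```

Run it before pushing a configuration: an empty `errors` list means every name is usable and the printed mapping is what Prisma Access will apply, with anything you forgot to mark as trust visibly listed as untrust.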