Secure Inbound Access to Remote Networks

If your organization hosts internet-accessible applications at a remote network site, providing access to those applications exposes your network to all the threats the open internet poses. Here’s how you can use Prisma Access to secure access to these applications.

Set It Up — Secure Inbound Access

Here’s how to make an application accessible from a remote network site to all internet-connected users (not just Prisma Access users).
  1. If you haven’t already, review the inbound access remote network guidelines.
  2. Gather the application details you’ll need to get started.
    Make a list of the applications to which you want to provide access, and assign a private IP, port number, and protocol combination for each application. If you use the same IP address for multiple applications, the port/protocol combination must be unique for each application; if you use the same port/protocol combination for multiple applications, each IP address must be unique.
  3. Go to Manage > Remote Networks > Inbound Access Remote Networks, and Add Inbound Access Remote Networks.
  4. Choose the Number of Public IPs you want to use for the applications, either five or ten.
    Each public IP allocation takes bandwidth from your Remote Networks license, in addition to the license cost for the remote network. 5 IP addresses take 150 MB from your remote network license allocation, and 10 IP addresses take 300 MB.
  5. Add the Inbound Access Applications for which you want to secure access.
    Add the associated private IP / port number / protocol combination for the application.
  6. Decide how you want to map applications to the public IP addresses.
    By default, Prisma Access assigns the public IP addresses to the applications you specify, and multiple applications can be assigned to a single IP address. If you need to map a single application to a single public IP address, you can Assign Dedicated IP during system configuration. You can configure up to 100 inbound applications for each group of provisioned public IP addresses (either 5 or 10).
  7. Finish setting up the inbound access remote network as you would a regular remote network site.
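Before you enter the application list in the console, it helps to check it against the rules the steps above state: the private IP / port / protocol combination of every application must be unique, a group of public IPs is either 5 or 10 and draws 150 MB or 300 MB from the Remote Networks license, a group carries at most 100 applications, and an application given a dedicated public IP needs one public IP to itself. The following script is an added example that encodes those checks; it is not Prisma Access code, and the InboundApp type, the function names, the TCP/UDP protocol assumption and the sample applications other than www.example.com are constructed for this example.

```python
"""Pre-flight checks for an inbound access application list.

Added example, not Prisma Access code. It encodes the constraints stated in
the setup steps: each application is a private IP / port / protocol
combination and that combination must be unique across the list; a group of
provisioned public IPs is either 5 or 10 and draws 150 MB or 300 MB from the
Remote Networks license; a group carries at most 100 applications; an
application flagged for a dedicated public IP needs one public IP to itself.
The class and function names are this example's own.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Bandwidth each public IP allocation draws from the Remote Networks license
# (values from the setup steps).
LICENSE_MB_PER_GROUP = {5: 150, 10: 300}
MAX_APPS_PER_GROUP = 100
SUPPORTED_PROTOCOLS = ("tcp", "udp")  # assumption: the protocol field is TCP or UDP


@dataclass(frozen=True)
class InboundApp:
    name: str
    private_ip: str
    port: int
    protocol: str
    dedicated_ip: bool = False  # corresponds to "Assign Dedicated IP"


def license_allocation_mb(num_public_ips):
    """License bandwidth consumed by a group of 5 or 10 public IPs."""
    return LICENSE_MB_PER_GROUP[num_public_ips]


def validate_plan(apps, num_public_ips):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    if num_public_ips not in LICENSE_MB_PER_GROUP:
        problems.append(f"number of public IPs must be 5 or 10, got {num_public_ips}")
    if len(apps) > MAX_APPS_PER_GROUP:
        problems.append(f"{len(apps)} applications exceed the limit of {MAX_APPS_PER_GROUP} per group")

    seen = {}  # (ip, port, protocol) -> application name
    for app in apps:
        try:
            ip = ip_address(app.private_ip)
        except ValueError:
            problems.append(f"{app.name}: {app.private_ip!r} is not a valid IP address")
            continue
        if not ip.is_private:
            problems.append(f"{app.name}: {ip} is not a private address")
        if not 1 <= app.port <= 65535:
            problems.append(f"{app.name}: port {app.port} is out of range")
        proto = app.protocol.lower()
        if proto not in SUPPORTED_PROTOCOLS:
            problems.append(f"{app.name}: unsupported protocol {app.protocol!r}")
        # Same IP => port/protocol must differ; same port/protocol => IP must differ.
        # Both rules say the same thing: the full triple must be unique.
        key = (str(ip), app.port, proto)
        if key in seen:
            problems.append(f"{app.name}: same IP, port and protocol as {seen[key]}")
        else:
            seen[key] = app.name

    # Inferred from the mapping rules: a dedicated public IP serves exactly one
    # application, so dedicated applications cannot outnumber the public IPs, and
    # shared applications need at least one public IP left over.
    dedicated = sum(1 for a in apps if a.dedicated_ip)
    shared = len(apps) - dedicated
    if dedicated > num_public_ips:
        problems.append(f"{dedicated} dedicated applications but only {num_public_ips} public IPs")
    elif shared and dedicated == num_public_ips:
        problems.append("all public IPs are dedicated; no IP left for the shared applications")
    return problems


# Constructed sample plan; www.example.com uses the values from the page's example.
SAMPLE_APPS = [
    InboundApp("www.example.com", "10.10.10.2", 443, "tcp"),
    InboundApp("portal", "10.10.10.2", 8443, "tcp"),
    InboundApp("portal-dup", "10.10.10.2", 8443, "TCP"),  # same triple, should be flagged
    InboundApp("staging", "10.10.10.3", 443, "tcp", dedicated_ip=True),
    InboundApp("iot-status", "10.10.10.4", 8883, "tcp"),
]

if __name__ == "__main__":
    for problem in validate_plan(SAMPLE_APPS, 5) or ["plan is consistent"]:
        print(problem)
    print(f"license allocation: {license_allocation_mb(5)} MB")
```

Run against the sample list, the script flags only portal-dup, whose IP, port and protocol match portal once the protocol is compared case-insensitively; the other applications share an IP or a port but never both together with the protocol, which is exactly what the steps allow.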

Guidelines — Secure Inbound Access

Use these guidelines to configure a remote network to use secure inbound access:
  • The following locations are supported:
    • Australia Southeast
    • Belgium
    • Brazil South
    • Canada East
    • Finland
    • Germany Central
    • Hong Kong
    • India West
    • Japan Central
    • Netherlands Central
    • Singapore
    • Switzerland
    • Taiwan
    • UK
    • US Central
    • US East
    • US Northwest
    • US Southeast
    • US Southwest
  • You cannot modify an existing remote network to provide secure inbound access; instead, create a new remote network.
  • The inbound access feature is not available on remote networks that use ECMP load balancing.
  • Application port translation is not supported.
  • Do not use remote network inbound access with .
  • Outbound traffic originating at the branch is not allowed on the inbound remote network.
  • User-ID and application authentication are not supported.
  • Prisma Access enforces the following rate limiting thresholds to provide flood protection, and measures the rate in connections per second (CPS):
    Flood Protection Type | Alarm Rate in CPS | Activate Rate in CPS
                          | 10000             | 15000
                          | 20                | 20
  • Remote networks that are configured for secure inbound access can only be used for that purpose. If you require outbound access as well as inbound access for a remote network site, create two remote network sites in the same location—one for inbound access and one for outbound access—as shown in the following figure. In this example, User 1 uses Remote Network 1 for inbound access to www.example.com, while User 2 uses Remote Network 2 for outbound internet access from the remote network location.

When to Use It — Secure Inbound Access

Prisma Access for remote networks allows outbound access to internet-connected applications. In some cases, your organization might have a requirement to provide inbound access to an application or website at a remote site, and provide secure access to that application for any internet-connected user—not just users who are protected by Prisma Access. For example:
  • You host a public-facing custom application or portal at a remote network site.
  • You have a lab or staging environment for which you want to provide secure access.
  • You need to provide access to an application or website to users who are not members of an organizational domain.
  • You have IoT devices that require access to an internal asset management, tracking, or status application.
To do this, create a remote network that allows secure inbound access. If you require outbound access as well as inbound access for a remote network site, you’ll need to create two remote network sites in the same location—one for inbound access and one for outbound access.
While this solution can provide access for up to 50,000 concurrent inbound sessions per remote network, Palo Alto Networks does not recommend using this solution to provide access to a high-volume application or website.

Examples — Secure Inbound Access

Here are inbound access examples, along with the IP addresses that Prisma Access assigns in various deployments.
The following example shows a sample configuration to enable inbound access for an application (www.example.com) at a remote network site. You assign an IP address of 10.10.10.2, a port of 443, and a protocol of TCP to the application. You then enter these values in Prisma Access when you configure inbound access. After you save and commit your changes, Prisma Access assigns a public IP address to the application you defined, in this case 52.1.1.1.
Prisma Access performs source network address translation (source NAT) on the packets by default. If the IPSec-capable device at your remote network site is capable of performing symmetric return (such as a Palo Alto Networks next-generation firewall), you can disable source NAT.
The following figure shows the traffic flow from users to applications. Since source NAT is enabled, the source IP address in the routing table changes from the IP of the user’s device (34.1.1.1) to the remote network’s EBGP routing address (172.1.1.1).
The following figure shows the return path of traffic with source NAT enabled.
If you disable source NAT, Prisma Access still performs destination NAT, but the source IP address of the request is unchanged.
For return traffic with SNAT disabled, the destination address in all routing tables is the user’s IP address (34.1.1.1).
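The two flows described in this section differ only in what the application at the remote site sees as the source of the request, and therefore in where its reply is routed. The following model is an added example, not Prisma Access code: it applies destination NAT on the way in, source NAT only when enabled, keeps a session table so the reply can be mapped back to the user, and leaves ports untouched because port translation is not supported. The addresses are the page's sample values (34.1.1.1, 52.1.1.1, 10.10.10.2:443, 172.1.1.1); the Packet and InboundAccessNat types, the field names and the client port 50000 are this example's own.

```python
"""Model of the inbound access traffic flow described on the page.

Added example, not Prisma Access code. Addresses are the page's sample values:
user 34.1.1.1, public IP 52.1.1.1 published for www.example.com, private
application 10.10.10.2 port 443, remote network EBGP routing address 172.1.1.1.
The Packet and InboundAccessNat types, the field names and the client port
50000 are this example's own.
"""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class InboundAccessNat:
    public_ip: str
    private_ip: str
    port: int              # no port translation: public and private ports are the same
    ebgp_address: str      # remote network's EBGP routing address
    source_nat: bool = True
    # session table: translated (app_ip, app_port, client_ip, client_port) -> original request
    sessions: dict = field(default_factory=dict)

    def forward(self, pkt):
        """User -> application. Destination NAT always; source NAT unless disabled."""
        if (pkt.dst_ip, pkt.dst_port) != (self.public_ip, self.port):
            raise ValueError("packet is not addressed to the published application")
        out = replace(pkt, dst_ip=self.private_ip)
        if self.source_nat:
            # The application sees 172.1.1.1, so its reply is routed back to Prisma
            # Access regardless of how the branch routes internet traffic.
            out = replace(out, src_ip=self.ebgp_address)
        self.sessions[(out.dst_ip, out.dst_port, out.src_ip, out.src_port)] = pkt
        return out

    @staticmethod
    def reply_from_application(request):
        """The application's answer swaps the tuple of the request it received."""
        return Packet(request.dst_ip, request.dst_port, request.src_ip, request.src_port)

    def reverse(self, reply):
        """Application -> user, assuming the reply reached Prisma Access.

        With source NAT disabled the reply is addressed to the user's IP (34.1.1.1),
        so the branch device must return it through the tunnel (symmetric return);
        if it sends it out its own internet link, this step never happens and the
        session breaks.
        """
        key = (reply.src_ip, reply.src_port, reply.dst_ip, reply.dst_port)
        original = self.sessions[key]
        return Packet(original.dst_ip, original.dst_port, original.src_ip, original.src_port)


def trace_flow(source_nat):
    """Run one request/reply through the model and return each stage."""
    nat = InboundAccessNat("52.1.1.1", "10.10.10.2", 443, "172.1.1.1", source_nat)
    request = Packet("34.1.1.1", 50000, "52.1.1.1", 443)
    to_app = nat.forward(request)
    reply = nat.reply_from_application(to_app)
    to_user = nat.reverse(reply)
    return {"request": request, "to_app": to_app, "reply": reply, "to_user": to_user}


if __name__ == "__main__":
    for snat in (True, False):
        print(f"source NAT {'enabled' if snat else 'disabled'}:")
        for stage, pkt in trace_flow(snat).items():
            print(f"  {stage:8} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
```

With source NAT enabled the reply is addressed to 172.1.1.1 and can only go back over the tunnel; with it disabled the reply is addressed to 34.1.1.1, which is why the page requires an IPSec device capable of symmetric return before you turn source NAT off. In both cases the packet the user finally receives comes from 52.1.1.1:443.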
