Provide Secure Inbound Access to Remote Network Locations

Allow internet-connected users access to applications hosted at remote network sites.
If your organization hosts internet-accessible applications at a remote network site, providing access to those applications exposes your network to all the threats posed by an open internet. This section describes how Prisma Access can provide secure access to those applications, when you should implement it, and how to configure it.

Secure Inbound Access for Remote Network Sites

Prisma Access for remote networks allows outbound access to internet-connected applications. In some cases, your organization might have a requirement to provide inbound access to an application or website at a remote site, and provide secure access to that application for any internet-connected user—not just users who are protected by Prisma Access. For example:
  • You host a public-facing custom application or portal at a remote network site.
  • You have a lab or staging environment for which you want to provide secure access.
  • You have a need to provide access to an application or website to users who are not members of an organizational domain.
  • You have IoT devices that require access to an internal asset management, tracking, or status application.
To do this, create a remote network that allows secure inbound access. If you require outbound access as well as inbound access for a remote network site, create two remote network sites in the same location—one for inbound access and one for outbound access.
While this solution can provide access for up to 50,000 concurrent inbound sessions per remote network, Palo Alto Networks does not recommend using this solution to provide access to a high-volume application or website.
To make internet-accessible applications available from a remote network site, you first make a list of the applications to which you want to provide access, and assign a private IP, port number, and protocol combination for each application. If you use the same IP address for multiple applications, the port/protocol combination must be unique for each application; if you use the same port/protocol combination for multiple applications, each IP address must be unique.
To begin configuration, you choose how many public IP addresses you want to associate with the applications. You can specify either 5 or 10 public IP addresses per remote network site. Each public IP allocation takes bandwidth from your Remote Networks license, in addition to the license cost for the remote network: 5 IP addresses take 150 MB from your remote network license allocation, and 10 IP addresses take 300 MB. The following table provides examples of bandwidth cost.
Use the following examples as a guide; you can use any remote network bandwidth to implement secure inbound access.
Number of IP Addresses                                           | Remote Network Bandwidth | Bandwidth Allocation from Remote Network Bandwidth Pool
5 IP addresses (cost 150 MB from Remote Network bandwidth pool)  | 150 MB                   | 300 MB (150 MB for 5 inbound access IP addresses + 150 MB remote network bandwidth)
10 IP addresses (cost 300 MB from Remote Network bandwidth pool) | 150 MB                   | 450 MB (300 MB for 10 inbound access IP addresses + 150 MB remote network bandwidth)
5 IP addresses (cost 150 MB from Remote Network bandwidth pool)  | 300 MB                   | 450 MB (150 MB for 5 inbound access IP addresses + 300 MB remote network bandwidth)
10 IP addresses (cost 300 MB from Remote Network bandwidth pool) | 300 MB                   | 600 MB (300 MB for 10 inbound access IP addresses + 300 MB remote network bandwidth)
After you choose the number of public IP addresses, you then enter each application, along with its associated private IP/port number/protocol combination, for which you want secure inbound access.
You can decide how you want to map your applications to the public IP addresses. By default, Prisma Access assigns the public IP addresses to the applications you specify, and multiple applications can be assigned to a single IP address. If you need to map a single application to a single public IP address, you can select Dedicated IP during system configuration. You can configure up to 100 inbound applications for each group of provisioned public IP addresses (either 5 or 10).
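The planning rules in this section (5 or 10 public IPs, 150 MB or 300 MB of license bandwidth on top of the remote network's own bandwidth, at most 100 applications per group, a unique private IP/protocol/port combination per application, and Dedicated IP mapping one application to one public IP) can be checked before anything is entered in Panorama. The following Python script is an added example written for this page, not Palo Alto Networks code; the InboundApp record, the function names and the sample applications are constructed, and the Dedicated IP capacity check is inferred from this section's description of the mapping rather than a documented limit.

```python
"""Pre-flight checks for a Prisma Access secure inbound access plan (added example)."""
from dataclasses import dataclass
import ipaddress

# License cost per public IP group and the per-group application limit, as stated on the page.
PUBLIC_IP_COST_MB = {5: 150, 10: 300}
MAX_APPS_PER_GROUP = 100


@dataclass(frozen=True)
class InboundApp:
    """One application entry; field names are constructed for this example."""
    name: str
    private_ip: str
    protocol: str          # "TCP" or "UDP"
    port: int
    dedicated_ip: bool = False

    def key(self):
        # The combination Prisma Access requires to be unique per application.
        return (ipaddress.ip_address(self.private_ip), self.protocol.upper(), self.port)


def validate_apps(apps, public_ips):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    if public_ips not in PUBLIC_IP_COST_MB:
        problems.append(f"public IP count must be 5 or 10, got {public_ips}")
    if len(apps) > MAX_APPS_PER_GROUP:
        problems.append(f"{len(apps)} applications exceeds the limit of {MAX_APPS_PER_GROUP} per group")

    seen = {}
    for app in apps:
        if app.protocol.upper() not in ("TCP", "UDP"):
            problems.append(f"{app.name}: protocol must be TCP or UDP")
            continue
        if not 1 <= app.port <= 65535:
            problems.append(f"{app.name}: port {app.port} is out of range")
            continue
        try:
            k = app.key()
        except ValueError:
            problems.append(f"{app.name}: invalid private IP {app.private_ip!r}")
            continue
        # Same IP with a different port/protocol, or same port/protocol with a different IP, is fine;
        # the full tuple must differ. TCP and UDP on the same IP and port count as different.
        if k in seen:
            problems.append(f"{app.name}: duplicates private IP/protocol/port of {seen[k]}")
        seen[k] = app.name

    # Inferred from the page's description: a Dedicated IP application consumes one public IP
    # by itself, and any shared applications still need at least one public IP left over.
    dedicated = sum(1 for a in apps if a.dedicated_ip)
    shared = len(apps) - dedicated
    if public_ips in PUBLIC_IP_COST_MB:
        if dedicated > public_ips:
            problems.append(f"{dedicated} Dedicated IP applications need more than {public_ips} public IPs")
        elif shared and dedicated == public_ips:
            problems.append(f"all {public_ips} public IPs are Dedicated IP; {shared} shared applications have no public IP")
    return problems


def license_allocation_mb(public_ips, remote_network_bandwidth_mb):
    """Total Remote Networks license bandwidth the inbound site consumes."""
    return PUBLIC_IP_COST_MB[public_ips] + remote_network_bandwidth_mb


if __name__ == "__main__":
    # Constructed sample plan: the page's www.example.com entry plus a UDP service on the same IP/port.
    plan = [
        InboundApp("www.example.com", "10.10.10.2", "TCP", 443),
        InboundApp("udp-service", "10.10.10.2", "UDP", 443),
    ]
    print(validate_apps(plan, 5), license_allocation_mb(5, 150))
```

Run it against the real application list before onboarding; a non-empty result points at the entry Panorama would reject or at a plan that silently leaves shared applications without a public IP.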

Secure Inbound Access Examples

This section provides inbound access examples, along with the IP addresses that Prisma Access assigns in various deployments.
The following example shows a sample configuration to enable inbound access for an application (www.example.com) at a remote network site. You assign an IP address of 10.10.10.2, a port of 443, and a protocol of TCP to the application. You then enter these values in Prisma Access when you configure inbound access. After you save and commit your changes, Prisma Access assigns a public IP address to the application you defined, in this case 52.1.1.1.
Prisma Access performs source network address translation (source NAT) on the packets by default. If the IPSec-capable device at your remote network site is capable of performing symmetric return (such as a Palo Alto Networks next-generation firewall), you can disable source NAT.
The following figure shows the traffic flow from users to applications. Since source NAT is enabled, the source IP address in the routing table changes from the IP of the user’s device (34.1.1.1) to the remote network’s EBGP Router address (172.1.1.1), which is shown under Panorama > Cloud Services > Status > Network Details > Remote Networks > EBGP Router.
inbound-access-traffic-flow-from-users-to-applications.png
The following figure shows the return path of traffic with source NAT enabled.
inbound-access-traffic-flow-from-applications-to-users.png
If you disable source NAT, Prisma Access still performs destination NAT, but the source IP address of the request is unchanged.
inbound-access-traffic-flow-from-users-to-applications-snat-disabled.png
For return traffic, SNAT is disabled, and the destination address in all routing tables is the user’s IP address (34.1.1.1).
inbound-access-traffic-flow-from-applications-to-users-snat-disabled.png
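To make the source NAT behaviour concrete, the following Python model, an added example that is not Prisma Access code, walks one request from the user through destination NAT, the application's reply and the branch device's routing decision, using the page's sample addresses (user 34.1.1.1, public IP 52.1.1.1, application 10.10.10.2:443 and the EBGP Router address 172.1.1.1). The InboundNat class, its session table and the branch_next_hop routing rule are constructed for the example; the routing rule encodes why a branch device capable of symmetric return is required before source NAT is disabled: a reply addressed to the public user IP follows the branch's default route unless the device pins it to the tunnel the request arrived on, whereas a reply addressed to the EBGP Router address can only go back up the tunnel.

```python
"""Model of the inbound access traffic flow with source NAT on or off (added example)."""
from dataclasses import dataclass, replace

# Sample addresses from the page's worked example.
USER_IP = "34.1.1.1"
PUBLIC_IP = "52.1.1.1"
APP_PRIVATE_IP = "10.10.10.2"
APP_PORT = 443
EBGP_ROUTER_IP = "172.1.1.1"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


class InboundNat:
    """Stateful model of the translation Prisma Access applies at the inbound remote
    network: destination NAT always, source NAT only when enabled (constructed class)."""

    def __init__(self, snat_enabled=True):
        self.snat_enabled = snat_enabled
        self.sessions = {}  # translated 4-tuple -> original user (ip, port)

    def to_application(self, pkt):
        """User -> application direction. Returns None when no inbound application matches."""
        if (pkt.dst_ip, pkt.dst_port, pkt.proto) != (PUBLIC_IP, APP_PORT, "TCP"):
            return None
        out = replace(pkt, dst_ip=APP_PRIVATE_IP)        # destination NAT: public IP -> private IP
        if self.snat_enabled:
            out = replace(out, src_ip=EBGP_ROUTER_IP)    # source NAT: user IP -> EBGP Router address
        self.sessions[(out.src_ip, out.src_port, out.dst_ip, out.dst_port)] = (pkt.src_ip, pkt.src_port)
        return out

    def to_user(self, reply):
        """Application -> user direction: undo both translations from session state."""
        key = (reply.dst_ip, reply.dst_port, reply.src_ip, reply.src_port)
        orig = self.sessions.get(key)
        if orig is None:
            return None                                   # no matching session: dropped
        return Packet(PUBLIC_IP, reply.src_port, orig[0], orig[1], reply.proto)


def application_reply(fwd):
    """The application answers whatever source address the translated request carried."""
    return Packet(fwd.dst_ip, fwd.dst_port, fwd.src_ip, fwd.src_port, fwd.proto)


def branch_next_hop(reply, symmetric_return):
    """Where the branch IPSec device sends the reply. The EBGP Router address is on the
    tunnel side, so replies to it always return over the tunnel; replies to a public user
    address follow the device's default route unless it performs symmetric return."""
    if reply.dst_ip == EBGP_ROUTER_IP or symmetric_return:
        return "tunnel"
    return "local-internet"   # asymmetric: Prisma Access never sees the reply


def simulate(snat_enabled, symmetric_return):
    """Run one request end to end and report what each hop sees."""
    nat = InboundNat(snat_enabled)
    request = Packet(USER_IP, 51000, PUBLIC_IP, APP_PORT)   # constructed ephemeral source port
    fwd = nat.to_application(request)
    reply = application_reply(fwd)
    hop = branch_next_hop(reply, symmetric_return)
    delivered = nat.to_user(reply) if hop == "tunnel" else None
    return {
        "app_sees_source": fwd.src_ip,
        "reply_destination": reply.dst_ip,
        "return_path": hop,
        "user_receives_from": delivered.src_ip if delivered else None,
    }


if __name__ == "__main__":
    for snat, sym in ((True, False), (False, False), (False, True)):
        print(f"snat={snat} symmetric_return={sym}:", simulate(snat, sym))
```

The second case (source NAT off, no symmetric return) is the failure mode to watch for: the application sees the real user address, but its reply never comes back through Prisma Access, so the session breaks even though the inbound direction looked healthy.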

Guidelines for Using Secure Inbound Access

Use the following guidelines and restrictions when you configure a remote network to use secure inbound access:
  • The following locations are supported:
    • Australia Southeast
    • Belgium
    • Brazil South
    • Canada East
    • Finland
    • Germany Central
    • Hong Kong
    • India West
    • Japan Central
    • Netherlands Central
    • Singapore
    • Switzerland
    • Taiwan
    • UK
    • US Central
    • US East
    • US Northwest
    • US Southeast
    • US Southwest
  • You cannot modify an existing remote network to provide secure inbound access; instead, create a new remote network.
  • The inbound access feature is not available on remote networks that use ECMP load balancing.
  • Application port translation is not supported.
  • The bulk import feature to onboard remote networks does not support inbound access. Use Panorama to onboard new inbound access remote networks.
  • Do not use remote network inbound access with traffic forwarding rules with service connections.
  • Outbound traffic originating at the branch is not allowed on the inbound remote network.
  • User-ID and application authentication are not supported.
  • Prisma Access enforces the following rate limiting thresholds to provide flood protection, and measures the rate in connections per second (CPS):
    Flood Protection Type
    Alarm Rate in CPS
    Activate Rate in CPS
    10000
    15000
    20
    20
  • Remote networks that are configured for secure inbound access can only be used for that purpose. If you require outbound access as well as inbound access for a remote network site, create two remote network sites in the same location—one for inbound access and one for outbound access—as shown in the following figure. In this example, User 1 uses Remote Network 1 for inbound access to www.example.com, while User 2 uses Remote Network 2 for outbound internet access from the remote network location.
    inbound-access-two-remote-networks.png
  • If you have a custom Prisma Access deployment where one of the cloud providers is excluded, inbound access might not be supported because you cannot choose the locations during remote network onboarding.
  • Secure inbound access is not supported with evaluation licenses.

Configure Secure Inbound Access for Remote Network Sites

To create a remote network site that allows secure inbound access, complete the following steps.
  1. Select Panorama > Cloud Services > Configuration > Remote Networks and Add a connection.
    Any bandwidth is supported for secure inbound access.
  2. Select Inbound Access and Enable secure inbound access.
    inbound-access-enable.png
    If Palo Alto Networks has created a custom Prisma Access deployment for your organization where one of the cloud providers is excluded, inbound access features may not be configurable due to non-availability of the supported locations; in this case, no locations display in the Location area, as shown in the following screenshot.
    inbound-access-bad-config.png
  3. When prompted, click Close and select, or re-select, a supported location.
    Prisma Access prompts you with a verification window when you enable secure inbound access, to make sure that you select a supported location.
    inbound-access-reselect-the-location.png
  4. (Optional) To disable source NAT, deselect Enable Source NAT.
    By default, source NAT is enabled. If the IPSec-capable device at your remote network site is capable of performing symmetric return (such as a Palo Alto Networks next-generation firewall), deselect Enable Source NAT.
  5. Select the Number of Public IPs that you want to allocate for secure inbound access (5 or 10).
    The IP addresses you use for secure inbound access take bandwidth from your remote network license. 5 public IP addresses use 150 MB from your remote networks license; 10 public IP addresses use 300 MB from your remote network license.
  6. Add the applications to provide secure inbound access.
    You can configure up to 100 inbound applications for each group of provisioned public IP addresses (either 5 or 10). Enter a unique Private IP address, Protocol, and Port combination for each application. It is acceptable to use duplicate private IP addresses and ports for two applications, as long as you select TCP for one application and UDP for the other.
    Provide the following values:
    • Specify the name of the Application.
    • Specify the Private IP address to use with this application.
    • Specify the Protocol to use with the application (TCP or UDP).
    • Specify the Port to use with the application.
    • Choose whether you want to dedicate a single public IP address to a single application; to do so, select Dedicated IP.
    inbound-access-add-an-application.png
  7. Click OK to save your changes.
  8. (Optional) If you selected an unsupported location, a window prompts you to select a supported location. If required, select a supported location, then click OK.
  9. Save and Commit your changes.
  10. Wait approximately 30 minutes for Prisma Access to generate the public IP addresses; then select Panorama > Cloud Services > Status > Network Details > Remote Networks and make a note of the Public Address that is associated with the App Name for the application you created.
    If you selected Dedicated IP, find the single application that is associated with the Public Address.
    inbound-access-public-ip-addresses.png
  11. Create security policies to allow traffic from the inbound internet users.
    Because Prisma Access’ default security policy only allows untrust-to-untrust traffic, you need to configure security policies to allow untrust-to-trust (external-to-internal) traffic for your inbound access applications. Palo Alto Networks recommends that you limit the type of access you permit to inbound applications. The following examples provide access to SSH servers, web portals, and RDP servers.
    1. Select Policies > Security and Add a policy.
      Be sure to create this policy under the Remote_Network_Device_Group device group.
    2. Select the Source traffic as external.
      inbound-access-security-policy-external.png
    3. Create a policy to allow SSH server traffic by selecting the Destination Zone for destination traffic as Internal and specifying a Destination Address of SSH-server-public.
      inbound-access-security-policy-internal-ssh-traffic.png
    4. Select an Application of ssh.
      inbound-access-security-policy-application-ssh-traffic.png
    5. Select a Service/URL Category of application-default to allow or deny applications based only on their default ports as defined by Palo Alto Networks.
    6. In Actions, select Allow.
    7. Click OK to save the policy.
    8. Create a policy to allow web portal access by repeating the previous steps but substituting the following settings in the Destination and Application tabs:
      • Select a Destination Address of Web-Portal-Public.
        inbound-access-security-policy-internal-web-portal-public.png
      • Select an Application of web-browsing.
        inbound-access-security-policy-application-web-browsing.png
    9. Create a security policy for RDP server access, using the same settings as you did for the other policies but substituting RDP-Server-Public as the Destination Address and webrdp as the Application.
      When complete, you have three different policies to allow SSH server access, web portal access, and RDP server access.
      inbound-access-security-policy-complete.png
  12. Save and Commit your changes.
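The three policies in step 11 share one shape: a source zone, a destination zone, one destination address object, one application, the application-default service, and an allow action. The following Python model, an added example that is not PAN-OS code, shows how a rulebase of that shape is evaluated and why the Service setting of application-default matters. The Rule and Session records, the rule names and the APP_DEFAULT_PORTS table are constructed for the example; the ports in that table are assumptions standing in for the App-ID definitions Palo Alto Networks maintains, while the zone names, address objects and application names are the ones the steps use. A session that no rule matches is denied, which is the position external-to-Internal traffic starts from before these policies exist.

```python
"""First-match evaluation of the inbound access security policies (added example)."""
from dataclasses import dataclass

# Assumed App-ID default ports for this example only (constructed; PAN-OS applies the
# App-ID definitions maintained by Palo Alto Networks, not this table).
APP_DEFAULT_PORTS = {
    "ssh": {("tcp", 22)},
    "web-browsing": {("tcp", 80)},
    "webrdp": {("tcp", 3389)},   # placeholder assumption
}


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    destination: str     # address object name, or "any"
    application: str     # App-ID name, or "any"
    service: str         # "application-default" or "any"
    action: str          # "allow" or "deny"


@dataclass(frozen=True)
class Session:
    from_zone: str
    to_zone: str
    destination: str     # address object the destination IP resolves to
    application: str     # App-ID the firewall identified on the session
    proto: str
    port: int


def rule_matches(rule, s):
    """True when every criterion of the rule matches the session."""
    if (rule.from_zone, rule.to_zone) != (s.from_zone, s.to_zone):
        return False
    if rule.destination not in ("any", s.destination):
        return False
    if rule.application not in ("any", s.application):
        return False
    if rule.service == "application-default":
        # The application is allowed only on the ports its App-ID defines; the same
        # application on any other port falls through this rule.
        return (s.proto, s.port) in APP_DEFAULT_PORTS.get(s.application, set())
    return True


def evaluate(rulebase, s):
    """First-match evaluation. Returns (action, rule name); a session no rule
    matches is denied, with None as the rule name."""
    for rule in rulebase:
        if rule_matches(rule, s):
            return rule.action, rule.name
    return "deny", None


# The three policies built in step 11, as placed in the Remote_Network_Device_Group.
INBOUND_RULES = [
    Rule("allow-ssh", "external", "Internal", "SSH-server-public", "ssh", "application-default", "allow"),
    Rule("allow-web-portal", "external", "Internal", "Web-Portal-Public", "web-browsing", "application-default", "allow"),
    Rule("allow-rdp", "external", "Internal", "RDP-Server-Public", "webrdp", "application-default", "allow"),
]


if __name__ == "__main__":
    # Constructed sessions: the intended access and two that the rules should not permit.
    for sess in (
        Session("external", "Internal", "SSH-server-public", "ssh", "tcp", 22),
        Session("external", "Internal", "Web-Portal-Public", "ssh", "tcp", 22),
        Session("external", "Internal", "Web-Portal-Public", "web-browsing", "tcp", 8080),
    ):
        print(sess.application, sess.destination, sess.port, "->", evaluate(INBOUND_RULES, sess))
```

The second and third sessions show the value of binding each rule to one address object and to application-default: ssh aimed at the web portal, and web-browsing on a non-default port, both miss every rule and are denied rather than riding on a broader allow.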
  13. Check that the remote network connection is operational and correctly processing inbound traffic.
    1. Select Panorama > Cloud Services > Status > Status > Remote Networks and hover over the Status and Config Status areas to see the tunnel’s status.
      verify_service_status.png
    2. If you find issues, select Panorama > Cloud Services > Status > Monitor > Remote Networks, select the location of the remote network tunnel in the map, and hover over the Tunnel Status area to determine the cause of the error.
      inbound-access-monitor-tunnel.png
