ZTNA-C on NGFW supports private applications across multiple network interfaces and
segments through dynamic path monitoring and routing configuration.
The ZTNA-C on NGFW multiple interface support feature extends Palo Alto
Networks' Zero Trust Network Access Connector capabilities to enable seamless
connectivity to private applications distributed across multiple network segments
behind your NGFW deployment. This enhancement addresses a critical limitation in the
current ZTNA-Connector implementation, which restricts access to applications behind
only a single network interface or segment.
When you deploy NGFWs in your environment, whether on-premises or in cloud
infrastructures, you typically organize your private applications across distinct
network segments based on security requirements, data sensitivity, and operational
needs. Your staging environments, production systems, internal tools,
external-facing services, and databases often reside on separate network segments
that route through your NGFW for enhanced security and threat protection. The
enhanced ZTNA-C functionality recognizes this common deployment pattern and enables
you to provide secure remote access to applications regardless of which network
interface or virtual router they connect through.
With this feature, the NGFW automatically discovers and enables access to private
applications across multiple physical interfaces, sub-interfaces, VLANs, and virtual
routers. The NGFW uses path monitoring to identify the optimal network interface for
reaching each application and dynamically creates the routing and NAT configuration
that interface requires. When you configure applications for ZTNA access, the NGFW
determines the appropriate egress interface, installs static routes for the ZTNA-C
application subnet, and redistributes those routes to Prisma Access through BGP.
This capability is helpful when you need to maintain strict network segmentation
while providing unified remote access through Prisma Access. Rather than deploying a
separate ZTNA connector for each network segment, you can use a single NGFW-based
connector to serve applications across your entire infrastructure. The feature
supports both dynamic and static interface configurations, accommodating various
network architectures and providing the flexibility you need for complex enterprise
deployments.
The path monitoring functionality continuously validates application
reachability and automatically adjusts routing configurations when network
conditions change. If an application becomes unreachable through its current
interface or if the optimal path changes, the system updates the configuration
accordingly, ensuring consistent connectivity for your remote users. This dynamic
adaptation reduces administrative overhead while maintaining the high availability
your users expect from critical business applications.
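As an added illustration (not Palo Alto Networks code, and not a description of PAN-OS internals), the following Python models the path-monitoring loop described above: per-application probes across candidate interfaces, selection of an egress interface, and the route changes to install and redistribute, including withdrawal of the route when the application becomes unreachable through every interface. The lowest-latency selection rule, the flap damping, the interface names and the probe values are all assumptions.

```python
# Added illustration (not Palo Alto Networks code). The selection rule, damping
# and data shapes are assumptions; interface names and latencies are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class AppPath:
    subnet: str                    # ZTNA-C application subnet behind the NGFW
    iface: Optional[str] = None    # current egress interface; None = route withdrawn
    better_seen: int = 0           # consecutive rounds in which another interface won

def choose_egress(probes: dict[str, Optional[float]]) -> Optional[str]:
    """Lowest-latency interface whose probe succeeded (None = probe failed)."""
    alive = {i: ms for i, ms in probes.items() if ms is not None}
    return min(alive, key=alive.get) if alive else None

def update_path(state: AppPath, probes: dict[str, Optional[float]], damping: int = 3) -> list[str]:
    """One monitoring round -> route changes: 'set <subnet> via <iface>' or 'withdraw <subnet>'."""
    best = choose_egress(probes)
    current_alive = state.iface is not None and probes.get(state.iface) is not None
    changes: list[str] = []
    if best is None:                        # unreachable everywhere: never advertise a dead route
        if state.iface is not None:
            changes.append(f"withdraw {state.subnet}")
            state.iface = None
        state.better_seen = 0
    elif not current_alive:                 # no path yet, or the current one failed: switch now
        changes.append(f"set {state.subnet} via {best}")
        state.iface, state.better_seen = best, 0
    elif best != state.iface:               # current path still works: damp before moving
        state.better_seen += 1
        if state.better_seen >= damping:
            changes.append(f"set {state.subnet} via {best}")
            state.iface, state.better_seen = best, 0
    else:
        state.better_seen = 0
    return changes

def simulate(rounds: list[dict[str, Optional[float]]], subnet: str = "10.20.0.0/24") -> list[list[str]]:
    """Run constructed probe rounds for one application subnet; collect route changes."""
    state = AppPath(subnet)
    return [update_path(state, r) for r in rounds]

if __name__ == "__main__":
    rounds = [  # constructed probe latencies in ms; None means the probe failed
        {"ethernet1/2": 4.0, "ethernet1/3.100": 9.0},
        {"ethernet1/2": 4.5, "ethernet1/3.100": 8.0},
        {"ethernet1/2": None, "ethernet1/3.100": 8.5},   # primary interface down
        {"ethernet1/2": None, "ethernet1/3.100": None},  # application unreachable everywhere
    ]
    for n, change in enumerate(simulate(rounds), 1):
        print(f"round {n}: {change or 'no change'}")
```

The withdrawal in the last round is the defender-relevant detail: a route that is still redistributed to Prisma Access after the application has gone dark sends user traffic into a black hole instead of failing visibly.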