>
    Strata Copilot
    ZTNA Connector Application Discovery, User-ID Across NAT, and Support for Connector IP Block Deletion
    Focus
    Download PDF
    Focus
    1. Home
    2. What's New in the NetSec Platform
    3. What's New in the NetSec Platform
    4. June 2024
    5. ZTNA Connector Application Discovery, User-ID Across NAT, and Support for Connector IP Block Deletion
    Download PDF
    What's New in the NetSec Platform

    ZTNA Connector Application Discovery, User-ID Across NAT, and Support for Connector IP Block Deletion

    Table of Contents

    ZTNA Connector Application Discovery, User-ID Across NAT, and Support for Connector IP Block Deletion

    Learn about the ZTNA Connector enhancements that are supported in Prisma Access 5.1.1
    ZTNA Connector provides the following new functionalities with this release:
    • Application Discovery—Your enterprise network can have many applications hosted in its cloud or data center environment. In many cases, the network security teams are unaware of all the applications that are hosted in the network. As a result, when you deploy a ZTNA Connector and start to add application targets in connector groups, it can be difficult to determine which applications you need to add.
      Private application target discovery simplifies application hosting and discovery of applications that are hosted in AWS.
      The private application target discovery service:
      • Finds the Prisma Access tenant you have deployed and allows you to onboard that tenant to start the app discovery process, or lets you remove an existing tenant to remove apps that are discovered.
      • Retrieves application relevant information from one or more cloud providers accounts using Assumed Role and Work Load Identity (WLI).
      • Allows you to view the application discovery results.
      • Provides a way for other modules to query for the discovered applications.
    • User-ID Across NAT—Mobile users access private apps using a ZTNA Connector. If your deployment uses a Next-Generation Firewall (NGFW) in the data center or headquarters location where the private apps are located, and ZTNA Connector has source NAT enabled, the NGFW can't retrieve the User-ID and Device-ID mapping. Source NAT on the service connection or ZTNA Connector prevents the mobile users' User-ID and Device-ID mapping to be distributed to the NGFW. If the NGFW can't retrieve this mapping, it can't enforce zone-based Security policy rules you have created on it based on User-ID or Device-ID mapping.
      User-ID Across NAT lets your network distribute the User- or Device-ID mapping from mobile users to the NGFW, thus allowing the NGFW to enforce Security policy rules based on the User-ID mapping it has learned from the service connection or ZTNA Connector. This configuration ensures a consistent security posture across your mobile user deployment.
    • IP Connector Block Deletion—To allow you more flexibility after configuring Connector IP Blocks, you can now delete and update the Connector IP Blocks. You can delete the Connector IP Blocks only after you delete all the ZTNA objects such as connectors, applications, wildcards, and connector-groups on the tenant.

    © 2025 Palo Alto Networks, Inc. All rights reserved.