Prisma Access Service Connections
Learn how service connections work in a Prisma Access
deployment.
A service connection, also known as a Corporate Access Node (CAN), gives mobile users and users
at remote networks access to private apps and resources, and lets your mobile users and
remote networks communicate with each other.
In addition to Service Connections, Palo Alto Networks provides you with other services
you can use to access private apps:
- ZTNA Connector—The Zero Trust Network Access (ZTNA) Connector lets you connect Prisma Access to your organization's private apps simply and securely. ZTNA Connector provides mobile users and users at branch locations access to your private apps using an automated secure tunnel. You can also automatically discover private apps for ZTNA to protect using the Cloud Identity Engine.
- Prisma Access—Colo-Connect allows you to use Prisma Access to secure private apps using a cloud interconnect that can provide high-bandwidth service connections.
Palo Alto Networks recommends always creating a service connection in your Prisma Access
deployment. All service connections have these characteristics:
- A service connection allows access to the resources in your HQ or data center. For example, if your security policy requires user authentication using an on-premises authentication service, such as your Active Directory, you will need to enable Prisma Access to access the corporate location where the service resides (and set up a service account that the service can use to access it). Similarly, if you have corporate resources that your remote networks and mobile users will need to access, you must enable Prisma Access to access the corresponding corporate network. If you create service connections for this reason, you should plan for the service connections before implementing them.
- A service connection allows remote networks and mobile users to communicate with each other. Even if you don’t need access to your HQ or data center, you might have a need to allow your mobile users to access your remote network locations. In this case, you can create a service connection with placeholder values. This is required because, while all remote network connections are fully meshed, mobile users connect to remote networks using the service connection in a hub-and-spoke network. For this reason, you might also create a service connection with placeholder values if your existing service connection is not in an ideal geographical location.
- Service connections do not support language localization because egress to the internet is not supported over service connections. Prisma Access allocates only one service IP address per service connection, and that IP address is geographically registered to the compute location that corresponds to the location you specify during onboarding.
The number of service
connections you receive depends on your Prisma Access license.
- If you have a ZTNA or Enterprise license, the number of service connections depends on your license edition. If you have a Local edition, you can configure a maximum of two service connections; if you have a Worldwide edition, you can configure a maximum of five service connections.
- The ZTNA Connector lets you connect Prisma Access to your organization's private apps. ZTNA Connector provides mobile users and users at branch locations access to your private apps using an automated secure tunnel. For more information, see Prisma Access ZTNA Connector.
- If you manage multiple tenants and have a ZTNA or Enterprise license, the number of service connections per tenant depends on the number of units you allocate per tenant and the type of license you have.
  - If you have a Global license and allocate at least 1,000 units for a tenant, you can allocate a maximum of five service connections for that tenant.
  - If you have a Global license and allocate between 200 and 999 units for a tenant, you can allocate a maximum of two service connections for that tenant (the same as the number of connections for a Local deployment).
  - If you have a Local license, you can allocate a maximum of two service connections per tenant, regardless of the number of units you allocate past the minimum of 200.
For both Global and Local licenses, you can purchase additional licenses for service connections if more are required. For service connections in advanced deployments, see Prisma Access Service Connection Advanced Deployments.
Before you can start configuring your service connections, review what information you need to gather first.