Better solution for remote access


Good day all,

I wasn't sure which group to post this on exactly, so I figured I'd try general topics first and perhaps the conversation will lead me to the correct place where I can get more insight on this.  What I am trying to do is see if there is a better way to provide remote users access.  Right now I am using VPN tunnels/GRE tunnels.  In the beginning (COVID days) this seemed to be good enough, but nowadays I am getting more complaints about latency and the back and forth between us and the different home users' ISPs about connectivity issues and latency.  I work for a trading firm, so latency and more reliable and stable connectivity for our remote traders is what I am trying to fix.  I started reading about PA ZTNA and was wondering if anyone had any comments about this? Am I looking in the right place, or is there a better alternative?

 

Thank you in advance!!!

 

Warren


Accepted Solutions

Community Team Member

Hi @W.Granada ,

 

Classic VPN models are often set up in an all-or-nothing configuration (they don't have to be, but are often set up as such), sending all traffic back through the corporate network. This backhauling can add significant latency.

 

Your instincts are correct. ZTNA is an alternative to explore. 

 

It operates on the principle of "never trust, always verify." No user or device is trusted by default, regardless of their location. Every access request is verified based on factors like user identity, device posture (is it up-to-date with security patches?), and context.  Its model enforces the principle of least privilege. So instead of granting network access, ZTNA provides highly granular, application-specific access. A remote trader would only be granted access to the specific trading platform and data resources they need for a single session. This significantly reduces the attack surface and minimizes the risk of lateral movement if a device is compromised.

ZTNA is often a cloud-based service, which can improve performance. It establishes secure, direct, one-to-one connections between the user and the specific application, bypassing the need to backhaul all traffic through a central data center. This "split-tunneling" approach can lead to lower latency and a better user experience.  ZTNA can be more seamless for users. It works transparently in the background, without requiring the user to manually connect to a VPN client.

 

An alternative solution for trading can be to use VPS (Virtual Private Server).  Your remote traders would connect to a high-performance VPS, which is typically located in a data center with ultra-low latency connectivity.  This bypasses the latency and connectivity issues of the home user's ISP. The connection between the VPS and the trading exchange is optimized for speed. It also ensures 24/7 uptime for automated strategies, regardless of the home user's internet connectivity.  That said, it's a different operational model and might not be the right fit if your traders need to access other internal applications directly from their home computers.

 

Sources:

https://docs.paloaltonetworks.com/best-practices/zero-trust-best-practices

https://www.paloaltonetworks.com/cyberpedia/what-is-zero-trust-network-access-ztna

https://www.paloaltonetworks.com/cyberpedia/what-is-zero-trust-network-access-2-0

 

Hope this helps,

Kim.

 

 

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
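The per-application, posture-checked decision the reply describes, set against the all-or-nothing VPN grant it contrasts it with, as an added Python illustration. This is not part of the original thread and is not Palo Alto Networks' or any product's policy logic; the users, groups, devices, application names and thresholds (14- and 30-day patch windows, an 8-hour MFA freshness limit) are all constructed for the example.

```python
"""Toy ZTNA policy engine versus a classic full-tunnel VPN grant.

Added illustration only: not Palo Alto Networks' Prisma Access / GlobalProtect
logic. Every user, group, device, application and threshold below is
constructed for the example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Device:
    managed: bool            # enrolled in the firm's endpoint management
    disk_encrypted: bool
    patch_age_days: int      # days since the last OS/security update
    edr_running: bool        # endpoint detection agent alive and reporting


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # directory groups asserted by the identity provider
    mfa_age_minutes: int     # minutes since the last MFA; -1 = never completed
    device: Device
    app: str                 # the single application being requested


# Per-application policy (constructed values): who may reach what, and the
# minimum device posture for that app. This is the "application-specific
# access" the reply describes, as opposed to a route to the whole network.
APP_POLICY = {
    "trading-platform": {"groups": {"traders"}, "max_patch_age": 14, "require_edr": True},
    "market-data":      {"groups": {"traders", "analysts"}, "max_patch_age": 30, "require_edr": True},
    "hr-portal":        {"groups": {"hr"}, "max_patch_age": 30, "require_edr": False},
}
MFA_MAX_AGE_MINUTES = 480  # assumed: re-verify identity at least once per trading day


def posture_failures(dev: Device, policy: dict) -> list:
    """Return the posture checks this device fails for the given app policy."""
    failures = []
    if not dev.managed:
        failures.append("unmanaged device")
    if not dev.disk_encrypted:
        failures.append("disk not encrypted")
    if dev.patch_age_days > policy["max_patch_age"]:
        failures.append(f"patches {dev.patch_age_days}d old (max {policy['max_patch_age']})")
    if policy["require_edr"] and not dev.edr_running:
        failures.append("EDR agent not running")
    return failures


def ztna_decide(req: Request) -> tuple:
    """'Never trust, always verify': identity freshness, entitlement and device
    posture are all checked on every request; passing grants req.app only."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return (False, f"no policy for {req.app}")
    if req.mfa_age_minutes < 0 or req.mfa_age_minutes > MFA_MAX_AGE_MINUTES:
        return (False, "identity not freshly verified (MFA missing or stale)")
    if not (req.groups & policy["groups"]):
        return (False, f"{req.user} is not entitled to {req.app}")
    failures = posture_failures(req.device, policy)
    if failures:
        return (False, "device posture: " + "; ".join(failures))
    return (True, f"session to {req.app} only")


def vpn_decide(req: Request) -> tuple:
    """Classic full-tunnel VPN as the reply characterises it: once credentials
    pass, the client receives a route to the entire corporate network."""
    if req.mfa_age_minutes < 0:
        return (False, "authentication failed")
    return (True, "route to corporate network (every application reachable)")


def reachable_apps(req: Request, model: str) -> set:
    """Applications the request can actually reach under each access model."""
    if model == "vpn":
        return set(APP_POLICY) if vpn_decide(req)[0] else set()
    return {app for app in APP_POLICY if ztna_decide(replace(req, app=app))[0]}


# Constructed scenarios: a healthy trader laptop and one that is 45 days
# unpatched with its EDR agent stopped (what a compromised host can look like).
HEALTHY = Device(managed=True, disk_encrypted=True, patch_age_days=3, edr_running=True)
STALE = Device(managed=True, disk_encrypted=True, patch_age_days=45, edr_running=False)
TRADER_OK = Request("trader01", frozenset({"traders"}), 20, HEALTHY, "trading-platform")
TRADER_STALE = replace(TRADER_OK, device=STALE)

if __name__ == "__main__":
    for label, req in (("healthy trader laptop", TRADER_OK), ("stale, EDR-less laptop", TRADER_STALE)):
        print(f"{label}:")
        print("  VPN  ->", vpn_decide(req)[1], "| reachable:", sorted(reachable_apps(req, "vpn")))
        print("  ZTNA ->", ztna_decide(req)[1], "| reachable:", sorted(reachable_apps(req, "ztna")))
```

The two scenarios show the lateral-movement point from the reply: the VPN model hands the stale laptop a route to all three applications the moment its credentials pass, while the ZTNA decision refuses it everything and, even for the healthy laptop, exposes only the two applications the trader is entitled to. In a real deployment the posture facts come from the endpoint agent and the group membership from the identity provider rather than from a hard-coded request, but the shape of the decision is the same.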

2 REPLIES

Hi Kiwi,

Interesting, yes, this sounds like something I need to dig deeper into, but thank you for the information and links!!!  I will check them out and reach out to Palo, as we already do business with them. 

 

Thank you for the info!!!

 

Warren

 

 
