Microperimeter Architecture
Microperimeter architecture provides an L7-aware secure microsegmentation solution along with deep packet inspection (DPI) and Zero Trust policy enforcement for east-west traffic.
Where Can I Use This? / What Do I Need?
  • Prisma AIRS
  • Private and public cloud platforms, including ESXi, KVM, Nutanix, AWS, Azure, and GCP.
Microperimeter (PAN Traffic Redirector) provides an L7-aware secure microsegmentation solution for critical workloads within private and public cloud environments. Unlike traditional microsegmentation that relies on coarse L3/L4 controls, the Microperimeter architecture enables deep packet inspection (DPI) and Zero Trust policy enforcement for east-west traffic.
The Microperimeter solution consists of two primary components that work together to secure application-layer behavior:
  • PAN Traffic Redirector package — A PAN redirector software package installed directly on the Linux workload. The package utilizes the Linux Packet Control subsystem to intercept and redirect L3 traffic without requiring complex network re-architecture.
  • Prisma AIRS™ Firewall — The Prisma AIRS firewall serves as the inspection engine, performing security processing and threat prevention for all redirected traffic. Use authcodes to enable Prisma AIRS on universal images.

Traffic Redirection Workflow

The architecture utilizes a hairpin traffic pattern to ensure all packets undergo inspection before reaching their final destination. The redirection works on both inbound and outbound directions and follows these steps:
  1. Interception — The agent intercepts inbound and outbound packets on the designated workload interface.
  2. Encapsulation — The agent encapsulates the packets into a GENEVE tunnel using UDP port 6081. It adds a specific GENEVE option (0x20) and a flow direction flag to uniquely identify the traffic.
  3. Inspection — The agent forwards the encapsulated traffic to the Prisma AIRS™ firewall data interface. The firewall decapsulates the packet, performs L7 inspection based on security policies, and re-encapsulates the traffic.
  4. Delivery — The firewall sends the packet back to the original host. The agent decapsulates the returning packet and forwards it to the Linux kernel protocol stack for final delivery to the application or destination.
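As an added illustration (not the redirector's or firewall's own code), the following Python model shows the GENEVE encapsulation from steps 2 through 4: it wraps an inner packet in a GENEVE header that carries the direction-marking option on UDP port 6081 and parses it back out, which is also the shape of a check a defender can run over mirrored tunnel traffic to confirm that every packet reaching the firewall carries the redirector marking. The option class value, reading "0x20" as the GENEVE option Type field, and placing the direction flag in the first byte of the option data are assumptions; the inner packet bytes are constructed sample input.

```python
import struct

GENEVE_UDP_PORT = 6081           # tunnel port stated on the page
ETHERTYPE_IPV4 = 0x0800          # protocol type of the inner packet
REDIRECT_OPT_TYPE = 0x20         # page says "GENEVE option (0x20)"; assumed to be the Type field
REDIRECT_OPT_CLASS = 0x0000      # option class: placeholder, not given on the page
DIR_INBOUND, DIR_OUTBOUND = 0, 1 # flow direction flag values (assumption)


def build_redirect_option(direction):
    """One GENEVE option TLV (RFC 8926): class(16) | type(8) | rsvd(3)+len(5, in 4-byte words),
    followed by 4 bytes of data. The direction flag sits in the first data byte (assumption)."""
    data = struct.pack("!B3x", direction)
    return struct.pack("!HBB", REDIRECT_OPT_CLASS, REDIRECT_OPT_TYPE, len(data) // 4) + data


def encapsulate(inner_ip_packet, vni, direction):
    """GENEVE base header: ver(2)=0 | opt_len(6) ; O(1) C(1) rsvd(6) ; proto(16) ; VNI(24) rsvd(8).
    The C bit is set because a receiver that cannot parse the marking option must not forward."""
    opts = build_redirect_option(direction)
    first_byte = len(opts) // 4          # version 0, option length in 4-byte words
    flags = 0x40                         # C (critical options present)
    hdr = struct.pack("!BBHI", first_byte, flags, ETHERTYPE_IPV4, vni << 8)
    return hdr + opts + inner_ip_packet


def parse_geneve(payload):
    """Decode a GENEVE payload into header fields, option list and inner packet.
    Raises ValueError on malformed input so a monitor can count or alert on it."""
    if len(payload) < 8:
        raise ValueError("short GENEVE header")
    b0, b1, proto, vni_word = struct.unpack("!BBHI", payload[:8])
    if b0 >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    opt_len = (b0 & 0x3F) * 4
    if len(payload) < 8 + opt_len:
        raise ValueError("truncated option block")
    options, off = [], 8
    while off < 8 + opt_len:
        cls, typ, ln = struct.unpack("!HBB", payload[off:off + 4])
        ln = (ln & 0x1F) * 4             # low 5 bits = data length in 4-byte words
        options.append((cls, typ, payload[off + 4:off + 4 + ln]))
        off += 4 + ln
    return {"vni": vni_word >> 8, "proto": proto, "critical": bool(b1 & 0x40),
            "options": options, "inner": payload[8 + opt_len:]}


def redirect_direction(parsed):
    """Return the flow direction carried by the redirector option, or None if the option is absent
    (a packet on port 6081 without it did not come from the agent and deserves a closer look)."""
    for cls, typ, data in parsed["options"]:
        if cls == REDIRECT_OPT_CLASS and typ == REDIRECT_OPT_TYPE and data:
            return data[0]
    return None
```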