Selective Steering and Microperimeter Exceptions
Orient yourself with Selective steering, health check and microperimeter telemetry.
Where Can I Use This?
  • Prisma AIRS
What Do I Need?
  • Private and public cloud platforms, including ESXi, KVM, Nutanix, AWS, Azure, and GCP.
Selective steering lets you create granular exceptions based on 5-tuple rules: protocol, source IP, source port, destination IP, and destination port. A rule whose action is set to pass makes the agent route the matching traffic locally instead of redirecting it to the firewall.
PAN Traffic Redirector uses these exceptions to exempt specific traffic from redirection. The primary use is to preserve management access to the workload, such as SSH connectivity, if the firewall becomes unavailable; the other use is to let specific trusted traffic be routed locally. Traffic that matches a pass rule is never seen by the firewall, so keep each exception as narrow as the 5-tuple allows (for example, SSH from a single bastion host rather than every protocol from a whole subnet).
Selective steering command examples:
panredirect rule append --interface ens224 --proto any --remoteip 192.168.100.7 --localip 192.168.100.13 --action pass
panredirect rule delete --index 3 --interface ens224
panredirect rule insert --index 1 --interface ens224 --proto any --remoteip 192.168.100.13 --localip 192.168.100.7 --action pass
panredirect rules
  • panredirect rules lists the redirection rules currently configured on the agent.
  • Rules are indexed and listed in ascending index order; use the index with rule insert and rule delete to position or remove a specific rule.
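The following model of an ordered 5-tuple exception table is an added illustration for this page, not PAN Traffic Redirector code. It assumes things the page does not state: rules are evaluated in ascending index order and the first match decides, "any" matches every value, indexes are 1-based like the --index flag, and a flow that matches no pass rule is redirected. The IPs come from the command examples above; the flows are constructed. The point it demonstrates is the difference between a narrow SSH exception and the proto-any exception in the append example: the broad rule also routes port 8080 traffic from the same host around the firewall.

```python
"""Model of ordered 5-tuple selective-steering rules.

Added illustration for this page; it is not PAN Traffic Redirector code.
Assumptions not stated on the page: rules are evaluated in ascending index
order and the first matching rule decides; "any" matches every value; rule
indexes are 1-based like the --index flag; a flow that matches no pass rule
is redirected to the firewall.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Union

Port = Union[int, str]  # a port number or "any"


@dataclass(frozen=True)
class Rule:
    proto: str                 # "tcp", "udp", "icmp" or "any"
    remote_ip: str             # IP address, CIDR, or "any"
    remote_port: Port
    local_ip: str
    local_port: Port
    action: str = "pass"       # "pass" = routed locally, never redirected


@dataclass(frozen=True)
class Flow:
    proto: str
    remote_ip: str
    remote_port: int
    local_ip: str
    local_port: int


def _ip_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def _port_match(pattern: Port, port: int) -> bool:
    return pattern == "any" or int(pattern) == port


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (
        rule.proto in ("any", flow.proto)
        and _ip_match(rule.remote_ip, flow.remote_ip)
        and _port_match(rule.remote_port, flow.remote_port)
        and _ip_match(rule.local_ip, flow.local_ip)
        and _port_match(rule.local_port, flow.local_port)
    )


class RuleTable:
    """Ordered exception list mirroring panredirect rule append/insert/delete."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> int:
        self.rules.append(rule)
        return len(self.rules)              # index the new rule received

    def insert(self, index: int, rule: Rule) -> None:
        self.rules.insert(index - 1, rule)  # 1-based; later rules shift down

    def delete(self, index: int) -> None:
        del self.rules[index - 1]

    def decide(self, flow: Flow) -> str:
        for rule in self.rules:             # first match wins (assumption)
            if rule_matches(rule, flow):
                return rule.action
        return "redirect"                   # default: send to the firewall


def management_exception_demo() -> dict:
    """Compare a narrow SSH exception with the page's proto-any exception.

    IPs are those of the page's command examples; the flows are constructed.
    """
    bastion, workload = "192.168.100.7", "192.168.100.13"
    ssh_from_bastion = Flow("tcp", bastion, 51000, workload, 22)
    web_from_bastion = Flow("tcp", bastion, 51001, workload, 8080)
    ssh_from_other = Flow("tcp", "192.168.100.50", 51002, workload, 22)

    narrow = RuleTable()
    narrow.append(Rule("tcp", bastion, "any", workload, 22))

    broad = RuleTable()
    broad.append(Rule("any", bastion, "any", workload, "any"))  # like the append example

    flows = {"ssh_from_bastion": ssh_from_bastion,
             "web_from_bastion": web_from_bastion,
             "ssh_from_other": ssh_from_other}
    return {
        "narrow": {name: narrow.decide(f) for name, f in flows.items()},
        "broad": {name: broad.decide(f) for name, f in flows.items()},
    }


if __name__ == "__main__":
    for table, results in management_exception_demo().items():
        print(table, results)
```

With the narrow table only SSH from the bastion bypasses the firewall; with the broad table every flow from that host does, including the web traffic, which is exactly the traffic you wanted inspected. The insert and delete methods keep the 1-based index semantics of the CLI examples so you can reason about where a new exception lands relative to existing ones.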

Health Check

The health check feature in Microperimeter (PAN Traffic Redirector) allows you to verify that the agent-based redirection is operational and that the Prisma AIRS™ firewall is correctly inspecting traffic. You should perform periodic health checks to ensure your workloads remain protected and to identify potential connectivity issues between the workload and the firewall.
To confirm that redirection is active and the GENEVE tunnel is communicating with the firewall, you can run the built-in health check command:
panredirect health_check
Verify that the output displays OK. The command returns an exit code of 0 on success and 1 on failure, so it can be driven from a cron job or monitoring agent rather than run by hand.
The health check sends a default UDP probe with source IP/port 169.254.1.1:45000 and destination IP/port 169.254.1.2:45000. Configure the firewall's security policy to allow this UDP traffic; if the probe is dropped, the check reports failure even when the agent itself is running.
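The wrapper below is an added example, not part of PAN Traffic Redirector. It relies only on what the page states: panredirect health_check exits 0 when redirection is OK and 1 on failure. The command is a parameter so the wrapper can be exercised against any executable; the alert threshold is an assumption chosen to avoid paging on a single lost probe.

```python
"""Monitoring wrapper for `panredirect health_check`.

Added example, not part of PAN Traffic Redirector. It relies only on what
the page states: the command exits 0 when redirection is OK and 1 on failure.
The command is a parameter so the wrapper can be exercised with any executable.
"""
import datetime
import subprocess
from typing import Callable, Dict, List

HEALTH_CMD = ["panredirect", "health_check"]


def check_redirection(cmd: List[str] = HEALTH_CMD,
                      timeout_s: float = 15.0) -> Dict[str, object]:
    """Run the health check once and return a structured result."""
    ts = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout_s)
    except FileNotFoundError:
        return {"ts": ts, "healthy": False, "exit_code": None,
                "reason": f"{cmd[0]} not found on this host"}
    except subprocess.TimeoutExpired:
        # A hung check usually means the GENEVE tunnel or firewall is unreachable.
        return {"ts": ts, "healthy": False, "exit_code": None,
                "reason": f"no answer within {timeout_s}s"}
    healthy = proc.returncode == 0
    detail = proc.stdout.strip() or proc.stderr.strip()
    return {"ts": ts, "healthy": healthy, "exit_code": proc.returncode,
            "reason": "OK" if healthy else (detail or f"exit code {proc.returncode}")}


def monitor(cmd: List[str], polls: int, threshold: int,
            on_alert: Callable[[Dict[str, object]], None],
            sleep: Callable[[float], None], interval_s: float = 60.0) -> int:
    """Poll `polls` times; call on_alert once `threshold` consecutive checks fail.

    Returns the number of alerts raised. One alert per failure streak: a single
    dropped probe is not paged, a sustained loss of inspection is.
    """
    streak, alerts = 0, 0
    for i in range(polls):
        result = check_redirection(cmd)
        streak = 0 if result["healthy"] else streak + 1
        if streak == threshold:
            on_alert(result)
            alerts += 1
        if i < polls - 1:
            sleep(interval_s)
    return alerts


if __name__ == "__main__":
    import time
    monitor(HEALTH_CMD, polls=3, threshold=2,
            on_alert=lambda r: print("ALERT redirection unhealthy:", r),
            sleep=time.sleep, interval_s=60)
```

Run it from the workload itself (for example under cron or a systemd timer), because a selective-steering pass rule for SSH keeps the host reachable even while the firewall path is down, which is precisely when you want to know the check is failing.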

Monitor Microperimeter Telemetry

Telemetry provides the visibility needed to manage your secure microsegmentation environment across data centers and public clouds. The PAN Traffic Redirector solution includes telemetry that records agent start, stop, and redirection events.
To view the telemetry information, run:
/var/log/nginx less webserver-log microperimeter_tracker.log