Prisma Access Agent Administration
  • Prisma Access Agent Administration
  • Prisma Access Agent Documentation
  • All Documentation
>
Set Up Forwarding Profiles to Manage Agent Traffic
Focus
Download PDF
Focus
  1. Home
  2. Prisma Access Agent
  3. Configure the Prisma Access Agent
  4. Set Up Forwarding Profiles to Manage Agent Traffic
Download PDF
Prisma Access Agent

Set Up Forwarding Profiles to Manage Agent Traffic

Table of Contents
Provide consistent security for internet, SaaS, and private app access across locations, using traffic forwarding rules to optimize traffic routing and policy enforcement.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Panorama)
  • Check the prerequisites for the deployment you're using
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
Forwarding profiles provide a seamless end-to-end security solution for consistent access to internet, SaaS, and private applications for your users under varying conditions. This feature enables always-on security for internet access from any location and on-demand security for private apps based on user presence (remote or on-premises).
To effectively configure and use this feature, you will need to understand several key components:
Forwarding Profiles
Forwarding profiles contain a set of rules that define how to direct traffic based on various criteria. Once you set up the forwarding profiles, you can assign them to users or user groups in the Agent Settings page. These forwarding profiles allow you to create a comprehensive traffic management strategy tailored to your organization's needs.
Traffic Forwarding Rules
Traffic forwarding rules within forwarding profiles consist of several important elements. Traffic that matches a rule is steered according to the traffic forwarding specifications.
  • Traffic Objects: You can define the criteria for traffic handling based on traffic objects. This includes applications, destinations, and traffic types, such as network traffic and DNS traffic.
  • Connectivity Options: For each rule, you can choose how to route the traffic. Options include:
    • Best Available—Routes traffic through the tunnel to the nearest gateway for inspection and policy enforcement
    • Direct—Allows traffic to go straight to its destination
    • Block—Blocks traffic at the endpoint
  • Fallback Behavior: For rules using the Best Available connectivity option, you can set the fallback behavior when the primary connection is unavailable:
    • Block—Blocks all traffic when the tunnel is down or for unsupported traffic types
    • Direct—Allows traffic to go directly to its destination when the tunnel is down or for unsupported traffic types
  • Predefined Rules—The system includes predefined forwarding rules for common scenarios, such as:
    • Video Streaming—Directs network traffic from video streaming apps such as YouTube and Netflix outside the tunnel (direct connectivity)
    • Default—Sends all DNS and network traffic through the tunnel to Prisma Access for inspection
These rules work together to provide granular control over your network traffic, ensuring consistent security policies and optimal routing based on traffic characteristics. By leveraging these forwarding profiles and rules, you can create a dynamic and adaptive traffic management system that meets your organization's security and performance requirements.
On Prisma Access Agent and GlobalProtect™ coexistence tenants, Prisma Access Agents will use forwarding profiles to manage traffic forwarding rules, while GlobalProtect will continue to use existing split tunnel configuration on GlobalProtect gateways.
Provide consistent security for internet, SaaS, and private app access across locations, using traffic forwarding rules to optimize traffic routing and policy enforcement.
To configure forwarding profiles on Prisma Access (Managed by Strata Cloud Manager) deployments, complete the following steps:
  1. Navigate to the Forwarding Profiles page from Strata Cloud Manager.
    1. Select WorkflowsPrisma Access SetupMobile Users.
    2. Edit the settings in the Forwarding Profiles Setup section.
  2. Set up Source Applications if you want to direct application traffic through or outside the tunnel by creating a split tunnel based on a SaaS or public cloud application name.
    1. In the Forwarding Profiles Setup page, select Source ApplicationsAdd Source Application.
    2. Enter a meaningful Name for the application that you want to add.
    3. Click + in the Applications table and enter the complete path of the application. You can add one or more applications to manage whether to exclude or include the application traffic in the tunnel.
      You will select these applications when setting up the forwarding rules in a forwarding profile. To exclude application traffic, select Direct connectivity when configuring the forwarding rule. Traffic from these applications will be sent through the physical adapter on the endpoints rather than the tunnel (the virtual adapter). If you choose to include application traffic, select the Best Available - Fail Safe, Best Available - Fail Open, or your own configured connectivity option when configuring the forwarding rule. Traffic from these applications is routed to Prisma Access, even if it meets the excluded traffic criteria.
      For example, to manage traffic from the Zoom application, add the following complete paths:
      • Windows endpoints: %AppData%\Roaming\Zoom\bin\Zoom.exe
      • macOS endpoints: /Applications/zoom.us.app/Contents/MacOS/zoom.us
      (Strata Cloud Manager) If you have a list of applications in a text file in comma-separated values format (.csv), you can Upload .csv File.
    4. Save the source application.
    5. Repeat these steps to add more source applications.
  3. Set up Destinations if you want to create a split tunnel based on the destination domain or access routes.
    1. In the Forwarding Profiles Setup page, select DestinationsAdd Destination.
      Prisma Access Agent also offers predefined destination domains, such as Okta SAML Authentication Domains, Azure SAML Authentication Domains, Microsoft Client Authentication Domains, and Video Traffic so that you can easily create forwarding rules for these destination domains.
    2. Enter a meaningful Name for the destination that you want to add.
    3. Add a destination by specifying the domain name, access route, or both.
      • To add a destination domain, click + in the FQDNs table and enter the FQDN for the destination domain. You can optionally add a port. If you don't specify a port, all ports for the specified domain are subjected to the forwarding rule. You can add one or more domains for traffic management.
        You can enter alphanumeric characters for the FQDN. You can also specify a wildcard domain by including a wildcard character (*) in the FQDN. However, the wildcard must appear only once and must be the first character of the string, and a period must follow the wildcard.
        The following are valid FQDN examples:
        • example.com (exact domain)
        • *.local (wildcard domain)
        The following FQDN examples are not valid:
        • .example.com (missing characters before the first period)
        • *example.com (missing period after the wildcard)
        • my*.example.* (only one wildcard allowed and it must appear at the start of the string)
        • *.example.*.com (wildcard not allowed in middle of string)
        Prisma Access Agent will check whether your FQDN entry is valid or not. For invalid domain inputs, the "Invalid FQDN format" message appears.
        If you add a port, the port can only contain positive numbers. The range is 1-65535.
        You will select these destinations when setting up the forwarding rules in a forwarding profile. To exclude traffic based on the domain name, select Direct connectivity when configuring the forwarding rule. Traffic from the domain will be sent through the physical adapter on the endpoints rather than the tunnel (the virtual adapter). If you choose to include traffic based on the domain name, select the Best Available - Fail Safe, Best Available - Fail Open, or your own configured connectivity option when configuring the forwarding rule. Traffic from the domain is routed to Prisma Access, even if it meets the excluded traffic criteria.
      • To add an access route, click + in the IP Addresses table and enter a destination subnet. You can add one or more access routes for traffic management.
        Enter a valid IPv4 address. You can also include a wildcard character (*) in the IP address, but the wildcard must not appear in the middle of the IP address. Once a wildcard is used, all the following octets must also be wildcards.
        The following are some examples of valid IP addresses:
        • 1.2.3.4 (exact IP address)
        • 1.4.3.* (wildcard IP address)
        • 1.*.*.*
        • *.*.*.* (full wildcard IP address)
        • 1.2.3.4/32 (exact IP address followed by CIDR)
        The following are examples of an invalid IP address:
        • 1.2.3.300 (each byte must be 0-255)
        • 3.3.3.3/255.255.255.256 (invalid subnet mask)
        Prisma Access Agent will check whether your IP address entry is valid or not. For invalid inputs, a message appears indicating that the IP address is not valid.
        In some cases (such as 1.2.*.4 and 7.7.7.7/33), the configuration validator will allow the entry, but the agent will ultimately reject it because the entry does not adhere to a supported format. In this case, the agent will reject the forwarding profile rule and fall back to the fail-safe mode, forwarding all traffic to the tunnel.
        If you don't include or exclude routes or applications, every request is routed through the tunnel (without a split tunnel). Also, all traffic is inspected and subjected to policy enforcement whenever users connect to Prisma Access.
        When you define split tunnel traffic to exclude access routes (by selecting Direct connectivity in the forwarding rule), these routes are sent through the physical adapter on the endpoint instead of being sent through the tunnel via the virtual adapter (the tunnel). By excluding split tunnel traffic by access routes, you can send latency-sensitive or high-bandwidth traffic outside of the tunnel, while all other traffic is routed through the tunnel for inspection and policy enforcement by the gateway.
        When you define split tunnel traffic to include access routes (by selecting Best Available - Fail Safe, Best Available - Fail Open, or your own configured connectivity option in the forwarding rule), the gateway pushes these routes to the remote users’ endpoints to specify what traffic these endpoints can send through the tunnel.
        Specify exclude routes that are more specific than include routes; otherwise, you might exclude more traffic than intended.
        (Strata Cloud Manager) If you have a list of IP addresses in a text file in .csv format, you can Upload .csv File.
    4. Save the destinations.
    5. Repeat these steps to add more destinations.
  4. Set up Connectivity options to direct traffic based on the connectivity method.
    1. In the Forwarding Profiles Setup page, select ConnectivityAdd Connectivity.
      Prisma Access Agent also offers predefined connectivity options when users are using the best available location but the tunnel and proxy (if enabled) are not available or the traffic type is unsupported (such as IPv6 traffic).
      • Best Available - Fail Safe—Connect to the nearest gateway but block access if the user can’t connect to the tunnel and proxy (when enabled) or the traffic type is unsupported, such as proxy-only UDP traffic.
      • Best Available - Fail Open—Connect to the nearest gateway but allow access even if the user can’t connect to the tunnel and proxy (when enabled) or the traffic type is unsupported, such as proxy-only UDP traffic.
    2. Enter a meaningful Name for the connectivity option you want to add.
    3. (Strata Cloud Manager only) Select TypePrisma Access Agent.
    4. For Connectivity Methods, enable Tunnel to direct traffic through the tunnel.
    5. Select a Fallback behavior if the user is not connected using the specified connectivity method. You can prevent access (Block) or allow access (Direct).
    6. Save your connectivity settings.
    7. Repeat these steps to add more connectivity settings.
  5. Create a forwarding profile that allows or excludes traffic based on the source applications, destination, or connectivity options that you defined.
    1. From the Forwarding Profiles Setup page, add a forwarding profile.
        Expand all
        Collapse all
      • For Strata Cloud Manager Managed Prisma Access:
    2. Enter a meaningful Name for the forwarding profile.
    3. Add one or more forwarding rules.
      The Forwarding Rules table shows the rules that make up the forwarding profile. By default, all forwarding profiles contain the following rules:
      • The Video Streaming forwarding rule, which sends all network traffic from video streaming apps outside the tunnel (direct connectivity). By excluding lower risk video streaming traffic (such as YouTube and Netflix) from the tunnel, you can decrease bandwidth consumption on the gateway.
      • The Default forwarding rule, which sends all DNS and network traffic through the tunnel. Any new rules that you add are placed above the default rule. You cannot delete or move the default forwarding rule, but you can disable it or change its Connectivity setting.
      • An implicit forwarding rule for basic endpoint connectivity that allows traffic such as DHCP, loopback, Prisma Access Agent management plane, ADEM, and Remote Browser Isolation (RBI) traffic. The implicit forwarding rule is not displayed and cannot be changed.
      Traffic forwarding rules are applied from the top down in the forwarding profile. Therefore, configure the forwarding profile in a top-down manner, such as configuring the most specific rules first and the least specific rules last.
    4. Enter the specifications for the forwarding rule.
      1. (Strata Cloud Manager only) Enable the rule.
      2. Enter a Name for the rule.
      3. Select a Source Application that you defined previously. If you select Any, the forwarding rule will apply to traffic from any source applications.
        The rule will match only if the specified source application makes the connection.
      4. Select a Destination. If you select Any, the forwarding rule will apply to traffic from any destination domain or IP address.
        The rule will match only if the connection destination matches the specified destination domain or IP address.
      5. Select a Connectivity option that you configured, or select one of the following predefined connectivity options:
        • Direct—Sends the traffic outside of the tunnel. All traffic for the selected application or destination is sent directly to the physical adapter on the endpoint without inspection.
        • Block—Blocks traffic at the endpoint.
        • Best Available - Fail Safe—Connects to the nearest gateway but blocks all traffic when the tunnel is down or for unsupported traffic types.
        • Best Available - Fail Open—Connects to the nearest gateway but allows traffic to go directly to its destination when the tunnel is down or for unsupported traffic types.
      6. Select the Traffic Type:
        Specify whether to use split DNS to allow users to direct their DNS queries for applications and resources over the tunnel or outside the tunnel in addition to network traffic.
        • DNS—Includes or excludes rules that are applied only to DNS traffic and not to network application traffic. All network application traffic goes through the tunnel regardless of the split tunnel based on the destination domain that you specified for inclusions or exclusions.
        • DNS + Network Traffic—Ensures that the split tunnel based on the destination domain you specified for inclusions or exclusions are applied to the DNS traffic and the associated network application traffic for that domain.
        • Network Traffic—Includes or excludes rules that are applied only to network application traffic and not to DNS traffic. All DNS traffic goes through the tunnel regardless of the split tunnel based on the destination domain that you specified for inclusions or exclusions.
        For Windows agents, the DNS + Network Traffic split tunnel option is not supported for source application-based split tunnel rules. If you set up split tunneling to include or exclude traffic from the tunnel based on application names and select DNS + Network Traffic, DNS query packets for excluded and included apps will not honor the split tunnel rule.
    5. Click Add to save the forwarding rule.
      The rule is added to the Forwarding Rules table. You can add multiple rules to the forwarding profile.
  6. Configure the Traffic Enforcement options to determine how you want traffic to be enforced.
    • Block outbound LAN access when connected to the tunnel—When enabled, blocks direct access to the local network when the agent is connected to the tunnel.
      Blocking access to your local network causes all traffic from being sent to the local adapter. In addition, your users won't be able to access resources on the local subnet, such as printers. Split tunnel traffic based on access route, destination domain, and application still works as expected.
      If you disable this option, your end users can access local resources without requiring them to first connect to Prisma Access using the Prisma Access Agent.
    • Block inbound access when connected to the tunnel—When enabled, blocks all inbound connections from the tunnel.
  7. Save your forwarding profile.
  8. Push the configuration by selecting Push ConfigPush. This action will make your forwarding profile available for selection in the Agent Settings page.
Provide consistent security for internet, SaaS, and private app access across locations, using traffic forwarding rules to optimize traffic routing and policy enforcement.
To configure forwarding profiles on Prisma Access (Managed by Panorama) and NGFW (Managed by Panorama) deployments, complete the following steps:
  1. Navigate to the Prisma Access Agent setup.
      Expand all
      Collapse all
    • Prisma Access (Managed by Panorama)
    • NGFW (Managed by Panorama)
  2. Select WorkflowsPrisma Access AgentForwarding Profiles.
  3. Set up Source Applications if you want to direct application traffic through or outside the tunnel by creating a split tunnel based on the SaaS or public cloud application name.
    1. Select Source ApplicationsAdd Source Application.
    2. Enter a meaningful Name for the application that you want to add.
    3. Click + in the Source Applications table and enter the complete path of the application. You can add one or more applications to manage whether to exclude or include the application traffic in the tunnel.
      You will select these applications when setting up the forwarding rules in a forwarding profile. To exclude application traffic, select Direct connectivity when configuring the forwarding rule. Prisma Access Agent sends these applications through the physical adapter on the endpoints rather than the tunnel (the virtual adapter). If you choose to include application traffic, select the Best Available - Fail Safe, Best Available - Fail Open, or your own configured connectivity option when configuring the forwarding rule. Traffic from these applications is routed to Prisma Access, even if it meets the excluded traffic criteria.
      For example, to manage traffic from the Zoom application, add the following complete paths:
      • Windows endpoints: %AppData%\Roaming\Zoom\bin\Zoom.exe
      • macOS endpoints: /Applications/zoom.us.app/Contents/MacOS/zoom.us
    4. Create the source application.
    5. Repeat these steps to add more source applications.
  4. Set up Destinations if you want to create a split tunnel based on the destination domain or access routes.
    1. Select DestinationsAdd Destination.
      Prisma Access Agent also offers predefined destination domains, such as Okta SAML Authentication Domains, Azure SAML Authentication Domains, Microsoft Client Authentication Domains, and Video Traffic so that you can easily create forwarding rules for these destination domains.
    2. Enter a meaningful Name for the destination that you want to add.
    3. Add a destination by specifying the domain name, access route, or both.
      • To add a destination domain, click + in the FQDNs table and enter the FQDN for the destination domain. You can optionally add a port. If you don't specify a port, all ports for the specified domain are subjected to the forwarding rule. You can add one or more domains for traffic management.
        You can enter alphanumeric characters for the FQDN. You can also specify a wildcard domain by including a wildcard character (*) in the FQDN. However, the wildcard must appear only once and must be the first character of the string, and a period must follow the wildcard.
        The following are valid FQDN examples:
        • example.com (exact domain)
        • *.local (wildcard domain)
        The following FQDN examples are not valid:
        • .example.com (missing characters before the first period)
        • *example.com (missing period after the wildcard)
        • my*.example.* (only one wildcard allowed and it must appear at the start of the string)
        • *.example.*.com (wildcard not allowed in middle of string)
        Prisma Access Agent will check whether your FQDN entry is valid or not. For invalid domain inputs, the "Invalid FQDN format" message appears.
        If you add a port, the port can only contain positive numbers. The range is 1-65535.
        You will select these destinations when setting up the forwarding rules in a forwarding profile. To exclude traffic based on the domain name, select Direct connectivity when configuring the forwarding rule. Prisma Access Agent will send traffic from the domain through the physical adapter on the endpoints rather than the tunnel (the virtual adapter). If you choose to include traffic based on the domain name, select the Best Available - Fail Safe, Best Available - Fail Open, or your own configured connectivity option when configuring the forwarding rule. Traffic from the domain is routed to Prisma Access, even if it meets the excluded traffic criteria.
      • To add an access route, click + in the IP Addresses table and enter a destination subnet. You can add one or more access routes for traffic management.
        Enter a valid IPv4 address. You can also include a wildcard character (*) in the IP address, but the wildcard must not appear in the middle of the IP address. Once a wildcard is used, all the following octets must also be wildcards.
        The following are some examples of valid IP addresses:
        • 1.2.3.4 (exact IP address)
        • 1.4.3.* (wildcard IP address)
        • 1.*.*.*
        • *.*.*.* (full wildcard IP address)
        • 1.2.3.4/32 (exact IP address followed by CIDR)
        The following are examples of an invalid IP address:
        • 1.2.3.300 (each byte must be 0-255)
        • 3.3.3.3/255.255.255.256 (invalid subnet mask)
        Prisma Access Agent will check whether your IP address entry is valid or not. For invalid inputs, a message appears indicating that the IP address is not valid.
        In some cases (such as 1.2.*.4 and 7.7.7.7/33), the configuration validator will allow the entry, but the agent will ultimately reject it because the entry does not adhere to a supported format. In this case, the agent will reject the forwarding profile rule and fall back to the fail-safe mode, forwarding all traffic to the tunnel.
        If you don't include or exclude routes or applications, every request is routed through the tunnel (without a split tunnel). Also, all traffic is inspected and subjected to policy enforcement whenever users connect to Prisma Access.
        When you define split tunnel traffic to exclude access routes (by selecting Direct connectivity in the forwarding rule), Prisma Access Agent sends these routes through the physical adapter on the endpoint instead of being sent through the tunnel via the virtual adapter (the tunnel). By excluding split tunnel traffic by access routes, you can send latency-sensitive or high-bandwidth traffic outside of the tunnel, while all other traffic is routed through the tunnel for inspection and policy enforcement by the gateway.
        When you define split tunnel traffic to include access routes (by selecting Best Available - Fail Safe, Best Available - Fail Open, or your own configured connectivity option in the forwarding rule), the gateway pushes these routes to the remote users’ endpoints to specify what traffic these endpoints can send through the tunnel.
        Specify exclude routes that are more specific than include routes; otherwise, you might exclude more traffic than intended. For example:
    4. Create the destinations.
    5. Repeat these steps to add more destinations.
  5. Set up Connectivity options to direct traffic based on the connectivity method.
    1. In the Forwarding Profiles Setup page, select ConnectivityAdd Connectivity.
      Prisma Access Agent also offers predefined connectivity options when users are using the best available location but the tunnel and proxy (if enabled) are not available or the traffic type is unsupported (such is IPv6 traffic).
      • Best Available - Fail Safe—Connect to the nearest gateway but block access if the user can’t connect to the tunnel and proxy (when enabled) or the traffic type is unsupported, such as proxy-only UDP traffic.
      • Best Available - Fail Open—Connect to the nearest gateway but allow direct access even if the user can’t connect to the tunnel and proxy (when enabled) or the traffic type is unsupported, such as proxy-only UDP traffic.
    2. Enter a meaningful Name for the connectivity option you want to add.
    3. For Connectivity Methods, enable Tunnel to direct traffic through the tunnel.
    4. Select a Fallback behavior if the user isn’t connected using the specified connectivity method. You can prevent access (Block) or allow access (Direct). The default is Direct.
    5. Create your connectivity settings.
    6. Repeat these steps to add more connectivity settings.
  6. Create a forwarding profile that allows or excludes traffic based on the source applications, destination, or connectivity options that you defined.
    1. From the Forwarding Profiles page, select Forwarding ProfilesAdd Forwarding Profile.
    2. Enter a meaningful Name for the forwarding profile.
    3. Click Add Rule to add one or more forwarding rules.
      The Forwarding Rules table shows the rules that make up the forwarding profile. By default, all forwarding profiles contain the following rules:
      • The Video Streaming forwarding rule, which sends all network traffic from video streaming apps outside the tunnel (direct connectivity). By excluding lower risk video streaming traffic (such as YouTube and Netflix) from the tunnel, you can decrease bandwidth consumption on the gateway.
      • The Default forwarding rule, which sends all DNS and network traffic through the tunnel. Any new rules that you add are placed above the default rule. You can’t delete or move the default forwarding rule, but you can disable it or change its Connectivity setting.
      • An implicit forwarding rule for basic endpoint connectivity that allows traffic such as DHCP, loopback, Prisma Access Agent management plane, ADEM, and Remote Browser Isolation (RBI) traffic. The implicit forwarding rule isn’t displayed and can’t be changed.
      Traffic forwarding rules are applied from the top down in the forwarding profile. Therefore, configure the forwarding profile in a top-down manner, such as configuring the most specific rules first and the least specific rules last.
    4. Enter the specifications for the forwarding rule.
      1. Enter a Name for the rule.
      2. Select a Source Application that you defined previously. If you select Any, the forwarding rule will apply to traffic from any source applications.
        The rule will match only if the specified source application makes the connection.
      3. Select a Destination. If you select Any, the forwarding rule will apply to traffic from any destination domain or IP address.
        The rule will match only if the connection destination matches the specified destination domain or IP address.
      4. Select a Connectivity option that you configured, or select one of the following predefined connectivity options:
        • Direct—Sends the traffic outside of the tunnel. All traffic for the selected application or destination is sent directly to the physical adapter on the endpoint without inspection.
        • Block—Blocks traffic at the endpoint.
        • Best Available - Fail Safe—Connects to the nearest gateway but blocks all traffic when the tunnel is down or for unsupported traffic types.
        • Best Available - Fail Open—Connects to the nearest gateway but allows traffic to go directly to its destination when the tunnel is down or for unsupported traffic types. This is the default.
      5. Select the Traffic Type:
        Specify whether to use split DNS to allow users to direct their DNS queries for applications and resources over the tunnel or outside the tunnel in addition to network traffic.
        • DNS—Includes or excludes rules that are applied only to DNS traffic and not to network application traffic. All network application traffic goes through the tunnel regardless of the split tunnel based on the destination domain that you specified for inclusions or exclusions.
        • DNS + Network Traffic—Ensures that the split tunnel based on the destination domain you specified for inclusions or exclusions are applied to the DNS traffic and the associated network application traffic for that domain. This is the default.
        • Network Traffic—Includes or excludes rules that are applied only to network application traffic and not to DNS traffic. All DNS traffic goes through the tunnel regardless of the split tunnel based on the destination domain that you specified for inclusions or exclusions.
        For Windows agents, the DNS + Network Traffic split tunnel option is not supported for source application-based split tunnel rules. If you set up split tunneling to include or exclude traffic from the tunnel based on application names and select DNS + Network Traffic, DNS query packets for excluded and included apps will not honor the split tunnel rule.
    5. Click Add to save the forwarding rule.
  7. Configure the Traffic Enforcement options to determine how you want traffic to be enforced.
    • Block outbound LAN access when connected to the tunnel—When enabled, blocks direct access to the local network when the agent is connected to the tunnel.
      Blocking access to your local network causes all traffic from being sent to the local adapter. In addition, your users won't be able to access resources on the local subnet, such as printers. Split tunnel traffic based on access route, destination domain, and application still works as expected.
      If you disable this option, your end users can access local resources without requiring them to first connect to Prisma Access using the Prisma Access Agent.
    • Block inbound access when connected to the tunnel—When enabled, blocks all inbound connections from the tunnel.
  8. On Panorama managed deployments, Create your forwarding profile.
  9. Push the configuration by selecting Push ConfigPush. This action will make your forwarding profile available for selection in the Prisma Access Agent Setup page.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.