Prisma Access
Configure Forwarding Profiles to Manage Agent Traffic for Dynamic Privilege Access Agents
Forwarding profiles are a feature that provides a streamlined, unified method for
enforcing how traffic from your endpoints is forwarded.
Forwarding profiles provide a single pane of glass for configuring and
managing traffic forwarding rules and traffic enforcement, such as setting up
split tunnel settings and managing traffic outside of the tunnel connection.
Forwarding profiles improve on the disjointed configuration of traffic policies
found in other mobile access agents, and greatly extend the limit on
how many rules and entries you can configure. By simplifying the related
configuration and improving clarity, they let you focus on how you want endpoint
traffic to be routed and enforced.
The forwarding profile is a profile type that contains several logical,
ordered sections. These sections reflect the phases a connection passes
through before the agent determines how the connection should be steered. This
organizational structure can help you understand why traffic is being routed a
certain way, because the entries in each section are presented in order. Within each
section, you can add, edit, remove, or reorder entries.
Once you set up the forwarding profiles, you can assign them to users or user
groups in the Agent Settings page.
Traffic forwarding rules are applied from the top down in the forwarding profile.
Therefore, configure the forwarding profile in a top-down manner, with the most
specific rules first and the least specific rules last.
Forwarding Rules
A forwarding profile consists of a set of traffic forwarding rules. Each rule
specifies, by source application or by destination domain and destination IP
address, which traffic goes through the tunnel and which goes outside the tunnel,
whether DNS traffic is split, and what traffic enforcement is in effect. Traffic that
matches a rule is forwarded to Prisma Access according to that rule's forwarding specifications.
The specifications in a forwarding rule are organized into the following
sections:
- Source Applications—Specifies the private or SaaS apps that the rule applies to. When traffic from an endpoint matches the source app, the traffic is routed according to the forwarding rule.
- Destinations—Specifies the domains and IP addresses that the rule applies to. When traffic matches the destinations (specified as FQDNs or IP addresses), the traffic is routed according to the forwarding rule.
Traffic Enforcement
Each forwarding profile also contains traffic enforcement settings that allow you
to:
- Block all outbound traffic that does not match any forwarding rules
- Block outbound LAN access when the agent is connected to the tunnel
- Block inbound access when the agent is connected to the tunnel
To configure a forwarding profile, complete the following steps:
- Log in to Strata Cloud Manager as the Project Admin.
- Select Manage > Configuration > NGFW and Prisma Access > Overview and expand the Configuration Scope to view the Snippets.
- Select the snippet that the Superuser admin assigned to you. You can also view the snippets that are not assigned to you, but you cannot interact with them (for example, to change the configuration).
- Select Objects > Dynamic Privilege Access to open the Dynamic Privilege Access settings.
- Select Forwarding Profiles and edit the Forwarding Profiles Setup.
- Set up Source Applications if you want to create split tunnels based on the SaaS or public cloud application name.
  - In the Forwarding Profiles Setup page, select Source Applications > Add Source Application.
  - Enter a meaningful Name for the application that you want to add.
  - Click + in the Applications table and enter the complete path of the application. You can add one or more applications to manage whether to exclude or include the application traffic in the tunnel.
    If you choose to exclude application traffic (by selecting Direct connectivity in the forwarding rule), traffic from these applications is sent through the physical adapter on the endpoint rather than through the tunnel (the virtual adapter).
    If you choose to include application traffic (by selecting Tunnel connectivity in the forwarding rule), traffic from these applications is routed to Prisma Access, even if it meets the exclude traffic criteria.
    For example, to manage traffic from the Zoom application, add the following complete paths:
    - Windows endpoints: %AppData%\Roaming\Zoom\bin\Zoom.exe
    - macOS endpoints: /Applications/zoom.us.app/Contents/MacOS/zoom.us
    If you have a list of applications in a text file in comma-separated values format (.csv), you can Upload .csv File.
  - Save the source application.
  - Repeat these steps to add more source applications.
- Set up Destinations if you want to create split tunnels based on the destination domain or access routes.
  - In the Forwarding Profiles Setup page, select Destinations > Add Destination.
  - Enter a meaningful Name for the destination that you want to add.
  - Add a destination by specifying the domain name, access route, or both.
    - To add a destination domain, click + in the FQDNs table and enter the FQDN for the destination domain. You can optionally add a port. If you do not specify a port, all ports for the specified domain are subject to the forwarding rule. You can add one or more domains for traffic management.
      If you choose to exclude traffic based on the domain name (by selecting Direct connectivity in the forwarding rule), traffic for the domain is sent through the physical adapter on the endpoint rather than through the tunnel (the virtual adapter).
      If you choose to include traffic based on the domain name (by selecting Tunnel connectivity in the forwarding rule), traffic for the domain is routed to Prisma Access, even if it meets the exclude traffic criteria.
    - To add an access route, click + in the IP Addresses table and enter a destination subnet. You can add one or more access routes for traffic management. Do not include wildcard characters in the IP address; wildcards in IP addresses are not supported in forwarding profiles.
      If you do not include or exclude routes or applications, every request is routed through the tunnel (without a split tunnel), and all traffic is inspected and subject to policy enforcement whenever users connect to Prisma Access.
      When you define split tunnel traffic to exclude access routes (by selecting Direct connectivity in the forwarding rule), these routes are sent through the physical adapter on the endpoint instead of through the virtual adapter (the tunnel). By excluding access routes from the tunnel, you can send latency-sensitive or high-bandwidth traffic outside of the tunnel while all other traffic is routed through the tunnel for inspection and policy enforcement by the Prisma Access gateway.
      When you define split tunnel traffic to include access routes (by selecting Tunnel connectivity in the forwarding rule), the Prisma Access gateway pushes these routes to the remote users' endpoints to specify what traffic these endpoints can send through the tunnel.
      Specify excluded routes that are more specific than included routes; otherwise, you might exclude more traffic than intended.
      If you have a list of IP addresses in a text file in .csv format, you can Upload .csv File.
  - Save the destinations.
  - Repeat these steps to add more destinations.
- Create a forwarding profile that allows or excludes traffic based on the source applications or destinations that you configured.
  - To add a forwarding profile, select Forwarding Profiles > Add Forwarding Profile > Prisma Access Agent. To edit a forwarding profile, select the name of the profile in the Forwarding Profiles table.
  - Enter a meaningful Name for the forwarding profile.
  - Add a forwarding rule. The Forwarding Rules table shows the rules that make up the forwarding profile. All forwarding profiles contain the Default forwarding rule, which sends all DNS and network traffic through the tunnel. Any new rules that you add are placed above the default rule. You cannot delete or move the default forwarding rule, but you can change its Connectivity setting.
  - Enter the specifications for the forwarding rule.
    - Enable the rule.
    - Enter a Name for the rule.
    - Select the Source Application that you defined previously. If you select Any, the forwarding rule applies to traffic from any source application. Otherwise, the rule matches only if the connection is made by the specified source application.
    - Select a User Location. If you did not set up a user location, or if you want the rule to match any user location, select Any. (Does not apply to Dynamic Privilege Access enabled agents.) Otherwise, the rule matches only if an endpoint is connected to the user location that you specify.
    - Select a Destination that you defined previously. If you select Any, the forwarding rule applies to traffic for any destination domain or IP address. Otherwise, the rule matches only if the connection destination matches the specified destination domain or IP address.
    - Select the Connectivity:
      - Direct—Sends the traffic outside of the tunnel. All traffic for the selected application or destination is sent directly to the physical adapter on the endpoint without inspection.
      - Tunnel—Sends the traffic through the tunnel. All traffic going to the selected application or destination is sent through the tunnel to Prisma Access for inspection and policy enforcement.
    - Select the Traffic Type. Specify whether to use split DNS, which directs users' DNS queries for applications and resources over the tunnel or outside the tunnel together with the network traffic.
      - DNS + Network Traffic—Applies the split tunnel rule for the destination domain you specified for inclusion or exclusion to both the DNS traffic and the associated network application traffic for that domain.
      - Network Traffic—Applies the include or exclude rule only to network application traffic and not to DNS traffic. All DNS traffic goes through the tunnel regardless of the split tunnel rules based on the destination domain that you specified for inclusion or exclusion.
      For Windows agents, the DNS + Network Traffic split tunnel option is not supported for application-based split tunnel rules. If you set up split tunneling to include or exclude traffic from the tunnel based on application names and select DNS + Network Traffic, DNS query packets for excluded and included apps do not honor the split tunnel rule.
    - Add the forwarding rule. The rule is added to the Forwarding Rules table. You can add multiple rules to the forwarding profile.
  - Configure the Traffic Enforcement options to determine how you want traffic to be enforced. Be sure to deselect all of these options; they are not recommended for Dynamic Privilege Access.
    - Block all other unmatched outbound connections—When enabled, blocks all connections that do not match any of the forwarding rules. The traffic is not sent through the tunnel.
    - Block outbound LAN access when connected to the tunnel—When enabled, blocks direct access to the local network when the agent is connected to the tunnel. Blocking access to your local network prevents any traffic from being sent to the local adapter, so your users cannot access resources on the local subnet, such as printers. Split tunnel traffic based on access route, destination domain, and application still works as expected. If you disable this option, your end users can access local resources without first connecting to Prisma Access using the Prisma Access Agent.
    - Block inbound access when connected to the tunnel—When enabled, blocks all inbound connections from the tunnel.
  - Save your forwarding profile.
- Push the configuration by selecting Push Config > Push. This action makes your forwarding profile available for selection in the Agent Settings page.
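The following Python model is an added example, not Palo Alto Networks code and not a Prisma Access API. It reproduces the evaluation order described in the Forwarding Rules and Traffic Enforcement sections and in the rule-configuration steps above: rules are tried from the top down, a rule matches on the source application and on the destination FQDN (with optional port) or access route, the first match decides Direct or Tunnel, a Network Traffic-only rule is skipped for DNS queries, and anything unmatched falls to the Default rule or is blocked when the unmatched-outbound enforcement option is on. It also includes a lint check for the ordering pitfall called out in the Destinations step: an excluded route that is less specific than, or placed below, an included route is never reached. The class names, the sample profiles and the documentation-range addresses are constructed for this example; the Zoom paths are the ones given on this page; the order in which the enforcement option and the Default rule are consulted is an assumption.

```python
# Added example (not Palo Alto Networks code): a model of how a forwarding profile's
# ordered rules steer one connection. Names, sample data and the enforcement ordering
# are assumptions; the rule semantics follow the text of this page.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

TUNNEL, DIRECT, BLOCKED = "Tunnel", "Direct", "Blocked"
DNS_AND_NETWORK, NETWORK_ONLY = "DNS + Network Traffic", "Network Traffic"


@dataclass
class Destination:
    """A Destinations entry: FQDNs (optionally 'host:port') and/or access-route subnets."""
    name: str
    fqdns: list = field(default_factory=list)
    subnets: list = field(default_factory=list)

    def __post_init__(self):
        for s in self.subnets:  # wildcards in IP addresses are not supported
            if "*" in s:
                raise ValueError(f"{self.name}: wildcard not allowed in access route {s!r}")
        self.networks = [ip_network(s, strict=False) for s in self.subnets]

    def matches(self, host=None, ip=None, port=None):
        """port=None means 'not applicable' (for example, a DNS lookup for the name)."""
        for entry in self.fqdns:
            fqdn, _, fqdn_port = entry.partition(":")
            # An entry without a port subjects every port of that domain to the rule.
            port_ok = not fqdn_port or port is None or int(fqdn_port) == port
            if host and host.lower() == fqdn.lower() and port_ok:
                return True
        return ip is not None and any(ip_address(ip) in net for net in self.networks)


@dataclass
class Rule:
    name: str
    connectivity: str                          # TUNNEL or DIRECT
    source_app: Optional[set] = None           # executable paths; None means Any
    destination: Optional[Destination] = None  # None means Any
    traffic_type: str = DNS_AND_NETWORK
    enabled: bool = True


@dataclass
class ForwardingProfile:
    rules: list                          # ordered top down; the Default rule is modelled below
    default_connectivity: str = TUNNEL   # the non-deletable Default rule
    block_unmatched: bool = False        # "Block all other unmatched outbound connections"

    def evaluate(self, app_path=None, host=None, ip=None, port=None, is_dns=False):
        """Return (connectivity, rule name) for one connection; the first match wins."""
        for rule in self.rules:
            if not rule.enabled:
                continue
            if rule.source_app is not None and app_path not in rule.source_app:
                continue
            if rule.destination is not None and not rule.destination.matches(host, ip, port):
                continue
            if is_dns and rule.traffic_type == NETWORK_ONLY:  # rule does not cover DNS queries
                continue
            return rule.connectivity, rule.name
        # Assumption: the enforcement option is consulted before the catch-all Default rule.
        if self.block_unmatched:
            return BLOCKED, "Block all other unmatched outbound connections"
        return self.default_connectivity, "Default"


def shadowed_routes(profile):
    """Lint for the ordering pitfall: (upper, lower, route) where the lower rule's access
    route lies entirely inside an earlier any-application rule's route and can never match."""
    findings = []
    rules = [r for r in profile.rules if r.enabled and r.destination is not None]
    for i, upper in enumerate(rules):
        if upper.source_app is not None:
            continue
        for lower in rules[i + 1:]:
            for net in lower.destination.networks:
                if any(net.version == big.version and net.subnet_of(big)
                       for big in upper.destination.networks):
                    findings.append((upper.name, lower.name, str(net)))
    return findings


# Constructed sample data (documentation-range addresses; the Zoom paths are from the page).
ZOOM = {r"%AppData%\Roaming\Zoom\bin\Zoom.exe", "/Applications/zoom.us.app/Contents/MacOS/zoom.us"}
CORP_NET = Destination("corp-net", subnets=["10.0.0.0/8"])
PRINTERS = Destination("printers", subnets=["10.20.30.0/24"])
VIDEO = Destination("video-saas", fqdns=["video.example.com:443"])
CDN = Destination("cdn", fqdns=["cdn.example.com"])

GOOD = ForwardingProfile(rules=[
    Rule("zoom-direct", DIRECT, source_app=ZOOM),
    Rule("printers-direct", DIRECT, destination=PRINTERS),  # specific exclude first
    Rule("corp-tunnel", TUNNEL, destination=CORP_NET),      # broader include below it
    Rule("video-direct", DIRECT, destination=VIDEO),        # DNS + Network Traffic
    Rule("cdn-direct", DIRECT, destination=CDN, traffic_type=NETWORK_ONLY),
])
BAD = ForwardingProfile(rules=[GOOD.rules[2], GOOD.rules[1]])   # broad include above the exclude
STRICT = ForwardingProfile(rules=GOOD.rules, block_unmatched=True)
```

With `GOOD`, a print job to 10.20.30.7 takes the Direct path through `printers-direct` while the rest of 10.0.0.0/8 is tunnelled; with `BAD`, the same connection is tunnelled because the broad include sits above the specific exclude, which is exactly the situation `shadowed_routes` flags. The `cdn-direct` rule shows the Network Traffic type: the connection itself goes Direct, but a DNS query for the same name falls through to the Default rule and stays in the tunnel.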