Configure Traffic Steering in Prisma Access
Configure traffic steering in the Prisma Access deployment.
Traffic steering lets you create traffic steering rules in Prisma Access that
specify targets for internet-bound traffic from mobile users and remote network
connections. You can redirect that traffic to a service connection before it is sent
to the internet, or you can send it directly to the internet. Configure traffic
steering for your Prisma Access deployment by completing the following steps.
Configure Traffic Steering in Prisma Access (Strata Cloud Manager)
In Prisma Access deployments, a service connection provides access to internal
network resources, such as authentication services and private apps in your
headquarters or data center. Service connections normally carry internal traffic
that requires no internet access. In some cases, you might want to redirect
internet-bound traffic to the data center. Traffic steering lets you redirect
mobile user or remote network traffic to a service connection before it is sent to
the internet. Configure traffic steering for your Prisma Access deployment by
completing the following steps.
- Onboard your service connections, mobile users and remote networks, as applicable to your deployment.
- Go to Workflows > Prisma Access Setup > Service Connections > Advanced Settings.
- Configure the Traffic Steering rules.
- (Optional, mobile user deployments only) Allow Prisma Access to accept and install the default route advertised over one or more service connections from the CPE by clicking the gear icon to open the Settings and selecting Accept Default Route over Service Connections. Default routes have guidelines that you must follow when using them; for example, default routes are supported for mobile user deployments only and have no effect on remote network deployments. Be sure to review these guidelines before implementing default routes with traffic steering.
- (Optional) Allow Prisma Access to send certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP) traffic directly to the internet by selecting Send CRL/OCSP traffic to internet directly. Select this choice if you have an OCSP or CRL server on the public internet and you want to send that traffic directly to the internet using the untrust zone. If you do not select this choice, Prisma Access sends this traffic to the service connection. Be sure that you have upgraded your Prisma Access deployment to a minimum version of 5.1.1 before selecting Send CRL/OCSP traffic to internet directly.
- Create rules for the target you created and apply them to the target.
- Add Rule.
- Enter a unique Name for the rule.
- In the Source area:
- Specify the list of users to match. You can Match Any User, Match Pre-logon, Match known-user, Match unknown, or Add Users and select the user or users to match.
- Select Source Address Entities. You can select one or more of the following objects:
- An IP address
- An address group
- An External Dynamic List (EDL) using IP addresses or URLs
- In the Destination area specify one of the following Destination Address Entities, or select Any to have traffic processed by the rules in the URL Category field:
- An IP address
- An address group
- An External Dynamic List (EDL) using IP addresses or URLs
- Specify a URL Category. If you create a custom URL category, enter URLs in all lower case. Traffic steering supports custom and predefined URL categories. You can use wildcards with the URLs in URL categories. The following wildcard formats are supported:
- *.example.com
- *.fqdn.example.com
The following formats are not supported:
- *
- *.*
- *example.com
- example.com/ (trailing slashes in URLs are not supported in URL categories that are used with Traffic Steering)
- example.com/path (only domain names are supported)
- *fqdn.example.com
- fqdn.example.*
Use the following guidelines when configuring destination options:
- If you specify a URL category, Prisma Access only matches HTTP and HTTPS traffic, even when service is set to Any.
- Do not create a custom URL category with a type of Category Match.
- Specify a Service type and Add Service. Specify service-http to forward HTTP traffic and service-https to forward HTTPS traffic. Select Match Any Service to forward traffic of any service type.
- Create a service connection group and specify an Action.
- Create New or Manage a group and give it a unique Name.
- Specify the Service Connection or service connections to use with the target. Palo Alto Networks does not recommend using multiple service connections (whether dedicated or non-dedicated) in a target service connection group that is referenced in a traffic steering rule. In addition, a given service connection can only exist in one target and you cannot add a single service connection to two different targets.
- (Optional) Use a dedicated service connection to steer traffic to a third-party security stack or cloud that is not on your premises and does not need to participate in routing. To set a service connection to be used as a dedicated service connection, select Dedicated for Traffic Steering Only. Dedicated service connections change their zones and are marked as an Untrust Zone for security policy rules. Deselect Dedicated for Traffic Steering Only if you will send both normal service connection-related and traffic steering traffic through the service connection; with this choice, the zone for the service connection remains as Trust.
- To disable source NAT for dedicated service connections, select Disable Source NAT for Dedicated SC. Source NAT is enabled by default (the checkbox is deselected). If you disable source NAT, Prisma Access uses your organization’s source IP addresses for the dedicated service connection. If you enable source NAT, Prisma Access uses the EBGP Router address of the service connection (Panorama > Cloud Services > Status > Network Details > Service Connection > EBGP Router) as the source IP address, even after the traffic egresses from the dedicated service connection.
- Save your changes.
- Forward traffic to the specified service connection target, or send the traffic directly to the internet without going through the service connection.
- To have Prisma Access forward traffic to a service connection target, select Forward to the target; then select the Target Service Connection Group. Specify this choice if you have traffic you need to send to your existing or legacy environment because of SaaS application allow list limitations, or if you want to create a traffic flow to direct specified internet traffic back to your on-premises network.
- To have Prisma Access forward traffic directly to the internet without first sending it to a service connection, select Forward to the internet. Specify this choice if you are sending a default route to Prisma Access and you want to steer some traffic directly to the internet.
- Push Config to save your changes.
Configure Traffic Steering in Prisma Access (Panorama)
- Onboard your service connections, mobile users and remote networks, as applicable to your deployment.
- Select Panorama > Cloud Services > Configuration > Traffic Steering.
- (Optional, mobile user deployments only) Allow Prisma Access to accept and install the default route advertised over one or more service connections from the CPE by clicking the gear icon to open the Settings and selecting Accept Default Route over Service Connections. Default routes have guidelines that you must follow when using them; for example, default routes are supported for mobile user deployments only and have no effect on remote network deployments. Be sure to review these guidelines before implementing default routes with traffic steering.
- (Optional) Allow Prisma Access to send certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP) traffic directly to the internet by selecting Send CRL/OCSP traffic to internet directly. Select this choice if you have an OCSP or CRL server on the public internet and you want to send that traffic directly to the internet using the untrust zone. If you do not select this choice, Prisma Access sends this traffic to the service connection. Be sure that you have upgraded your Prisma Access deployment to a minimum version of 5.1.1 before selecting Send CRL/OCSP traffic to internet directly.
- (Optional) Create a target group and assign a service connection to it.
- In the Target Service Connections for Traffic Steering area, Add a group and give it a Group Name.
- Add a Target for the traffic, specifying the Service Connection to use with the target; then, click OK. Palo Alto Networks does not recommend using multiple service connections (whether dedicated or non-dedicated) in a target service connection group that is referenced in a traffic steering rule. In addition, a given service connection can only exist in one target and you cannot add a single service connection to two different targets.
- Choose whether to make the service connections associated with this target a dedicated service connection.
- You can use a dedicated service connection to steer traffic to a third-party security stack or cloud that is not on your premises and does not need to participate in routing. To set a service connection to be used as a dedicated service connection, select Dedicated for Traffic Steering Only. Dedicated service connections change their zones.
- Deselect Dedicated for Traffic Steering Only if you will send both normal service connection-related and traffic steering traffic through the service connection; with this choice, the zone for the service connection remains as Trust.
- Choose whether to enable or disable source NAT. To disable source NAT for dedicated service connections, select Disable Source NAT for Dedicated SC. Source NAT is enabled by default (the check box is deselected). If you disable source NAT, Prisma Access uses your organization’s source IP addresses for the dedicated service connection. If you enable source NAT, Prisma Access uses the EBGP Router address of the service connection (Panorama > Cloud Services > Status > Network Details > Service Connection > EBGP Router) as the source IP address, even after the traffic egresses from the dedicated service connection.
- Create rules for the target you created and apply them to the target.
- In the Traffic Steering Rules area, Add a traffic steering rule.
- In the General tab, Name the traffic steering rule.
- In the Source tab, specify rules for source traffic.
- In the Source Address field, specify one or more of the following objects, or select Any to have traffic from any source go to this target:
- An IP address
- An address object that you created in Panorama (Objects > Addresses)
- An External Dynamic List (EDL) using IP addresses or URLs
- In the Source User field, specify rules for source user traffic. You can specify the following user information:
- Users: Enter users in either the domain/user or the user@domain format.
- User groups: Use full distinguished names (DNs) when entering user groups.
- Users configured on Panorama (Device > Local User Database > Users)
- User groups configured on Panorama (Device > Local User Database > User Groups)
If you use address objects, DAGs, EDLs, users, or user groups, specify them as Shared to share them with all device groups in Prisma Access. In addition, do not enter 0.0.0.0/0 in address objects, DAGs, or EDLs; instead, enter 0.0.0.0/0 directly in the rule. Prisma Access automatically populates users from the mobile users device group only.
- In the Destination tab, specify the following values:
- In the Destination area, specify one of the following criteria, or select Any to have traffic processed by the rules in the URL Category field:
- An IP address or prefix
- An address object that you created in Panorama (Objects > Addresses)
- An IP address-based External Dynamic List (EDL)
Do not enter 0.0.0.0/0 in address objects, DAGs, or EDLs; instead, enter 0.0.0.0/0 directly in the rule. Leave Any selected to pass all traffic to be processed by the rules in the URL Category area. If you specify rules in both the Destination and URL Category areas, Prisma Access processes the rules in the Destination category first.
- In the URL Category field, enter a custom URL category (Objects > Custom Objects > URL Category). When you create a custom URL category, enter URLs in all lower case. Traffic steering supports custom and predefined URL categories. You can use wildcards with the URLs in URL categories. The following wildcard formats are supported:
- *.example.com
- *.fqdn.example.com
The following formats are not supported:
- *
- *.*
- *example.com
- example.com/ (trailing slashes in URLs are not supported in URL categories that are used with Traffic Steering)
- example.com/path (only domain names are supported)
- *fqdn.example.com
- fqdn.example.*
URLs in custom URL categories use the same URL pattern matching as that used by next-generation firewalls.
Use the following guidelines when configuring destination options:
- If you specify a URL category, Prisma Access only matches HTTP and HTTPS traffic, even when service is set to Any.
- Do not create a custom URL category with a type of Category Match.
- Do not create a custom URL category with the name Custom_URL_Category_TFR because, for deployments that are migrated from Prisma Access 1.7 to 2.0, URLs entered in the URL area from 1.7 are moved to a custom URL category named Custom_URL_Category_TFRnumber, where number is a number appended to the custom URL category.
- In the Service tab, specify a service type. Specify service-http to forward HTTP traffic and service-https to forward HTTPS traffic. Select Any to forward traffic of any service type.
- In the Action tab, select the Target Group Name that you want to apply to the traffic steering rule.
- Forward traffic to the specified service connection target, or send the traffic directly to the internet without going through the service connection.
- To have Prisma Access forward traffic to a service connection target, select Forward to the target; then select the Target Group Name.
- To have Prisma Access forward traffic directly to the internet without first sending it to a service connection, select Forward to the internet.
- Click OK to save your changes.
- (Optional) Specify additional traffic steering rules. Prisma Access processes multiple rules in the order that you create them (from top to bottom).
- Commit and push your changes to make them active in Prisma Access.
- Select Commit > Commit and Push and Edit Selections in the Push Scope.
- Select Prisma Access, then select Service Setup, Remote Networks, and Mobile Users.
- Click OK to save your changes to the Push Scope.
- Commit and Push your changes.
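As an added example that is not part of this documentation or of any Palo Alto Networks tool, the following Python script lints a constructed traffic steering configuration against the guidelines stated in both procedures above: the supported and unsupported URL category wildcard formats, the rule that a service connection may belong to only one target group (and that several service connections per group are not recommended), the instruction to enter 0.0.0.0/0 directly in the rule rather than in address objects, and the note that a URL category matches only HTTP/HTTPS even when the service is Any. The data classes, field names and sample values are assumptions of this example, not Prisma Access or Panorama API objects.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Supported entry shape per the guidelines: optional leading "*." label, then a plain domain name.
_DOMAIN = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$")


def check_url_entry(entry: str) -> list[str]:
    """Return the guideline violations for one custom URL category entry."""
    problems = []
    if entry != entry.lower():
        problems.append("must be all lower case")
    if "/" in entry:
        problems.append("only domain names are supported (no path or trailing slash)")
    if entry in ("*", "*.*"):
        problems.append("bare wildcard is not supported")
    elif "*" in entry and not entry.startswith("*."):
        problems.append("wildcard is only supported as a leading '*.' label")
    elif entry.count("*") > 1:
        problems.append("only one leading wildcard label is supported")
    if not problems and not _DOMAIN.match(entry):
        problems.append("is not a valid domain pattern")
    return problems


@dataclass
class TargetGroup:  # assumed model of a target service connection group
    name: str
    service_connections: list[str]


@dataclass
class SteeringRule:  # assumed model of one traffic steering rule
    name: str
    url_entries: list[str] = field(default_factory=list)  # custom URL category entries
    destination: list[str] = field(default_factory=list)  # address object names
    service: str = "any"               # any, service-http or service-https
    action: str = "forward-to-target"  # or forward-to-internet
    target: str = ""


def lint(rules, groups, address_objects) -> list[str]:
    """Return one finding per guideline violation; an empty list means clean."""
    findings = []
    owner = {}  # service connection -> target group that already uses it
    for g in groups:
        if len(g.service_connections) > 1:
            findings.append(f"{g.name}: multiple service connections in one target group is not recommended")
        for sc in g.service_connections:
            if sc in owner:
                findings.append(f"{g.name}: service connection {sc} already belongs to target {owner[sc]}")
            owner.setdefault(sc, g.name)
    names = {g.name for g in groups}
    for r in rules:
        for url in r.url_entries:
            for p in check_url_entry(url):
                findings.append(f"{r.name}: URL entry '{url}': {p}")
        if r.url_entries and r.service == "any":
            findings.append(f"{r.name}: note: a URL category matches only HTTP/HTTPS even with service Any")
        for obj in r.destination:
            if "0.0.0.0/0" in address_objects.get(obj, []):
                findings.append(f"{r.name}: enter 0.0.0.0/0 directly in the rule, not in address object {obj}")
        if r.action == "forward-to-target" and r.target not in names:
            findings.append(f"{r.name}: target group '{r.target}' does not exist")
    return findings


# Constructed sample configuration (not taken from any real deployment).
SAMPLE_GROUPS = [TargetGroup("dc-east", ["sc-east-1"]),
                 TargetGroup("dc-west", ["sc-east-1", "sc-west-1"])]
SAMPLE_OBJECTS = {"all-v4": ["0.0.0.0/0"], "saas-ranges": ["203.0.113.0/24"]}
SAMPLE_RULES = [
    SteeringRule("saas-to-dc", url_entries=["*.example.com", "Example.com/login"],
                 service="service-https", target="dc-east"),
    SteeringRule("catch-all", destination=["all-v4"], action="forward-to-internet"),
]

if __name__ == "__main__":
    for line in lint(SAMPLE_RULES, SAMPLE_GROUPS, SAMPLE_OBJECTS):
        print(line)
```

Run against the sample, the script reports the duplicated service connection, the two-connection target group, the mixed-case path entry and the 0.0.0.0/0 address object; run it against an exported rule set before a commit to catch the same mistakes early.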