Prisma Access
Configure Traffic Steering in Prisma Access
Table of Contents
Configure Traffic Steering in Prisma Access
Prisma Access
Configure traffic steering in the
Prisma Access
deployment.Where Can I Use
This? | What Do I Need? |
|---|---|
|
|
Traffic steering allows you to configure
Prisma Access
Access to create traffic steering rules to specify targets for internet-bound
traffic from mobile users and remote network connectons. You can
specify the traffic to be redirected to a service connecton before
sending to the internet, or you can specify the traffic to directly
egress to the internet. Configure traffic steering for your Prisma
Access deployment by completing the following steps. - Onboard your service connections, mobile users and remote networks, as applicable to your deployment.
- Select .
- (Optional, mobile user deployments only) AllowPrisma Accessto accept and install the default route advertised over one or more service connections from the CPE by clicking the gear icon to open the Settings and selectingAccept Default Route over Service Connections.Default routes have guidelines that you must follow when using them; for example, default routes are supported for mobile user deployments only and have no effect on remote network deployments. Be sure to review these guidelines before implementing default routes with traffic steering.
- (Optional) Create a target group and assign a service connection to it.
- In theTarget Service Connections for Traffic Steeringarea,Adda group and give it aGroup Name.
- AddaTargetfor the traffic, specifying theService Connectionto use with the target; then, clickOK.Palo Alto Networks does not recommend using multiple service connections (whether dedicated or non-dedicated) in a target service connection group that is referenced in a traffic steering rule. In addition, a given service connection can only exist in one target and you cannot add a single service connection to two different targets.
- Choose whether to make the service connections associated with this target a dedicated service connection.
- You can use a dedicated service connection to steer traffic to a third-party security stack or cloud that is not on your premises and does not need to participate in routing. To set a service connection to be used as a dedicated service connection, selectDedicated for Traffic Steering Only.Dedicated service connections change their zones.
- DeselectDedicated for Traffic Steering Onlyif you will send both normal service connection-related and traffic steering traffic through the service connection; with this choice, the zone for the service connection remains as Trust.
- Choose whether to enable or disable source NAT.To disable source NAT for Dedicated service connections, selectDisable Source NAT for Dedicated SC. Source NAT is enabled by default (the check box is deselected).If you disable source NAT,Prisma Accessuses your organization’s source IP addresses for the dedicated service connection. If you enable source NAT,Prisma Accessuses theEBGP Routeraddress of the service connection () as the source IP address, even after the traffic egresses from the dedicated service connection.
- Create rules for the target you created and apply them to the target.
- In theTraffic Steering Rulesarea,Adda traffic steering rule.
- in theGeneraltab,Namethe traffic steering rule.
- In theSourcetab, specify rules for source traffic.
- In theSource Addressfield, specify one or more of the following objects, or selectAnyto have traffic from any source go to this target:
- An IP address
- An address object that you created in Panorama ()
- An External Dynamic List (EDL) using IP addresses or URLs
- In theSource Userfield, specify rules for source user traffic. You can specify the following user information:
- UsersEnter users in either thedomain/useror theuser@domainformat.
- User groupsUse full distinguished names (DNs) when entering user groups.
- Users configured on Panorama ()
- User groups configured on Panorama ()
If you use address objects, DAGs, EDLs, users, or user groups, specify them asSharedto share them with all device groups inPrisma Access. In addition, do not enter 0.0.0.0/0 in address objects, DAGs, or EDLs; instead, enter 0.0.0.0/0 directly in the rule.Prisma Access automatically populates users from the mobile users device group only. - In theDestinationtab, specify the following values:
- In theDestinationarea, specify one of the following criteria, or selectAnyto have traffic processed by the rules in theURL Categoryfield:
- An IP address or prefix
- An address object that you created in Panorama ()
- An IP address-based External Dynamic List (EDL)
Do not enter 0.0.0.0/0 in address objects, DAGs, or EDLs; instead, enter 0.0.0.0/0 directly in the rule.LeaveAnyselected to pass all traffic to be processed by the rules in theURL Categoryarea. If you specify rules in theDestination, andURL Categoryareas,Prisma Accessprocesses the rules in theDestinationcategory first. - In theURL Categoryfield, enter a custom URL category () When you create a custom URL category, enter URLs in all lower case. Traffic steering supports custom URL and predefined URL categories.You can use wildcards with the URLs in URL categories. The following wildcard formats are supported:
- *.example.com
- *.fqdn.example.com
The following formats are not supported:- *
- *.*
- *example.com
- example.com/ (trailing slashes in URLs are not supported in URL categories that are used with Traffic Steering)
- example.com/path(only domain names are supported)
- *fqdn.example.com
- fqdn.example.*
URLs in custom URL categories use the same URL pattern matching as that used by next-generation firewalls.
Use the following guidelines when configuring destination options:- If you specify a URL category,Prisma Accessonly matches HTTP and HTTPS traffic, even when service is set to Any.
- Do not create a custom URL category with a type ofCategory Match.
- Do not create a custom URL category with the nameCustom_URL_Category_TFRbecause, for deployments that are migrated fromPrisma Access1.7 to 2.0, URLs entered in the URL area from 1.7 are moved to a custom URL category namedCustom_URL_Category_TFRnumber, wherenumberis a number appended to the custom URL category.
- In theServicetab, specify a service type.Specifyservice-httpto forward HTTP traffic and specifyservice-httpsto specify HTTPS traffic. SelectAnyto forward traffic of any service type.
- In theActiontab, select theTarget Group Namethat you want to apply to the traffic steering rule.
- Forward traffic to the specified service connection target, or send the traffic directly to the internet without going through the service connection.
- To havePrisma Accessforward traffic to a service connection target, selectForward to the target; then select theTarget Group Name.
- To havePrisma Accessforward traffic directly to the internet without first sending it to a service connection, selectForward to the internet.
- ClickOKto save your changes.
- OptionalSpecify additional traffic steering rules.Prisma Accessprocesses multiple rules in the order that you create them (from top to bottom).
- Commit and push your changes to make them active in Prisma Access.
- Select andEdit Selectionsin the Push Scope.
- Select, then selectPrisma AccessService Setup,Remote Networks, andMobile Users.
- ClickOKto save your changes to the Push Scope.
- CommitandPushyour changes.