Examples of how default routes work with Prisma Access
traffic steering.
Where Can I Use
This?
What Do I Need?
Prisma Access (Managed by Panorama)
Prisma Access license
The following example shows a sample Prisma Access deployment
the following components:
Two Prisma Access mobile user locations; one in the United
States (US) and one in Europe (EU).
Two Prisma Access service connections; one in the US and
one in the EU, with both data centers sending default routes to
the service connections (Accept Default Route over Service
Connections is enabled).
Two data centers; one in the US and one in the EU.
Each
data center has a 3rd-party security stack; for this reason, you
want all internet-bound traffic to go through the data center before
egressing to the internet.
When a mobile user sends data center traffic, Prisma Access checks
its routing tables, determines the closest service connection, and
forwards the traffic to that service connection. In the following
example, Prisma Access sends data center traffic from the mobile
users in the US to Service Connection and traffic from the mobile
users in the EU to Service Connection 2.
Do not use service connections that are Dedicated
for Traffic Steering Only with default routes; dedicated
service connections do not participate in BGP routing, so they cannot
receive BGP advertisements from the HQ or data center.
To enable default routes, select Accept Default Route
over Service Connections when you configure traffic
steering settings. After you configure this setting and commit and
push your changes, Prisma Access sends internet-bound traffic over
the service connections.