Prisma Access Traffic Steering Rule Guidelines
Learn about the guidelines you need to follow when you configure Prisma Access traffic steering.
Where Can I Use This?
What Do I Need?
  • Panorama
  • Prisma Access license
Traffic steering can process a wide variety of possible configurations; however, it is important to understand how Prisma Access processes rules so that you can create rules that are easy to maintain and manage. To help you create the rules that work best for your deployment, follow these guidelines:
  • Prisma Access evaluates rules in the order that you create them (from top to bottom). Place more specific rules at the top and more general rules at the bottom.
  • Create multiple rules with fewer matching criteria, instead of creating fewer rules with multiple types of criteria. Creating simpler rules both speeds up rule creation and makes it easier to modify a rule.
  • Since you cannot move a rule up or down in a list after you create it, carefully plan your rule order before you create the rules.
  • Rules that specify Any source address and User, Any destination address and URL Category, and Any service are not supported. Use more specific rules; for example, specify a rule with Any source or destination traffic and a service of service-http and service-https.
  • If you are going to specify rules for users in the Source User field, make sure that Prisma Access can distinguish between users when the same username is shared between users who authenticate locally and users who authenticate using LDAP: authenticate LDAP users in the format domain/username and local users in the format username (without the domain name).
  • If you have configured an on-premises next-generation firewall as a master device, you can auto-populate user and group information for mobile user device groups in traffic steering and security policy rules by selecting Panorama > Cloud Services > Configuration > Mobile Users, clicking the gear icon to edit the Settings, and selecting the Master Device in the Device Group area. While this populates the master device in every device group, it only populates the user and group information for mobile users in security policy rules.
  • If an EDL (type IP List) is used in a Traffic Steering Rule, and the source URL of the EDL is updated to a URL that is not accessible, Prisma Access may continue to use the cached IP list from the previous URL.
  • Prisma Access bypasses Traffic Steering for rules with a service type of HTTP or HTTPS if you use an application override policy for TCP ports 80 and 443. In addition, traffic steering does not work for URLs from URL categories referenced in the traffic steering rule if you have configured an application override policy for TCP ports 80 or 443.
  • You can specify destination IP addresses and URL categories in the same rule. If you do, Prisma Access uses a logical OR to process the destination criteria, so traffic matches the rule if either the IP address or the URL category matches; however, it evaluates the URL and URL category criteria only on TCP ports 80 and 8080 for HTTP and TCP port 443 for HTTPS. Palo Alto Networks does not recommend creating a rule of this type; instead, create simpler rules.
For example, suppose you want to enforce the following rules for your network traffic:
  • You have an internal HTTP server with an IP address of 10.1.1.1 in the data center, and you want to direct internal HTTP and HTTPS traffic to this server. Traffic to this server should not go to the internet and should be processed internally; therefore, choose a non-dedicated target for this traffic, because this type of target processes both internal and internet-bound traffic.
  • You want office365.com traffic to be routed directly to the internet.
  • You want traffic from *.example.com or any traffic defined in a custom URL category of custom-social-networking to be routed to a dedicated connection.
  • You want any other HTTP and HTTPS traffic to use the same non-dedicated service connection target as that used for the internal HTTP server.
For this example, create the rules from the most specific to the least specific, as shown in the following screenshot. Do not add the rule that allows all HTTP and HTTPS traffic first, or Prisma Access would direct all HTTP and HTTPS traffic to the non-dedicated connection without evaluating any of the other rules.
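As an added example (not Palo Alto Networks code), the following Python simulator walks the example above the way the guidelines describe: top-to-bottom, first match wins, destination criteria ORed, and URL or URL-category criteria evaluated only on ports 80, 8080 and 443. The rule fields, the target labels (non-dedicated-SC, dedicated-SC, internet), the hostname-glob matching and the shadow check that flags rules hidden behind an earlier Any-destination rule are all assumptions of this example, not Prisma Access behaviour beyond what the page states.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

HTTP_PORTS, HTTPS_PORTS = {80, 8080}, {443}  # ports on which URL/category criteria apply (per the page)
WEB = {"service-http", "service-https"}

@dataclass
class Rule:
    name: str
    target: str                                      # assumed label, e.g. a service connection name
    dst_ips: set = field(default_factory=set)        # empty = Any destination address
    url_patterns: set = field(default_factory=set)   # hostname globs such as *.example.com (assumed)
    url_categories: set = field(default_factory=set)
    services: set = field(default_factory=set)       # service-http / service-https; empty = Any

    def any_destination(self):
        return not (self.dst_ips or self.url_patterns or self.url_categories)

    def effective_services(self):
        # A rule whose only destination criteria are URLs/categories can only ever match web ports.
        return self.services if (self.services or self.dst_ips or self.any_destination()) else set(WEB)

    def matches(self, dst_ip, port, url=None, category=None):
        web = (("service-http" in self.services and port in HTTP_PORTS)
               or ("service-https" in self.services and port in HTTPS_PORTS))
        if self.services and not web:
            return False
        if self.any_destination() or dst_ip in self.dst_ips:
            return True
        # Destination criteria are ORed, but URL and category only count on web ports.
        return port in HTTP_PORTS | HTTPS_PORTS and (
            bool(url and any(fnmatch(url, p) for p in self.url_patterns))
            or category in self.url_categories)

def steer(rules, **flow):
    # First match wins, evaluated top to bottom; (None, None) when no rule matches.
    return next(((r.name, r.target) for r in rules if r.matches(**flow)), (None, None))

def shadowed(rules):
    # Rules that can never match because an earlier Any-destination rule with the same or broader service covers them.
    covers = lambda e, l: e.any_destination() and bool(
        not e.services or (l.effective_services() and l.effective_services() <= e.services))
    return [l.name for i, l in enumerate(rules) if any(covers(e, l) for e in rules[:i])]

RULES = [  # the page's example, most specific first; target names are assumed
    Rule("internal-http", "non-dedicated-SC", dst_ips={"10.1.1.1"}, services=set(WEB)),
    Rule("o365-direct", "internet", url_patterns={"office365.com", "*.office365.com"}),
    Rule("dedicated", "dedicated-SC", url_patterns={"*.example.com"}, url_categories={"custom-social-networking"}),
    Rule("all-web", "non-dedicated-SC", services=set(WEB)),
]
```

Running `shadowed` on the list with the all-web rule moved to the top reports the other three rules as unreachable, which is the ordering mistake the paragraph above warns about.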