Filter the routes that are advertised from the IPSec capable device or router at
HQ to the eBGP peers at other directly connected locations. As a best practice,
configure the BGP router at HQ to only advertise routes that you want to allow
across the WAN link; you ensure that the eBGP router at HQ does not advertise
the routes it learns from
Prisma Access
to other remote network location(s)
secured by
Prisma Access
. In this example, the eBGP router at HQ only advertises
routes that employees from the branch office will need to connect to the servers
(subnets) at HQ.