Focus

Prisma Access

Enable Routing for Your Remote Network

Table of Contents

Filter

Expand All | Collapse All

Prisma Access Docs

Release Notes
Select a Document
- 6.1 Preferred and Innovation
- 6.0 Preferred and Innovation
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
Activation & Onboarding
Administration
Select a Document
- 4.0 & Later
- Prisma Access China
Integrations
Incidents & Alerts

Set up IPSec Tunnels Prisma Access

Onboard Multiple Remote Networks

Enable Routing for Your Remote Network

Configure routing settings for your remote network.

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager)	Prisma Access license

In order for Prisma Access to route traffic to your remote networks, you must provide routing information for the subnetworks that you want to secure using Prisma Access. You can do this in several ways. You can either define a static route to each subnetwork at the remote network site, or configure BGP between your service connection locations and Prisma Access, or use a combination of both methods.

If you configure both static routes and enable BGP, the static routes take precedence. While it might be convenient to use static routes if you have just a few subnetworks at your remote network locations, in a large deployment with many remote networks with overlapping subnets, BGP will enable you to scale more easily.

Static Routes—To enable static routes to and from your remote site to Prisma Access, identify the subnetworks or individual IP addresses at the remote site that you want Prisma Access to secure (for both inbound and outbound traffic). The subnetworks at each site must not overlap with each other, with the IP pools that you designated for Prisma Access for Users, or with the infrastructure subnet.
BGP—If you want to enable BGP to dynamically route traffic to and from your remote network, you will need to provide the BGP information for the eBGP router at your branch:
- Branch Router Autonomous System (AS) Number—The AS to which the eBGP router at the remote network belongs. This is called the Peer AS.
- Router ID—The IP address assigned as the Router ID of the eBGP router on the remote network. This is called the Peer Address.
If you configure both static routes and BGP routing, the static routes take precedence.

Here’s how to configure routing settings for your remote network site.

To add or adjust routing settings, go to ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessRemote Networks and add or edit a remote network site.
Configure static routes.

If you are using static routes to route traffic to and from your branch, Add the IP subnets or IP addresses that you want to secure at the branch. Note that if you make any changes to the IP subnets on your branch, you must manually update the static routes.
Configure dynamic routing.
To use dynamic routing to advertise your branch subnets, Enable BGP for Dynamic Routing and then configure the following settings:
- Do Not Export Routes—Prevent Prisma Access from forwarding routes into your remote network.
  By default, Prisma Access advertises all BGP routing information, including local routes and all prefixes it receives from other service connections, remote networks, and mobile user subnets. Select this check box to prevent Prisma Access from sending any BGP advertisements, but still use the BGP information it receives to learn routes from other BGP neighbors.
  
  Because Prisma Access does not send BGP advertisements, if you select this option you must configure static routes on your on-premises equipment to establish routes back to Prisma Access.
- Peer IP Address—Enter the Peer IP Address assigned as the Router ID of the eBGP router on the remote network.
- Peer AS—Enter the Peer AS, which is the autonomous system (AS) for your network.
  You must use an RFC 6996-compliant BGP Private AS number.
- Local IP Address—Enter the IP address that Prisma Access uses as its Local IP Address for BGP.
  A local address is only required if your remote site device requires it for BGP peering to be successful. Make sure the address you specify does not conflict or overlap with IP addresses in the infrastructure subnet or subnets in the remote network.
- Secret—Enter a Secret password to authenticate BGP peer communications and then Confirm Secret.

Troubleshoot Site Connections

To troubleshoot your remote network, go to the remote network setup (ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessRemote Networks), select the remote network for which you want to troubleshoot, and Edit the routing preferences.

Set up IPSec Tunnels Prisma Access

Onboard Multiple Remote Networks

Prisma Access Docs

Enable Routing for Your Remote Network

Prisma Access Docs

Enable Routing for Your Remote Network

Troubleshoot Site Connections

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner