Add a Path Policy Rule
Table of Contents
Expand all | Collapse all
-
-
- Configure Circuits
- Configure Internet Circuit Underlay Link Aggregation
- Configure Private WAN Underlay Link Quality Aggregation
- Configure Circuit Categories
- Configure Device Initiated Connections for Circuits
- Add Public IP LAN Address to Enterprise Prefixes
- Manage Data Center Clusters
- Configure a Site Prefix
- Configure a DHCP Server
- Configure NTP for Prisma SD-WAN
- Enable IoT Device Visibility in Prisma SD-WAN
- Configure the ION Device at a Branch Site
- Configure the ION Device at a Data Center
- Switch a Site to Control Mode
- Allow IP Addresses in Firewall Configuration
-
- Configure a Controller Port
- Configure Internet Ports
- Configure WAN/LAN Ports
- Configure a Loopback Interface
- Prisma SD-WAN Standard VPN
- Configure a PoE Port
- Configure and Monitor LLDP Activity and Status
- Configure a PPPoE Interface
- Configure a Layer 3 LAN Interface
- Configure Application Reachability Probes
- Configure a Secondary IP Address
- Configure a Static ARP
- Configure a DHCP Relay
- Configure IP Directed Broadcast
- VPN Keep-Alives
-
- Configure Prisma SD-WAN IPFIX
- Configure IPFIX Profiles and Templates
- Configure and Attach a Collector Context to a Device Interface in IPFIX
- Configure and Attach a Filter Context to a Device Interface in IPFIX
- Configure Global and Local IPFIX Prefixes
- Flow Information Elements
- Options Information Elements
- Configure the DNS Service on the Prisma SD-WAN Interface
- Configure SNMP
-
-
- Prisma SD-WAN Branch Routing
- Prisma SD-WAN Data Center Routing
-
- Configure Multicast
- Create a WAN Multicast Configuration Profile
- Assign WAN Multicast Configuration Profiles to Branch Sites
- Configure a Multicast Source at a Branch Site
- Configure Global Multicast Parameters
- Configure a Multicast Static Rendezvous Point (RP)
- Learn Rendezvous Points (RPs) Dynamically
- View LAN Statistics for Multicast
- View WAN Statistics for Multicast
- View IGMP Membership
- View the Multicast Route Table
- View Multicast Flow Statistics
- View Routing Statistics
- Prisma SD-WAN Incident Policies
-
- Prisma SD-WAN Branch HA Key Concepts
- Configure Branch HA
- Configure HA Groups
- Add ION Devices to HA Groups
- View Device Configuration of HA Groups
- Edit HA Groups and Group Membership
-
- Configure Branch HA with Gen-1 Platforms (2000, 3000, 7000, and 9000)
- Configure Branch HA with Gen-2 Platforms (3200, 5200, and 9200)
- Configure Branch HA with Gen-2 Embedded Switch Platforms (1200-S or 3200-L2)
- Configure Branch HA for Devices with Software Cellular Bypass (1200-S-C-5G)
- Configure Branch HA for Platforms without Bypass Pairs
- Prisma SD-WAN Clarity Reports
-
- Native SASE Integration with Prisma SD-WAN
- Connect a Single Prisma SD-WAN Site to Prisma Access
- Connect Multiple Prisma SD-WAN Sites to Prisma Access
- Edit Application Policy Network Rules
- Understand Service and Data Center Groups
- Verify Standard VPN Endpoints
- Configure Standard Groups
- Assign Domains to Sites
- Prisma SD-WAN Incidents and Alerts
Add a Path Policy Rule
Learn how to add a path policy rule in
Prisma SD-WAN
.Path policy rules define network paths for application sessions to leverage. Path Policy Rules
use network contexts, applications, destination zones, prefixes, ports, and
protocols. Layer 3 paths can be private or internet paths, VPN, or standard VPNs.
You can directly add policy rules to a simple path stack by clicking a simple path
stack and then clicking
Add Rule
. For advanced stacks, select
a stack, then a policy set within the stack, and then add policy rules to the policy
set.- Add a path policy rule to a simple path stack.
- Select.ManagePoliciesPathPath StacksSimpleSelect a StackAdd Rule
- Select an order for the rule.Policy rules follow explicit ordering and implicit ordering. In explicit ordering, each rule within a policy set has an order number that is used to explicitly order rules overriding an implicit order, a set of match criteria, and a set of actions. If two rules have the same order, then the rules follow implicit ordering wherein policy rules with more specific attributes get precedence over rules with less specific attributes.
- Enter aNamefor the policy rule, and optionally enter description and tags.
- Enter anorderbetween 1-65535 for the policy rule.An order of 1 indicates the highest priority for the policy rule. The default is 1024.
- (Optional)SelectDisable Ruleif you do not want the ION device to consider this rule.
- (Optional)Configure network contexts.
- On theNetwork Contextsscreen, select a previously configuredNetwork Contextor click the+icon to create a network context.
- (Optional)Configure Prefixes.On thePrefixestab, select aSource Prefixand aDestination Prefix.
- (Optional)Add users or user groups.On theUserstab, select aUserand/or aGroupfrom theUser/Groupdrop-down.
- (Optional)Select applications.On theAppstab, select the applications to apply the policy rule. You can select 256 applications for one policy rule.You can filter applications based on:
- For sites 6.0.1 or above—Select this option to view system applications from PANW, applications common to PANW andPrisma SD-WAN, and custom applications defined inPrisma SD-WAN.
- For sites below 6.0.1—Select this option to view legacy system applications inPrisma SD-WAN, applications common to PANW and Prisma SD-WAN, and custom applications defined inPrisma SD-WAN.
- For any site—Use this option to view applications common to PANW andPrisma SD-WANalong with custom applications defined inPrisma SD-WAN.
(Optional)You can check the type of application -System (PANW, CGX),System (CGX), orCustomby selecting the application first and then using the filters to view the type of application. - Configure paths.On thePathstab, chooseActive/Backup/L3 Failure Pathsfor the application from the drop-down list.Select anOverlayand aCircuit Categoryfor a path. You cannot repeat a combination of an overlay and a circuit category for a policy rule.You must configure an active path. You can optionally configure backup paths and L3 failure paths. You can configure an L3 failure path without configuring a backup path.In ION devices running 5.2.1 and higher versions, the default setting moves flows back to the active path in the policy as soon as the active path becomes available.
- Select Service and DC Groups.Select Service & DC Groups, and then select Active/Backup Service & DC Groups from the drop-down.If theRequiredcheck box is selected, traffic will always transit through the Service and DC Groups. If not selected, traffic may or may not transit through the Service and DC Groups per policy. You cannot selectRequired, if you have selected at least one direct path in thePathstab.
- Confirm the information displayed in theSummarytab and then clickSave & Exit.
- Add a path policy rule to an advanced path policy set.
- Select.ManagePoliciesPathPath StacksAdvancedSelect a StackAdd Rule
- Follow the steps above for adding a path policy rule to a simple policy stack.