Improve Prisma Access Agent traffic enforcement by preventing non-TCP and non-UDP
traffic from bypassing security controls.
Enhance Prisma Access Agent traffic enforcement by blocking all non-TCP and non-UDP traffic when the agent is connected to the tunnel. This feature expands Prisma Access Agent protocol coverage by implementing kernel-mode controls that block all non-TCP and non-UDP traffic, providing an option to enforce security policy for these protocol types.
When you enable this feature in your Prisma Access Agent deployment, the system blocks non-TCP and non-UDP traffic while the tunnel is active. This applies to protocols such as ICMP, GRE, IPsec, and other IP protocols, ensuring these protocols can’t bypass your security policy. You can optionally allow ICMP traffic for network troubleshooting while still blocking all other non-TCP and non-UDP traffic.
This capability supports organizations that need strict traffic control for specific
projects or users by ensuring that non-TCP and non-UDP traffic gets blocked when the
agent is connected. The feature integrates with existing Prisma Access Agent
forwarding profiles and rules, enhancing your security posture without disrupting
current configurations.
You can configure the feature with two primary options: blocking all non-TCP and non-UDP traffic when connected to the tunnel, and optionally allowing ICMP traffic for troubleshooting purposes. The ICMP allowance option becomes available only when you enable the primary blocking option, providing flexibility for network diagnostics while maintaining security controls.
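As an added illustration (not Prisma Access Agent code), the per-packet decision a kernel-mode filter of this kind has to make, including the dependency of the ICMP option on the primary blocking option. Protocol numbers are IANA values, the packets are constructed headers only, and treating ICMPv6 the same way as ICMP is an assumption.

```python
import struct

# IANA protocol numbers used in the examples
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_ICMPV6 = 1, 6, 17, 47, 50, 58

def ip_protocol(packet: bytes) -> int:
    """Return the transport protocol number of a raw IPv4 or IPv6 packet."""
    version = packet[0] >> 4
    if version == 4:
        return packet[9]                       # IPv4 'Protocol' field
    if version == 6:
        nxt, off = packet[6], 40               # IPv6 'Next Header'; fixed header is 40 bytes
        while nxt in (0, 43, 44, 60):          # hop-by-hop, routing, fragment, dest options
            size = 8 if nxt == 44 else (packet[off + 1] + 1) * 8
            nxt, off = packet[off], off + size
        return nxt
    raise ValueError(f"unsupported IP version {version}")

def enforce(packet: bytes, tunnel_connected: bool,
            block_non_tcp_udp: bool, allow_icmp: bool) -> str:
    """Decide 'allow' or 'block' for one packet under the policy described above.
    allow_icmp has no effect unless block_non_tcp_udp is enabled (the ICMP option
    depends on the primary option). Treating ICMPv6 like ICMP is an assumption."""
    if not (tunnel_connected and block_non_tcp_udp):
        return "allow"                         # feature inactive: existing rules decide
    proto = ip_protocol(packet)
    if proto in (PROTO_TCP, PROTO_UDP):
        return "allow"
    if allow_icmp and proto in (PROTO_ICMP, PROTO_ICMPV6):
        return "allow"
    return "block"                             # GRE, ESP, AH and anything else

# Constructed minimal packets (headers only) for exercising the decision logic
def ipv4_packet(proto: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def ipv6_packet(next_header: int, payload: bytes = b"") -> bytes:
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       b"\xfd" + b"\x00" * 15, b"\xfd" + b"\x00" * 14 + b"\x01") + payload

if __name__ == "__main__":
    for name, pkt in [("TCP", ipv4_packet(PROTO_TCP)), ("ICMP", ipv4_packet(PROTO_ICMP)),
                      ("GRE", ipv4_packet(PROTO_GRE)), ("ESP", ipv4_packet(PROTO_ESP))]:
        print(f"{name:5} block-all={enforce(pkt, True, True, False):5} "
              f"block-all+icmp={enforce(pkt, True, True, True)}")
```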