Set Up Forwarding Profiles (Strata Cloud Manager Managed Deployments)

1. Navigate to the Forwarding Profiles page from Strata Cloud Manager.

   1. Select ConfigurationNGFW and Prisma AccessConfiguration ScopeMobile Users ContainerMobile Users.
   2. Edit the settings in the Forwarding Profiles Setup section by selecting the gear icon.

2. (macOS and Windows agents only) Set up User Locations if you want to specify the location that a forwarding rule applies to. You can specify Internal Host Detection to apply the rule to users connected to your internal network, or specify source IP addresses for external locations like branch offices.

   User location detection occurs automatically when the agent loads a new forwarding profile, when you manually import a profile, or when network changes occur such as switching WiFi networks or changing IP addresses. The agent uses Internal Host Detection or source IP address matching to determine the current location, then applies the appropriate forwarding rules for that location.

   If enabled, the Internal Host Detection setting in the agent app settings takes precedence over the Internal Host Detection setting in forwarding profiles. Unlike the Internal Host Detection setting in the agent app settings, the Internal Host Detection rules in forwarding profiles don't suppress the tunnel.

   1. In the Forwarding Profiles Setup page, select User LocationsAdd User Location.

   2. Enter a meaningful Name for the user location that you want to add.
   3. Select Internal Host Detection for users on the internal corporate network, or select IP Addresses to steer traffic based on private IP addresses.

      • Internal Host Detection—Specify the IP Address and FQDN for your internal network. Only IPv4 addresses are supported.
        If enabled, the Internal Host Detection setting in the agent app settings takes precedence over the Internal Host Detection setting in forwarding profiles. Unlike the Internal Host Detection setting in the agent app settings, the Internal Host Detection rules in forwarding profiles don't suppress the tunnel.
      • IP Addresses—Provide one or more source IP addresses of endpoints. You must enter specific IPv4 addresses. You can also enter a subnet (using CIDR notation), such as 192.168.1.0/24.
        The source IP address here is the IP address assigned to the endpoints and not the egress IP address.

   4. Save the user location settings.
3. (macOS, Windows, and Linux agents only) Set up Source Applications if you want to steer traffic based on the application name.

   1. In the Forwarding Profiles Setup page, select Source ApplicationsAdd Source Application.

   2. Enter a meaningful Name for the application that you want to add.
   3. Click + in the Applications table and enter the complete path of the application. You can add one or more applications to the table.

      You will select these applications when setting up the forwarding rules in a forwarding profile. For example, to exclude application traffic, select Direct connectivity when configuring the forwarding rule. Traffic from these applications will be sent through the physical adapter on the endpoints rather than the tunnel (the virtual adapter). If you choose to include application traffic, select Best Available - Fail Safe (macOS and Windows agents only), Best Available - Fail Open, or your own configured connectivity option when configuring the forwarding rule.

      For example, to manage traffic from the Zoom application, add the following complete paths:

      • Windows endpoints: %AppData%\Roaming\Zoom\bin\Zoom.exe
      • macOS endpoints: /Applications/zoom.us.app/Contents/MacOS/zoom.us

      Wildcard Character Support

      (macOS and Windows agents only) For applications with dynamic installation locations, you can use a the asterisk (*) as a wildcard character to replace exactly one directory component in the path. You can include multiple wildcards throughout the path to handle various scenarios such as version-specific directories, user-specific installations, or architecture-dependent locations. To account for changing version numbers or user directories, you can place wildcards in the middle or end of a path (when you need to match any executable within a specific directory). Each wildcard must occupy an entire directory component and cannot be combined with other characters within the same component. The path must begin with a valid root directory on macOS or a drive letter on Windows, so you cannot start the path with a wildcard character.

      Valid Examples

      • /abc/v1/app
      • /*/bin/curl
      • /opt/*/Cellar/*/*/bin/wget
      • C:\Windows\System32\*
      • C:\Users\*\AppData\Roaming\Zoom\bin\*

      Invalid Examples

      • C:\Users\xyz\AppData\Roaming\Zoom\bin\zoom*
      • */bin/curl
      • C:\Users\**\AppData\Roaming\Zoom\bin\zoom.exe

      Be sure to specify valid paths. If you enter invalid paths, the forwarding rule won't be applied on the endpoint, even if some paths are valid.

      If you have a list of applications in a text file in comma-separated values format (.csv), you can Upload .csv File.
   4. Save the source application.
   5. Repeat these steps to add more source applications.
4. Set up Destinations if you want to create a split tunnel based on the destination domain or access routes.

   Prisma Access Agent cannot steer UDP traffic based on destination criteria on Windows endpoints. Any rule that uses the Destination object will not apply to UDP traffic on Windows endpoints.

   1. In the Forwarding Profiles Setup page, select DestinationsAdd Destination.

      Prisma Access Agent also offers predefined destination domains, such as Okta SAML Authentication Domains, Azure SAML Authentication Domains, Microsoft Client Authentication Domains, and Video Traffic so that you can easily create forwarding rules for these destination domains.
   2. Enter a meaningful Name for the destination that you want to add.
   3. Add a destination by specifying the domain name, access route, or both.

      • (macOS, Windows, and Linux agents only) To add a destination domain, click + in the FQDNs table and enter the FQDN for the destination domain. You can optionally add a port. If you don't specify a port, all ports for the specified domain are subjected to the forwarding rule. You can add one or more domains for traffic management.
        You can enter alphanumeric characters for the FQDN. You can also specify a wildcard domain by including a wildcard character (*) in the FQDN. However, the wildcard must appear only once and must be the first character of the string, and a period must follow the wildcard.

        The following are valid FQDN examples:

        • example.com (exact domain)
        • *.local (wildcard domain)

        The following FQDN examples are not valid:

        • .example.com (missing characters before the first period)
        • *example.com (missing period after the wildcard)
        • my*.example.* (only one wildcard allowed and it must appear at the start of the string)
        • *.example.*.com (wildcard not allowed in middle of string)

        Prisma Access Agent will check whether your FQDN entry is valid or not. For invalid domain inputs, the "Invalid FQDN format" message appears.

        If you add a port, the port can only contain positive numbers. The range is 1-65535.
        You will select these destinations when setting up the forwarding rules in a forwarding profile. For example, to exclude traffic based on the domain name, select Direct connectivity when configuring the forwarding rule. Traffic from the domain will be sent through the physical adapter on the endpoints rather than the tunnel (the virtual adapter). If you choose to include traffic based on the domain name, select Best Available - Fail Safe (macOS and Windows agents only), Best Available - Fail Open, or your own configured connectivity option when configuring the forwarding rule. Traffic from the domain is routed to Prisma Access, even if it meets the excluded traffic criteria.

      • To add an access route, click + in the IP Addresses table and enter a destination subnet. You can add one or more access routes for traffic management.
        (macOS and Windows agents only) For IPv6 addresses, you can enter:

        • Single IPv6 addresses using standard notation (for example, 2001:0db8:85a3::)
        • IPv6 subnets using CIDR notation (for example, 2001:0db8:85a3::/48)
        For IPv4 addresses, you can a wildcard character (*) in the IP address, but the wildcard must not appear in the middle of the IP address. Once a wildcard is used, all the following octets must also be wildcards.

        The following are some examples of valid IPv4 addresses:

        • 1.2.3.4 (exact IP address)
        • 1.4.3.* (wildcard IP address)
        • 1.*.*.*
        • *.*.*.* (full wildcard IP address)
        • 1.2.3.4/32 (exact IP address followed by CIDR)

        The following are examples of an invalid IPv4 address:

        • 1.2.3.300 (each byte must be 0-255)
        • 3.3.3.3/255.255.255.256 (invalid subnet mask)

        Prisma Access Agent will check whether your IP address entry is valid or not. For invalid inputs, a message appears indicating that the IP address is not valid.

        In some cases (such as 1.2.*.4 and 7.7.7.7/33), the configuration validator will allow the entry, but the agent will ultimately reject it because the entry does not adhere to a supported format. In this case, the agent will reject the forwarding profile rule and fall back to the fail-safe mode, forwarding all traffic to the tunnel.
        If you don't include or exclude routes or applications, every request is routed through the tunnel. Also, all traffic is inspected and subjected to policy enforcement whenever users connect to Prisma Access.
        When you define split tunnel traffic to exclude access routes (by selecting Direct connectivity in the forwarding rule), these routes are sent through the physical adapter on the endpoint instead of being sent through the virtual adapter (the tunnel). This way, you can send latency-sensitive or high-bandwidth traffic outside of the tunnel, while all other traffic is routed through the tunnel for inspection and policy enforcement by the gateway.
        When you define split tunnel traffic to include access routes (by selecting Best Available - Fail Safe (macOS and Windows agents only), Best Available - Fail Open, or your own configured connectivity option in the forwarding rule), the gateway pushes these routes to the remote users’ endpoints to specify what traffic these endpoints can send through the tunnel.
        Specify exclude routes that are more specific than include routes; otherwise, you might exclude more traffic than intended.
        If you have a list of IP addresses in a text file in .csv format, you can Upload .csv File.

   4. Save the destinations.
   5. Repeat these steps to add more destinations.
5. Set up Connectivity options to direct traffic based on the connectivity method.

   Prisma Access Agent provides predefined connectivity options when users are using the best available location but the tunnel and proxy (if enabled) are not available or the traffic type is unsupported (such as IPv6 traffic).

   • (macOS and Windows agents only) Best Available - Fail Safe—Connect to the nearest gateway or Prisma Access location but block access if the user can’t connect to the tunnel and proxy (when enabled) or the traffic type is unsupported, such as proxy-only UDP traffic.
   • Best Available - Fail Open—Connect to the nearest gateway or Prisma Access location but allow access even if the user can’t connect to the tunnel and proxy (when enabled) or the traffic type is unsupported, such as proxy-only UDP traffic.

   To set up a custom connectivity option:

   1. In the Forwarding Profiles Setup page, select ConnectivityAdd Connectivity.

   2. Enter a meaningful Name for the connectivity option you want to add.
   3. (Strata Cloud Manager only) Select TypePrisma Access Agent.
   4. Configure the Connectivity Methods. By default, only the Tunnel connectivity method is enabled, but you can also send traffic to a proxy or send DNS traffic to Advanced DNS Security Resolver as a fallback connection if the tunnel is disconnected (macOS and Windows agents only).

      • Tunnel—Directs traffic through the tunnel
      • (macOS and Windows agents only) Proxy—Directs traffic to the proxy
      • (macOS and Windows agents only) ADNS—Directs DNS traffic to Advanced DNS Security Resolver if the tunnel is disconnected. You can enable ADNS only if Tunnel is enabled.

      (macOS and Windows agents only) Usage:

      • To direct internet traffic only through the tunnel, enable Tunnel and disable Proxy.
      • To direct internet traffic only to the proxy, disable Tunnel and enable Proxy.
      • To direct internet traffic to the proxy only when the tunnel is disconnected or unavailable, enable both Tunnel and Proxy. Prisma Access Agent will send traffic through the tunnel, and if the tunnel becomes disconnected, will send traffic to the proxy.
      • To direct DNS traffic to Advanced DNS Security Resolver in the event the tunnel gets disconnected, enable both Tunnel and ADNS.
   5. (macOS and Windows agents only) Select a Fallback behavior if the user is not connected using the specified connectivity method. You can prevent access (Block) or allow access (Direct).

      For agents on iOS, Android, and ChromeOS, the fallback behavior is defined by the mobile device management (MDM) configuration.
   6. Save your connectivity settings.
   7. Repeat these steps to add more connectivity settings.
6. Create a forwarding profile that allows or excludes traffic based on the source applications, user location, destination, or connectivity options that you defined.

   1. From the Forwarding Profiles Setup page, add a forwarding profile.

      Select Forwarding ProfilesAdd Forwarding ProfilePrisma Access Agent.

   2. Enter a meaningful Name for the forwarding profile.
   3. Add one or more forwarding rules.

      The Forwarding Rules table shows the rules that make up the forwarding profile. By default, all forwarding profiles contain the following rules:

      • (macOS and Windows agents only) The Video Streaming forwarding rule, which sends all network traffic from video streaming apps outside the tunnel (direct connectivity). By excluding lower risk video streaming traffic (such as YouTube and Netflix) from the tunnel, you can decrease bandwidth consumption on the gateway.
      • The Default forwarding rule, which sends all DNS and network traffic through the tunnel. Any new rules that you add are placed above the default rule. You cannot delete or move the default forwarding rule, but you can disable it or change its Connectivity setting.
      • An implicit forwarding rule for basic endpoint connectivity that allows traffic such as DHCP, loopback, Prisma Access Agent Endpoint Manager, ADEM, and Remote Browser Isolation (RBI) traffic. The implicit forwarding rule is not displayed and cannot be changed.

      For macOS, Windows, and Linux agents, traffic forwarding rules are applied from the top down in the forwarding profile. This means that when Prisma Access Agent receives a connection request, it evaluates the forwarding rules from the top to the bottom of the Forwarding Rules table. The agent matches the connection against each rule's criteria. When all criteria in a rule match, the agent applies that rule's connectivity method to route the traffic. If a rule does not match, the agent continues evaluating the next rule in the table until it finds a match or reaches the default rule. Therefore, configure the forwarding profile in a top-down manner, such as configuring the most specific rules first and the least specific rules last.

      For mobile agents such as iOS, Android, and ChromeOS, rules will be consolidated top-down based on the destination to determine the access route for traffic forwarding.
   4. Enter the specifications for the forwarding rule.

      1. Enable the rule.
      2. Enter a meaningful Name for the rule.
      3. (macOS, Windows, and Linux agents only) Select a Source Application that you defined previously. If you select Any, the forwarding rule will apply to traffic from any source applications.
         The rule will match only if the specified source application makes the connection.
      4. (macOS and Windows agents only) (Prisma Access Agent 26.2) Select a User Location. If you did not set up a user location or if you allow the rule to match any user location, select Any.
         The rule will match only if an endpoint is connected to the specified user location.
         For Prisma Acces Agents earlier than version 26.2, any forwarding rules with a user location setting other than Any will be disabled by the Endpoint Manager. Running the pacli traffic logs command will show the verdict:

         [rule name]- disabled, The agent does not support user location

      5. Select a Destination. If you select Any, the forwarding rule will apply to traffic from any destination domain or IP address.
         The rule will match only if the traffic matches the specified destination domain or IP address.
         Prisma Access Agent cannot steer UDP traffic based on destination criteria on Windows endpoints. Any rule that uses the Destination object will not apply to UDP traffic on Windows endpoints.
      6. Select a Connectivity option that you configured, or select one of the following predefined connectivity options to handle traffic that matches the selected user location, application, or destination:
         • Direct—Sends the matching traffic outside of the tunnel. All matching traffic is sent directly to the physical adapter on the endpoint without inspection.
         • Block—Blocks all matching traffic at the endpoint.
         • (macOS and Windows agents only) Bypass— Bypasses the matching traffic to allow third-party agents on endpoints to process the connections if they are active and configured to handle the designated traffic. If no third-party agent is present or configured to handle the traffic, the system sends the traffic to the tunnel (if present) or directly to its destination if the tunnel is not present.
         • (macOS and Windows agents only) Best Available - Fail Safe—Connects to the nearest gateway or Prisma Access location but blocks all matching traffic when the tunnel and proxy (if configured) are down or for unsupported traffic types.
         • Best Available - Fail Open—Connects to the nearest gateway or Prisma Access location but allows the matching traffic to go directly to its destination when the tunnel and proxy (if configured) are down or for unsupported traffic types.
      7. Select the Traffic Type:
         Specify whether to use split DNS to allow users to direct their DNS queries for applications and resources over the tunnel or outside the tunnel in addition to network traffic.
         • DNS—Includes or excludes rules that are applied only to DNS traffic and not to network application traffic. All network application traffic goes through the tunnel regardless of the split tunnel based on the destination domain that you specified for inclusions or exclusions.
         • DNS + Network Traffic—Ensures that the split tunnel based on the destination domain you specified for inclusions or exclusions are applied to the DNS traffic and the associated network application traffic for that domain.
         • Network Traffic—Includes or excludes rules that are applied only to network application traffic and not to DNS traffic. All DNS traffic goes through the tunnel regardless of the split tunnel based on the destination domain that you specified for inclusions or exclusions.
         For Windows agents, the DNS + Network Traffic split tunnel option is not supported for source application-based split tunnel rules. If you set up split tunneling to include or exclude traffic from the tunnel based on application names and select DNS + Network Traffic, DNS query packets for excluded and included apps will not honor the split tunnel rule.
   5. Click Add to save the forwarding rule.

      The rule is added to the Forwarding Rules table. You can add multiple rules to the forwarding profile.

   6. In the Forwarding Rules table, adjust the priority of the rules in a top-down manner, such that the most specific rules go first and the least specific rules go last in the table. You can select the checkbox next to a rule and select Move Up or Move Down.
7. (macOS and Windows agents only) Configure the Traffic Enforcement options to determine how you want traffic to be enforced.

   • Block outbound LAN access when connected to the tunnel—When enabled, the agent blocks direct access to the local network when the agent is connected to the tunnel.
     Blocking access to your local network causes all traffic from being sent to the local adapter. In addition, your users won't be able to access resources on the local subnet, such as printers. Split tunnel traffic based on access route, destination domain, and application still works as expected.
     If you disable this option, your end users can access local resources without requiring them to first connect to Prisma Access using the Prisma Access Agent. The default setting is disabled.
   • Block inbound access when connected to the tunnel—When enabled, the agent blocks all inbound connections from the tunnel. The default setting is disabled.
   • Block Non-TCP and Non-UDP based traffic when connected to tunnel—When enabled, the agent blocks all non-TCP and non-UDP traffic including ICMP, GRE, IGMP, and IPSec protocols while connected to the tunnel. TCP and UDP traffic steering will adhere to the forwarding rules configured above. The default is disabled.
     For details, refer to Configure Traffic Enforcement for Non-TCP and Non-UDP Protocols.
   • Allow ICMP for troubleshooting—When enabled, the agent blocks all non-TCP and non-UDP traffic except ICMP. This configuration allows ICMP traffic while blocking all other Layer 3 protocols like GRE and IPSec. This option is available only if you enable Block Non-TCP and Non-UDP based traffic when connected to tunnel. The default is disabled.
8. Save your forwarding profile.
9. Push the configuration by selecting Push ConfigPush. This action will make your forwarding profile available for selection in the Agent Settings page.