Prisma Access Agent
Configure Third-Party Agent Coexistence with Bypass Rules
Configure bypass rules in forwarding profiles to enable Prisma Access Agent
coexistence with third-party remote access agents without routing conflicts.
When you deploy Prisma® Access Agent in environments with existing remote access
solutions, you can configure bypass rules to enable both agents to coexist on an
endpoint. The bypass functionality enables Prisma Access Agent to ignore specific
traffic, enabling third-party agents to handle designated connections while Prisma
Access continues to secure other traffic according to your forwarding profile
rules.
Multiple remote access agents on the same endpoint typically create conflicts when
they attempt to control network routing and DNS resolution simultaneously. These
conflicts manifest as connectivity failures, DNS resolution issues, and routing
table conflicts that can disrupt employee productivity.
You configure bypass rules within Forwarding Profiles using the same interface where
you define tunnel, proxy, direct, and block actions for traffic. When you select
Bypass as the action for specific traffic, Prisma Access
Agent will not intercept or modify those connections, enabling other remote access
solutions to process the bypassed traffic according to their own routing
configurations.
Bypass rules support three traffic handling configurations: both network traffic and
DNS queries, DNS queries only, or network traffic only. When you configure traffic
for bypass, third-party agents process the connections if they are active and
configured to handle the designated traffic. If no third-party agent is present or
configured to handle the traffic, the system sends the traffic to the tunnel (if
present) or directly to its destination if the tunnel is not present. The bypass
functionality maintains consistent behavior regardless of which agent connects
first.
Before configuring bypass rules, ensure that you have:
- Administrative access to Strata Cloud Manager, Panorama, or your firewall management interface
- Configured appropriate rules in the third-party agent to intercept the traffic
- Identified the specific applications, destinations, or traffic types that the third-party agent should handle
- Navigate to the forwarding profiles setup page:
  - Strata Cloud Manager Managed Prisma Access deployments:
    - Select Configuration > NGFW and Prisma Access > Configuration Scope > Mobile Users Container.
    - Edit the settings in the Forwarding Profiles Setup section.
  - Panorama Managed Prisma Access deployments:
    - From the Cloud Services plugin in Panorama, select Panorama > Cloud Services > Prisma Access Agent > Launch Prisma Access Agent.
    - Select Configuration > Forwarding Profiles.
  - Panorama Managed NGFW deployments:
    - Log in to Strata Cloud Manager as the administrator.
    - Select Configuration > Forwarding Profiles.
- Set up the Source Applications or Destinations for which you need to bypass traffic. For example, you can specify a Destination for a domain you want to bypass, or specify the IP addresses for the applications you want to bypass. You can also set up specific Source Applications that you want to bypass.
- Configure a forwarding profile where you want to specify bypass rules:
  - Select an existing forwarding profile you want to modify or add a forwarding profile.
  - In the Forwarding Rules section, select an existing forwarding rule or Add a forwarding rule for the source application or destination you want to bypass.
  - Specify the properties for the forwarding rule:
    - Enable the forwarding rule.
    - Enter a meaningful Name for the rule.
    - Select the Source Application and Destination that you want to bypass. For example, you can bypass Any applications in the lab destination.
      On Windows endpoints, the bypass feature cannot steer UDP traffic based on destination criteria. This limitation prevents destination-based routing configurations for UDP traffic when using bypass rules with third-party agents on Windows systems.
    - Select Connectivity > Bypass.
    - Select the Traffic Type to bypass (DNS, DNS + Network Traffic, or Network Traffic).
    - Update the forwarding rule.
- Set the rule priority to ensure bypass rules are evaluated in the correct order relative to other forwarding rules. You can select a forwarding rule and move it up or down in the Forwarding Rules table.
- Select a Traffic Enforcement option if needed.
- Save your forwarding profile settings.
- Push the configuration to deploy the bypass rules to your Prisma Access Agent deployment.
- After deploying the configuration, verify that bypass rules are working correctly on an endpoint that has the bypass rule configuration. Use PACli commands on the endpoint to monitor traffic processing and confirm that bypassed traffic shows the Bypass connectivity in the traffic logs. For example, suppose you set up a forwarding rule to bypass the *.cnn.com destination and want to verify that traffic to *.cnn.com is bypassed:
  - On an endpoint, access cnn.com in a browser.
  - In a command prompt or terminal on the endpoint, issue the following command to show the forwarding rules in a forwarding profile:
    pacli traffic show
    [Screenshot: example forwarding profile on Windows, showing the forwarding rule named cnn bypass rule]
  - To show the details of the cnn bypass rule forwarding rule (rule 1 in the forwarding profile table), issue the following command:
    pacli traffic show 1
    [Screenshot: example of the bypass forwarding rule details]
  - To check the traffic log for the DNS packets of *.cnn.com that got bypassed, run the following command:
    pacli traffic log | grep cnn.com
    [Screenshot: example of the DNS packets of cnn.com that were bypassed on Windows]
  - To show the data connection for cnn.com that got bypassed:
    - Run the curl command to transfer data from cnn.com. For example:
      curl cnn.com
    - Grep the traffic log for the curl command:
      pacli traffic log | grep curl
    - In the command output, make sure the data connection is Bypass.
      [Screenshot: example traffic log entry showing the curl data connection with Bypass connectivity]
- Verify that non-bypassed traffic continues to route through Prisma Access according to your other forwarding rules. Suppose that traffic from the booking.com website is supposed to go through the tunnel according to your forwarding profile configuration:
  - Access the booking.com website on an endpoint.
  - Issue the following command:
    pacli traffic log | grep booking.com
  - In the command output, ensure that traffic from booking.com goes through the Tunnel.
    [Screenshot: example traffic log entries for booking.com showing Tunnel connectivity]
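The two verification checks above (bypassed destinations must show Bypass, tunneled ones must show Tunnel) can be scripted so that a mismatch is reported instead of being read off the screen. This is an added example, not part of the Prisma Access Agent documentation; the verify_connectivity helper and the traffic-log line layout in the constructed sample are assumptions, since the page does not show the exact pacli output format.

```shell
#!/bin/sh
# Added example, not from the Prisma Access Agent documentation.
# verify_connectivity reads `pacli traffic log` output on stdin and exits 0
# only if every entry for the given destination shows the expected
# connectivity. On a real endpoint it would be used as:
#   pacli traffic log | verify_connectivity Bypass cnn.com
# ASSUMPTION: the log line layout in SAMPLE_LOG is constructed for
# illustration; the real pacli columns may differ, so adapt the match if needed.

verify_connectivity() {
    expected=$1   # connectivity the forwarding rule should produce: Bypass or Tunnel
    pattern=$2    # destination to look for, e.g. cnn.com or booking.com
    awk -v want="$expected" -v pat="$pattern" '
        $0 ~ pat {
            total++
            if ($0 ~ want) ok++
            else bad = bad "\n  " $0
        }
        END {
            if (total == 0) { print "no traffic seen for " pat; exit 2 }
            if (ok != total) { print "unexpected connectivity for " pat ":" bad; exit 1 }
            print total " entries for " pat " use " want
        }'
}

# Constructed sample log mirroring the two checks on this page: cnn.com is
# covered by a bypass rule and booking.com is expected to take the tunnel.
SAMPLE_LOG='2024-01-01 10:00:01 DNS      www.cnn.com      Bypass  cnn bypass rule
2024-01-01 10:00:02 TCP 443  www.cnn.com      Bypass  cnn bypass rule
2024-01-01 10:00:03 DNS      www.booking.com  Tunnel  default rule
2024-01-01 10:00:04 TCP 443  www.booking.com  Tunnel  default rule'

# Each check returns 0 on success, 1 on a connectivity mismatch, 2 if no entry matched.
check_bypass()   { printf '%s\n' "$SAMPLE_LOG" | verify_connectivity Bypass cnn.com; }
check_tunnel()   { printf '%s\n' "$SAMPLE_LOG" | verify_connectivity Tunnel booking.com; }
check_mismatch() { printf '%s\n' "$SAMPLE_LOG" | verify_connectivity Tunnel cnn.com; }
check_absent()   { printf '%s\n' "$SAMPLE_LOG" | verify_connectivity Bypass example.org; }

check_bypass && check_tunnel
```

Replace the sample with a live `pacli traffic log` pipe to run the same check on an endpoint after a configuration push.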