Configure bypass rules in forwarding profiles to enable Prisma Access Agent
coexistence with third-party remote access agents without routing conflicts.
When you deploy Prisma® Access Agent in environments with existing remote access
solutions, you can configure bypass rules so that both agents can coexist on an
endpoint. With a bypass rule, Prisma Access Agent ignores specific traffic, which
lets third-party agents handle the designated connections while Prisma Access
continues to secure other traffic according to your forwarding profile rules.
Multiple remote access agents on the same endpoint typically create conflicts when
they attempt to control network routing and DNS resolution simultaneously. These
conflicts manifest as connectivity failures, DNS resolution issues, and routing
table conflicts that can disrupt employee productivity.
You configure bypass rules within Forwarding Profiles using the same interface where
you define tunnel, proxy, direct, and block actions for traffic. When you select
Bypass as the action for specific traffic, Prisma Access Agent does not intercept or
modify those connections, so other remote access solutions can process the bypassed
traffic according to their own routing configurations.
Bypass rules support three traffic handling configurations: both network traffic and
DNS queries, DNS queries only, or network traffic only. When you configure traffic
for bypass, third-party agents process the connections if they are active and
configured to handle the designated traffic. If no third-party agent is present or
configured to handle the traffic, the system sends the traffic to the tunnel (if
present) or directly to its destination if the tunnel is not present. The bypass
functionality maintains consistent behavior regardless of which agent connects
first.
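The fallback order described above can be modeled to review, before rollout, which bypassed traffic would reach its destination directly when neither a third-party agent nor the tunnel handles it. This is an added example, not Palo Alto Networks code or configuration syntax; the rule layout, rule names, and sample data are constructed for illustration.

```python
# Added illustration: a model of the bypass fallback described above.
# Rule layout, names, and sample data are constructed; this is not
# Prisma Access configuration syntax or agent code.
from dataclasses import dataclass
from itertools import product

# The three traffic handling configurations a bypass rule supports.
SCOPES = {
    "network_and_dns": {"network", "dns"},
    "dns_only": {"dns"},
    "network_only": {"network"},
}

@dataclass(frozen=True)
class BypassRule:
    name: str   # hypothetical label
    scope: str  # one of SCOPES

def handler(rule, traffic, third_party_handles, tunnel_up):
    """Return who processes `traffic` ('network' or 'dns') matched by `rule`."""
    if traffic not in SCOPES[rule.scope]:
        # Not bypassed: stays under the other forwarding profile rules.
        return "forwarding-profile"
    if third_party_handles:
        return "third-party-agent"
    # No third-party agent handles it: tunnel if present, otherwise direct.
    return "tunnel" if tunnel_up else "direct"

def direct_fallback_cases(rules):
    """(rule, traffic) pairs that go direct with no third-party agent and no tunnel."""
    return [
        (rule.name, traffic)
        for rule, traffic in product(rules, ("network", "dns"))
        if handler(rule, traffic, third_party_handles=False, tunnel_up=False) == "direct"
    ]

# Constructed sample rules.
RULES = [
    BypassRule("legacy-vpn-subnets", "network_only"),
    BypassRule("partner-dns-zone", "dns_only"),
    BypassRule("contractor-app", "network_and_dns"),
]

if __name__ == "__main__":
    for name, traffic in direct_fallback_cases(RULES):
        print(f"{name}: {traffic} goes direct if no third-party agent and no tunnel")
```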
Before configuring bypass rules, ensure that you have:
Follow the instructions to configure bypass rules within Forwarding Profiles in Strata Cloud Manager Managed Prisma Access or Panorama Managed
Prisma Access or NGFW deployments.