Windows Forwarding Profiles Considerations
On Windows endpoints, Prisma Access Agent forwarding profiles treat two kinds of rules differently: DNS rules matched on source application and UDP rules matched on destination. Both require an alternative rule design.

Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Panorama)

What Do I Need?
  • Check the prerequisites for the deployment you're using
  • Windows 10 version 2024 and later desktop devices
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
When configuring forwarding profiles for the Prisma Access Agent on Windows endpoints, there are two specific behaviors to consider. These behaviors require adjustments to your traffic forwarding rules to ensure proper traffic routing and policy enforcement.
  • DNS Traffic with Source Application Rules
    For DNS traffic on Windows endpoints, forwarding rules that use the source application (for example, Chrome) as a match condition do not take effect. Instead of following your rule, the DNS traffic is handled by the action of the Default rule (the last rule in the profile), so check that the Default rule's action is acceptable for DNS.
    For a combined rule that covers both data and DNS traffic and uses source application criteria, the data portion matches as intended while the DNS portion falls through to the Default rule.
    To avoid this, write DNS rules for Windows deployments with destination-based criteria (for example, the resolver address) rather than source application matching.
    The agent also adds implicit rules of its own: outgoing DNS traffic to the Prisma Access Agent Manager (EPM) and to the gateways, from any process, is sent over the physical network adapter rather than through the tunnel.
  • UDP Traffic with Destination-Based Rules
    Outgoing UDP traffic rules written with destination-based criteria do not match connections on Windows endpoints. Those connections are handled by the Default rule instead of the forwarding profile rule you intended.
    To avoid this, key UDP forwarding rules for Windows endpoints on the source application (the originating process) rather than on the destination.
    This behavior affects only traffic tunneling and redirection: enforcement rules based on destination criteria still apply to UDP traffic. TCP and DNS traffic are not affected by this behavior.
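The following is an added example, not Palo Alto Networks code or the agent's actual implementation. It models first-match evaluation of a forwarding profile the way the two Windows behaviors above describe it, so you can see which rule a given flow actually lands on, and it lints a profile for rule portions that can never take effect on Windows. The Rule and Flow structures, the process names (chrome.exe, teams.exe, svchost.exe) and every IP address are assumptions chosen for illustration; a naive profile is shown next to the same intent restructured as this page recommends.

```python
"""Simulate first-match forwarding-profile evaluation as the Windows
Prisma Access Agent applies it, and lint a profile for rules that the two
Windows behaviors will send to the Default rule.

Added example for this page, not Palo Alto Networks code. The Rule and
Flow structures, the process names and every IP address below are
assumptions for illustration; real profiles are built in Strata Cloud
Manager or Panorama.
"""
import ipaddress
from dataclasses import dataclass

ALL_PROTOCOLS = frozenset({"tcp", "udp", "dns"})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # e.g. "tunnel" or "bypass"
    protocols: frozenset = frozenset()     # empty means any protocol
    src_apps: frozenset = frozenset()      # process names; empty means any process
    dst_nets: tuple = ()                   # CIDR strings; empty means any destination


@dataclass(frozen=True)
class Flow:
    protocol: str   # "tcp", "udp" or "dns"
    dst_ip: str
    src_app: str


def criteria_match(rule, flow):
    """Platform-independent matching: every configured criterion must hold."""
    if rule.protocols and flow.protocol not in rule.protocols:
        return False
    if rule.src_apps and flow.src_app not in rule.src_apps:
        return False
    if rule.dst_nets:
        ip = ipaddress.ip_address(flow.dst_ip)
        if not any(ip in ipaddress.ip_network(n) for n in rule.dst_nets):
            return False
    return True


def windows_skip_reason(rule, flow):
    """The two Windows behaviors: a rule whose criteria match is still passed
    over for DNS flows when it carries a source-application criterion, and
    for UDP flows when it carries a destination criterion.
    Returns the reason, or None if the rule applies normally."""
    if flow.protocol == "dns" and rule.src_apps:
        return "DNS flows ignore source-application criteria on Windows"
    if flow.protocol == "udp" and rule.dst_nets:
        # Assumption: any destination criterion on a UDP forwarding rule
        # causes the miss, so UDP rules for Windows are keyed on process only.
        return "UDP flows ignore destination criteria on Windows"
    return None


def evaluate(rules, flow, windows=True):
    """Return (rule_name, skipped): the first rule that takes effect and the
    rules whose criteria matched but were passed over on Windows."""
    skipped = []
    for rule in rules:
        if not criteria_match(rule, flow):
            continue
        reason = windows_skip_reason(rule, flow) if windows else None
        if reason:
            skipped.append((rule.name, reason))
            continue
        return rule.name, skipped
    raise ValueError("no rule matched; a profile must end with a catch-all Default rule")


def audit(rules):
    """Static check of a profile (excluding its final Default rule) for the
    rule portions that can never take effect on Windows."""
    findings = []
    for rule in rules[:-1]:
        protos = rule.protocols or ALL_PROTOCOLS
        if "dns" in protos and rule.src_apps:
            findings.append((rule.name, "DNS portion falls to Default; match DNS on destination instead"))
        if "udp" in protos and rule.dst_nets:
            findings.append((rule.name, "UDP portion falls to Default; match UDP on source application instead"))
    return findings


# Stand-ins for the implicit rules the agent adds itself: DNS to the EPM and
# gateways (assumed addresses) goes out the physical adapter from any process.
IMPLICIT_RULES = [
    Rule("implicit-dns-epm-gateways", "physical-adapter", frozenset({"dns"}),
         dst_nets=("203.0.113.10/32", "198.51.100.20/32")),
]

# A profile written without the Windows caveats in mind (constructed example).
NAIVE_PROFILE = [
    Rule("chrome-to-tunnel", "tunnel", frozenset({"tcp", "dns"}), src_apps=frozenset({"chrome.exe"})),
    Rule("voip-udp-direct", "bypass", frozenset({"udp"}), dst_nets=("192.0.2.0/24",)),
    Rule("Default", "tunnel"),
]

# The same intent restructured as the page recommends: DNS keyed on the
# (assumed) resolver address, UDP keyed on the originating process.
FIXED_PROFILE = [
    Rule("chrome-to-tunnel", "tunnel", frozenset({"tcp"}), src_apps=frozenset({"chrome.exe"})),
    Rule("dns-to-tunnel", "tunnel", frozenset({"dns"}), dst_nets=("9.9.9.9/32",)),
    Rule("voip-udp-direct", "bypass", frozenset({"udp"}), src_apps=frozenset({"teams.exe"})),
    Rule("Default", "tunnel"),
]


if __name__ == "__main__":
    flows = [Flow("dns", "9.9.9.9", "chrome.exe"), Flow("tcp", "9.9.9.9", "chrome.exe"),
             Flow("udp", "192.0.2.5", "teams.exe"), Flow("dns", "203.0.113.10", "svchost.exe")]
    for profile, label in ((NAIVE_PROFILE, "naive"), (FIXED_PROFILE, "fixed")):
        print(f"--- {label} profile: audit -> {audit(profile)}")
        for flow in flows:
            print(flow, "->", evaluate(IMPLICIT_RULES + profile, flow))
```

Run it and the naive profile shows the two failure modes side by side: Chrome's TCP flows hit chrome-to-tunnel while its DNS flows land on Default, and the destination-keyed UDP rule is passed over for Windows but would match with windows=False. The fixed profile audits clean and every flow reaches the rule it was written for. The skip reason for a UDP rule carrying both a source application and a destination is an assumption in this model; the page only states that destination-based UDP rules miss, so confirm that case in your own deployment.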