Default Routes With Prisma Access Traffic Steering
Learn how default routes work in Prisma Access traffic steering.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
Use the default route capability in Prisma Access to accept default routes advertised from your customer premises equipment (CPE) to service connections. You can use BGP or static routes to advertise the default route. Prisma Access uses BGP to advertise these routes over multiple service connections, which allows Prisma Access to route mobile user traffic through the best service connection for a given mobile user location. To enable service connections to accept default routes, specify Accept Default Route over Service Connections when you Configure Traffic Steering in Prisma Access.
After you enable default routes, your internet-bound traffic will be steered to service connections instead of egressing from the mobile user locations. This functionality can be useful if you want to redirect internet-bound traffic to the data center; for example, if you have a third-party security stack in your data center and you want the stack to perform additional screening or inspection.
Use the following guidelines when implementing default routes:
  • Default routes apply to mobile user deployments only; remote network connections operate normally with no change when you enable default routes.
  • You do not need to specify target service connections or traffic steering rules when you allow default routes, although they are supported for use with default routes.
  • When you specify the Accept Default Route over Service Connections setting, all Prisma Access service connections, with the exception of dedicated service connections, accept default routes and will use the routes in traffic steering decisions.
  • Before you enable this setting, make sure that your data centers are sending default routes; otherwise, routing through service connections will fail.
  • Palo Alto Networks recommends that all data centers advertise a default route; when Prisma Access receives the routes, it can then select the best service connection to use for the remote network location.
  • When you configure service connections, use either static routes only or BGP only for the connections. Palo Alto Networks does not recommend mixing service connections that use BGP and static routes when using default routes.
  • (For Prisma Access (Managed by Panorama) deployments only) Using default routes is supported with multitenant deployments.
  • Prisma Access does not forward Clientless VPN, portal, or gateway SAML authentication traffic to a public identity provider (IdP) using the default route.
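The following pre-enablement check is an added example, not part of the Prisma Access documentation or product: it encodes the guidelines above (dedicated service connections are excluded, routing modes must not be mixed, and every data center must advertise a default route) as a function run over a constructed inventory of service connections. The ServiceConnection record and the sample inventory are assumptions for illustration; Prisma Access does not expose them in this form.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

DEFAULT_ROUTE = ip_network("0.0.0.0/0")


@dataclass
class ServiceConnection:
    """Hypothetical inventory record for one service connection."""
    name: str
    routing: str                 # "bgp" or "static"
    dedicated: bool              # dedicated connections never accept default routes
    received_routes: list = field(default_factory=list)  # prefixes learned from the data center


def check_default_route_readiness(conns):
    """Return the problems that would make routing through service connections
    fail once Accept Default Route over Service Connections is enabled.
    An empty list means the guidelines are satisfied."""
    problems = []
    # Dedicated service connections are not part of the default-route decision.
    eligible = [c for c in conns if not c.dedicated]
    if not eligible:
        return ["no service connection is eligible to accept a default route"]
    # Mixing BGP and static service connections is not recommended with default routes.
    modes = sorted({c.routing for c in eligible})
    if len(modes) > 1:
        problems.append("mixed routing modes across service connections: " + ", ".join(modes))
    # Each data center behind an eligible connection must advertise 0.0.0.0/0.
    for c in eligible:
        learned = {ip_network(r, strict=False) for r in c.received_routes}
        if DEFAULT_ROUTE not in learned:
            problems.append(f"{c.name}: data center is not advertising a default route")
    return problems


# Constructed sample inventory: one healthy BGP site, one BGP site missing the
# default route, one static site, and one dedicated connection that is skipped.
SAMPLE_CONNECTIONS = [
    ServiceConnection("dc-east", "bgp", False, ["0.0.0.0/0", "10.1.0.0/16"]),
    ServiceConnection("dc-west", "bgp", False, ["10.2.0.0/16"]),
    ServiceConnection("dc-backup", "static", False, ["0.0.0.0/0"]),
    ServiceConnection("dc-dedicated", "static", True, []),
]

if __name__ == "__main__":
    for problem in check_default_route_readiness(SAMPLE_CONNECTIONS):
        print("NOT READY:", problem)
```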