>
    Default Routes With Prisma Access Traffic Steering
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access Advanced Deployments
    5. Prisma Access Service Connection Advanced Deployments
    6. Use Traffic Steering to Forward Internet-Bound Traffic to Service Connections
    7. Default Routes With Prisma Access Traffic Steering
    Download PDF
    Prisma Access

    Default Routes With Prisma Access Traffic Steering

    Table of Contents

    Default Routes With Prisma Access Traffic Steering

    Learn how default routes work in Prisma Access traffic steering.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    Use the default route capability in Prisma Access to accept default routes being advertised from your CPE to service connections. You can use BGP or static routes to advertise the default route. Prisma Access uses BGP to advertise these routes over multiple service connections, which allows Prisma Access to route mobile user traffic through the best service connection for a given mobile user location. To enable service connections to accept default routes, specify Accept Default Route over Service Connections when you Configure Traffic Steering in Prisma Access.
    After you enable default routes, your internet-bound traffic will be steered to service connections instead of egressing from the mobile user locations. This functionality can be useful if you want to redirect internet-bound traffic to the data center; for example, if you have a third-party security stack in your data center and you want the stack to perform additional screening or inspection.
    Use the following guidelines when implementing default routes:
    • Default routes apply to mobile user deployments only; remote network connections operate normally with no change when you enable default routes.
    • You do not need to specify target service connections or traffic steering rules when you allow default routes, although they are supported for use with default routes.
    • When you specify the Accept Default Route over Service Connections setting, all Prisma Access service connections, with the exception of dedicated service connections, accept default routes and will use the routes in traffic steering decisions.
    • Before you enable this setting, make sure that your data centers are sending default routes; otherwise, routing through service connections will fail.
    • Palo Alto Networks recommends that all data centers advertise a default route; when Prisma Access receives the routes, it can then select the best service connection to use for the remote network location.
    • When you configure service connections, use either static routes only or BGP only for the connections. Palo Alto Networks does not recommend mixing service connections that use BGP and static routes when using default routes.
    • (For Prisma Access (Managed by Panorama) deployments only) Using default routes is supported with multitenant deployments.
    • Prisma Access does not forward Clientless VPN, portal, or gateway SAML authentication traffic to a public identity provider (IdP) using the default route.
    For more information and examples of implementing default routes with traffic steering, see Default Routes with Traffic Steering Example, Default Routes with Traffic Steering Direct to Internet Example, and Default Routes with Traffic Steering and Dedicated Service Connection Example.

    © 2025 Palo Alto Networks, Inc. All rights reserved.