Traffic Steering in Prisma Access
Learn about how traffic steering works with Prisma Access.
In standard Prisma Access deployments, a service connection provides access to internal network resources, such as authentication services and private apps in your headquarters or data center. Service connections process internal traffic, where no internet access is required.

In some cases, you might want to redirect internet-bound traffic to the data center. Traffic steering allows you to redirect mobile user or remote network traffic to a service connection before it is sent to the internet.

You can use traffic steering with mobile user deployments, remote network deployments, or a combination of both. Use traffic steering to direct internet-bound network traffic based on many criteria, including IP addresses, users, URLs, custom URL categories, service type (HTTP or HTTPS), User-ID, dynamic address groups (DAGs), dynamic user groups (DUGs), and IP-based external dynamic lists (EDLs).
There are two action types supported with traffic steering:

Forward to the target—Use the criteria in traffic steering rules to forward internet-bound traffic through a target you create that uses one or more service connections.

Forward to the internet—Use the criteria in traffic steering rules to forward traffic directly from its source (mobile user location or remote network connection) to the internet, without forwarding it to a service connection.
If you forward to a target, you can choose to create two types of target groups: dedicated and non-dedicated.

A service connection that is used only for traffic steering-related traffic is a dedicated service connection. To set a service connection to be used as a dedicated service connection, select Dedicated for Traffic Steering Only when you Configure Traffic Steering in Prisma Access in Panorama. Select Dedicated for PBF Only when you’re setting up a traffic steering rule in Strata Cloud Manager.

You might want to configure a dedicated service connection if you use a third-party security stack that is outside of your organization’s internal network to process traffic before it is sent to a public SaaS application or the internet. Because the security stack is not a part of your organization’s network, you don’t want this service connection to process any internal network traffic.

A service connection that is used both for traffic steering and for standard service connection-related traffic (such as traffic going to an authentication server in the data center) is a non-dedicated service connection.
Setting a service connection as a dedicated service connection causes the following changes to your deployment:

(For Prisma Access (Managed by Strata Cloud Manager) deployments only) The service connections apply source NAT to the forwarded traffic. The source IP address is the EBGP Router address of the service connection, which is taken from the Infrastructure Subnet.

Service connections that are configured as dedicated service connections do not participate in BGP routing, either internally or externally.

(For Prisma Access (Managed by Panorama) deployments only) If your dedicated service connection uses BGP, the BGP status shows as Not Enabled when you open the status page (), select a region, then select the Status tab. To check the BGP status of a service connection, check the service connections configuration page ().

(For Prisma Access (Managed by Panorama) deployments only) By default, the service connections apply source NAT to the forwarded traffic. The source IP address is the User-ID Agent Address of the service connection (), which is taken from the Infrastructure Subnet ().

(For Prisma Access (Managed by Panorama) deployments only) You can disable source NAT and use your organization’s source IP addresses for the dedicated service connection; to do so, select Disable Source NAT for Dedicated SC when you Add a target in the Target Service Connections for Traffic Steering area.
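To make the rule actions and the dedicated-connection behaviour above concrete, here is an added, constructed Python model of a traffic steering policy; it is not Prisma Access code or its configuration schema. It assumes top-down, first-match rule evaluation, that unmatched internet-bound traffic goes straight to the internet, and that only a dedicated service connection rewrites the source address (to its EBGP Router address) unless source NAT is disabled for it.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of the behaviour described above (assumption: rules are
# evaluated top-down, first match wins); not Prisma Access code or its schema.

@dataclass
class ServiceConnection:
    name: str
    dedicated: bool = False           # "Dedicated for Traffic Steering Only"
    ebgp_router_addr: str = ""        # from the Infrastructure Subnet; NAT source
    disable_source_nat: bool = False  # "Disable Source NAT for Dedicated SC"

@dataclass
class Rule:
    name: str
    action: str                       # "target" or "internet"
    target: list = field(default_factory=list)        # service connections of the target
    users: set = field(default_factory=set)
    url_categories: set = field(default_factory=set)
    src_networks: list = field(default_factory=list)  # e.g. entries of an IP-based EDL

    def matches(self, flow):
        """Every criterion that is set must match; unset criteria match anything."""
        if self.users and flow["user"] not in self.users:
            return False
        if self.url_categories and flow["url_category"] not in self.url_categories:
            return False
        if self.src_networks and not any(
                ip_address(flow["src_ip"]) in ip_network(n) for n in self.src_networks):
            return False
        return True

def steer(rules, flow):
    """Return (matched rule, path taken, source IP seen by the next hop)."""
    for rule in rules:
        if not rule.matches(flow):
            continue
        if rule.action == "internet":
            return rule.name, "internet", flow["src_ip"]
        sc = rule.target[0]           # model: use the target's first service connection
        natted = sc.dedicated and not sc.disable_source_nat
        src = sc.ebgp_router_addr if natted else flow["src_ip"]
        return rule.name, f"service-connection:{sc.name}", src
    return None, "internet", flow["src_ip"]   # no rule matched: default path

# Constructed sample: a third-party stack behind a dedicated SC, with a SaaS
# exception placed first so it is not pulled into the stack by the broad rule.
STACK = ServiceConnection("sc-security-stack", dedicated=True, ebgp_router_addr="10.255.0.9")
RULES = [
    Rule("allow-direct-saas", "internet", url_categories={"trusted-saas"}),
    Rule("steer-remote-users", "target", target=[STACK], src_networks=["10.20.0.0/16"]),
]
```

Reordering the two rules would send the SaaS traffic through the stack as well, which is the kind of ordering mistake this model makes visible before it reaches production.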