Describes the requirements you need to deploy traffic
Before you implement traffic steering in your
make sure that your network environment has the following infrastructure
must be able to connect to the IPSec-capable
CPE (such as a router or SD-WAN device) that your organization uses
to terminate the service connection, and the IP address for the
device must be reachable from
You create a
service connection using standard IPSec and IKE cryptographic profiles
between the stack location and
. You can use static
routes, BGP, or a combination of both when you configure a service
connection and use traffic steering. If you use default routes
with traffic steering, Palo Alto Networks recommends that you use
either BGP only or static routes only. If you use static routing,
specify the public IP address used by the organization’s CPE as

Prisma Access might not match the first few packets of a URL from a URL
category in a traffic steering rule, which means that the first
few packets of a network session (for example, a TCP handshake)
might not match the rule. Palo Alto Networks recommends that, for
URLs you use in traffic steering rules, you create a security policy
rule to allow them through the Untrust zone so that the handshake
can complete when a new session begins.
If you are using this configuration with a security stack,
the stack location must be reachable from the service connection
by a standard IPSec tunnel configuration.

Use the following guidelines when configuring traffic steering:

You can specify up to 1,000 URLs (aggregated) in a traffic
steering configuration, including regular and wildcard (*.example.com)
URLs in custom URL categories.

Prisma Access prepends an asterisk to URLs in custom URL categories if
you use the category in a traffic steering rule. If you use the
same URL category policies for both traffic steering and other security
policy rules, these changes apply to both the traffic steering rules
and other security policy rules.
If you have custom URL categories
that are not used in traffic steering rules, Prisma Access does
not change the URLs in those categories.

Use all lower-case URLs when you enter URLs in a custom URL category.

You can configure a maximum of 100 traffic steering rules.

If you have primary and backup tunnels configured, traffic
steering using traffic steering rules will not work after a failover
from the primary (active) to the backup tunnel. Default Routes With Prisma Access Traffic Steering works in
a failover scenario with primary and backup tunnels.
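
The guidelines above can be checked against a planned configuration before it is committed. The following is an added example, not Palo Alto Networks code: the function name, the dictionary layout, and the sample categories and rules are all constructed for illustration, and it assumes the 1,000-URL limit counts every entry in every category that a traffic steering rule references.

```python
MAX_URLS = 1000   # aggregated URL limit from the guidelines
MAX_RULES = 100   # traffic steering rule limit from the guidelines


def lint_steering(categories, steering_rules, security_categories=frozenset()):
    """Check a planned traffic steering config against the guidelines.

    categories:          {category name: [urls]}         (hypothetical layout)
    steering_rules:      {rule name: [category names]}   (hypothetical layout)
    security_categories: categories also used by other security policy rules
    Returns a list of finding strings; an empty list means no issues found.
    """
    findings = []
    if len(steering_rules) > MAX_RULES:
        findings.append(f"rules: {len(steering_rules)} configured, limit is {MAX_RULES}")
    # Only categories referenced by a steering rule are affected.
    used = {c for cats in steering_rules.values() for c in cats}
    total = 0
    for name in sorted(used):
        if name not in categories:
            findings.append(f"{name}: referenced by a steering rule but not defined")
            continue
        urls = categories[name]
        total += len(urls)  # assumption: duplicates count toward the limit
        for url in urls:
            if url != url.lower():
                findings.append(f"{name}: '{url}' is not lower-case")
        # The asterisk change also affects other rules using this category.
        if name in security_categories:
            findings.append(f"{name}: shared with security policy rules; "
                            "the prepended asterisk applies there too")
    if total > MAX_URLS:
        findings.append(f"urls: {total} across steering categories, limit is {MAX_URLS}")
    return findings


# Constructed sample input (not from any real deployment).
CATEGORIES = {
    "saas-direct": ["*.example.com", "Portal.Example.net"],
    "finance": ["pay.example.org"],
    "unused": ["intranet.example.com"],
}
STEERING_RULES = {"steer-saas": ["saas-direct"], "steer-fin": ["finance"]}
SECURITY_CATEGORIES = {"finance"}

if __name__ == "__main__":
    for finding in lint_steering(CATEGORIES, STEERING_RULES, SECURITY_CATEGORIES):
        print(finding)
```

Categories that no traffic steering rule references, such as `unused` in the sample, are skipped because the guidelines state their URLs are not changed.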