Traffic steering can process a wide variety of configurations; however, it is important to understand how Prisma Access processes rules so that you can create rules that are easy to maintain and manage. To help you create the rules that work best for your deployment, follow these guidelines:

Prisma Access evaluates rules in the order in which you create them (from top to bottom). Specify more specific rules at the top and more general rules at the bottom.

Create multiple rules with fewer matching criteria instead of fewer rules with multiple types of criteria. Simpler rules are both faster to create and easier to modify.

Because you cannot move a rule up or down in the list after you create it, carefully plan your rule order before you create the rules.

Rules that specify Any source address and User, Any destination address and URL Category, and Any service are not supported. Use more specific rules; for example, specify a rule with Any source or destination traffic and a service of service-http and service-https.

If you are going to specify rules for users in the Source User field, make sure that Prisma Access can distinguish between users when the same username is shared by users who authenticate locally and users who authenticate using LDAP: authenticate LDAP users in the format domain/username and local users in the format username (without the domain name).

If you have configured an on-premises next-generation firewall as a master device, you can auto-populate user and group information for mobile user device groups in traffic steering and security policy rules by selecting , clicking the gear icon to edit the Settings, and selecting the Master Device in the Device Group area. While this populates the master device in every device group, it only populates the user and group information for mobile users in security policy rules.

If an EDL (type IP List) is used in a traffic steering rule and the EDL's source URL is updated to a URL that is not accessible, Prisma Access may continue to use the cached IP list from the previous URL.

Prisma Access bypasses traffic steering for rules with a service type of HTTP or HTTPS if you use an application override policy for TCP ports 80 and 443. In addition, traffic steering does not work for URLs from URL categories referenced in the traffic steering rule if you have configured an application override policy for TCP ports 80 or 443.

You can specify destination IP addresses and URL categories in the same rule. If you do, Prisma Access uses a logical OR to process the destination criteria in the rule, but processes the URL and URL category traffic based on TCP ports 80 and 8080 for HTTP and TCP port 443 for HTTPS. That is, for a rule with IP addresses and URL categories, traffic matches the rule if either the IP address or the URL category matches, but the URL category match is evaluated on ports 80, 443, and 8080 only. Palo Alto Networks does not recommend creating a rule of this type; instead, create simpler rules.

For this example, create the rules from the most specific to the least specific, as shown in the following screenshot. Do not add the rule that allows all HTTP and HTTPS traffic first, or Prisma Access would direct all HTTP and HTTPS traffic to the non-dedicated connection without evaluating any of the other rules.
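To make the top-to-bottom evaluation order and the mixed IP address / URL category (logical OR, HTTP/HTTPS ports only) behaviour described above concrete, here is an added Python model of how such rules match; it is not Prisma Access code or its API, and the rule names, subnets and the "saas" category are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Ports on which URL-category criteria are evaluated (from the page):
# TCP 80 and 8080 for HTTP, TCP 443 for HTTPS.
URL_CATEGORY_PORTS = {80, 8080, 443}


@dataclass
class Rule:
    """Hypothetical model of a traffic steering rule; empty criteria mean Any."""
    name: str
    dest_networks: list = field(default_factory=list)  # CIDR strings
    url_categories: set = field(default_factory=set)
    services: set = field(default_factory=set)         # destination TCP ports
    target: str = "dedicated"

    def is_unsupported(self):
        # Any source/user, Any destination/category, Any service is rejected.
        return not (self.dest_networks or self.url_categories or self.services)

    def matches(self, dst_ip, dst_port, category):
        if self.services and dst_port not in self.services:
            return False
        if not self.dest_networks and not self.url_categories:
            return True  # destination is Any
        # Mixed IP + category rule: logical OR, but the category side is only
        # evaluated on the HTTP/HTTPS ports listed above.
        ip_hit = any(ip_address(dst_ip) in ip_network(n) for n in self.dest_networks)
        cat_hit = dst_port in URL_CATEGORY_PORTS and category in self.url_categories
        return ip_hit or cat_hit


def steer(rules, dst_ip, dst_port, category=None):
    """Top-to-bottom, first match wins; returns the matching rule name or None."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port, category):
            return rule.name
    return None


# Constructed sample rules (names, subnets and categories are assumptions).
FINANCE = Rule("finance-to-dedicated", dest_networks=["10.1.1.0/24"], services={443})
SAAS = Rule("saas-to-dedicated", url_categories={"saas"}, services={80, 443})
ALL_WEB = Rule("all-web-nondedicated", services={80, 443}, target="non-dedicated")
MIXED = Rule("mixed-ip-or-category", dest_networks=["198.51.100.0/24"], url_categories={"saas"})

GOOD_ORDER = [FINANCE, SAAS, ALL_WEB]  # most specific first
BAD_ORDER = [ALL_WEB, FINANCE, SAAS]   # catch-all first shadows every later rule
```

With BAD_ORDER, finance traffic on port 443 is steered by the catch-all rule and never reaches the finance rule; with MIXED, a "saas" destination on port 8443 matches nothing because the category side is not evaluated on that port.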