Enable Routing for Your Remote Network
Focus
Focus
Prisma Access

Enable Routing for Your Remote Network

Table of Contents

Enable Routing for Your Remote Network

Configure routing settings for your remote network.
Where Can I Use This?
What Do I Need?
  • Prisma Access (Cloud Management)
In order for
Prisma Access
to route traffic to your remote networks, you must provide routing information for the subnetworks that you want to secure using
Prisma Access
. You can do this in several ways. You can either define a static route to each subnetwork at the remote network site, or configure BGP between your service connection locations and
Prisma Access
, or use a combination of both methods.
If you configure both static routes and enable BGP, the static routes take precedence. While it might be convenient to use static routes if you have just a few subnetworks at your remote network locations, in a large deployment with many remote networks with overlapping subnets, BGP will enable you to scale more easily.
  • Static Routes
    —To enable static routes to and from your remote site to
    Prisma Access
    , identify the subnetworks or individual IP addresses at the remote site that you want
    Prisma Access
    to secure (for both inbound and outbound traffic). The subnetworks at each site must not overlap with each other, with the IP pools that you designated for
    Prisma Access
    for Users, or with the infrastructure subnet.
  • BGP
    —If you want to enable BGP to dynamically route traffic to and from your remote network, you will need to provide the BGP information for the eBGP router at your branch:
    • Branch Router Autonomous System (AS) Number
      —The AS to which the eBGP router at the remote network belongs. This is called the
      Peer AS
      .
    • Router ID
      —The IP address assigned as the Router ID of the eBGP router on the remote network. This is called the
      Peer Address
      .
    If you configure both static routes and BGP routing, the static routes take precedence.
Here’s how to configure routing settings for your remote network site.
  • To add or adjust routing settings, go to
    Manage
    Service Setup
    Remote Networks
    and add or edit a remote network site.
    If you're using Strata Cloud Manager, go to
    Workflows
    Prisma Access
    Setup
    Remote Networks
    and add or edit a remote network site.
  • Configure static routes.
    If you are using static routes to route traffic to and from your branch,
    Add
    the IP subnets or IP addresses that you want to secure at the branch. Note that if you make any changes to the IP subnets on your branch, you must manually update the static routes.
  • Configure dynamic routing.
    To use dynamic routing to advertise your branch subnets,
    Enable BGP for Dynamic Routing
    and then configure the following settings:
    • Do Not Export Routes
      —Prevent
      Prisma Access
      from forwarding routes into your remote network.
      By default,
      Prisma Access
      advertises all BGP routing information, including local routes and all prefixes it receives from other service connections, remote networks, and mobile user subnets. Select this check box to prevent
      Prisma Access
      from sending any BGP advertisements, but still use the BGP information it receives to learn routes from other BGP neighbors.
      Because
      Prisma Access
      does not send BGP advertisements, if you select this option you must configure static routes on your on-premises equipment to establish routes back to Prisma Access.
    • Peer IP Address
      —Enter the Peer IP Address assigned as the Router ID of the eBGP router on the remote network.
    • Peer AS
      —Enter the Peer AS, which is the autonomous system (AS) for your network.
      You must use an RFC 6996-compliant BGP Private AS number.
    • Local IP Address
      —Enter the IP address that
      Prisma Access
      uses as its Local IP Address for BGP.
      A local address is only required if your remote site device requires it for BGP peering to be successful. Make sure the address you specify does not conflict or overlap with IP addresses in the infrastructure subnet or subnets in the remote network.
    • Secret
      —Enter a Secret password to authenticate BGP peer communications and then
      Confirm Secret
      .

Troubleshoot Site Connections

For troubleshooting purposes, you can now view the routing table for a remote network site or service connection site. Find the
Routing Information
button on the remote networks or service connection dashboard.

Recommended For You