Traffic Steering in Prisma Access

Learn about how traffic steering works with Prisma Access.
In standard Prisma Access deployments, a service connection provides access to internal network resources, such as authentication services and private apps in your headquarters or data center. Service connections carry internal traffic that does not need to reach the internet. In some cases, however, you might want internet-bound traffic to go through the data center as well (for example, so that it passes through an on-premises or third-party security stack). Traffic steering lets you redirect mobile user or remote network traffic to a service connection before it is sent to the internet.
You can use traffic steering with mobile user deployments, remote network deployments, or a combination of both. Traffic steering rules select internet-bound traffic based on criteria such as IP addresses, custom URL categories, service type (HTTP or HTTPS), User-ID, Dynamic Address Groups (DAGs), and IP-based External Dynamic Lists (EDLs).
There are two action types supported with traffic steering:
  • Forward to the target
    —Use the criteria in traffic steering rules to forward internet-bound traffic through a target you create that uses one or more service connections.
  • Forward to the internet
    —Use the criteria in traffic steering rules to directly forward traffic from its source (mobile user location or remote network connection) to the internet, without being forwarded to a service connection.
If you forward to a target, the service connections that make up the target can be of two types: dedicated and non-dedicated.
  • A service connection that is used only for traffic steering-related traffic is a dedicated service connection. To set a service connection as dedicated, select Dedicated for Traffic Steering Only when you Configure Traffic Steering in Prisma Access in Panorama.
    You might want to configure a dedicated service connection if you use a third-party security stack that is outside of your organization’s internal network to process traffic before it is sent to a public SaaS application or the internet. Because the security stack is not a part of your organization’s network, you don’t want this service connection to process any internal network traffic.
  • A service connection that is used both for traffic steering and for standard service connection-related traffic (such as traffic going to an authentication server in the data center) is a non-dedicated service connection.
Setting a service connection as a dedicated service connection causes the following changes to your deployment:
  • The zone for all service connections associated with this target changes from Trust to Untrust. Check your zone mapping and Configure Zone Mapping and Security Policies for Traffic Steering Dedicated Connections to make sure that your security policy reflects this change; rules that still match the dedicated connection’s traffic in the Trust zone will no longer apply to it.
  • Service connections that are configured as dedicated service connections do not participate in BGP routing, either internally or externally.
  • If your dedicated service connection has BGP configured, the BGP status shows as Not Enabled when you open the status page (Panorama > Cloud Services > Status > Monitor > Service Connection), select a region, then select the Status tab. To check whether BGP is configured for a service connection, open the service connection configuration page (Panorama > Cloud Services > Configuration > Service Connection).
  • By default, the service connections apply source NAT to the forwarded traffic. The source IP address is the User-ID Agent Address of the service connection (Panorama > Cloud Services > Status > Network Details > Service Connection > User-ID Agent Address), which is taken from the Infrastructure Subnet (Panorama > Cloud Services > Status > Network Details > Service Infrastructure). Anything downstream of the service connection (such as a third-party security stack) therefore sees the infrastructure-subnet address, not the mobile user’s or remote network’s original source address.
    You can disable source NAT and keep your organization’s original source IP addresses for a dedicated service connection; to do so, select Disable Source NAT for Dedicated SC when you Add a target in the Target Service Connections for Traffic Steering area. This option applies only to dedicated service connections.
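The following Python is an added example, not code from Palo Alto Networks or from this page. It models the traffic steering decisions described above so the consequences are easy to reason about before you change the configuration in Panorama: rules are evaluated in order against IP address, URL category, service and user criteria (DAG and EDL membership collapse to a list of IP networks in this model); a rule either forwards to a target built from service connections or directly to the internet; dedicated service connections land in the Untrust zone and report BGP as Not Enabled; and traffic through a target is source-NATed to the service connection’s User-ID Agent Address unless source NAT is disabled, which the model only permits on dedicated service connections. The infrastructure subnet, service connection names, addresses and rules are constructed sample values, and treating unmatched traffic as going directly to the internet is an assumption of the model, not a statement about the product.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample value; the real subnet is shown under
# Panorama > Cloud Services > Status > Network Details > Service Infrastructure.
INFRA_SUBNET = ip_network("172.16.0.0/16")


@dataclass
class ServiceConnection:
    name: str
    user_id_agent_address: str      # source IP after NAT, taken from the infrastructure subnet
    dedicated: bool = False         # "Dedicated for Traffic Steering Only"
    bgp_configured: bool = False

    def __post_init__(self) -> None:
        if ip_address(self.user_id_agent_address) not in INFRA_SUBNET:
            raise ValueError(f"{self.name}: User-ID Agent Address is not in the infrastructure subnet")

    @property
    def zone(self) -> str:
        # Dedicated service connections move from the Trust zone to Untrust.
        return "Untrust" if self.dedicated else "Trust"

    @property
    def bgp_status(self) -> str:
        # Dedicated service connections never participate in BGP, even if BGP is configured.
        if self.dedicated:
            return "Not Enabled"
        return "Enabled" if self.bgp_configured else "Not Configured"


@dataclass
class Target:
    name: str
    service_connections: list
    disable_source_nat: bool = False   # "Disable Source NAT for Dedicated SC"

    def __post_init__(self) -> None:
        if self.disable_source_nat and not all(sc.dedicated for sc in self.service_connections):
            raise ValueError(f"{self.name}: source NAT can only be disabled on dedicated service connections")


@dataclass
class Flow:
    src_ip: str
    user: str
    url_category: str
    service: str   # "HTTP" or "HTTPS"


@dataclass
class Rule:
    name: str
    action: str                                          # "target" or "internet"
    target: Optional[Target] = None
    src_networks: list = field(default_factory=list)     # IP addresses, DAG or IP-based EDL members, as CIDRs
    url_categories: set = field(default_factory=set)     # custom URL categories; empty set matches any
    services: set = field(default_factory=set)           # "HTTP"/"HTTPS"; empty set matches any
    users: set = field(default_factory=set)              # User-ID names; empty set matches any

    def matches(self, flow: Flow) -> bool:
        src = ip_address(flow.src_ip)
        if self.src_networks and not any(src in ip_network(n) for n in self.src_networks):
            return False
        if self.url_categories and flow.url_category not in self.url_categories:
            return False
        if self.services and flow.service not in self.services:
            return False
        if self.users and flow.user not in self.users:
            return False
        return True


def steer(rules: list, flow: Flow) -> dict:
    """Return the first matching rule, the egress path, the source IP the next hop sees, and the zone."""
    for rule in rules:
        if not rule.matches(flow):
            continue
        if rule.action == "internet":
            return {"rule": rule.name, "path": "internet", "egress_src": flow.src_ip, "zone": None}
        sc = rule.target.service_connections[0]   # the model uses the first SC; selection among several is not modelled
        egress_src = flow.src_ip if rule.target.disable_source_nat else sc.user_id_agent_address
        return {"rule": rule.name, "path": sc.name, "egress_src": egress_src, "zone": sc.zone}
    # Assumption of this model: traffic matching no rule goes straight to the internet from its source.
    return {"rule": None, "path": "internet", "egress_src": flow.src_ip, "zone": None}


# Constructed sample deployment: one non-dedicated data center SC, one dedicated SC to a third-party stack.
SC_DC = ServiceConnection("sc-datacenter", "172.16.55.10", dedicated=False, bgp_configured=True)
SC_STACK = ServiceConnection("sc-3rdparty-stack", "172.16.55.20", dedicated=True, bgp_configured=True)

TARGET_STACK = Target("third-party-stack", [SC_STACK], disable_source_nat=True)
TARGET_DC = Target("dc-egress", [SC_DC])

RULES = [
    Rule("saas-direct", "internet", url_categories={"approved-saas"}),
    Rule("finance-via-stack", "target", TARGET_STACK, src_networks=["10.20.0.0/16"], services={"HTTPS"}),
    Rule("guests-via-dc", "target", TARGET_DC, users={"guest"}),
]

if __name__ == "__main__":
    for f in (Flow("10.20.3.4", "alice", "news", "HTTPS"), Flow("10.30.1.1", "guest", "news", "HTTP")):
        print(f.src_ip, "->", steer(RULES, f))
```

Two checks worth keeping from this model when you plan a real deployment: the allow-list on the third-party stack must be built from the infrastructure-subnet addresses unless you disable source NAT, and any security rule written for the Trust zone stops matching a service connection the moment it becomes dedicated.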
