Traffic Steering Requirements
Describes the requirements you need to deploy traffic steering.
Before you implement traffic steering in your Prisma Access deployment, make sure that your network environment has the following infrastructure requirements:
  • Prisma Access must be able to connect to the IPSec-capable CPE (such as a router or SD-WAN device) that your organization uses to terminate the service connection, and the IP address for the device must be reachable from Prisma Access.
    You create a service connection using standard IPSec and IKE cryptographic profiles between the stack location and Prisma Access. You can use static routes, BGP, or a combination of both when you create a service connection and use traffic steering. If you use default routes with traffic steering, Palo Alto Networks recommends that you use either BGP only or static routes only. If you use static routing, specify the public IP address used by the organization’s CPE as the Peer Address when you create an IKE gateway.
  • Prisma Access might not match the first few packets of a URL from a URL category in a traffic steering rule, which means that the first few packets of a network session (for example, a TCP handshake) might not match the rule. Palo Alto Networks recommends that, for URLs you use in traffic steering rules, you create a security policy rule to allow them through the Untrust zone so that the handshake can complete when a new session begins.
  • If you are using this configuration with a security stack, the stack location must be reachable from the service connection by a standard IPSec tunnel configuration.
Use the following guidelines when configuring traffic steering:
  • You can specify up to 1,000 URLs (aggregated) in a traffic steering configuration, including regular and wildcard (*.example.com) URLs in custom URL categories.
  • Prisma Access prepends an asterisk to URLs in custom URL categories, if you use this category in a traffic steering rule. If you use the same URL category policies for both traffic steering and other security policy rules, these changes apply to both the traffic steering rules and other security policy rules.
    If you have custom URL categories that are not used in traffic steering rules, Prisma Access does not change the URLs in those categories.
  • Use all lower-case URLs when you enter URLs in a custom URL category.
  • You can configure a maximum of 100 traffic steering rules.
  • If you have primary and backup tunnels configured, traffic steering using traffic steering rules will not work after a failover from the primary (active) to the backup tunnel. Default Routes With Prisma Access Traffic Steering works in a failover scenario with primary and backup tunnels.
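The guidelines above (a maximum of 100 traffic steering rules, at most 1,000 aggregated URLs, lower-case entries, and the asterisk-prepending side effect on any custom URL category that is shared with other security policy rules) are easy to violate when categories are edited by several people. The following pre-commit check is an added example, not Palo Alto Networks code and not a Prisma Access API: it models a configuration as plain Python objects (the `UrlCategory`, `SteeringRule` and `SecurityRule` classes are assumptions for illustration) and reports anything that would break a commit or silently change other rules. The sample configuration at the bottom is constructed for the example.

```python
"""Sanity check for a Prisma Access traffic steering configuration (added example, not vendor code)."""
from dataclasses import dataclass

# Limits stated in the requirements above.
MAX_STEERING_RULES = 100
MAX_STEERING_URLS = 1000


@dataclass
class UrlCategory:          # assumed model of a custom URL category
    name: str
    urls: list[str]


@dataclass
class SteeringRule:         # assumed model of a traffic steering rule
    name: str
    url_categories: list[str]


@dataclass
class SecurityRule:         # assumed model of a non-steering security policy rule
    name: str
    url_categories: list[str]


def check_traffic_steering(categories, steering_rules, security_rules):
    """Return a list of human-readable findings; an empty list means the config passes."""
    findings = []
    by_name = {c.name: c for c in categories}

    if len(steering_rules) > MAX_STEERING_RULES:
        findings.append(f"{len(steering_rules)} traffic steering rules exceed the maximum of {MAX_STEERING_RULES}")

    # Categories referenced by at least one steering rule are the ones Prisma Access rewrites.
    steered = set()
    for rule in steering_rules:
        for cat in rule.url_categories:
            if cat not in by_name:
                findings.append(f"steering rule '{rule.name}' references unknown URL category '{cat}'")
            else:
                steered.add(cat)

    # Count every entry in every steered category (conservative: no de-duplication,
    # because the limit is stated as an aggregate across the configuration).
    total_urls = 0
    for cat in sorted(steered):
        for url in by_name[cat].urls:
            total_urls += 1
            if url != url.lower():
                findings.append(f"category '{cat}': entry '{url}' is not lower-case")
            if any(ch.isspace() for ch in url):
                findings.append(f"category '{cat}': entry '{url}' contains whitespace")
    if total_urls > MAX_STEERING_URLS:
        findings.append(f"{total_urls} aggregated URLs in steered categories exceed the maximum of {MAX_STEERING_URLS}")

    # Asterisk prepending applies to the category itself, so any other security policy rule
    # that uses the same category is changed as well; flag the overlap for review.
    for sec in security_rules:
        shared = steered.intersection(sec.url_categories)
        if shared:
            findings.append(
                f"security rule '{sec.name}' shares categories {sorted(shared)} with traffic steering; "
                f"Prisma Access will prepend '*' to their URLs for both uses"
            )
    return findings


def run_constructed_example():
    """Constructed sample configuration with two deliberate problems."""
    categories = [
        UrlCategory("saas-apps", ["*.example.com", "Example.org"]),   # mixed case on purpose
        UrlCategory("partner-portals", ["partner.example.net"]),
    ]
    steering = [SteeringRule("steer-saas", ["saas-apps"])]
    security = [SecurityRule("allow-web", ["saas-apps"]),             # shares a steered category
                SecurityRule("allow-partners", ["partner-portals"])]  # not steered, untouched
    return check_traffic_steering(categories, steering, security)


if __name__ == "__main__":
    for finding in run_constructed_example():
        print("-", finding)
```

Run it against the real category and rule export before committing; a clean run returns no findings, and the overlap finding is a reminder to check whether the other security policy rule still matches what it was written for after the asterisk is prepended.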