Learn about the guidelines you need to follow when you
configure Prisma Access traffic steering.
Traffic steering can process a wide variety of possible
configurations; however, it is important to understand how Prisma
Access processes rules, so you can create rules are easy to maintain
and manage. To help you create the rules that work best for your
deployment, follow these guidelines:
Prisma Access evaluates rules in the order that you create
them (from top to bottom). Specify more specific rules at the top
and more general rules at the bottom.
Create multiple rules with fewer matching criteria, instead
of creating fewer rules with multiple types of criteria. Creating
simpler rules both speeds up rule creation and makes it easier to
modify a rule.
Since you cannot move a rule up or down in a list after you
create it, carefully plan your rule order before you create the
rules.
Rules
that specify Any source address and User, Any source
destination and URL Category, and Any service
are not supported. Use more specific rules; for example, specify
a rule with Any source or destination traffic
and a service of service-http and service-https.
If
you are going to specify rules for users in the Source
User field, make sure that Prisma Access can distinguish
between users if the same username is shared between users who authenticate
locally and users who authenticate using LDAP by authenticating
LDAP users in the format of domain/username and
authenticating local users in the format of username (without
the domain name).
If
an EDL (type IP List) is used in a Traffic Steering Rule, and the
EDL source URL of the EDL is updated to a URL that is not accessible,
Prisma Access may continue to use the cached IP list from the previous
URL.
Prisma
Access bypasses Traffic Steering for rules with a service type of
HTTP or HTTPS if you use an application override policy for TCP
ports 80 and 443.
In addition, traffic steering does not work
for URLs from URL categories referenced in the traffic steering
rule if you have configured an application override policy for TCP
ports 80 or 443.
You
can specify destination IP addresses and URL categories in the same
rule. If you do, Prisma Access uses a logical OR to process the
destination criteria in the rule, but processes the URLs and URL
category traffic based on TCP ports 80 and 8080 for HTTP and TCP
port 443 for HTTPS.
For a rule with IP addresses and URL
categories, traffic matches the rule if either the IP address or
the URL category matches, but processes the URL category traffic
based on ports 80, 443, and 8080 only. Palo Alto Networks does not
recommend creating a rule of this type; instead, create simpler
rules.
For example, you want to enforce the following rules for your
network traffic:
You have an internal HTTP server with an IP address of
10.1.1.1 in the data center, and you want to direct internal HTTP
and HTTPS traffic to this server. The IP address of the server is
10.1.1.1.
Traffic to this server should not go to the internet
and should be processed internally; therefore, choose a non-dedicated
target for this traffic, because this type of target processes both
internal and internet-bound traffic.
You want office365.com traffic to be routed directly to the
internet.
You want traffic from *.example.com or any traffic defined
in a custom URL category of custom-social-networking to
be routed to a dedicated connection.
You want any other HTTP and HTTPS traffic to use the same
non-dedicated service connection target as that used for the internal
HTTP server.
For this example, create the rules from the most specific to
the least specific, as shown in the following screenshot. Do not
add the rule that allows all HTTP and HTTPS traffic first, or Prisma
Access would direct all HTTP and HTTPS traffic to the non-dedicated
connection without evaluating any of the other rules.