Traffic Steering with Service Connections (Cloud Management)

Use traffic forwarding rules and enable outgoing internet access for Prisma Access service connections.
Prisma Access allows you to create traffic steering rules to specify targets for internet-bound traffic from mobile users and remote network connections. You can specify the traffic to be redirected to a service connection before sending to the internet, or you can specify the traffic to directly egress to the internet. This functionality is known as Traffic Steering.
Alternatively, you can configure Prisma Access to accept a default route from your CPE to Prisma Access so that Prisma Access forwards internet-bound mobile user traffic to the best service connection in your deployment.
Read on to learn about:
  • Accepting Default Routes
  • How Traffic Steering Works
  • Traffic Steering Requirements

Accept Default Routes

You can configure Prisma Access to accept default routes being advertised from your CPE to service connections. You can use BGP or static routes to advertise the default route. Prisma Access uses BGP to advertise these routes over multiple service connections, which allows Prisma Access to route mobile user traffic through the best service connection for a given mobile user location. To enable service connections to accept default routes, specify Accept Default Route over Service Connections (Service Connections > Service Connection Setup > Advanced Settings > Traffic Steering).
After you enable default routes, your internet-bound traffic will be steered to service connections instead of egressing from the mobile user locations. This functionality can be useful if you want to redirect internet-bound traffic to the data center; for example, if you have a third-party security stack in your data center and you want the stack to perform additional screening or inspection.
Use the following guidelines when implementing default routes:
  • Default routes apply to mobile user deployments only; remote network connections operate normally with no change when you enable default routes.
  • You do not need to specify target service connections or traffic steering rules when you allow default routes, although they are supported for use with default routes.
  • When you specify the Accept Default Route over Service Connections setting, all Prisma Access service connections, with the exception of dedicated service connections, accept default routes and will use the routes in traffic forwarding decisions.
  • Before you enable this setting, make sure that your data centers are sending default routes; otherwise, routing through service connections will fail.
  • Palo Alto Networks recommends that all data centers advertise a default route; when Prisma Access receives the routes, it can then select the best service connection to use for the remote network location.
  • When you add service connections, use either static routes only or BGP only for the connections. Palo Alto Networks does not recommend mixing service connections that use BGP and static routes when using default routes.
  • Prisma Access does not forward Clientless VPN, portal, or gateway SAML authentication traffic to a public identity provider (IdP) using the default route.

Traffic Steering

In standard Prisma Access deployments, a service connection provides access to internal network resources, such as authentication services and private apps in your headquarters or data center. Service connections process internal traffic, where no internet access is required. In some cases, you might want to redirect internet-bound traffic to the data center. Traffic steering allows you to redirect mobile user or remote network traffic to a service connection before being sent to the internet.
You can use traffic steering with mobile user deployments, remote network deployments, or a combination of both. Use traffic steering to direct internet-bound network traffic based on many criteria including IP addresses, users, URLs, custom URL categories, service type (HTTP or HTTPS), dynamic address groups (DAGs), dynamic user groups (DUGs), and IP-based external dynamic lists.
There are two action types supported with traffic steering:
  • Forward to the target—Use the criteria in traffic steering rules to forward internet-bound traffic through a target you create that uses one or more service connections.
  • Forward to the internet—Use the criteria in traffic steering rules to directly forward traffic from its source (mobile user location or remote network connection) to the internet, without being forwarded to a service connection.
If you forward to a target, you can choose to create two types of target groups: dedicated and non-dedicated.
  • A service connection that is used only for traffic steering-related traffic is a dedicated service connection. To set a service connection to be used as a dedicated service connection, select Dedicated for PBF Only when you’re setting up a traffic steering rule.
    You might want to configure a dedicated service connection if you use a third-party security stack that is outside of your organization’s internal network to process traffic before it is sent to a public SaaS application or the internet. Because the security stack is not a part of your organization’s network, you don’t want this service connection to process any internal network traffic.
  • A service connection that is used for traffic steering and for standard service connection-related traffic (such as traffic going to an authentication server in the data center) is a non-dedicated service connection.
Setting a service connection as a dedicated service connection causes the following changes to your deployment:
  • The service connections apply source NAT to the forwarded traffic. The source IP address is the EBGP Router address of the service connection, which is taken from the Infrastructure Subnet.
  • The zone for all service connections associated with this target changes from Trust to Untrust.
  • Service connections that are configured as dedicated service connections do not participate in BGP routing, either internally or externally.

Traffic Steering Requirements

Before you implement traffic steering in your Prisma Access deployment, make sure that your network environment has the following infrastructure requirements:
  • Prisma Access must be able to connect to the IPSec-capable CPE (such as a router or SD-WAN device) that your organization uses to terminate the service connection, and the IP address for the device must be reachable from Prisma Access.
    You create a service connection using standard IPSec and IKE cryptographic profiles between the stack location and Prisma Access. You can use static routes, BGP, or a combination of both when you create a service connection and use traffic steering. If you use default routes with traffic steering, Palo Alto Networks recommends that you use either BGP only or static routes only. If you use static routing, specify the public IP address used by the organization’s CPE as the Peer Address when you create an IKE gateway.
  • Prisma Access might not match the first few packets of a URL in a policy-based forwarding rule, which means that the first few packets of a network session (for example, a TCP handshake) might not match the rule. Palo Alto Networks recommends that, for URLs that you use in traffic steering rules, you create a security policy rule to allow them through the Untrust zone so that the handshake can complete when a new session begins.
  • If you are using this configuration with a security stack, the stack location must be reachable from the service connection by a standard IPSec tunnel configuration.
Use the following guidelines when configuring traffic steering:
  • You can specify up to 1,000 URLs (aggregated) in a traffic steering configuration, including wildcard (*.example.com) URLs.
    This number includes manually entered URLs, wildcard URLs, and URLs that are entered in a custom URL category.
  • Prisma Access prepends an asterisk to URLs in custom URL categories, if you use this category in a traffic steering forwarding rule. If you use the same URL category policies for both traffic steering and other security policy rules, these changes apply to both the traffic steering rules and other security policy rules.
    If you have custom URL categories that are not used in traffic steering forwarding rules, Prisma Access does not change the URLs in those categories.
  • Use all lower-case URLs when you enter URLs in a traffic forwarding rule and when you add URLs in a custom URL category.
  • You can configure a maximum of 100 traffic forwarding rules.
  • Traffic steering is not supported in a multi-tenant deployment.
  • If you have primary and backup tunnels configured, traffic steering using policy-based forwarding rules will not work after a failover from the primary (active) to the backup tunnel. Default routing works in a failover scenario with primary and backup tunnels.
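As an added illustration (not Palo Alto Networks code), the following Python models the rule limits and URL guidelines listed above, the asterisk prepended to custom-category entries, and first-match steering to a target or to the internet. The rule field names, the no-match default, and the sample categories and flows are constructed assumptions, not the product's API.

```python
# Added example (not Palo Alto Networks code): a small model of Prisma Access traffic
# steering rules that checks the limits this page states and then evaluates sample
# flows first-match. Field names (src_net, urls, url_categories, action) are assumed.
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

MAX_RULES = 100   # page: at most 100 traffic forwarding rules
MAX_URLS = 1000   # page: at most 1,000 URLs aggregated, custom categories included

def validate(rules, custom_categories):
    """Return guideline violations found in the rule set (empty list if none)."""
    problems = []
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules exceeds the limit of {MAX_RULES}")
    urls = []  # manual entries plus the entries of every referenced custom category
    for r in rules:
        urls += r.get("urls", [])
        for cat in r.get("url_categories", []):
            urls += custom_categories.get(cat, [])
    if len(urls) > MAX_URLS:
        problems.append(f"{len(urls)} URLs exceeds the limit of {MAX_URLS}")
    problems += [f"URL is not lower-case: {u}" for u in urls if u != u.lower()]
    return problems

def effective_categories(rules, custom_categories):
    """Prepend '*' to entries of categories a steering rule references (page behaviour;
    skipping entries already starting with '*' is an assumption); others are unchanged."""
    used = {c for r in rules for c in r.get("url_categories", [])}
    return {cat: [u if u.startswith("*") or cat not in used else "*" + u for u in entries]
            for cat, entries in custom_categories.items()}

def steer(rules, custom_categories, flow):
    """First matching rule decides ('target:<name>' or 'internet'); no match -> direct egress (assumed)."""
    cats = effective_categories(rules, custom_categories)
    host = flow["host"].lower()
    for r in rules:
        if "src_net" in r and ip_address(flow["src_ip"]) not in ip_network(r["src_net"]):
            continue
        patterns = r.get("urls", []) + [u for c in r.get("url_categories", []) for u in cats[c]]
        if patterns and not any(fnmatch(host, p) for p in patterns):
            continue
        return r["action"]
    return "internet"

CUSTOM_CATEGORIES = {"saas-inspect": ["example-saas.com"], "unused": ["other.example"]}  # constructed
RULES = [  # constructed rule set; first match wins in this model
    {"name": "stack", "src_net": "10.0.0.0/8", "url_categories": ["saas-inspect"], "action": "target:dc-stack"},
    {"name": "direct", "urls": ["*.example.net"], "action": "internet"},
]
```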
