Use Traffic Forwarding Rules with Service Connections
Use traffic forwarding rules, and enable outgoing internet, for Prisma Access service connections.
Prisma Access allows you to create traffic forwarding rules that use policy-based forwarding (PBF) to redirect mobile user and remote network internet traffic to service connections, instead of egressing directly from a remote network connection or mobile user location.
You can create traffic forwarding rules based on source or destination IP addresses or FQDNs. You can also specify URLs, or add a custom URL object, for destination traffic.
Traffic forwarding is not supported with multi-tenant deployments.
Traffic Forwarding Rules with Service Connections Overview
In standard Prisma Access deployments, a service connection provides access to internal network resources, such as authentication services in your headquarters or data center. Because service connections process only internal traffic, they normally need no internet access. Traffic forwarding rules expand the scope of service connections by letting you redirect mobile user or remote network traffic to a third-party security stack for further processing before it is sent to the internet.
You can use traffic forwarding rules with service connections with mobile user deployments, remote network deployments, or a combination of both.
The following examples show two types of traffic forwarding deployments.
- The following figure provides an example of a security stack that is deployed from the cloud, where you want traffic sent to the example.com website to be directed to this security stack. This stack is located outside of your organization’s internal network; for this reason, you don’t want this service connection to process any internal network traffic. To enable this deployment, you create a service connection with a traffic forwarding rule in Panorama that forwards traffic destined for the example.com website to a service connection you created for this purpose. To configure this service connection to process only forwarded traffic and prevent internal network traffic from using it, select the Dedicated for PBF Only check box when you set up traffic forwarding rules. The service connection sends traffic to the security stack, which performs additional processing on the traffic before sending it to the internet. All other internet-directed traffic egresses normally from the mobile user location or remote network connection. Selecting the Dedicated for PBF Only check box causes Prisma Access to change the zone for the service connections used in this rule from Trust to Untrust, because this location is not part of your organization’s network. Make sure that you check zone mapping and security policies for remote networks and mobile users and modify them as required to accommodate this change. Prisma Access applies traffic forwarding rules to ports 80, 8080, and 443 only.
- The following figure provides an example of a security stack being deployed in your organization’s network. In this case, it is an on-premises stack located at your organization’s headquarters. You can use this service connection for internal traffic as well as redirected traffic. To enable this deployment, you create a service connection with a traffic forwarding rule in Panorama, but deselect the Dedicated for PBF Only check box when you set up traffic forwarding, and configure the security stack to forward traffic to the internet after processing. With this deployment, the zone does not change from Trust, and you would also place the traffic going to example.com in the Trust zone.
Zone Mapping and Security Policies for Forwarded Traffic
If you redirect traffic using a service connection to a security stack that is outside your internal network, the zones for the service connections that are used for the redirection change from Trust to Untrust. If you deploy your security stack as a part of your internal network, zones do not change from Trust. Because you use the service connection to egress internet traffic, you might need to make changes to your zone mapping or security policies. Since you cannot create zones or configure zone mapping for service connections, you make these changes to the mobile user and remote network templates and device groups instead. Complete the following steps to configure zone mapping for traffic forwarding.
These steps show a sample configuration; you can tailor this example to suit your deployment.
- Select the correct Template from the drop-down list (either Mobile_User_Template for mobile users or Remote_Network_Template for remote networks). If you have both a mobile user and a remote network deployment, you need to perform these steps twice: once in the Mobile_User_Template and once in the Remote_Network_Template.
- Add two zones for your trusted and untrusted traffic. This example creates two zones called Trust and Untrust.
- Create default policies for the zones you created.
- Select Policies > Security > Post Rules.
- Select the correct Device Group from the drop-down list (either Mobile_User_Device_Group for mobile users or Remote_Network_Device_Group for remote networks). If you have both a mobile user and a remote network deployment, you need to perform these steps twice: once in the Mobile_User_Device_Group and once in the Remote_Network_Device_Group.
- Add a default policy to use for Trust zone-to-Trust zone traffic. This policy allows Any traffic to pass for all Source, User, Destination, Application, and Service/URL Category values.
- Add a default policy to use for Trust zone-to-Untrust zone traffic, using the same parameters you used for the Trust-to-Trust policy. When complete, you have two security policies, one for Trust-to-Trust traffic and one for Trust-to-Untrust traffic.
- Define Zone Mapping for the remote networks, mobile users, or both, as required for your deployment.
- Set the zone mapping for the remote networks, mobile users, or both.
- For mobile users, select Panorama > Cloud Services > Configuration > Mobile Users.
- For remote networks, select Panorama > Cloud Services > Configuration > Remote Networks.
- Click the gear icon next to Zone Mapping to edit the settings.
- Set the Zone Mapping for your deployment, moving the zone for trusted traffic to the Trusted Zones and the zone for untrusted traffic to the Untrusted Zones; then, click OK.
Requirements to Forward Traffic to Service Connections
If you are forwarding traffic from remote network or mobile user traffic to service connections, make sure that your network environment has the following infrastructure requirements:
- Prisma Access must be able to connect to the IPSec-capable device (such as a router or SD-WAN device) that your organization uses to terminate the service connection. The IP address for the device must be reachable from Prisma Access. You create a service connection using standard IPSec and IKE cryptographic profiles between the stack location and Prisma Access. You can use static routes, BGP, or a combination of both when you create a service connection. If you use static routing, specify the public IP address used by the organization’s IPSec-capable device as the Peer Address when you create an IKE gateway.
- If you are using this configuration with a security stack, the stack location must be reachable from the service connection by a standard IPSec tunnel configuration.
Also note the following limits for traffic forwarding rules:
- You can configure a maximum of 2,000 wildcard (*.example.com) URLs. This number includes both manually entered URLs and URLs that are entered in a custom URL category.
- You can configure a maximum of 100 traffic forwarding rules.
Create a Service Connection to Use with Traffic Forwarding
- You can use this procedure with mobile user deployments, remote network deployments, or a combination of both. Prisma Access provides predefined IPSec templates for some common IPSec and SD-WAN devices. If the IPSec-capable device that terminates the service connection’s IPSec tunnel is in that list, you can use the predefined template for that device, which simplifies IPSec tunnel creation; otherwise, create new IKE and IPSec cryptographic profiles as described in this task.
- Create IKE and IPSec crypto profiles and an IKE gateway for the service connection. You will use these profiles to provide connectivity between Prisma Access and the IPSec-capable device on the other side of the service connection.
- Select Network > Network Profiles > IKE Crypto and Add an IKE crypto profile for the IPSec tunnel. Make sure you have specified the Template of Service_Conn_Template before starting this task.
- Give the profile a name and specify IKE settings. Make a note of these settings; you specify the same settings when you configure the IPSec-capable device on the other side of the service connection.
- Select Network > Network Profiles > IPSec Crypto and Add a new IPSec crypto profile.
- Specify a name for the profile and specify IPSec crypto parameters. Make a note of these parameters; you specify these same parameters when you configure the IPSec-capable device on the other side of the service connection.
- Select Network > Network Profiles > IKE Gateways and Add a new IKE gateway.
- Specify a Name, Version, Peer IP Address Type, and Authentication, and specify a Peer Identification that will be synchronized with the IPSec device on the other side of the service connection. You can choose a Peer IP Address Type of either IP or Dynamic.
  Make a note of the User FQDN (email address) or IP address that you use for the Peer Identification. In addition, if you use a pre-shared key for authentication, make a note of the Pre-Shared Key that you use; you must match these settings when you configure the IPSec-capable device on the other side of the service connection.
- If you select IP, specify the public IP address of the IPSec-capable device on the other side of the service connection.
- Select Dynamic if the peer IP address or FQDN value is unknown. When the peer IP address type is Dynamic, it is up to the peer to initiate the IKE gateway negotiation.
- Click the Advanced Options tab, specify the IKE Crypto Profile you just created, and make sure that Enable Passive Mode is selected. Optionally, Enable NAT Traversal. Enabling NAT traversal allows the negotiation to occur even if the other side of the service connection is behind NAT.
- Select Network > IPSec Tunnels and Add an IPSec tunnel.
- Select the IKE Gateway and IPSec Crypto Profile you created earlier in this task.
- (Optional) Select the Proxy IDs tab and create a default route for all local and remote prefixes. Creating this route ensures that all prefixes in the VPN use this IPSec tunnel.
- Onboard a service connection to use as the connection between Prisma Access and the IPSec-capable device. Be sure to specify the IPSec Tunnel you created in this procedure.
- Save and Commit your changes.
- On your IPSec-capable device on the other side of the service connection, configure an IPSec tunnel that connects to Prisma Access from the public IP address used by that device, and commit the change on that device so that the tunnel can be established.
Create Traffic Forwarding Rules for the Service Connection
After you create the service connection, create and configure traffic forwarding rules (PBF rules) in the service connection settings to specify the traffic to send to the service connection.
Use the following steps to specify traffic to send to the service connection:
- Create a target that associates a group you create with a service connection.
- Create one or more traffic forwarding rules for the target and specify the traffic that you want to send to the service connection.
- Select Panorama > Cloud Services > Configuration > Service Setup.
- Click the gear icon in the Settings area to edit the settings.
- Click the Traffic Forwarding tab.
- Create a group and assign a service connection to it.
- In the Target Service Connections for Traffic Forwarding area, Add a group and give it a Group Name.
- Add a Target for the traffic, specifying the Service Connection to use with the target, and click OK. You can specify multiple service connections for a single target as long as they are in different locations; however, Prisma Access allows only one service connection location per target. If you specify multiple targets, Prisma Access forwards traffic to the service connection with the shortest path.
- Choose whether this connection is on your organization’s network.
- Select Dedicated for PBF Only if you are deploying this service connection for a device that is not on your organization’s network (for example, a cloud-based device). Prisma Access uses this service connection for PBF traffic only. Selecting Dedicated for PBF Only causes the zone for all service connections to change from Trust to Untrust. Check your zone mapping and security policies to make sure that your network reflects this change.
- Deselect Dedicated for PBF Only if the device is on your organization’s network. You can then process internal network traffic on this service connection as well as forwarded traffic.
- Create rules for the target you created and apply them to the target.
- In the Traffic Forwarding Rules area, Add a traffic forwarding rule.
- In the General tab, Name the traffic forwarding rule.
- In the Source tab, specify a Source FQDN or IP address that the source traffic must match, or select Any to have all traffic go to this target. You can either manually specify an FQDN or IP address, or you can specify an address object you created in Panorama (Objects > Addresses). If you use address objects, make them Shared to share them with all device groups in Prisma Access.
- In the Destination tab, specify the following values:
- In the Destination area, specify a Destination FQDN, IP address, or shared address object. Leave Any selected to pass all traffic to be processed by the rules in the URL area. If you specify rules in both the Destination and the URL areas, Prisma Access processes the rules in the Destination area first.
- In the URL area, enter a URL or a shared custom URL category you created in Panorama (Objects > Custom Objects > URL Category) to specify URLs for the traffic forwarding rule. If you create a URL Category, make sure that you configure it as Shared. You can also enter wildcard URLs (for example, *.example.com). Leave Any selected to pass all HTTP and HTTPS traffic with this rule. If you have Prisma Access direct all HTTP and HTTPS traffic to the service connection, determine whether you have HTTP or HTTPS traffic that should instead use the service connection to reach an internal destination (for example, an HTTPS server in your organization’s headquarters). To prevent Prisma Access from redirecting internal HTTP or HTTPS traffic, configure another traffic forwarding rule for the internal HTTP and HTTPS traffic, specify the Destination as the IP address of the internal server, and deselect Forward in the Action tab, which prevents this traffic from egressing from the service connection.
- In the Action tab, select the Group Name that you want to apply to the traffic forwarding rule.
- Enable or disable forwarding for the selected traffic.
- To enable forwarding for the rules you specify for this traffic, leave Forward selected.
- To prevent Prisma Access from forwarding traffic for the rules you specify to a service connection, and ensure that this traffic always uses its normal egress path from a remote network connection or mobile user location, deselect Forward. For example, specify *.example2.com in the Destination tab and deselect the Forward check box in the Action tab to make sure that any remote network or mobile user traffic to *.example2.com follows its normal egress path.
- Click OK to save your changes.
- Commit your changes locally to make them active in Panorama. You only have to perform this step if your configuration includes mobile users; skip this step if your configuration only includes Prisma Access for remote networks with no mobile user configuration.
- Select Commit > Commit to Panorama.
- Make sure that the device groups, templates, and template stacks are part of the Commit Scope.
- Click OK to save your changes to the Commit Scope.
- Commit your changes.
- Commit and push your changes to make them active in Prisma Access.
- Select Commit > Commit and Push, then Edit Selections in the Push Scope.
- Select Prisma Access, then select the tenant you created, Service Setup, Remote Networks, and Mobile Users.
- Click OK to save your changes to the Push Scope.
- Commit and Push your changes.
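The following script is an added example, not Palo Alto Networks code, that models how the traffic forwarding rules configured above are meant to behave, so that a rule set can be reasoned about before it is pushed: only ports 80, 8080, and 443 are eligible; a rule with a specific Destination is evaluated before rules that rely on the URL area alone (the page's "Destination area first"); a rule with Forward deselected keeps traffic on its normal egress path; and the documented limits of 100 rules and 2,000 wildcard URLs (manual entries plus custom URL category entries, from the Requirements section) are checked. The dataclass fields, rule and group names, the decision strings, and the sample flows and addresses are all constructed for this example.

```python
"""Model of Prisma Access traffic forwarding (PBF) rule evaluation.

Added example; it reproduces only the behaviour the documentation describes
and is not the product's implementation. Field names, rule names and the
sample traffic are assumptions made for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

PBF_PORTS = {80, 8080, 443}      # the only ports traffic forwarding rules apply to
MAX_RULES = 100                  # documented limit on traffic forwarding rules
MAX_WILDCARD_URLS = 2000         # documented limit on wildcard (*.example.com) URLs


@dataclass(frozen=True)
class ForwardingRule:
    name: str
    group: str                          # Group Name chosen in the Action tab
    source: str = "any"                 # Source tab: "any", IP/CIDR or FQDN
    destination: str = "any"            # Destination area: "any", IP/CIDR or FQDN
    urls: tuple = ()                    # URL area: literal or wildcard URLs, () = Any
    url_categories: tuple = ()          # names of shared custom URL categories
    forward: bool = True                # Forward check box in the Action tab


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_host: str                       # FQDN the client is connecting to
    dst_port: int
    src_host: str = ""                  # FQDN of the source, if one is known


def _match_addr(pattern, ip, host):
    """Match an IP/CIDR pattern against the address, or an FQDN against the host."""
    if pattern == "any":
        return True
    try:
        return ip_address(ip) in ip_network(pattern, strict=False)
    except ValueError:                  # pattern (or ip) is not an address: FQDN match
        return host.lower() == pattern.lower()


def _url_patterns(rule, categories):
    """Expand the rule's URL area: literal URLs plus the entries of each category."""
    expanded = list(rule.urls)
    for name in rule.url_categories:
        expanded.extend(categories[name])
    return tuple(expanded)


def _match_url(patterns, host):
    if not patterns:                    # URL area left at Any
        return True
    return any(fnmatch(host.lower(), p.lower()) for p in patterns)


def evaluate(rules, flow, categories=None):
    """Return ("forward", group), ("egress-normally", rule name) or ("no-match", None).

    Rules with a specific Destination are checked before URL-only rules, which
    is how this model reads "processes the rules in the Destination area first".
    """
    categories = categories or {}
    if flow.dst_port not in PBF_PORTS:
        return ("no-match", None)
    ordered = ([r for r in rules if r.destination != "any"]
               + [r for r in rules if r.destination == "any"])
    for rule in ordered:
        if not _match_addr(rule.source, flow.src_ip, flow.src_host):
            continue
        if not _match_addr(rule.destination, flow.dst_ip, flow.dst_host):
            continue
        if not _match_url(_url_patterns(rule, categories), flow.dst_host):
            continue
        return ("forward", rule.group) if rule.forward else ("egress-normally", rule.name)
    return ("no-match", None)


def validate(rules, categories=None):
    """Report violations of the documented limits (100 rules, 2,000 wildcard URLs)."""
    categories = categories or {}
    problems = []
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules exceeds the limit of {MAX_RULES}")
    wildcards = sum(1 for r in rules for p in _url_patterns(r, categories) if "*" in p)
    if wildcards > MAX_WILDCARD_URLS:
        problems.append(f"{wildcards} wildcard URLs exceeds the limit of {MAX_WILDCARD_URLS}")
    return problems


# Constructed sample configuration: example.com traffic goes to a cloud stack,
# an internal HTTPS server is exempted by destination IP, and *.example2.com
# stays on its normal egress path.
CATEGORIES = {"forward-to-stack": ["*.example.com", "example.com"]}
RULES = (
    ForwardingRule("internal-https", group="Cloud_Stack", destination="10.10.5.25", forward=False),
    ForwardingRule("keep-local", group="Cloud_Stack", urls=("*.example2.com",), forward=False),
    ForwardingRule("to-stack", group="Cloud_Stack", url_categories=("forward-to-stack",)),
)

if __name__ == "__main__":
    for host, ip, port in (("www.example.com", "203.0.113.10", 443),
                           ("intranet.corp.example.com", "10.10.5.25", 443),
                           ("app.example2.com", "203.0.113.9", 80),
                           ("www.example.com", "203.0.113.10", 22)):
        print(host, port, "->", evaluate(RULES, Flow("10.200.1.7", ip, host, port), CATEGORIES))
    print("limit check:", validate(RULES, CATEGORIES) or "ok")
```

The second sample flow is the case the URL-area step warns about: intranet.corp.example.com matches the *.example.com category, but because the internal-https rule names the server's IP in its Destination area and has Forward deselected, the model keeps that traffic off the service connection, while www.example.com is forwarded to the Cloud_Stack group.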