Use Traffic Forwarding Rules with Service Connections

Use traffic forwarding rules, and enable outgoing internet, for Prisma Access service connections.
Prisma Access allows you to create traffic forwarding rules that use policy-based forwarding (PBF) to redirect mobile user and remote network internet traffic to service connections, instead of egressing directly from a remote network connection or mobile user location.
You can create traffic forwarding rules based on source or destination IP addresses or FQDNs. You can also specify URLs, or add a custom URL object, for destination traffic.
You cannot use traffic forwarding with multi-tenant deployments or with hot potato routing.

Traffic Forwarding Rules with Service Connections Overview

In standard Prisma Access deployments, a service connection provides access to internal network resources, such as authentication services in your headquarters or data center. Because service connections process internal traffic, no internet access is required. Traffic forwarding rules expand the scope of service connections by allowing you to redirect mobile user or remote network traffic to a third-party security stack for further processing before it is sent to the internet.
You can use traffic forwarding rules with service connections with mobile user deployments, remote network deployments, or a combination of both.
The following examples show two types of traffic forwarding deployments.
  • The following figure shows a security stack deployed in the cloud, outside your organization’s internal network. You want traffic destined for the example.com website to be directed to this security stack, and because the stack is not part of your internal network, you don’t want this service connection to process any internal network traffic.
    To enable this deployment, you create a service connection with a traffic forwarding rule in Panorama that forwards traffic for the example.com website to a service connection you created for this purpose. To restrict this service connection to forwarded traffic and prevent internal network traffic from using it, select the Dedicated for PBF Only check box when you set up traffic forwarding rules.
    The service connection sends traffic to the security stack, which performs additional processing on the traffic before sending it to the internet. All other internet-bound traffic egresses normally from the mobile user location or remote network connection.
    Selecting the Dedicated for PBF Only check box causes Prisma Access to change the zone for the service connections used in this rule from Trust to Untrust, because this location is not part of your organization’s network. Check the zone mapping and security policies for remote networks and mobile users and modify them as required to accommodate this change.
    Prisma Access applies traffic forwarding rules to ports 80, 8080, and 443 only.
    [Figure: security-stack-with-prisma-access.png]
  • The following figure shows a security stack deployed in your organization’s network; in this case, an on-premises stack located at your organization’s headquarters. You can use this service connection for internal traffic as well as redirected traffic.
    To enable this deployment, you create a service connection with a traffic forwarding rule in Panorama, but deselect the Dedicated for PBF Only check box when you set up traffic forwarding, and configure the security stack to forward traffic to the internet after processing. With this deployment, the zone remains Trust, and you would also place the traffic going to example.com in the Trust zone.
    [Figure: security-stack-with-prisma-access-internal-only.png]

Zone Mapping and Security Policies for Forwarded Traffic

If you redirect traffic through a service connection to a security stack that is outside your internal network, the zones for the service connections used for the redirection change from Trust to Untrust. If you deploy your security stack as part of your internal network, the zones do not change from Trust. Because you use the service connection to egress internet traffic, you might need to change your zone mapping or security policies. Since you cannot create zones or configure zone mapping for service connections, you make these changes in the mobile user and remote network templates and device groups instead. Complete the following steps to configure zone mapping for traffic forwarding.
These steps show a sample configuration; you can tailor this example to suit your deployment.
  1. Select Network > Zones.
  2. Select the correct Template from the drop-down list (either Mobile_User_Template for mobile users or Remote_Network_Template for remote networks).
    If you have both a mobile user and a remote network deployment, perform these steps twice: once in the Mobile_User_Template and once in the Remote_Network_Template.
  3. Add two zones for your trusted and untrusted traffic.
    This example creates two zones called Trust and Untrust.
    [Figure: security-stack-create-zones.png]
    [Figure: security-stack-create-zones-2.png]
  4. Create default policies for the zones you created.
    1. Select Policies > Security > Post Rules.
    2. Select the correct Device Group from the drop-down list (either Mobile_User_Device_Group for mobile users or Remote_Network_Device_Group for remote networks).
      If you have both a mobile user and a remote network deployment, perform these steps twice: once in the Mobile_User_Device_Group and once in the Remote_Network_Device_Group.
    3. Add a default policy to use for Trust zone-to-Trust zone traffic.
      This policy allows Any traffic to pass for all Source, User, Destination, Application, and Service/URL Category values.
      [Figure: security-stack-trust-to-trust.png]
    4. Add a default policy to use for Trust zone-to-Untrust zone traffic, using the same parameters you used for the Trust-to-Trust policy.
      When complete, you have two security policies: one for Trust-to-Trust traffic and one for Trust-to-Untrust traffic.
      [Figure: security-stack-policies.png]
  5. Define Zone Mapping for the remote networks, mobile users, or both, as required for your deployment.
    1. Open the configuration for the remote networks, mobile users, or both.
      • For mobile users, select Panorama > Cloud Services > Configuration > Mobile Users.
      • For remote networks, select Panorama > Cloud Services > Configuration > Remote Networks.
    2. Click the gear icon next to Zone Mapping to edit the settings.
      [Figure: security-stack-set-zone-mapping.png]
    3. Set the Zone Mapping for your deployment, moving the zone for trusted traffic to the Trusted Zones and the zone for untrusted traffic to the Untrusted Zones; then, click OK.
      [Figure: security-stack-zone-mapping.png]

Requirements to Forward Traffic to Service Connections

If you are forwarding remote network or mobile user traffic to service connections, make sure that your network environment meets the following infrastructure requirements:
  • Prisma Access must be able to connect to the IPSec-capable device (such as a router or SD-WAN device) that your organization uses to terminate the service connection. The IP address of the device must be reachable from Prisma Access.
    You create a service connection using standard IPSec and IKE cryptographic profiles between the stack location and Prisma Access. You can use static routes, BGP, or a combination of both when you create a service connection. If you use static routing, specify the public IP address of the organization’s IPSec-capable device as the Peer Address when you create an IKE gateway.
  • If you are using this configuration with a security stack, the stack location must be reachable from the service connection over a standard IPSec tunnel configuration.
Also note the following limits for traffic forwarding rules:
  • You can configure a maximum of 2,000 wildcard (*.example.com) URLs.
    This number includes both manually entered URLs and URLs that are entered in a custom URL category.
  • You can configure a maximum of 100 traffic forwarding rules.

Create a Service Connection to Use with Traffic Forwarding Rules

To use traffic forwarding rules with Prisma Access service connections, you first onboard your mobile users and remote networks. You then provide connectivity for the service connection between Prisma Access and the IPSec-capable device on the other side of the service connection.
  1. Onboard your mobile users and remote networks, as applicable for your deployment.
    You can deploy with mobile user deployments, remote network deployments, or a combination of both.
    Prisma Access provides you with predefined IPSec templates for some common IPSec and SD-WAN devices. If the IPSec-capable device that terminates the service connection’s IPSec tunnel is in that list, you can use those predefined templates for that device, which simplifies IPSec tunnel creation; otherwise, create new IKE and IPSec cryptographic profiles as described in this task.
  2. Create IKE and IPSec crypto profiles and an IKE gateway for the service connection.
    You use these profiles to provide connectivity between Prisma Access and the IPSec-capable device on the other side of the service connection.
    1. Select Network > Network Profiles > IKE Crypto and Add an IKE crypto profile for the IPSec tunnel.
      Make sure you have selected Service_Conn_Template as the Template before starting this task.
    2. Give the profile a name and specify the IKE settings.
      Make a note of these settings; you specify the same settings when you configure the IPSec-capable device on the other side of the service connection.
      [Figure: security-stack-ike-crypto-configure.png]
    3. Select Network > Network Profiles > IPSec Crypto and Add a new IPSec crypto profile.
    4. Specify a name for the profile and specify the IPSec crypto parameters.
      Make a note of these parameters; you specify the same parameters when you configure the IPSec-capable device on the other side of the service connection.
      [Figure: security-stack-ipsec-crypto.png]
    5. Select Network > Network Profiles > IKE Gateways and Add a new IKE gateway.
    6. Specify a Name, Version, Peer IP Address Type, and Authentication, and specify a Peer Identification that will be synchronized with the IPSec device on the other side of the service connection.
      You can choose a Peer IP Address Type of either IP or Dynamic.
      • If you select IP, specify the public IP address of the IPSec-capable device on the other side of the service connection.
      • Select Dynamic if the peer IP address or FQDN value is unknown.
        When the peer IP address type is Dynamic, it is up to the peer to initiate the IKE gateway negotiation.
      Make a note of the User FQDN (email address) or IP address that you use for the Peer Identification. In addition, if you use a pre-shared key for authentication, make a note of the Pre-Shared Key that you use; you must match these settings when you configure the IPSec-capable device on the other side of the service connection.
      [Figure: security-stack-ike-gateway-configure-general.png]
    7. Click the Advanced Options tab, specify the IKE Crypto Profile you just created, and make sure that Enable Passive Mode is selected.
      Optionally, select Enable NAT Traversal. Enabling NAT traversal allows the negotiation to occur even if the other side of the service connection is behind NAT.
      [Figure: security-stack-ike-gateway-configure-advanced.png]
    8. Select Network > IPSec Tunnels and Add an IPSec tunnel.
    9. Select the IKE Gateway and IPSec Crypto Profile you created earlier in this task.
      [Figure: security-stack-ipsec-tunnel-configure-general.png]
    10. (Optional) Select the Proxy IDs tab and make sure that 0.0.0.0/0 (the default proxy ID for route-based VPNs) is present.
      This proxy ID ensures that all prefixes in the VPN use this IPSec tunnel.
      [Figure: nuage-ipsec-tunnel-configure-proxy-ids.png]
  3. Onboard a service connection to use as the connection between Prisma Access and the IPSec-capable device.
    Be sure to specify the IPSec Tunnel you created in this procedure.
  4. Save and Commit your changes.
  5. On the IPSec-capable device on the other side of the service connection, configure an IPSec tunnel that connects to the service connection in Prisma Access, using the public IP address used by that device, and commit the change on that device so that the tunnel can be established.

Create Traffic Forwarding Rules for the Service Connection

After you create the service connection, create and configure traffic forwarding rules (PBF rules) in the service connection settings to specify the traffic to send to the service connection.
Use the following steps to specify the traffic to send to the service connection:
  • Create a target that associates a group you create with a service connection.
  • Create one or more traffic forwarding rules for the target and specify the traffic that you want to send to the service connection.
  1. Select Panorama > Cloud Services > Configuration > Service Setup.
  2. Click the gear icon in the Settings area to edit the settings.
    [Figure: service-setup-settings.png]
  3. Click the Traffic Forwarding tab.
  4. Create a group and assign a service connection to it.
    1. In the Target Service Connections for Traffic Forwarding area, Add a group and give it a Group Name.
    2. Add a Target for the traffic, specifying the Service Connection to use with the target, and click OK.
      You can specify multiple service connections for a single target as long as each is in a different location; Prisma Access allows only one service connection per location for each target. If you specify multiple targets, Prisma Access forwards traffic to the service connection with the shortest path.
      [Figure: security-stack-pbf-target.png]
    3. Choose whether this connection is on your organization’s network.
      • Select Dedicated for PBF Only if you are deploying this service connection for a device that is not on your organization’s network (for example, a cloud-based device). Prisma Access uses this service connection for PBF traffic only.
        Selecting Dedicated for PBF Only causes the following changes to your deployment:
        • The service connections apply source NAT to the forwarded traffic. The source IP address is one of the IP addresses from the infrastructure subnet (Panorama > Cloud Services > Status > Service Infrastructure > Infrastructure Subnet).
        • The zone for all service connections changes from Trust to Untrust. Check your zone mapping and security policies to make sure that your network reflects this change.
      • Deselect Dedicated for PBF Only if the device is on your organization’s network. You can then process internal network traffic on this service connection as well as forwarded traffic.
  5. Create rules for the target you created and apply them to the target.
    1. In the Traffic Forwarding Rules area, Add a traffic forwarding rule.
    2. In the General tab, Name the traffic forwarding rule.
    3. In the Source tab, specify a Source FQDN or IP address that the source traffic must match, or select Any to have all traffic go to this target.
      You can either manually specify an FQDN or IP address, or you can specify an address object you created in Panorama (Objects > Addresses).
      If you use address objects, make them Shared so that they are available to all device groups in Prisma Access.
    4. In the Destination tab, specify the following values:
      • In the Destination area, specify a Destination FQDN, IP address, or shared address object.
        Leave Any selected to pass all traffic to be processed by the rules in the URL area. If you specify rules in both the Destination and the URL areas, Prisma Access processes the rules in the Destination area first.
      • In the URL area, enter a URL or a shared custom URL category you created in Panorama (Objects > Custom Objects > URL Category) to specify URLs for the traffic forwarding rule.
        If you create a URL Category, make sure that you configure it as Shared.
        You can also enter wildcard URLs (for example, *.example.com).
        Leave Any selected to pass all HTTP and HTTPS traffic with this rule.
        Use the following guidelines when configuring destination options:
        • Selecting Any in the URL area of the Destination tab overrides any selections you make in the Destination area and changes those selections to Any. To have Prisma Access use the redirect options you select in the Destination area, specify those options in the Destination area; then, enter either an asterisk (*) or one or more specific FQDNs in the URL area.
        • If you have Prisma Access direct all HTTP and HTTPS traffic to the service connection, determine whether you have HTTP or HTTPS traffic that should instead use the service connection to reach an internal destination (for example, an HTTPS server in your organization’s headquarters). To prevent Prisma Access from redirecting internal HTTP or HTTPS traffic, configure another traffic forwarding rule for the internal HTTP and HTTPS traffic, specify the Destination as the IP address of the internal server, and deselect Forward in the Action tab, which prevents this traffic from egressing from the service connection.
      [Figure: security-stack-pbf-destination.png]
    5. In the Action tab, select the Group Name that you want to apply to the traffic forwarding rule.
    6. Enable or disable forwarding for the selected traffic.
      • To enable forwarding for the traffic this rule matches, leave Forward selected.
      • To prevent Prisma Access from forwarding the traffic this rule matches to a service connection, and ensure that this traffic always uses its normal egress path from a remote network connection or mobile user location, deselect Forward.
        For example, specify *.example2.com in the Destination tab and deselect the Forward check box in the Action tab to make sure that any remote network or mobile user traffic to *.example2.com follows its normal egress path.
      [Figure: security-stack-pbf-action.png]
    7. Click OK to save your changes.
  6. Commit your changes locally to make them active in Panorama.
    You only have to perform this step if your configuration includes mobile users; skip this step if your configuration includes Prisma Access for remote networks only, with no mobile user configuration.
    1. Select Commit > Commit to Panorama.
    2. Make sure that the device groups, templates, and template stacks are part of the Commit Scope.
    3. Click OK to save your changes to the Commit Scope.
    4. Commit your changes.
  7. Commit and push your changes to make them active in Prisma Access.
    1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
    2. Select Prisma Access, then select Service Setup, Remote Networks, and Mobile Users.
      [Figure: multi-tenant-push-scope-selection.png]
    3. Click OK to save your changes to the Push Scope.
    4. Commit and Push your changes.
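The matching behaviour this procedure describes (Destination area processed before the URL area, Any in the URL area overriding the Destination area, wildcard URLs, the Forward check box, the port 80/8080/443 restriction, and the 100-rule and 2,000-wildcard limits) is easier to reason about when modeled. The following Python script is an added example written for this page, not Prisma Access or Panorama code. It models those documented behaviours over a constructed rule set mirroring this page's scenarios: a made-up Group Name "cloud-stack", a made-up internal HTTPS server at 10.1.1.10, and *.example2.com kept on its normal egress path. It assumes top-down, first-match rule ordering and IP/CIDR-only Source selectors (neither stated on the page), and matches URL entries against the HTTP Host or TLS SNI name.

```python
"""Model of the traffic forwarding (PBF) rule behaviour this page documents.
Added example, not Prisma Access or Panorama code. Assumptions not on the page:
rules are evaluated top down, first match wins; Source selectors are limited to
IP/CIDR or Any; *.domain wildcards match any name under that domain."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PBF_PORTS = {80, 8080, 443}      # traffic forwarding rules apply to these ports only
MAX_RULES = 100                  # documented maximum number of traffic forwarding rules
MAX_WILDCARD_URLS = 2000         # documented maximum of *.example.com style URLs
ANY = "any"

@dataclass
class ForwardingRule:
    name: str
    group: str                          # Group Name selected in the Action tab
    source: str = ANY                   # Source tab: IP/CIDR or Any
    destination: str = ANY              # Destination area: FQDN, IP/CIDR or Any
    urls: list = field(default_factory=list)  # URL area: "*", FQDNs, *.wildcards; [] = Any
    forward: bool = True                # Forward check box in the Action tab

@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    host: str = ""                      # HTTP Host or TLS SNI used for URL/FQDN matching

def host_matches(pattern: str, host: str) -> bool:
    """Match one URL-area entry (or an FQDN selector) against a host name."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):        # wildcard: any name under the domain
        return host.endswith(pattern[1:])
    return host == pattern

def address_matches(selector: str, ip: str, host: str = "") -> bool:
    """Match a Source/Destination selector: Any, an IP/CIDR, or an FQDN."""
    if selector.lower() == ANY:
        return True
    try:
        return ip_address(ip) in ip_network(selector, strict=False)
    except ValueError:                  # not an IP/CIDR, so treat it as an FQDN
        return host_matches(selector, host)

def evaluate(rules, flow):
    """Return (action, group, rule_name): 'forward' to the target's service
    connection, 'normal-egress' (rule with Forward deselected), 'not-pbf-port',
    or 'no-match'. Unmatched traffic egresses normally from the user's location."""
    if flow.dst_port not in PBF_PORTS:
        return ("not-pbf-port", None, None)
    for rule in rules:
        if not address_matches(rule.source, flow.src_ip):
            continue
        # The Destination area is processed first, but leaving the URL area at
        # Any overrides the Destination area and changes it to Any as well.
        destination = rule.destination if rule.urls else ANY
        if not address_matches(destination, flow.dst_ip, flow.host):
            continue
        if rule.urls and not any(host_matches(u, flow.host) for u in rule.urls):
            continue
        if rule.forward:
            return ("forward", rule.group, rule.name)
        return ("normal-egress", None, rule.name)
    return ("no-match", None, None)

def check_limits(rules, category_wildcards: int = 0):
    """Report limit violations; custom-category wildcards count toward the same limit."""
    problems = []
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules exceeds the maximum of {MAX_RULES}")
    wildcards = category_wildcards + sum(
        1 for r in rules for u in r.urls if u.startswith("*."))
    if wildcards > MAX_WILDCARD_URLS:
        problems.append(f"{wildcards} wildcard URLs exceeds the maximum of {MAX_WILDCARD_URLS}")
    return problems

# Constructed rule set mirroring the page's scenarios. "cloud-stack" is a made-up
# Group Name and 10.1.1.10 a made-up internal HTTPS server.
SAMPLE_RULES = [
    # Internal HTTPS: matched first so it never egresses from the service connection.
    ForwardingRule("keep-internal-https", "cloud-stack",
                   destination="10.1.1.10/32", urls=["*"], forward=False),
    # *.example2.com follows its normal egress path.
    ForwardingRule("example2-normal-egress", "cloud-stack",
                   urls=["*.example2.com"], forward=False),
    # All remaining HTTP/HTTPS traffic goes to the security stack.
    ForwardingRule("all-web-to-stack", "cloud-stack"),
]

if __name__ == "__main__":
    for f in (Flow("10.50.0.7", "93.184.216.34", 443, "www.example.com"),
              Flow("10.50.0.7", "198.51.100.20", 443, "portal.example2.com"),
              Flow("10.50.0.7", "10.1.1.10", 443, "intranet.corp.example"),
              Flow("10.50.0.7", "198.51.100.30", 22)):
        print(f"{f.dst_ip}:{f.dst_port} {f.host or '-'} -> {evaluate(SAMPLE_RULES, f)}")
    print("limits:", check_limits(SAMPLE_RULES) or "ok")
```

The order of the constructed rules matters under the first-match assumption: the internal-server exclusion and the *.example2.com exclusion sit above the catch-all rule, which is how the "configure another traffic forwarding rule ... and deselect Forward" guidance above takes effect. Swap a rule's URL area from ["*"] to an empty list (Any) and its Destination selection stops constraining it, which is the override the Destination tab guideline warns about.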
