Use Traffic Steering to Forward Internet-Bound Traffic to Service Connections

Use traffic steering and default routing to steer internet-bound traffic to specific service connections.
Prisma Access allows you to create traffic steering rules that specify targets for internet-bound traffic from mobile users and remote network connections. You can redirect the traffic to a service connection before it is sent to the internet, or you can have it egress directly to the internet. This functionality is known as Traffic Steering.
Alternatively, you can configure Prisma Access to accept a default route from your CPE so that Prisma Access forwards internet-bound mobile user traffic to the best service connection in your deployment.
The following sections provide an overview of default routes and traffic steering, as well as the steps you take to configure them.

Default Routes

Starting with Prisma Access 1.7, you can configure Prisma Access to accept default routes being advertised from your CPE to service connections. You can use BGP or static routes to advertise the default route. Prisma Access uses BGP to advertise these routes over multiple service connections, which allows Prisma Access to route mobile user traffic through the best service connection for a given mobile user location. To enable service connections to accept default routes, select Accept Default Route over Service Connections when you configure global settings for service connections.
After you enable default routes, your internet-bound traffic will be steered to service connections instead of egressing from the mobile user locations. This functionality can be useful if you want to redirect internet-bound traffic to the data center; for example, if you have a third-party security stack in your data center and you want the stack to perform additional screening or inspection.
Use the following guidelines when implementing default routes:
  • Default routes apply to mobile user deployments only; remote network connections operate normally with no change when you enable default routes.
  • You do not need to specify target service connections or traffic steering rules when you allow default routes, although they are supported for use with default routes. See Traffic Steering Examples for examples of using default routes with traffic steering.
  • When you specify the Accept Default Route over Service Connections setting, all Prisma Access service connections, with the exception of dedicated service connections, accept default routes and use the routes in traffic forwarding decisions.
  • Before you enable this setting, make sure that your data centers are sending default routes; otherwise, routing through service connections will fail.
  • Palo Alto Networks recommends that all data centers advertise a default route; when Prisma Access receives the routes, it can then select the best service connection to use for the remote network location.
  • When you create service connections, use either static routes only or BGP only for the connections. Palo Alto Networks does not recommend mixing service connections that use BGP and static routes when using default routes.
  • Using default routes is supported with multi-tenant deployments.
  • Prisma Access does not forward Clientless VPN, portal, or gateway SAML authentication traffic to a public identity provider (IdP) using the default route.
For more information and examples of implementing default routes with traffic steering, see Traffic Steering Examples.

Traffic Steering

In standard Prisma Access deployments, a service connection provides access to internal network resources, such as authentication services and private apps in your headquarters or data center. Service connections process internal traffic, where no internet access is required. In some cases, you might want to redirect internet-bound traffic to the data center. Traffic steering allows you to redirect mobile user or remote network traffic to a service connection before being sent to the internet.
You can use traffic steering with mobile user deployments, remote network deployments, or a combination of both. Use traffic steering to direct internet-bound network traffic based on many criteria including IP addresses, URLs, Custom URL categories, service type (HTTP or HTTPS), User-ID, Dynamic Address Groups (DAGs) and IP-based External Dynamic Lists (EDLs).
Traffic steering is not supported with multi-tenant deployments.
There are two action types supported with traffic steering:
  • Forward to the target: Use the criteria in traffic steering rules to forward internet-bound traffic through a target you create that uses one or more service connections.
  • Forward to the internet: Use the criteria in traffic steering rules to forward traffic directly from its source (mobile user location or remote network connection) to the internet, without forwarding it to a service connection.
If you forward to a target, you can create two types of target groups: dedicated and non-dedicated.
  • A service connection that is used only for traffic steering-related traffic is a dedicated service connection. To set a service connection to be used as a dedicated service connection, select Dedicated for PBF Only when you configure traffic steering in Panorama.
    You might want to configure a dedicated service connection if you use a third-party security stack that is outside of your organization’s internal network to process traffic before it is sent to a public SaaS application or the internet. Because the security stack is not a part of your organization’s network, you don’t want this service connection to process any internal network traffic.
  • A service connection that is used for traffic steering and for standard service connection-related traffic (such as traffic going to an authentication server in the data center) is a non-dedicated service connection.
Setting a service connection as a dedicated service connection causes the following changes to your deployment:
  • The service connections apply source NAT to the forwarded traffic. The source IP address is the EBGP Router address of the service connection (Panorama > Cloud Services > Status > Network Details > Service Connection > EBGP Router), which is taken from the Infrastructure Subnet (Panorama > Cloud Services > Status > Network Details > Service Infrastructure).
  • The zone for all service connections associated with this target changes from Trust to Untrust. Check your zone mapping and security policies to make sure that your network reflects this change.
  • Service connections that are configured as dedicated service connections do not participate in BGP routing, either internally or externally.
  • If your dedicated service connection uses BGP, the BGP status shows as Not Enabled when you open the status page (Panorama > Cloud Services > Status > Monitor > Service Connection), select a region, and then select the Status tab. To check the BGP status of a service connection, check the service connection configuration page (Panorama > Cloud Services > Configuration > Service Connection).

Traffic Steering Requirements

Before you implement traffic steering in your Prisma Access deployment, make sure that your network environment has the following infrastructure requirements:
  • Prisma Access must be able to connect to the IPSec-capable CPE (such as a router or SD-WAN device) that your organization uses to terminate the service connection, and the IP address for the device must be reachable from Prisma Access.
    You create a service connection using standard IPSec and IKE cryptographic profiles between the stack location and Prisma Access. You can use static routes, BGP, or a combination of both when you create a service connection and use traffic steering. If you use default routes with traffic steering, Palo Alto Networks recommends that you use either BGP only or static routes only. If you use static routing, specify the public IP address used by the organization’s CPE as the Peer Address when you create an IKE gateway.
  • Prisma Access might not match the first few packets of a URL in a policy-based forwarding rule, which means that the first few packets of a network session (for example, a TCP handshake) might not match the rule. Palo Alto Networks recommends that, for URLs that you use in traffic steering rules, you create a security policy rule to allow them through the Untrust zone so that the handshake can complete when a new session begins.
  • If you are using this configuration with a security stack, the stack location must be reachable from the service connection by a standard IPSec tunnel configuration.
Use the following guidelines when configuring traffic steering:
  • You can specify up to 1,000 URLs (aggregated) in a traffic steering configuration, including wildcard (*.example.com) URLs.
    This number includes manually entered URLs, wildcard URLs, and URLs that are entered in a custom URL category.
  • Prisma Access prepends an asterisk to URLs in custom URL categories, if you use this category in a traffic steering forwarding rule. If you use the same URL category policies for both traffic steering and other security policy rules, these changes apply to both the traffic steering rules and other security policy rules.
    If you have custom URL categories that are not used in traffic steering forwarding rules, Prisma Access does not change the URLs in those categories.
  • Use all lower-case URLs when you enter URLs in a traffic forwarding rule and when you add URLs in a custom URL category.
  • You can configure a maximum of 100 traffic forwarding rules.
  • Traffic steering is not supported in a multi-tenant deployment.
  • If you have primary and backup tunnels configured, traffic steering using policy-based forwarding rules will not work after a failover from the primary (active) to the backup tunnel. Default routing works in a failover scenario with primary and backup tunnels.

Traffic Steering Examples

The following sections describe different types of traffic steering deployments.

Default Route Example

The following example shows a sample Prisma Access deployment with the following components:
  • Two Prisma Access mobile user locations; one in the United States (US) and one in Europe (EU).
  • Two Prisma Access service connections; one in the US and one in the EU, with both data centers sending default routes to the service connections (Accept Default Route over Service Connections is enabled).
  • Two data centers; one in the US and one in the EU.
    Each data center has a 3rd-party security stack; for this reason, you want all internet-bound traffic to go through the data center before egressing to the internet.
When a mobile user sends data center traffic, Prisma Access checks its routing tables, determines the closest service connection, and forwards the traffic to that service connection. In the following example, Prisma Access sends data center traffic from the mobile users in the US to Service Connection and traffic from the mobile users in the EU to Service Connection 2.
Use non-dedicated service connections with default routes; dedicated service connections do not participate in BGP routing, so they cannot receive BGP advertisements from the HQ or data center.
traffic-steering-default-route-example.png
To enable default routes, select Accept Default Route over Service Connections when you configure traffic steering settings. After you configure this setting and commit and push your changes, Prisma Access sends internet-bound traffic over the service connections.
traffic-steering-accept-default-routes.png

Default Routes with Traffic Steering Direct to Internet Example

The following example shows how to use more granular control for external SaaS application-bound traffic. In this case, you want Office 365 traffic to egress to the internet directly from the mobile user location, instead of sending it to the data center for further processing. Use traffic steering along with default routes for this configuration.
traffic-steering-default-route-direct-to-internet.png
To allow Prisma Access to route Office 365 traffic directly to the internet, perform the following actions:
  • Create an EDL (Objects > External Dynamic Lists) with IP addresses that match the Office 365 addresses.
  • Create a Custom URL category (Objects > Custom Objects > URL Category) with URLs that match the Office 365 URLs.
  • Create traffic forwarding rules and specify the EDL and URL category you created as destination match criteria with an Action of Forward to the internet.
This configuration sends Office 365 traffic directly to the internet, while other internet-bound traffic is sent to the data center for further processing before egressing to the internet.
traffic-steering-forward-to-internet.png

Default Routes with Traffic Steering and Dedicated Service Connection Example

In this example, in addition to the previous configuration, you have a third-party internet security service, and you want to send traffic from box.com to be processed by the security service before egressing to the internet. You do not want to send any other internet-bound traffic to the security service; for this reason, you create a dedicated service connection for the box.com traffic. After your configuration is complete, Prisma Access sends *.box.com destination traffic to the stack.
traffic-steering-default-route-three-traffic-paths.png
To enable this deployment, you perform the following actions in the Traffic Steering tab:
  • Create a Target Service Connection group that assigns one or more service connections to the target and select Dedicated for PBF Only, which makes the target service connection or connections dedicated.
    If you create a target with more than one service connection, Prisma Access chooses the best service connection to forward the internet-bound traffic.
    traffic-steering-example-target-service-connection.png
  • Create a policy-based forwarding rule that forwards traffic to the URL. The following screenshot shows the traffic destination being assigned a wildcard URL *.box.com.
    traffic-steering-example-pbf-rule.png
  • Set the Action in the forwarding rule to Forward to the target and specify the target group name you created (dedicated in this case).
    traffic-steering-forward-to-internet-2.png

Traffic Forwarding Rule Guidelines

Traffic steering can process a wide variety of possible configurations; however, it is important to understand how Prisma Access processes rules, so you can create rules that are easy to maintain and manage. To help you create the rules that work best for your deployment, follow these guidelines:
  • Prisma Access evaluates rules in the order that you create them (from top to bottom). Specify more specific rules at the top and more general rules at the bottom.
  • Palo Alto Networks recommends that you create multiple rules with fewer matching criteria, instead of creating fewer rules with multiple types of criteria. Creating simpler rules both speeds up rule creation and makes it easier to modify a rule.
  • Since you cannot move a rule up or down in a list after you create it, carefully plan your rule order before you create the rules.
  • Rules that specify Any source address and User, Any destination, URL, and URL Category, and Any service are not supported. Use more specific rules; for example, specify a rule with Any source or destination traffic and a service of service-http and service-https.
  • You can specify destination IP addresses, URLs, and URL categories in the same rule. If you do, Prisma Access uses a logical OR to process the destination criteria in the rule, but processes the URL and URL category traffic based on TCP ports 80 and 8080 for HTTP and TCP port 443 for HTTPS.
    For a rule with IP addresses, URLs, and URL categories, traffic matches the rule if either the IP address, the URL, or the URL category matches, but Prisma Access processes the URL and URL category traffic based on ports 80, 443, and 8080 only. Palo Alto Networks does not recommend creating a rule of this type; instead, create simpler rules.
For example, you want to enforce the following rules for your network traffic:
  • You have an internal HTTP server with an IP address of 10.1.1.1 in the data center, and you want to direct internal HTTP and HTTPS traffic to this server.
    Traffic to this server should not go to the internet and should be processed internally; therefore, choose a non-dedicated target for this traffic, because this type of target processes both internal and internet-bound traffic.
  • You want office365.com traffic to be routed directly to the internet.
  • You want traffic from *.example.com or any traffic defined in a custom URL category of custom-social-networking to be routed to a dedicated connection.
  • You want any other HTTP and HTTPS traffic to use the same non-dedicated service connection target as that used for the internal HTTP server.
For this example, create the rules from the most specific to the least specific, as shown in the following screenshot. Do not add the rule that allows all HTTP and HTTPS traffic first, or Prisma Access would direct all HTTP and HTTPS traffic to the non-dedicated connection without evaluating any of the other rules.
traffic-steering-rule-examples.png
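The rule-ordering example above, as an added Python model that is not code from the Prisma Access documentation or product: a first-match evaluator that encodes the guidelines in this section (top-to-bottom evaluation, destination IP, URL and URL category combined with a logical OR, URL criteria matched only on TCP ports 80, 8080 and 443, and rejection of the unsupported Any/Any/Any rule), loaded with the four example rules. Rule names, the target group names non-dedicated and dedicated, the contents of the constructed custom-social-networking category, and the sample flows are assumptions made for the example.

```python
"""First-match traffic steering rule evaluator (added example, not
Prisma Access code). Models the rule-processing guidelines described
above so that rule order can be dry-run before rules are created in
Panorama, where they cannot be reordered afterwards."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

HTTP_PORTS = {80, 8080}
HTTPS_PORTS = {443}
URL_PORTS = HTTP_PORTS | HTTPS_PORTS

# Constructed custom URL category, standing in for an
# Objects > Custom Objects > URL Category entry.
CUSTOM_URL_CATEGORIES = {
    "custom-social-networking": ["social.example.net", "*.feed.example.org"],
}

@dataclass
class Rule:
    name: str
    action: str                        # "forward-to-target" or "forward-to-internet"
    target: Optional[str] = None       # target group name for forward-to-target
    dst_ips: list = field(default_factory=list)         # CIDR strings
    urls: list = field(default_factory=list)            # example.com / *.example.com
    url_categories: list = field(default_factory=list)
    services: set = field(default_factory=lambda: {"any"})  # service-http / service-https / any

@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    host: str = ""   # HTTP Host or TLS SNI; empty for non-web traffic

def host_matches(pattern: str, host: str) -> bool:
    """Match a hostname against a URL entry; both the bare and the *. form
    also match subdomains, which is the behaviour the page describes."""
    base = pattern[2:] if pattern.startswith("*.") else pattern
    return host == base or host.endswith("." + base)

def validate(rule: Rule) -> None:
    """Reject the Any-destination / Any-service rule the page says is unsupported."""
    if not (rule.dst_ips or rule.urls or rule.url_categories) and rule.services == {"any"}:
        raise ValueError(f"rule {rule.name!r}: Any/Any/Any rules are not supported")

def service_matches(rule: Rule, flow: Flow) -> bool:
    if "any" in rule.services:
        return True
    return (("service-http" in rule.services and flow.dst_port in HTTP_PORTS)
            or ("service-https" in rule.services and flow.dst_port in HTTPS_PORTS))

def destination_matches(rule: Rule, flow: Flow) -> bool:
    """IP, URL and URL-category criteria are OR'ed; a rule with no
    destination criteria matches any destination."""
    if not (rule.dst_ips or rule.urls or rule.url_categories):
        return True
    ip = ipaddress.ip_address(flow.dst_ip)
    if any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in rule.dst_ips):
        return True
    # URL and URL-category criteria are only evaluated on the web ports.
    if flow.host and flow.dst_port in URL_PORTS:
        if any(host_matches(p, flow.host) for p in rule.urls):
            return True
        for cat in rule.url_categories:
            if any(host_matches(p, flow.host) for p in CUSTOM_URL_CATEGORIES.get(cat, [])):
                return True
    return False

def evaluate(rules: list, flow: Flow) -> tuple:
    """Return (rule name, disposition) of the first matching rule, or
    ("<no-match>", "default-route") when no rule matches."""
    for rule in rules:
        validate(rule)
        if service_matches(rule, flow) and destination_matches(rule, flow):
            disp = "internet" if rule.action == "forward-to-internet" else f"target:{rule.target}"
            return rule.name, disp
    return "<no-match>", "default-route"

# The four rules from the example above, ordered from most to least specific.
EXAMPLE_RULES = [
    Rule("internal-http-server", "forward-to-target", target="non-dedicated",
         dst_ips=["10.1.1.1/32"], services={"service-http", "service-https"}),
    Rule("office365-direct", "forward-to-internet", urls=["office365.com"]),
    Rule("social-to-stack", "forward-to-target", target="dedicated",
         urls=["*.example.com"], url_categories=["custom-social-networking"]),
    Rule("all-other-web", "forward-to-target", target="non-dedicated",
         services={"service-http", "service-https"}),
]

def shadowed_rules(rules: list, flows: list) -> list:
    """Names of rules that no sample flow ever reaches: the symptom of
    creating the broad catch-all rule above the specific ones."""
    hit = {evaluate(rules, f)[0] for f in flows}
    return [r.name for r in rules if r.name not in hit]

if __name__ == "__main__":
    # Constructed sample flows (documentation IP ranges, made-up hostnames).
    flows = [Flow("10.1.1.1", 443, "intranet.corp.example"),
             Flow("203.0.113.10", 443, "outlook.office365.com"),
             Flow("198.51.100.7", 80, "www.example.com"),
             Flow("198.51.100.8", 8080, "api.feed.example.org"),
             Flow("192.0.2.5", 443, "saas.example.net"),
             Flow("192.0.2.9", 22, "")]
    for f in flows:
        print(f.host or f.dst_ip, f.dst_port, "->", evaluate(EXAMPLE_RULES, f))
    print("shadowed with catch-all first:",
          shadowed_rules([EXAMPLE_RULES[-1]] + EXAMPLE_RULES[:-1], flows))
```

Running the file prints the disposition of each sample flow and then the three rules that are never reached once the catch-all HTTP/HTTPS rule is placed at the top; because rules cannot be moved after creation, this kind of dry run is worth doing before the rules are entered in Panorama.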

Zone Mapping and Security Policies for Dedicated Connections

If you create a target that uses a dedicated service connection, the zone for the dedicated service connection changes from Trust to Untrust (non-dedicated service connection targets do not change their zones). Since you cannot create zones or configure zone mapping for service connections, you make the zone mapping and security policy changes for dedicated service connections in the mobile user and remote network templates and device groups instead. Complete the following steps to configure zone mapping for dedicated connections.
These steps show a sample configuration; you can tailor this example to suit your deployment.
  1. Select Network > Zones.
  2. Select the correct Template from the drop-down list (either Mobile_User_Template for mobile users or Remote_Network_Template for remote networks).
    If you have both a mobile user and a remote network deployment, you need to perform these steps twice; once in the Mobile_User_Template and once in the Remote_Network_Template.
  3. Add two zones for your trusted and untrusted zones.
    This example creates two zones called Trust and Untrust.
    traffic-steering-create-zones.png
    security-stack-create-zones-2.png
  4. Create default policies for the zones you created.
    1. Select Policies > Security > Post Rules.
    2. Select the correct Device Group from the drop-down list (either Mobile_User_Device_Group for mobile users or Remote_Network_Device_Group for remote networks).
      If you have both a mobile user and a remote network deployment, you need to perform these steps twice; once in the Mobile_User_Device_Group and once in the Remote_Network_Device_Group.
    3. Add a default policy to use for Trust zone-to-Trust zone traffic.
      This policy allows Any traffic to pass for all Source, User, Destination, Application, and Service/URL Category traffic.
      traffic-steering-trust-to-trust.png
    4. Add a default policy to use for Trust zone-to-Untrust zone traffic, using the same parameters you used for the Trust-to-Trust policy.
      When complete, you have two security policies, one for Trust-to-Trust traffic and one for Trust-to-Untrust traffic.
      traffic-steering-policies.png
  5. Define Zone Mapping for the remote networks, mobile users, or both, as required for your deployment.
    1. Open the zone mapping settings for the remote networks, mobile users, or both.
      • For mobile users, select Panorama > Cloud Services > Configuration > Mobile Users.
      • For remote networks, select Panorama > Cloud Services > Configuration > Remote Networks.
    2. Click the gear icon next to Zone Mapping to edit the settings.
      traffic-steering-set-zone-mapping.png
    3. Set the Zone Mapping for your deployment, moving the zone for trusted traffic to the Trusted Zones and the zone for untrusted traffic to the Untrusted Zones; then, click OK.
      traffic-steering-zone-mapping.png

Configure Traffic Steering

Configure traffic steering for your deployment by completing the following steps.
  1. (Existing traffic forwarding deployments only) If you were using rules to forward traffic to service connections before Cloud Services plugin 1.7 was released, make a note of the changes that Prisma Access applies after you upgrade the plugin.
    • For URLs in rules, including URLs in custom URL categories, Prisma Access makes the following changes during the upgrade to 1.7:
      • Prisma Access no longer supports URLs with wildcards using the format *example.com, *fqdn.example.com, or fqdn.example.*. If you have any URLs in this format, Prisma Access notes them after the upgrade and asks you to change them.
      • Prisma Access prepends existing URLs in rules with *. For example, Prisma Access changes a URL of example.com to *.example.com, which means that example.com, www.example.com, and fqdn.example.com all match a URL entry of example.com.
      • Prisma Access prepends an asterisk to URLs in custom URL categories if you use this category in a traffic steering forwarding rule. If you use the same URL category for both traffic steering and other security policy rules, these changes apply to both the traffic steering rules and the other security policy rules.
        If you have custom URL categories that are not used in traffic steering forwarding rules, Prisma Access does not change the URLs in those categories.
      • For existing URLs in rules with wildcards, Prisma Access adds a URL with no wildcards. For example, for a URL of *.example.com, Prisma Access adds a URL of example.com so that example.com matches as well as www.example.com and fqdn.example.com.
      • Prisma Access adds service-http and service-https in the Service tab to URLs. Prisma Access continues to use only TCP ports 80 and 8080 for HTTP and TCP port 443 for HTTPS to process URLs.
      • Prisma Access moves custom URL categories from the URL area to the URL Category area.
    • Service connections that are part of a traffic forwarding target group with the configuration set to Dedicated for PBF only no longer participate in static and BGP routing. You must ensure that there are no routable networks behind the service connections that are included in this type of target group.
  2. Onboard your service connections, mobile users and remote networks, as applicable to your deployment.
  3. Select Panorama > Cloud Services > Configuration > Traffic Steering.
  4. (Optional, mobile user deployments only) Allow Prisma Access to accept and install the default route advertised over one or more service connections from the CPE by clicking the gear icon to open the Settings and selecting Accept Default Route over Service Connections.
    traffic-steering-accept-default-routes.png
    Default routes have specific guidelines that you must follow when using them; for example, default routes are supported for mobile user deployments only and have no effect on remote network deployments. Be sure to review these guidelines before implementing default routes with traffic steering.
  5. (Optional) Create a target group and assign a service connection to it.
    1. In the Target Service Connections for Traffic Forwarding area, Add a group and give it a Group Name.
    2. Add a Target for the traffic, specifying the Service Connection to use with the target; then, click OK.
      You can specify multiple service connections for a single target as long as they are in different locations, and Prisma Access will select the best service connection to use. However, a given service connection can only exist in one target; you cannot add a single service connection to two different targets.
      traffic-steering-target-service-connections.png
    3. Choose whether to make the service connections associated with this target dedicated service connections.
      • You can use a dedicated service connection to steer traffic to a third-party security stack or cloud that is not on your premises and does not need to participate in routing. To set a service connection to be used as a dedicated service connection, select Dedicated for PBF Only.
        Dedicated service connections change their zones; see Traffic Steering for details.
      • Deselect Dedicated for PBF Only if you will send both normal service connection-related traffic and traffic steering traffic through the service connection; with this choice, the zone for the service connection remains Trust.
  6. Create rules for the target you created and apply them to the target.
    1. In the Traffic Forwarding Rules area, Add a traffic forwarding rule.
    2. In the General tab, Name the traffic forwarding rule.
    3. In the Source tab, specify rules for source traffic.
      • In the Source Address field, specify one or more of the following objects, or select Any to have traffic from any source go to this target:
      • In the Source User field, specify rules for source user traffic. You can specify the following user information:
        • Users
          Enter users in either the domain/user or the user@domain format.
        • User groups
          Use full distinguished names (DNs) when entering user groups.
        • Users configured on Panorama (Device > Local User Database > Users)
        • User groups configured on Panorama (Device > Local User Database > User Groups)
      If you use address objects, DAGs, EDLs, users, or user groups, specify them as Shared to share them with all device groups in Prisma Access.
      Prisma Access automatically populates users from the mobile users device group only.
    4. In the Destination tab, specify the following values:
      • In the Destination area, specify one of the following criteria, or select Any to have traffic processed by the rules in the URL and URL Category fields:
        Leave Any selected to pass all traffic to be processed by the rules in the URL and URL Category areas. If you specify rules in the Destination, URL, and URL Category areas, Prisma Access processes the rules in the following order:
        1. Destination
        2. URL
      • In the URL area, enter URLs. Enter URLs in all lower case. Prisma Access uses only TCP ports 80 and 8080 for HTTP and TCP port 443 for HTTPS to process URLs.
        You can use wildcards with URLs. The following wildcard formats are supported:
        • *.example.com
        • *.fqdn.example.com
        The following formats are not supported:
        • *example.com
        • *fqdn.example.com
        • fqdn.example.*
        URLs entered in the URL area for traffic forwarding rules do not use the same URL pattern matching that is used by next-generation firewalls. Instead, they use the pattern matching described in the following table.
        URL Entered in URL Area      URL Matches the Following Patterns
        example.com                  example.com, www.example.com, *.example.com
        *.example.com                example.com, www.example.com, *.example.com
        fqdn.example.com             fqdn.example.com, www.fqdn.example.com, *.fqdn.example.com
        *.fqdn.example.com           fqdn.example.com, www.fqdn.example.com, *.fqdn.example.com
      • In the URL Category field, enter a custom URL category (Objects > Custom Objects > URL Category). When you create a custom URL category, enter URLs in all lower case. Traffic steering supports custom URL categories only.
        Wildcards for URL categories follow next-generation firewall guidelines. If you create a URL Category, make sure that you configure it as Shared.
      Use the following guidelines when configuring destination options:
      • Selecting Any in the URL area of the Destination tab overrides any selections you make in the Destination area and changes those selections to Any.
      • If you specify a URL or URL category, Prisma Access only matches HTTP and HTTPS traffic, even when the service is set to Any.
      traffic-steering-pbf-rules-destination.png
    5. In the Service tab, specify a service type.
      Specify service-http to forward HTTP traffic and service-https to forward HTTPS traffic. Select Any to forward traffic of any service type.
    6. In the Action tab, select the Target Group Name that you want to apply to the traffic forwarding rule.
    7. Forward traffic to the specified service connection target, or send the traffic directly to the internet without going through the service connection.
      • To have Prisma Access forward traffic to a service connection target, select Forward to the target; then select the Target Group Name.
      • To have Prisma Access forward traffic directly to the internet without first sending it to a service connection, select Forward to the internet.
      traffic-steering-pbf-rules-action.png
    8. Click OK to save your changes.
  7. (Optional) Specify additional traffic steering rules.
    Prisma Access processes multiple rules in the order that you create them (from top to bottom).
  8. Commit your changes locally to make them active in Panorama.
    You only have to perform this step if your configuration includes mobile users; skip this step if your configuration only includes Prisma Access for remote networks with no mobile user configuration.
    1. Select Commit > Commit to Panorama.
    2. Make sure that the device groups, templates, and template stacks are part of the Commit Scope.
    3. Click OK to save your changes to the Push Scope.
    4. Commit your changes.
  9. Commit and push your changes to make them active in Prisma Access.
    1. Select Commit > Commit and Push, then Edit Selections in the Push Scope.
    2. Select Prisma Access, then select Service Setup, Remote Networks, and Mobile Users.
      multi-tenant-push-scope-selection.png
    3. Click OK to save your changes to the Push Scope.
    4. Commit and Push your changes.
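The URL handling described in step 1 (the plugin 1.7 upgrade changes to URLs in rules) and in the URL pattern table under step 6, as an added Python example that is not code from the Prisma Access documentation or product. It classifies rule URL entries against the supported and unsupported wildcard formats, applies the same bare/wildcard twinning the upgrade performs, and matches hostnames the way the table describes, so a URL list can be checked before it is entered in Panorama. Function names and the sample URL list are assumptions made for the example.

```python
"""Traffic forwarding rule URL validation, normalisation and matching
(added example, not Prisma Access code). Encodes the URL rules stated
in this procedure: lower-case entries, only *.domain wildcards, bare and
*. forms treated as equivalent, and both forms matching subdomains."""
import re

# Supported entries: a lower-case domain name, optionally prefixed with "*.".
_SUPPORTED = re.compile(r"^(\*\.)?(?:[a-z0-9-]+\.)+[a-z0-9-]+$")

def classify_url(url: str) -> str:
    """Return 'bare', 'wildcard' or 'unsupported' for a rule URL entry.
    *example.com, *fqdn.example.com and fqdn.example.* are the unsupported
    formats the page lists; upper case is also rejected because the page
    requires all lower-case URLs."""
    if not _SUPPORTED.match(url):
        return "unsupported"
    return "wildcard" if url.startswith("*.") else "bare"

def normalize_rule_urls(urls: list) -> tuple:
    """Apply the 1.7 upgrade transformation: every bare URL gains a *. twin
    and every *. URL gains a bare twin, so both forms are present.
    Unsupported entries are returned separately for the administrator to
    fix, mirroring the upgrade flagging them. Returns (normalized, unsupported)."""
    out, bad = [], []
    for url in urls:
        kind = classify_url(url)
        if kind == "unsupported":
            bad.append(url)
            continue
        base = url[2:] if kind == "wildcard" else url
        for form in (base, "*." + base):
            if form not in out:
                out.append(form)
    return out, bad

def url_matches(entry: str, host: str) -> bool:
    """Pattern matching as described in the URL table: both 'example.com'
    and '*.example.com' match example.com, www.example.com and any other
    *.example.com name. This differs from next-generation firewall URL
    matching, which the page says does not apply here."""
    if classify_url(entry) == "unsupported":
        raise ValueError(f"unsupported URL format: {entry}")
    base = entry[2:] if entry.startswith("*.") else entry
    host = host.lower().rstrip(".")
    return host == base or host.endswith("." + base)

if __name__ == "__main__":
    # Constructed sample of a pre-1.7 rule's URL list.
    sample = ["example.com", "*.fqdn.example.com", "*example.com", "Box.COM", "fqdn.example.*"]
    good, bad = normalize_rule_urls(sample)
    print("normalized:", good)
    print("needs attention:", bad)
    for host in ["example.com", "www.example.com", "fqdn.example.com", "notexample.com"]:
        print(host, "matches entry example.com:", url_matches("example.com", host))
```

The matcher deliberately refuses unsupported entries instead of guessing at them, which is the same posture the upgrade takes when it flags such URLs for the administrator to change.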
