If you have a deployment where the HQ and
remote network location(s) are directly connected over a WAN link
and each of these locations is secured by Prisma Access, to ensure
optimal routing (with eBGP) you must:
Add a static
route to the eBGP router address. In addition to the default route
that sends all traffic to Prisma Access, you must add a static route locally
on the IPSec-capable device or router at the remote network(s).
Filter the routes that are advertised from the IPSec capable
device or router at HQ to the eBGP peers at other directly connected
locations. As a best practice, configure the BGP router at HQ to
only advertise routes that you want to allow across the WAN link;
you ensure that the eBGP router at HQ does not advertise the routes
it learns from Prisma Access to other remote network location(s)
secured by Prisma Access. In this example, the eBGP router at HQ
only advertises routes that employees from the branch office will
need to connect to the servers (subnets) at HQ.
following illustration shows a retail business with two paths to
the servers at the HQ location. One path is a WAN link that provides
direct connectivity for employees accessing servers at HQ, and the
other path secures traffic generated by other users at this location.
For example, traffic generated by customers accessing the retailer’s
website over Wifi or using the kiosk at the branch office to check
inventory. This traffic is sent through the tunnel to the remote
network and on to HQ.
Configure the routes that you want to advertise to another directly
connected location over the WAN link.
In this example, you need to configure this on the at HQ
location. If you have an on-premises Palo Alto Networks firewall
at the edge of the WAN link, you can set up route redistribution and configure which
BGP routes to export on