When the IPsec Tunnels are active from the
site to the Prisma Access Regions, the next step is to modify policies
to send traffic down these tunnels. To begin this process, we must modify
Service and Data center groups and configure these groups in policy.
When making policy configurations, remember that the ION devices make
intelligent per-app path selections using the network policies, chaining
multiple path options together in Active-Active and Active-Backup modes.
Example:
- Application A: Take Standard VPN direct to Prisma Access.
- Application B: Take Standard VPN direct to Prisma Access, with backup
to Direct Internet.
- Application C: Use only Direct Internet.
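The following is an added example, not Prisma SD-WAN's own code or API: a simplified model of the per-app Active-Active / Active-Backup selection described above, using the three applications from the list. The path names, the policy table and the path-state input are constructed assumptions; the point it shows is that an application whose only configured path is the Prisma Access tunnel fails closed when that tunnel is down, while Application B falls back to Direct Internet only because its policy explicitly lists that backup.

```python
"""Simplified model of per-application path selection (added example).
Not Prisma SD-WAN's implementation: path names, the policy table and the
path-state dictionary are constructed for this demonstration."""
from dataclasses import dataclass, field

PRISMA_ACCESS_VPN = "standard-vpn-to-prisma-access"   # constructed path name
DIRECT_INTERNET = "direct-internet"                   # constructed path name


@dataclass
class AppPolicy:
    app: str
    active: list                                # usable concurrently (Active-Active)
    backup: list = field(default_factory=list)  # used only if every active path is down


# Policy table mirroring the three applications in the text (constructed).
POLICY = [
    AppPolicy("Application A", active=[PRISMA_ACCESS_VPN]),
    AppPolicy("Application B", active=[PRISMA_ACCESS_VPN], backup=[DIRECT_INTERNET]),
    AppPolicy("Application C", active=[DIRECT_INTERNET]),
]


def select_paths(app: str, path_up: dict) -> list:
    """Return the paths a flow for `app` may use given the current path state.

    Active-Active: every 'active' path that is up is eligible.
    Active-Backup: the 'backup' list is consulted only when no active path is up.
    An application with no eligible path gets an empty list, i.e. it fails
    closed instead of silently leaving the branch via an unapproved path.
    """
    policy = next((p for p in POLICY if p.app == app), None)
    if policy is None:
        return []                       # no explicit policy: do not forward
    eligible = [p for p in policy.active if path_up.get(p, False)]
    if eligible:
        return eligible
    return [p for p in policy.backup if path_up.get(p, False)]


def failover_report(path_up: dict) -> dict:
    """Map every application to its eligible paths for the given path state."""
    return {p.app: select_paths(p.app, path_up) for p in POLICY}


if __name__ == "__main__":
    healthy = {PRISMA_ACCESS_VPN: True, DIRECT_INTERNET: True}
    vpn_down = {PRISMA_ACCESS_VPN: False, DIRECT_INTERNET: True}
    print(failover_report(healthy))   # all three apps have a path
    print(failover_report(vpn_down))  # Application A gets [], B falls back
```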
The Prisma SD-WAN secure Application Fabric (AppFabric) enables granular
controls for a virtually unlimited number of policy permutations, down to
the sub-application level. Here are some of the most common examples of
how a traffic policy can be configured per application:
- Send all internet-bound traffic from a set of branches to Prisma Access.
(Blanket Suspect list)
- Send all internet traffic direct to the internet except for certain
applications needing additional inspection or security.
(Suspect list - Safelist)
- Send all internet-bound traffic from a set of branches to Prisma Access
except for specific known applications. (Suspect list - Safelist)
In order to modify application policy, the following steps should be
performed. They are detailed in the following sections: