Use Groups in Network Policy Rules
Let's see how to use groups in network policy rules.
Before you can use a Standard VPN in
a policy rule, you need to define service endpoint groups. Each
group can have one or more Prisma SD-WAN data centers or Standard
VPN service endpoints. A group will be used in policy rules. The
domain defining the mappings for endpoints to groups must be assigned
to a site for the policy rules using the group to be effective.
For more information, refer to Managing Services and Data Center
Groups.
Four combinations of active/backup
groups can be used in policies. You may select one Prisma
SD-WAN group or one non-Prisma SD-WAN group as the active or backup
path in a policy. For example:
| Active Group | Backup Group | Example |
|---|---|---|
| Standard VPN | Prisma SD-WAN | Internet-bound SSL traffic from a branch site will transit through the Cloud Security Service. In the event all Standard VPN paths to any of the endpoints in the primary Cloud Security Service group are unavailable, internet-bound SSL traffic will transit through one of the Prisma SD-WAN data center endpoints assigned to that group via the Prisma SD-WAN VPN. |
| Prisma SD-WAN | Standard VPN | Internet-bound SSL traffic from a branch site will transit through one of the Prisma SD-WAN data center endpoints assigned to that group via the Prisma SD-WAN VPNs. In the event all Prisma SD-WAN VPNs to all of the data center endpoints in the group are unavailable, internet-bound SSL traffic will transit through the Cloud Security Service via one of the Standard VPN paths to any of the endpoints in the Standard VPN group. |
| Standard VPN | Standard VPN | Internet-bound SSL traffic from a branch site will transit through the primary cloud security service via one of the Standard VPN paths to any of the endpoints in the primary cloud security service group. In the event all Standard VPNs are down to all endpoints in the primary group, the internet-bound SSL traffic will transit through the backup cloud security service via one of the Standard VPN paths to the endpoints that are part of the backup group. |
| Prisma SD-WAN | Prisma SD-WAN | Internet-bound SSL traffic from a branch site will transit through one of the Prisma SD-WAN data center endpoints assigned to the active group via the VPNs. In the event all Prisma SD-WAN VPNs to all of those endpoints are down, internet-bound SSL traffic will transit through one of the Prisma SD-WAN data center endpoints assigned to the backup group via the Prisma SD-WAN VPNs. |
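The active/backup selection described in the table, as an added Python model that is not Prisma SD-WAN code: each group holds endpoints of one kind, the rule prefers any active endpoint with a path up, falls back to the backup group, and has no effect at a site the endpoint-to-group domain is not assigned to. Class, function and endpoint names are illustrative assumptions.

```python
# Added example, not Prisma SD-WAN code. Models how a network policy rule
# picks a service endpoint from its active/backup groups. Names are assumed.
from dataclasses import dataclass, field

PRISMA = "Prisma SD-WAN"        # group of Prisma SD-WAN data center endpoints
STANDARD_VPN = "Standard VPN"   # group of Standard VPN (cloud security service) endpoints


@dataclass
class Endpoint:
    name: str
    kind: str            # PRISMA or STANDARD_VPN
    paths_up: int = 0    # VPN paths currently available to this endpoint


@dataclass
class Group:
    name: str
    kind: str
    endpoints: list = field(default_factory=list)


def validate_rule(active, backup):
    """Return a list of problems with the rule's groups; empty means valid.

    Each slot names exactly one group, and a group holds only endpoints of
    its own kind (Prisma SD-WAN data centers or Standard VPN endpoints).
    """
    problems = []
    for slot, group in (("active", active), ("backup", backup)):
        if group.kind not in (PRISMA, STANDARD_VPN):
            problems.append(f"{slot} group kind {group.kind!r} is unknown")
        for ep in group.endpoints:
            if ep.kind != group.kind:
                problems.append(f"{slot} group {group.name}: {ep.name} is "
                                f"{ep.kind}, not {group.kind}")
    return problems


def select_path(active, backup, domain_sites, site):
    """Return the (group, endpoint) that traffic from `site` transits, or None.

    The rule only takes effect at sites the domain mapping endpoints to groups
    is assigned to. The active group is preferred; the backup group is used
    only when no path to any active endpoint is available.
    """
    if site not in domain_sites:
        return None           # domain not assigned: the group rule is not effective
    for group in (active, backup):
        for ep in group.endpoints:
            if ep.paths_up > 0:
                return (group.name, ep.name)
    return None               # no path to any endpoint in either group
```

Running the selector with the active endpoints progressively marked down shows the failover order, and omitting the site from the domain's assignment shows the rule silently not applying.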