Service and Data Center Groups

Palo Alto Networks maps third-party services and data centers to allow flexibility when creating network policy rules that must account for differences across sites. For example, you may create a single network policy that directs all HTTP and SSL internet-bound traffic through the primary cloud security service in the region, if available. If the primary cloud service is not available, you may leverage the backup cloud security service in the region. You may have different primary and backup cloud security service endpoints based on your geographic location. The intent and the policy rules remain the same regardless of the site location.
The illustration below displays how endpoints, added to a group, are associated with a domain.
The domains are bound to a site, thus uniquely mapping third-party services or data centers to each site. You can map a group, with different endpoints, to one or more domains and map a domain to one or more sites.
A site can use only the endpoints configured in a group within a domain that is assigned to the site. The same group, however, can be in multiple domains with different service endpoints, which allows you to use the same policy across different sites utilizing different endpoints.
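A conceptual model of the mapping described above, added here as an illustration; it is not Palo Alto Networks code and does not reflect the product's API or configuration format. The group, domain, site and endpoint names are constructed, and the model assumes each site is bound to a single domain.

```python
# Conceptual model only: not the product's API or configuration schema.
# All group, domain, site and endpoint names are constructed sample data.

# domain -> group -> endpoints mapped to that group within the domain
DOMAINS = {
    "emea": {
        "primary-cloud-sec": ["css-london"],
        "backup-cloud-sec": ["css-frankfurt"],
    },
    "amer": {
        "primary-cloud-sec": ["css-newyork"],
        "backup-cloud-sec": ["css-dallas"],
    },
    "lab": {
        "primary-cloud-sec": ["css-lab"],  # no backup group mapped here
    },
}

# Assumption: each site is bound to exactly one domain.
SITE_DOMAIN = {"paris-branch": "emea", "austin-branch": "amer", "test-site": "lab"}

# One policy for every site: ordered group names, primary first.
POLICY_GROUPS = ["primary-cloud-sec", "backup-cloud-sec"]


def endpoints_for(site, group):
    """Endpoints a site may use for a group: only those in the site's domain."""
    domain = SITE_DOMAIN[site]
    return DOMAINS[domain].get(group, [])


def resolve(site, available):
    """Return (group, endpoint) for the first reachable endpoint, else None."""
    for group in POLICY_GROUPS:
        for endpoint in endpoints_for(site, group):
            if endpoint in available:
                return group, endpoint
    return None  # nothing usable: the caller decides how to handle the traffic


if __name__ == "__main__":
    up = {"css-london", "css-frankfurt", "css-newyork", "css-dallas", "css-lab"}
    for site in SITE_DOMAIN:
        print(site, "all up ->", resolve(site, up))
    # Primary outages: each site falls back only within its own domain.
    print("paris-branch ->", resolve("paris-branch", up - {"css-london"}))
    print("test-site ->", resolve("test-site", up - {"css-lab"}))
```

The `test-site` case resolves to nothing when its only endpoint is down, even though backup endpoints exist in other domains, which is the scoping the section describes.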
