Use Service Endpoint Groups in Policies
Table of Contents
Expand all | Collapse all
-
-
- Configure Circuits
- Configure Internet Circuit Underlay Link Aggregation
- Configure Private WAN Underlay Link Quality Aggregation
- Configure Circuit Categories
- Configure Device Initiated Connections for Circuits
- Add Public IP LAN Address to Enterprise Prefixes
- Manage Data Center Clusters
- Configure a Site Prefix
- Configure a DHCP Server
- Configure NTP for Prisma SD-WAN
- Enable IoT Device Visibility in Prisma SD-WAN
- Configure the ION Device at a Branch Site
- Configure the ION Device at a Data Center
- Switch a Site to Control Mode
- Allow IP Addresses in Firewall Configuration
-
- Configure a Controller Port
- Configure Internet Ports
- Configure WAN/LAN Ports
- Configure a Loopback Interface
- Prisma SD-WAN Standard VPN
- Configure a PoE Port
- Configure and Monitor LLDP Activity and Status
- Configure a PPPoE Interface
- Configure a Layer 3 LAN Interface
- Configure Application Reachability Probes
- Configure a Secondary IP Address
- Configure a Static ARP
- Configure a DHCP Relay
- Configure IP Directed Broadcast
- VPN Keep-Alives
-
- Configure Prisma SD-WAN IPFIX
- Configure IPFIX Profiles and Templates
- Configure and Attach a Collector Context to a Device Interface in IPFIX
- Configure and Attach a Filter Context to a Device Interface in IPFIX
- Configure Global and Local IPFIX Prefixes
- Flow Information Elements
- Options Information Elements
- Configure the DNS Service on the Prisma SD-WAN Interface
- Configure SNMP
-
-
- Prisma SD-WAN Branch Routing
- Prisma SD-WAN Data Center Routing
-
- Configure Multicast
- Create a WAN Multicast Configuration Profile
- Assign WAN Multicast Configuration Profiles to Branch Sites
- Configure a Multicast Source at a Branch Site
- Configure Global Multicast Parameters
- Configure a Multicast Static Rendezvous Point (RP)
- Learn Rendezvous Points (RPs) Dynamically
- View LAN Statistics for Multicast
- View WAN Statistics for Multicast
- View IGMP Membership
- View the Multicast Route Table
- View Multicast Flow Statistics
- View Routing Statistics
- Prisma SD-WAN Incident Policies
-
- Prisma SD-WAN Branch HA Key Concepts
- Configure Branch HA
- Configure HA Groups
- Add ION Devices to HA Groups
- View Device Configuration of HA Groups
- Edit HA Groups and Group Membership
-
- Configure Branch HA with Gen-1 Platforms (2000, 3000, 7000, and 9000)
- Configure Branch HA with Gen-2 Platforms (3200, 5200, and 9200)
- Configure Branch HA with Gen-2 Embedded Switch Platforms (1200-S or 3200-L2)
- Configure Branch HA for Devices with Software Cellular Bypass (1200-S-C-5G)
- Configure Branch HA for Platforms without Bypass Pairs
- Prisma SD-WAN Clarity Reports
-
- Native SASE Integration with Prisma SD-WAN
- Connect a Single Prisma SD-WAN Site to Prisma Access
- Connect Multiple Prisma SD-WAN Sites to Prisma Access
- Edit Application Policy Network Rules
- Understand Service and Data Center Groups
- Verify Standard VPN Endpoints
- Configure Standard Groups
- Assign Domains to Sites
- Prisma SD-WAN Incidents and Alerts
Use Service Endpoint Groups in Policies
Learn more about the use of service endpoint groups in
policies.
You must define service endpoint groups
before using a standard VPN in a policy rule. Each group can have
one or more
Prisma SD-WAN
data centers or standard service endpoints.
A group is used in policy rules. You must bind domain to sites to
define mappings for endpoints to groups groups.
This ensures the policy rules using the group is effective.If you choose standard VPN as a path to allow traffic to transit
through a standard endpoint, you must have a standard service and
DC group defined with the appropriate endpoints associated.
There can be four combinations of active or backup
groups that can be used in policies. You can select only one Palo
Alto Networks group or one non-Palo Alto Networks group as an active
or backup path in policies. The following table explains the combinations
of the active or backup groups in policies.
Active Group | Backup Group | Example |
|---|---|---|
Standard | Palo Alto Networks | Internet-bound SSL traffic from a branch site
transits through the Cloud Security Service. If all standard VPN paths
to any of the endpoints are not available, internet-bound SSL traffic transits
through one of the Prisma SD-WAN data center endpoints assigned
to that group using the Palo Alto Networks VPN. |
Palo Alto Networks | Standard | Internet-bound SSL traffic from a branch site
transits through one of the Prisma SD-WAN data center endpoints
assigned to that group using the Palo Alto Networks VPNs. If all
Palo Alto Networks VPNs to all of the data center endpoints in that group
are unavailable, internet-bound SSL traffic transits through the
Cloud Security Service using one of the standard VPN paths to any
of the endpoints in the standard group. |
Standard | Standard | Internet-bound SSL traffic from a branch site
transits through the primary Cloud Security Service using one of
the standard VPN paths to any of the endpoints in the primary Cloud Security
Service group. If all standard VPNs are down to all endpoints in
the primary group, the internet-bound SSL traffic transits through
the backup Cloud Security Service using one of the standard VPN
paths to the endpoints that are part of the backup group. |
Palo Alto Networks | Palo Alto Networks | Internet-bound SSL traffic from a branch site
transits through one of the Prisma SD-WAN data center endpoints
assigned to the active group using the Palo Alto Networks VPNs.
If all Palo Alto Networks VPNs to all of those endpoints are down, internet-bound
SSL traffic transits through one of the Prisma SD-WAN data center
endpoints assigned to the backup group using the Palo Alto Networks
VPNs. |