Prisma Access for No Default Route Networks

Learn about using Prisma Access for no default route networks.
Where Can I Use This?
  • Prisma Access
What Do I Need?
  • Prisma Access license

What Is a No Default Route Network?

A no default route network is a network that does not have a default route configured. Because there is no default route, the network drops packets destined for unknown destinations. Enterprises often use no default route networks to restrict access for their users. If a device on a no default route network needs to reach a certain destination (IP address or subnet), the administrator must manually configure a route for that destination. Enterprises also require restricted and secure internet access for the users, servers, and devices on a no default route branch network.
There are a few reasons why someone might want to configure a no default route network:
  • Improve security: because packets to unknown destinations are dropped, a compromised endpoint on the network cannot send malicious or DDoS traffic to arbitrary outbound destinations.
  • Improve the performance of routing devices by reducing the number of routes to process.
  • Implement routing policies that meet the specific needs of users by configuring specific routes for specific destinations.

No Default Route Network Considerations

When securing internet traffic from a no default route network, enterprises must carefully identify the users, endpoints, servers, and devices in the branch network that could be talking to the internet.
A no default route branch can contain devices with a variety of operating systems, multiuser or shared endpoints such as VDIs, and headless devices such as servers and IoT devices. Internet traffic from all of these devices requires security. It's critical to have a solution that covers all of these use cases, provides flexibility with different connectivity methods, and offers a unified platform to consistently secure internet access regardless of the type of device.

Deployment Recommendations for Securing Internet Access for No Default Route Networks

If you have a no default route network, here is our recommendation to secure internet traffic:
Devices                        Recommendation
Windows, macOS                 GlobalProtect Agent in Proxy mode
ChromeOS, VDIs                 Agentless PAC files
iOS, Android                   Agentless PAC files
Linux                          Agentless PAC files
Servers                        Agentless PAC files
IoT Devices (Proxy aware)      Agentless PAC files
IoT Devices (Proxy unaware)    Remote Networks (IPSec)

Key Considerations

When deploying GlobalProtect in a no default route network, consider these points:
  • Add a route on the perimeter device to route the users' internet traffic to the Prisma Access Explicit Proxy IP address.
  • Host the PAC file internally and have it forward the IdP URL and the Prisma Access portal URL to the explicit proxy, so that GlobalProtect can connect to the Portal and the IdP.
  • Add internal DNS records that resolve the Explicit Proxy, PAC file, and Prisma Access portal FQDNs if the DNS server in the no default route network can't resolve external FQDNs.
  • Configure DNAT to translate the internal Prisma Access Explicit Proxy IP address and Prisma Access Portal IP address to the real Explicit Proxy IP address and Portal IP address.
For PAC-based (agentless) deployments, there is no need to forward the Prisma Access portal URL to the explicit proxy, nor to exclude it from the authentication settings in the Prisma Access explicit proxy settings.
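An internally hosted PAC file of the kind the GlobalProtect considerations above call for, as an added example that is not from the Prisma Access documentation. The proxy, portal, IdP and internal domain names are placeholders; the internal proxy name is assumed to be the address the perimeter device DNATs to the real Explicit Proxy.

```javascript
// Added example PAC file for a GlobalProtect-in-proxy-mode branch with no default route.
// Not from the Prisma Access documentation; every name and address below is a placeholder.

// Internal name for the Explicit Proxy (placeholder); the perimeter device DNATs it to the
// real Explicit Proxy IP address, so the branch only needs an internal route to it.
var EXPLICIT_PROXY = "PROXY proxy.example.internal:8080";

// External names GlobalProtect must reach through the explicit proxy to connect:
// the IdP and the Prisma Access portal (placeholders).
var PROXIED_HOSTS = ["idp.example.com", "portal.example.com"];

// Internal DNS suffix (placeholder). The PAC server and the proxy itself live here and
// must be reached directly, never via the proxy.
var INTERNAL_SUFFIX = ".example.internal";

function hasSuffix(host, suffix) {
  return host.length > suffix.length && host.slice(-suffix.length) === suffix;
}

// Literal RFC 1918 addresses are reachable over the branch's own routes, so never proxy them.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || (a === 192 && b === 168) || (a === 172 && b >= 16 && b <= 31);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // 1. Plain hostnames, literal private addresses and the internal domain stay on the LAN.
  //    This covers the PAC server and the proxy itself.
  if (host.indexOf(".") === -1 || isPrivateIPv4(host) || hasSuffix(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }
  // 2. The IdP and the portal (and their subdomains) are explicitly sent to the proxy,
  //    which is the documented requirement for GlobalProtect to authenticate and connect.
  for (var i = 0; i < PROXIED_HOSTS.length; i++) {
    if (host === PROXIED_HOSTS[i] || hasSuffix(host, "." + PROXIED_HOSTS[i])) {
      return EXPLICIT_PROXY;
    }
  }
  // 3. Everything else also goes to the proxy: with no default route, a DIRECT fallback
  //    would simply be dropped at the perimeter, so there is deliberately none.
  return EXPLICIT_PROXY;
}
```

Browsers and GlobalProtect evaluate FindProxyForURL per request; the rules are ordered so that internal names are matched before any external one.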