Traffic Steering Requirements

Describes the requirements you need to deploy traffic steering.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license
Before you implement traffic steering in your Prisma Access deployment, make sure that your network environment has the following infrastructure requirements:
  • Prisma Access must be able to connect to the IPSec-capable CPE (such as a router or SD-WAN device) that your organization uses to terminate the service connection, and the IP address for the device must be reachable from Prisma Access.
    You create a service connection using standard IPSec and IKE cryptographic profiles between the stack location and Prisma Access. You can use static routes, BGP, or a combination of both when you configure a service connection and use traffic steering. If you use default routes with traffic steering, Palo Alto Networks recommends that you use either BGP only or static routes only. If you use static routing, specify the public IP address used by the organization’s CPE as the Peer Address when you create an IKE gateway.
  • Prisma Access might not match the first few packets of a URL from a URL category in a traffic steering rule, which means that the first few packets of a network session (for example, a TCP handshake) might not match the rule. Palo Alto Networks recommends that, for URLs you use in traffic steering rules, you create a security policy rule to allow them through the Untrust zone so that the handshake can complete when a new session begins.
  • If you are using this configuration with a security stack, the stack location must be reachable from the service connection by a standard IPSec tunnel configuration.
Use the following guidelines when configuring traffic steering:
  • You can specify up to 1,000 URLs (aggregated) in a traffic steering configuration, including regular and wildcard (*.example.com) URLs in custom URL categories.
    This number includes manually entered URLs, wildcard URLs, and URLs that are entered in a custom URL category.
  • Prisma Access prepends an asterisk to URLs in custom URL categories, if you use this category in a traffic steering rule. If you use the same URL category policies for both traffic steering and other security policy rules, these changes apply to both the traffic steering rules and other security policy rules.
    If you have custom URL categories that are not used in traffic steering rules, Prisma Access does not change the URLs in those categories.
  • Use all lower-case URLs when you enter URLs in a traffic forwarding rule and when you add URLs in a custom URL category.
  • You can configure a maximum of 100 traffic forwarding rules.
  • If you have primary and backup tunnels configured, traffic steering using traffic steering rules will not work after a failover from the primary (active) to the backup tunnel. Default Routes With Prisma Access Traffic Steering works in a failover scenario with primary and backup tunnels.
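
The limits and URL guidelines above can be checked before a configuration is committed. The following Python lint is an added example, not Palo Alto Networks code: the input layout, the function name lint_steering, and the way URLs are counted toward the aggregate are assumptions made for illustration.

```python
# Added example: pre-deployment lint for a planned traffic steering configuration.
# The input layout (dicts below) is hypothetical, not a Prisma Access export format.
MAX_URLS = 1000    # aggregated URL limit stated on this page
MAX_RULES = 100    # traffic forwarding rule limit stated on this page

def lint_steering(rules, categories, security_policy_categories):
    """Return a list of finding strings; an empty list means no issue was found.

    rules: list of {"name": str, "urls": [str], "categories": [str]}
    categories: {category_name: [url, ...]} for custom URL categories
    security_policy_categories: set of category names used by other security rules
    """
    findings = []
    if len(rules) > MAX_RULES:
        findings.append(f"rule count {len(rules)} exceeds {MAX_RULES}")

    used = []  # categories referenced by steering rules, in first-seen order
    for rule in rules:
        for cat in rule.get("categories", []):
            if cat not in categories:
                findings.append(f"{rule['name']}: unknown category {cat!r}")
            elif cat not in used:
                used.append(cat)

    # Assumption: each manual entry counts once per rule, each category entry
    # once per category, however many rules reference that category.
    entries = [(r["name"], u) for r in rules for u in r.get("urls", [])]
    entries += [(c, u) for c in used for u in categories[c]]
    if len(entries) > MAX_URLS:
        findings.append(f"aggregated URL count {len(entries)} exceeds {MAX_URLS}")

    for owner, url in entries:
        if url != url.lower():
            findings.append(f"{owner}: URL {url!r} is not all lower-case")

    # Categories used for steering get an asterisk prepended to their URLs, and
    # that change also applies to any other security rule using the category.
    for cat in used:
        if cat in security_policy_categories:
            findings.append(f"{cat}: shared with security policy, URLs will be modified")
    return findings

# Constructed sample input.
SAMPLE_RULES = [{"name": "steer-saas", "urls": ["*.example.com", "Portal.example.net"],
                 "categories": ["finance-apps"]}]
SAMPLE_CATEGORIES = {"finance-apps": ["pay.example.org"], "unused": ["x.example.org"]}

if __name__ == "__main__":
    for finding in lint_steering(SAMPLE_RULES, SAMPLE_CATEGORIES, {"finance-apps"}):
        print(finding)
```

The shared-category finding is the one to review most closely, because a category reused in an allow rule matches more broadly once its URLs carry the prepended asterisk.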