Prisma Access Traffic Steering Rule Guidelines
Learn about the guidelines you need to follow when you configure Prisma Access traffic steering.
Traffic steering accepts a wide variety of configurations; however, it is important to understand how Prisma Access processes rules so that you can create rules that are easy to maintain and manage. To help you create the rules that work best for your deployment, follow these guidelines:
  • Prisma Access evaluates rules in the order that you create them (from top to bottom). Specify more specific rules at the top and more general rules at the bottom.
  • Create multiple rules with fewer matching criteria, instead of creating fewer rules with multiple types of criteria. Creating simpler rules both speeds up rule creation and makes it easier to modify a rule.
  • Since you cannot move a rule up or down in a list after you create it, carefully plan your rule order before you create the rules.
  • Rules that specify Any source address and user, Any destination address and URL category, and Any service are not supported. Use more specific rules; for example, a rule with Any source and destination but a service of service-http and service-https is valid.
  • If you specify users in the Source User field and the same username exists for a user who authenticates locally and a user who authenticates through LDAP, make sure Prisma Access can tell them apart: authenticate LDAP users in the format domain/username and local users in the format username (without the domain name). Otherwise a rule written for one of the two users can match the other.
  • If you have configured an on-premises next-generation firewall as a master device, you can auto-populate user and group information for mobile user device groups in traffic steering and security policy rules by selecting Panorama > Cloud Services > Configuration > Mobile Users, clicking the gear icon to edit the Settings, and selecting the Master Device in the Device Group area. While this populates the master device in every device group, it only populates the user and group information for mobile users in security policy rules.
  • If a traffic steering rule references an EDL of type IP List and the EDL's source URL is changed to a URL that is not reachable, Prisma Access may continue to use the IP list cached from the previous URL, so the rule can keep matching the old addresses. Confirm that the new source URL is reachable before you change it.
  • If you have configured an application override policy for TCP ports 80 or 443, Prisma Access bypasses traffic steering for rules with a service of HTTP or HTTPS, and traffic steering does not work for URLs in URL categories referenced in a traffic steering rule.
  • You can specify destination IP addresses and URL categories in the same rule. If you do, Prisma Access applies a logical OR to the destination criteria: traffic matches the rule if either the destination IP address or the URL category matches. URL and URL-category matching, however, is performed only on TCP ports 80 and 8080 for HTTP and TCP port 443 for HTTPS, so traffic to a categorized site on any other port can match only by IP address. Palo Alto Networks does not recommend creating a rule of this type; instead, create simpler rules.
For example, you want to enforce the following rules for your network traffic:
  • You have an internal HTTP server in the data center with an IP address of 10.1.1.1, and you want to direct internal HTTP and HTTPS traffic to this server.
    Traffic to this server should not go to the internet and should be processed internally; therefore, choose a non-dedicated service connection target for this traffic, because this type of target processes both internal and internet-bound traffic.
  • You want office365.com traffic to be routed directly to the internet.
  • You want traffic from *.example.com or any traffic defined in a custom URL category of custom-social-networking to be routed to a dedicated connection.
  • You want any other HTTP and HTTPS traffic to use the same non-dedicated service connection target as that used for the internal HTTP server.
For this example, create the rules from the most specific to the least specific, as shown in the following screenshot. Do not create the rule that steers all HTTP and HTTPS traffic first: because rules are evaluated top to bottom and cannot be reordered later, Prisma Access would direct all HTTP and HTTPS traffic to the non-dedicated connection without evaluating any of the other rules.
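The following Python model is an added example, not Prisma Access code or a Palo Alto Networks tool. It simulates the first-match, top-to-bottom evaluation described in these guidelines with the four rules from the example above, and also models the mixed IP-and-URL-category rule (logical OR, with URL-category matching restricted to TCP 80, 8080 and 443). Rule field names, the steering target names, the `Flow` fields and all sample IP addresses and hostnames are assumptions constructed for the example; the `shadowed` check is a deliberately simplified lint that only flags rules placed after a catch-all with no destination criteria.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Sequence, Tuple

# Ports on which URL and URL-category criteria are evaluated, per the guideline text.
URL_PORTS = frozenset({80, 8080, 443})
HTTP = frozenset({80, 443})  # service-http + service-https


@dataclass(frozen=True)
class Flow:
    """One connection as seen by the steering engine (constructed fields, not a real record)."""
    dst_ip: str
    dst_port: int
    host: str = ""                                 # SNI / Host header, "" when unknown
    categories: FrozenSet[str] = frozenset()       # URL categories the host resolves to


@dataclass(frozen=True)
class Rule:
    """A traffic steering rule; empty criteria mean 'Any'. Field names are assumed."""
    name: str
    target: str                                    # steering target name (assumed)
    dst_ips: Tuple[str, ...] = ()                  # CIDR strings
    url_patterns: Tuple[str, ...] = ()             # fnmatch-style host patterns, e.g. "*.example.com"
    categories: FrozenSet[str] = frozenset()       # URL categories (custom or predefined)
    ports: FrozenSet[int] = frozenset()            # service ports
    users: Tuple[str, ...] = ()                    # source users

    def has_dst_criteria(self) -> bool:
        return bool(self.dst_ips or self.url_patterns or self.categories)

    def matches(self, f: Flow) -> bool:
        # The service criterion must hold before any destination criterion is considered.
        if self.ports and f.dst_port not in self.ports:
            return False
        if not self.has_dst_criteria():            # Any destination
            return True
        ip_hit = any(ip_address(f.dst_ip) in ip_network(c) for c in self.dst_ips)
        # URL and category criteria are only evaluated on the HTTP/HTTPS ports named in the text.
        url_hit = f.dst_port in URL_PORTS and (
            any(fnmatch(f.host, p) for p in self.url_patterns)
            or bool(self.categories & f.categories)
        )
        return ip_hit or url_hit                   # logical OR between IP and URL-type criteria


def is_supported(rule: Rule) -> bool:
    """The all-Any rule (Any source, Any destination, Any service) is rejected by the guidelines."""
    return bool(rule.users or rule.has_dst_criteria() or rule.ports)


def steer(rules: Sequence[Rule], flow: Flow) -> Optional[str]:
    """First-match evaluation from top to bottom; returns the target of the first matching rule."""
    for rule in rules:
        if not is_supported(rule):
            raise ValueError(f"rule {rule.name!r}: Any source, destination and service is not supported")
        if rule.matches(flow):
            return rule.target
    return None


def shadowed(rules: Sequence[Rule]) -> List[str]:
    """Simplified lint: a rule with no destination criteria shadows every later rule whose service set it covers."""
    names = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.has_dst_criteria():
                continue
            if not earlier.ports or (later.ports and later.ports <= earlier.ports):
                names.append(later.name)
                break
    return names


# The four rules from the example, most specific first. Target names are assumed.
EXAMPLE_RULES = (
    Rule("internal-http-server", "sc-non-dedicated", dst_ips=("10.1.1.1/32",), ports=HTTP),
    Rule("office365-direct", "internet-direct", url_patterns=("office365.com", "*.office365.com"), ports=HTTP),
    Rule("dedicated-sites", "dedicated", url_patterns=("*.example.com",),
         categories=frozenset({"custom-social-networking"}), ports=HTTP),
    Rule("other-web", "sc-non-dedicated", ports=HTTP),   # catch-all: Any destination, HTTP/HTTPS only
)

# A mixed IP + URL-category rule with service Any, to show the port restriction on category matching.
MIXED_RULE = Rule("mixed", "dedicated", dst_ips=("192.0.2.0/24",), categories=frozenset({"custom-social-networking"}))

# Constructed sample flows (documentation IP ranges, invented hostnames).
SAMPLE_FLOWS = (
    Flow("10.1.1.1", 443),
    Flow("203.0.113.10", 443, "outlook.office365.com"),
    Flow("203.0.113.20", 443, "www.example.com"),
    Flow("198.51.100.5", 443, "feed.social.example.net", frozenset({"custom-social-networking"})),
    Flow("198.51.100.5", 443, "www.other.example.net"),
)

if __name__ == "__main__":
    for label, rules in (("specific first", EXAMPLE_RULES), ("catch-all first", EXAMPLE_RULES[::-1])):
        print(f"{label}: shadowed rules = {shadowed(rules)}")
        for f in SAMPLE_FLOWS:
            print(f"  {f.dst_ip}:{f.dst_port} {f.host or '-'} -> {steer(rules, f)}")
```

With the catch-all placed first, `shadowed` reports the three specific rules and every sample flow lands on the non-dedicated target, which is the failure the guideline warns about; `MIXED_RULE` only steers category traffic on ports 80, 8080 and 443, while traffic to its IP range matches on any port.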