Traffic Steering in Prisma Access
Learn about how traffic steering works with Prisma Access.
In standard Prisma Access deployments, a service connection
provides access to internal network resources, such as authentication
services and private apps in your headquarters or data center. Service
connections process internal traffic, where no internet access is
required. In some cases you might want to send internet-bound
traffic through the data center instead, for example so that it
passes through an inspection stack there before it leaves. Traffic
steering lets you redirect mobile user or remote network traffic to a
service connection before it is sent to the internet.
Traffic steering supports two action types:

Forward to the target—Use the criteria in traffic steering rules to forward internet-bound traffic through a target you create that uses one or more service connections.

Forward to the internet—Use the criteria in traffic steering rules to forward traffic directly from its source (mobile user location or remote network connection) to the internet, without passing through a service connection.
If you forward to a target, the service connections the target uses
can be of two types: dedicated and non-dedicated.
A service connection that carries only traffic steering-related
traffic is a dedicated service connection. To set a service
connection as dedicated, select Dedicated for Traffic Steering Only
when you Configure Traffic Steering in Prisma Access in Panorama.
You might want to configure a dedicated service connection if you use
a third-party security stack that sits outside your organization's
internal network to process traffic before it is sent to a public
SaaS application or the internet. Because the security stack is
not part of your organization's network, you don't want that service
connection to carry any internal network traffic; marking it dedicated
keeps internal traffic off it.
A service connection that carries both traffic steering traffic and
standard service connection traffic (such as traffic going to an
authentication server in the data center) is a non-dedicated
service connection.
Setting a service connection as dedicated changes your deployment
in the following ways:
Dedicated service connections do not participate in BGP routing,
either internally or externally.
If your dedicated service connection is configured for BGP, the BGP
status shows as Not Enabled when you open the status page, select a
region, then select the Status tab. To check the BGP status of a
service connection, open the service connections configuration page.
By default, the service connections apply source NAT to the
forwarded traffic. The source IP address is the User-ID Agent
Address of the service connection, which is taken from the
Infrastructure Subnet. As a consequence, a security stack behind a
dedicated service connection sees that single address rather than the
mobile user or remote network address, so any per-source policy or
logging on that stack cannot key on the original source IP.
You can disable source NAT and preserve your organization's source IP
addresses for the dedicated service connection; to do so, select
Disable Source NAT for Dedicated SC when you Add a target in the
Target Service Connections for Traffic Steering area. Traffic then
leaves the service connection with its original mobile user or remote
network source addresses, so the network behind the service connection
must have return routes to those addresses for the steered sessions to
complete.
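The rule evaluation, dedicated versus non-dedicated handling and source NAT behaviour described above, as an added Python model for working through a design. This is illustration written for this page, not Palo Alto Networks code or a Prisma Access API. The address ranges, connection and target names, and two details the page does not state (that unmatched internet-bound traffic egresses directly from Prisma Access, and that the first connection listed in a target carries the flow) are assumptions made for the example.

```python
"""Model of Prisma Access traffic steering decisions (added illustration, not vendor code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addressing for the example (assumptions, not values from the page):
# the Infrastructure Subnet, the data-center prefixes that service connections
# normally carry, and a mobile-user IP pool.
INFRA_SUBNET = ip_network("172.16.0.0/24")
INTERNAL_PREFIXES = [ip_network("10.0.0.0/8")]
MOBILE_USER_POOL = ip_network("192.168.100.0/24")


@dataclass
class ServiceConnection:
    name: str
    dedicated: bool          # "Dedicated for Traffic Steering Only"
    user_id_agent_ip: str    # taken from the Infrastructure Subnet; the source NAT address


@dataclass
class Target:
    name: str
    connections: List[ServiceConnection]
    disable_source_nat: bool = False   # "Disable Source NAT for Dedicated SC"


@dataclass
class SteeringRule:
    name: str
    sources: list               # mobile-user pool / remote-network prefixes the rule matches
    action: str                 # "target" (forward to the target) or "internet"
    target: Optional[Target] = None


@dataclass
class Decision:
    path: str                   # "internal-sc", "target" or "internet"
    via: Optional[str]          # service connection carrying the flow, if any
    egress_src: str             # source address the next hop sees


def is_internal(dst: str) -> bool:
    return any(ip_address(dst) in p for p in INTERNAL_PREFIXES)


def steer(src: str, dst: str, rules: List[SteeringRule],
          service_connections: List[ServiceConnection]) -> Decision:
    """First-match evaluation of steering rules for one flow."""
    if is_internal(dst):
        # Internal traffic never rides a dedicated service connection.
        candidates = [sc for sc in service_connections if not sc.dedicated]
        if not candidates:
            raise ValueError("no non-dedicated service connection for internal traffic")
        return Decision("internal-sc", candidates[0].name, src)
    for rule in rules:
        if not any(ip_address(src) in p for p in rule.sources):
            continue
        if rule.action == "internet":
            return Decision("internet", None, src)
        sc = rule.target.connections[0]   # assumption: first listed connection carries the flow
        if rule.target.disable_source_nat and sc.dedicated:
            return Decision("target", sc.name, src)                 # original source preserved
        return Decision("target", sc.name, sc.user_id_agent_ip)    # default: source NAT
    # Assumption: unmatched internet-bound traffic egresses directly from Prisma Access.
    return Decision("internet", None, src)


def return_routes_needed(target: Target, rules: List[SteeringRule]) -> List[str]:
    """Prefixes the network behind the target must be able to route back to."""
    routes = set()
    for sc in target.connections:
        if target.disable_source_nat and sc.dedicated:
            routes.update(str(p) for r in rules if r.target is target for p in r.sources)
        else:
            routes.add(f"{sc.user_id_agent_ip}/32")
    return sorted(routes)


def check_agent_ip(sc: ServiceConnection) -> bool:
    """The NAT address must come from the Infrastructure Subnet."""
    return ip_address(sc.user_id_agent_ip) in INFRA_SUBNET


# Constructed deployment: one data-center connection, one dedicated connection
# to a third-party inspection stack, referenced by a NAT and a no-NAT target.
DC_SC = ServiceConnection("dc-sc", dedicated=False, user_id_agent_ip="172.16.0.10")
STACK_SC = ServiceConnection("stack-sc", dedicated=True, user_id_agent_ip="172.16.0.20")
NAT_TARGET = Target("stack-nat", [STACK_SC])
NO_NAT_TARGET = Target("stack-no-nat", [STACK_SC], disable_source_nat=True)
SERVICE_CONNECTIONS = [DC_SC, STACK_SC]


def build_rules(target: Target) -> List[SteeringRule]:
    """Half the pool goes straight to the internet; the rest is steered to the target."""
    return [
        SteeringRule("saas-direct", [ip_network("192.168.100.0/25")], "internet"),
        SteeringRule("inspect-internet", [MOBILE_USER_POOL], "target", target),
    ]


if __name__ == "__main__":
    for t in (NAT_TARGET, NO_NAT_TARGET):
        rules = build_rules(t)
        for src, dst in (("192.168.100.5", "10.1.1.1"),
                         ("192.168.100.5", "203.0.113.7"),
                         ("192.168.100.200", "203.0.113.7")):
            print(t.name, src, "->", dst, steer(src, dst, rules, SERVICE_CONNECTIONS))
        print(t.name, "return routes needed:", return_routes_needed(t, rules))
```

Running the block shows the two consequences worth checking in a design review: with the default target the stack only ever sees 172.16.0.20 and needs a single return route, and with source NAT disabled it sees the mobile-user pool and must route the whole pool back.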