Edit Application Network Path Policy Rules
Focus
Focus

Edit Application Network Path Policy Rules

Table of Contents

Edit Application Network Path Policy Rules

Lets see how to edit application network path policy rules in Prisma SD-WAN Azure CloudBlade integration.
Once the CloudBlade configures the appropriate Standard objects within Prisma SD-WAN and Azure, the administrator can reference the path (Standard VPN) and service group (Azure) within application network policies. The ION devices will make intelligent per-app path selections using the network policies to chain multiple path options together in Active-Active and Active-Backup modes.
Example:
Application A: Take Standard VPN to Azure as the only path option.
Application B: Active Standard VPN to Azure; Backup Prisma SD-WAN VPN
Application C: Active Prisma SD-WAN VPN; Backup Standard VPN to Azure
The Prisma SD-WAN secure Application Fabric (AppFabric) enables granular controls for virtually unlimited number of policy permutations down to the sub-application level. Below is an example of how to configure a path policy rule to use the Standard VPN to Azure. For a more in-depth description of how to configure path policies, Standard groups, and domains, refer to the Prisma SD-WAN.
From Stacked Policies, select the Path tab, and choose a policy set of interest.Within the policy set, click add policy rule and define the following - Name, destination prefixes or apps of interest (or a combination of both apps and prefixes), active and backup paths, and service and DC group.
We will use a destination prefix-based rule in this example since we have already defined a path prefix representing all of our Azure subnets. Also, we will only use a Standard VPN path to the Standard Azure group. If the Standard VPN goes down, traffic destined to any of those prefixes will have no available paths. We could have specified alternate active or backup paths such as the Prisma SD-WAN VPN to the Data Center site(s).
If Standard VPN is used in a network policy, then you must have a Standard Services and DC Group defined in the policy for the traffic to transit through that group. If not, traffic will be black-holed.
If Required is selected, traffic will always transit through the Services and DC Group. If not selected, traffic may or may not transit through the Services and DC Group as per the paths allowed.