Use Service Endpoint Groups in Policies
Learn more about the use of service endpoint groups in
policies.
You must define service endpoint groups before using a standard VPN in a policy rule. Each group can contain one or more Prisma SD-WAN data centers or standard service endpoints, and it is the group, not the individual endpoint, that a policy rule references.
To define the mapping of endpoints to groups, you must bind a domain to the sites. Without that binding, a policy rule that references the group has no endpoints to resolve to and is not effective at those sites.
If you choose standard VPN as a path to allow traffic to transit through a standard endpoint, you must have both a standard service group and a data center (DC) group defined, each with the appropriate endpoints associated.
Four combinations of active and backup groups can be used in policies. In each of the active and backup slots you select a single group, which is either a Palo Alto Networks group (Prisma SD-WAN data centers reached over the Palo Alto Networks VPN) or a non-Palo Alto Networks group (standard service endpoints reached over standard VPN). The following table explains the combinations and the failover behavior of each; note that failover to the backup group happens only when every VPN path to every endpoint in the active group is down, not when a single endpoint or path fails.
Active Group | Backup Group | Example |
Standard | Palo Alto Networks | Internet-bound SSL traffic from a branch site transits through the Cloud Security Service over one of the standard VPN paths. If no standard VPN path to any endpoint in the standard group is available, the traffic transits through one of the Prisma SD-WAN data center endpoints assigned to the Palo Alto Networks group using a Palo Alto Networks VPN. |
Palo Alto Networks | Standard | Internet-bound SSL traffic from a branch site transits through one of the Prisma SD-WAN data center endpoints assigned to the Palo Alto Networks group using a Palo Alto Networks VPN. If all Palo Alto Networks VPNs to all data center endpoints in that group are unavailable, the traffic transits through the Cloud Security Service using one of the standard VPN paths to any endpoint in the standard group. |
Standard | Standard | Internet-bound SSL traffic from a branch site transits through the primary Cloud Security Service using one of the standard VPN paths to any endpoint in the primary Cloud Security Service group. If all standard VPNs to all endpoints in the primary group are down, the traffic transits through the backup Cloud Security Service using one of the standard VPN paths to an endpoint in the backup group. |
Palo Alto Networks | Palo Alto Networks | Internet-bound SSL traffic from a branch site transits through one of the Prisma SD-WAN data center endpoints assigned to the active group using a Palo Alto Networks VPN. If all Palo Alto Networks VPNs to all endpoints in the active group are down, the traffic transits through one of the Prisma SD-WAN data center endpoints assigned to the backup group using a Palo Alto Networks VPN. |
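The following is an added example that models the active/backup selection described in the table; it is not Prisma SD-WAN code and calls no Prisma SD-WAN API. The class names (Endpoint, Group), the helper select_path, the group kinds "standard" and "panw", and the endpoint and path names are all invented for illustration, and the per-path VPN state is constructed inline. The point it makes concrete is the failover condition: the backup group is used only when every VPN path to every endpoint in the active group is down.

```python
from dataclasses import dataclass, field

# Hypothetical model of the active/backup group failover described in the
# table above. Names are invented for illustration; this is not Prisma SD-WAN
# code and does not call any Prisma SD-WAN API.

STANDARD = "standard"   # group of standard service endpoints (e.g. a Cloud Security Service)
PANW = "panw"           # group of Prisma SD-WAN data centers (Palo Alto Networks VPN)


@dataclass
class Endpoint:
    name: str
    # Per-path VPN state from the branch to this endpoint, keyed by a
    # constructed path label. For a standard endpoint these are standard
    # VPNs; for a data center endpoint they are Palo Alto Networks VPNs.
    paths: dict = field(default_factory=dict)

    def up_paths(self):
        """Labels of the VPN paths to this endpoint that are currently up."""
        return [label for label, up in self.paths.items() if up]


@dataclass
class Group:
    name: str
    kind: str                                   # STANDARD or PANW
    endpoints: list = field(default_factory=list)

    def reachable(self):
        """Endpoints in the group with at least one VPN path currently up."""
        return [e for e in self.endpoints if e.up_paths()]


def select_path(active, backup=None):
    """Return (group name, VPN kind, endpoint name, path label) for the path
    a policy rule would use, or None when neither group has a usable path.

    The backup group is consulted only after every endpoint in the active
    group has lost every VPN path, which is the failover condition the
    table describes. A single failed endpoint or path does not trigger it.
    """
    for group in (active, backup):
        if group is None:
            continue
        for endpoint in group.reachable():
            return (group.name, group.kind, endpoint.name, endpoint.up_paths()[0])
    return None


def example_standard_active_panw_backup(active_vpns_up=True):
    """First row of the table: a standard active group with a Palo Alto
    Networks backup group. active_vpns_up toggles the last remaining
    standard VPN path to the active group (constructed state)."""
    css_primary = Group("CloudSec-Primary", STANDARD, [
        Endpoint("css-node-1", {"internet-1": active_vpns_up, "internet-2": False}),
        Endpoint("css-node-2", {"internet-1": False}),
    ])
    dc_group = Group("DC-Group", PANW, [
        Endpoint("dc-west", {"internet-1": True, "mpls-1": True}),
        Endpoint("dc-east", {"mpls-1": True}),
    ])
    return select_path(css_primary, dc_group)


if __name__ == "__main__":
    # One standard path still up: traffic stays on the active (standard) group.
    print(example_standard_active_panw_backup(True))
    # Every standard path to every active endpoint down: fail over to the DC group.
    print(example_standard_active_panw_backup(False))
```

The other three rows of the table differ only in which kind of group sits in each slot; swapping the kinds of the two Group objects passed to select_path reproduces them, because the selection order (active first, backup only when the active group has no reachable endpoint) is the same in every combination.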