Focus

Default Routes With Prisma Access Traffic Steering

Table of Contents

Filter

Expand All | Collapse All

Prisma Access Docs

Activation & Onboarding
Administration
Version
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Integrations
Incidents & Alerts
Release Notes
Version
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred

Use Traffic Steering to Forward Internet-Bound Traffic to Service Connections

Traffic Steering in Prisma Access

Default Routes With Prisma Access Traffic Steering

Learn how default routes work in Prisma Access traffic steering.

Use the default route capability in Prisma Access to accept default routes being advertised from your CPE to service connections. You can use BGP or static routes to advertise the default route. Prisma Access uses BGP to advertise these routes over multiple service connections, which allows Prisma Access to route mobile user traffic through the best service connection for a given mobile user location. To enable service connections to accept default routes, specify Accept Default Route over Service Connections when you Configure Traffic Steering in Prisma Access.

After you enable default routes, your internet-bound traffic will be steered to service connections instead of egressing from the mobile user locations. This functionality can be useful if you want to redirect internet-bound traffic to the data center; for example, if you have a third-party security stack in your data center and you want the stack to perform additional screening or inspection.

Use the following guidelines when implementing default routes:

Default routes apply to mobile user deployments only; remote network connections operate normally with no change when you enable default routes.
You do not need to specify target service connections or traffic steering rules when you allow default routes, although they are supported for use with default routes.
When you specify the Accept Default Route over Service Connections setting, all Prisma Access service connections, with the exception of dedicated service connections, accept default routes and will use the routes in traffic steering decisions.
Before you enable this setting, make sure that your data centers are sending default routes; otherwise, routing through service connections will fail.
Palo Alto Networks recommends that all data centers advertise a default route; when Prisma Access receives the routes, it can then select the best service connection to use for the remote network location.
When you create service connections, use either static routes only or BGP only for the connections. Palo Alto Networks does not recommend mixing service connections that use BGP and static routes when using default routes.
Using default routes is supported with multitenant deployments.
Prisma Access does not forward Clientless VPN, portal, or gateway SAML authentication traffic to a public identity provider (IdP) using the default route.

For more information and examples of implementing default routes with traffic steering, see Default Routes with Traffic Steering Example, Default Routes with Traffic Steering Direct to Internet Example, and Default Routes with Traffic Steering and Dedicated Service Connection Example.

Use Traffic Steering to Forward Internet-Bound Traffic to Service Connections

Traffic Steering in Prisma Access

Prisma Access Docs

Default Routes With Prisma Access Traffic Steering

Prisma Access Docs

Default Routes With Prisma Access Traffic Steering

Activation & Onboarding

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner