Default Routes With Prisma Access Traffic Steering
Learn how default routes work in Prisma Access traffic
steering.
Use the default route capability in Prisma Access to accept default
routes advertised from your CPE to service connections. You can use
BGP or static routes to advertise the default route. Prisma Access
uses BGP to advertise these routes over multiple service connections,
which allows it to route mobile user traffic through the best service
connection for a given mobile user location. To enable service
connections to accept default routes, specify Accept Default Route
over Service Connections when you Configure Traffic Steering in
Prisma Access.
After you enable default routes, your internet-bound traffic
will be steered to service connections instead of egressing from
the mobile user locations. This functionality can be useful if you
want to redirect internet-bound traffic to the data center; for
example, if you have a third-party security stack in your data center
and you want the stack to perform additional screening or inspection.
Use the following guidelines when implementing default routes:
Default routes apply to mobile user deployments only;
remote network connections operate normally with no change when
you enable default routes.
You do not need to specify target service connections or
traffic steering rules when you allow default routes, although they
are supported for use with default routes.
When you specify the Accept Default Route over
Service Connections setting, all Prisma Access service
connections, with the exception of dedicated service connections,
accept default routes and will use the routes in traffic steering
decisions.
Before you enable this setting, make sure that your data
centers are sending default routes; otherwise, routing through service
connections will fail.
Palo Alto Networks recommends that all data centers advertise
a default route; when Prisma Access receives the routes, it can
then select the best service connection to use for each mobile user
location.
When you create service connections, use either static routes only
or BGP only for the connections. Palo Alto Networks does not recommend
mixing service connections that use BGP with service connections that
use static routes when using default routes.
Prisma Access does not forward Clientless VPN, portal, or
gateway SAML authentication traffic to a public identity provider
(IdP) using the default route.
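The guidelines above amount to a pre-enable check: every non-dedicated service connection must be receiving a default route, and the connections should all use BGP or all use static routes. The following script is an added example written for this page, not Palo Alto Networks code; it does not call any Prisma Access or PAN-OS API. It works on a constructed snapshot in a made-up column format (connection name, dedicated yes/no, protocol, prefix) that you would fill from your own data-center routing information, and reports which connections would make routing fail and whether BGP and static connections are being mixed.

```python
"""Readiness check before enabling Accept Default Route over Service Connections.

Added example, not Palo Alto Networks code: it does not call any Prisma Access
API. It evaluates a constructed snapshot of what each service connection is
receiving from its data-center CPE against the guidelines on this page:
every non-dedicated service connection must receive 0.0.0.0/0, and the
connections should all use BGP or all use static routes.
"""
from collections import defaultdict

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed snapshot in a made-up whitespace-separated format (not PAN-OS or
# Prisma Access output). Columns: connection, dedicated (yes/no), how the CPE
# advertises the route (bgp/static), prefix.
SNAPSHOT = """\
# connection     dedicated  protocol  prefix
sc-dc-east       no         bgp       10.10.0.0/16
sc-dc-east       no         bgp       0.0.0.0/0
sc-dc-west       no         bgp       10.20.0.0/16
sc-dc-west       no         bgp       0.0.0.0/0
sc-dc-central    no         static    10.30.0.0/16
sc-dedicated-1   yes        bgp       0.0.0.0/0
"""

# Same constructed deployment after the central data center moves to BGP
# and starts advertising a default route.
FIXED_SNAPSHOT = SNAPSHOT.replace(
    "sc-dc-central    no         static    10.30.0.0/16",
    "sc-dc-central    no         bgp       10.30.0.0/16\n"
    "sc-dc-central    no         bgp       0.0.0.0/0",
)


def parse_snapshot(text):
    """Group the snapshot lines per service connection.

    Returns {name: {"dedicated": bool, "protocols": set, "prefixes": set}}.
    """
    conns = defaultdict(
        lambda: {"dedicated": False, "protocols": set(), "prefixes": set()}
    )
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, dedicated, protocol, prefix = line.split()
        entry = conns[name]
        entry["dedicated"] = dedicated.lower() == "yes"
        entry["protocols"].add(protocol.lower())
        entry["prefixes"].add(prefix)
    return dict(conns)


def check_default_routes(conns):
    """Apply the page's guidelines and return a report dict."""
    # Dedicated service connections do not accept default routes, so they
    # are neither required to receive one nor counted for protocol mixing.
    eligible = sorted(n for n, c in conns.items() if not c["dedicated"])
    missing = [n for n in eligible if DEFAULT_ROUTE not in conns[n]["prefixes"]]
    protocols = set()
    for n in eligible:
        protocols |= conns[n]["protocols"]
    mixed = len(protocols) > 1
    return {
        "eligible": eligible,
        "missing_default_route": missing,   # routing via these would fail
        "protocols": sorted(protocols),
        "mixed_protocols": mixed,           # BGP and static side by side
        "safe_to_enable": not missing and not mixed,
    }


if __name__ == "__main__":
    for label, snap in (("before", SNAPSHOT), ("after", FIXED_SNAPSHOT)):
        print(label, check_default_routes(parse_snapshot(snap)))
```

In the "before" snapshot the check refuses to declare the deployment safe for two reasons: sc-dc-central receives no default route, so mobile user traffic steered to it would have no path to the internet, and it uses static routes while the other connections use BGP. The dedicated connection is skipped because dedicated service connections do not accept default routes. Once the central data center advertises 0.0.0.0/0 over BGP, the report shows no missing routes and a single protocol, which is the state to reach before enabling the setting.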