Traffic Steering in Prisma Access
Learn about how traffic steering works with Prisma Access.
In standard Prisma Access deployments, a service connection provides access to internal network resources, such as authentication services and private apps in your headquarters or data center. Service connections process internal traffic, where no internet access is required. In some cases, you might want to redirect internet-bound traffic to the data center. Traffic steering allows you to redirect mobile user or remote network traffic to a service connection before it is sent to the internet.
You can use traffic steering with mobile user deployments, remote network deployments, or a combination of both. Use traffic steering to direct internet-bound network traffic based on many criteria including IP addresses, Custom URL categories, service type (HTTP or HTTPS), User-ID, Dynamic Address Groups (DAGs) and IP-based External Dynamic Lists (EDLs).
There are two action types supported with traffic steering:
  • Forward to the target—Use the criteria in traffic steering rules to forward internet-bound traffic through a target you create that uses one or more service connections.
  • Forward to the internet—Use the criteria in traffic steering rules to directly forward traffic from its source (mobile user location or remote network connection) to the internet, without being forwarded to a service connection.
If you forward to a target, you can choose to create two types of target groups: dedicated and non-dedicated.
  • A service connection that is used only for traffic steering-related traffic is a dedicated service connection. To set a service connection to be used as a dedicated service connection, select Dedicated for Traffic Steering Only when you Configure Traffic Steering in Prisma Access in Panorama.
    You might want to configure a dedicated service connection if you use a third-party security stack that is outside of your organization’s internal network to process traffic before it is sent to a public SaaS application or the internet. Because the security stack is not a part of your organization’s network, you don’t want this service connection to process any internal network traffic.
  • A service connection that is used for traffic steering and for standard service connection-related traffic (such as traffic going to an authentication server in the data center) is a non-dedicated service connection.
Setting a service connection as a dedicated service connection causes the following changes to your deployment:
  • The zone for all service connections associated with this target changes from Trust to Untrust. Check your zone mapping and Configure Zone Mapping and Security Policies for Traffic Steering Dedicated Connections to make sure that your network reflects this change.
  • Service connections that are configured as dedicated service connections do not participate in BGP routing, either internally or externally.
  • If your dedicated service connection uses BGP, the BGP status shows as Not Enabled when you open the status page (Panorama > Cloud Services > Status > Monitor > Service Connection), select a region, then select the Status tab. To check whether BGP is configured on a service connection, use the service connection configuration page (Panorama > Cloud Services > Configuration > Service Connection).
  • By default, the dedicated service connection applies source NAT to the forwarded traffic. The source IP address is the User-ID Agent Address of the service connection (Panorama > Cloud Services > Status > Network Details > Service Connection > User-ID Agent Address), which is taken from the Infrastructure Subnet (Panorama > Cloud Services > Status > Network Details > Service Infrastructure).
    You can disable source NAT and use your organization’s source IP addresses for the dedicated service connection; to do so, select Disable Source NAT for Dedicated SC when you Add a target in the Target Service Connections for Traffic Steering area.
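The following Python model ties together the behaviour described above: ordered traffic steering rules matched on the listed criteria (source IP or IP-based EDL entries, URL category, service type, user), the two action types, the Trust-to-Untrust zone change for a dedicated service connection, and the default source NAT to the User-ID Agent Address unless Disable Source NAT for Dedicated SC is set. It is an added illustration written for this page, not Prisma Access code or a Panorama API call; rule-evaluation order (top-down, first match) and the choice of the first connection in a multi-connection target are modelling assumptions, and every address, user, rule name and URL category is a constructed sample value.

```python
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


@dataclass
class ServiceConnection:
    name: str
    user_id_agent_address: str         # taken from the infrastructure subnet (constructed value here)
    dedicated: bool = False            # "Dedicated for Traffic Steering Only"
    disable_source_nat: bool = False   # "Disable Source NAT for Dedicated SC"

    @property
    def zone(self) -> str:
        # A dedicated service connection moves from the Trust zone to Untrust.
        return "Untrust" if self.dedicated else "Trust"


@dataclass
class Target:
    name: str
    connections: list                  # one or more ServiceConnection objects


@dataclass
class Rule:
    name: str
    action: str                        # "target" (forward to the target) or "internet"
    target: Optional[Target] = None
    source_prefixes: list = field(default_factory=list)   # IP prefixes, or entries of an IP-based EDL
    url_categories: set = field(default_factory=set)      # custom URL categories
    services: set = field(default_factory=set)            # subset of {"HTTP", "HTTPS"}
    users: set = field(default_factory=set)               # User-ID names


@dataclass
class Flow:
    src_ip: str
    user: str
    url_category: str
    service: str


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Every criterion the rule specifies must match; an empty criterion matches anything."""
    if rule.source_prefixes:
        src = ipaddress.ip_address(flow.src_ip)
        if not any(src in ipaddress.ip_network(p, strict=False) for p in rule.source_prefixes):
            return False
    if rule.url_categories and flow.url_category not in rule.url_categories:
        return False
    if rule.services and flow.service not in rule.services:
        return False
    if rule.users and flow.user not in rule.users:
        return False
    return True


def steer(rules: list, flow: Flow) -> dict:
    """Evaluate rules top-down, first match wins (assumption); unmatched flows go straight to the internet."""
    for rule in rules:
        if not rule_matches(rule, flow):
            continue
        if rule.action == "internet":
            # Forward to the internet: leaves from its source, no service connection involved.
            return {"rule": rule.name, "via": "internet", "src_ip": flow.src_ip, "zone": None}
        # Which connection of a multi-connection target carries the flow is not modelled: use the first.
        sc = rule.target.connections[0]
        src_ip = flow.src_ip
        if sc.dedicated and not sc.disable_source_nat:
            src_ip = sc.user_id_agent_address   # default source NAT on a dedicated service connection
        return {"rule": rule.name, "via": sc.name, "src_ip": src_ip, "zone": sc.zone}
    return {"rule": None, "via": "internet", "src_ip": flow.src_ip, "zone": None}


# --- constructed sample configuration (not from any real deployment) ---------
SC_STACK = ServiceConnection("sc-security-stack", "192.0.2.10", dedicated=True)
SC_DC = ServiceConnection("sc-datacenter", "192.0.2.20")   # non-dedicated, also carries internal traffic
RULES = [
    Rule("bypass-trusted-saas", "internet", url_categories={"trusted-saas"}),
    Rule("inspect-web", "target", target=Target("t-stack", [SC_STACK]),
         services={"HTTP", "HTTPS"}, source_prefixes=["10.0.0.0/8"]),
    Rule("finance-via-dc", "target", target=Target("t-dc", [SC_DC]), users={"finance-user"}),
]

if __name__ == "__main__":
    for f in [Flow("10.1.2.3", "alice", "trusted-saas", "HTTPS"),
              Flow("10.1.2.3", "alice", "news", "HTTPS"),
              Flow("172.16.5.5", "finance-user", "news", "HTTP"),
              Flow("172.16.5.5", "bob", "news", "HTTP")]:
        print(f, "->", steer(RULES, f))
```

The practical point the model makes visible is the last field of each decision: traffic that reaches a third-party security stack through a dedicated connection arrives from the Untrust zone and, unless source NAT is disabled, from the User-ID Agent Address rather than the user's own address, so zone mappings, security policy and any allow-lists on the far side have to be written for that address.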