Use Groups in Network Policy Rules
Table of Contents
Expand all | Collapse all
-
- QoS CIR Support For Aggregate Bandwidth
- Prisma Access for Networks Non-Aggregate Bandwidth Licensing
- IPSec Termination Nodes Within Prisma
- IPSec Termination Node Logic (Panorama Managed)
- Determine Region Bandwidth Utilization
- Determine IPSec Termination Nodes Method #1 (Remote Networking On-Boarding)
- Determine IPSec Termination Nodes Method #2 (Panorama API Method)
- IPSec Termination Node Conventions and Tag Nomenclature
-
- Onboard a Non-ECMP Enabled Site
- Set Additional Information Tag
- Configure BGP
- Assign Interface-Level Tags for Non-ECMP Sites
- Prisma Access for Networks Region List
- Prisma Access CloudBlade Tag Information
- Edit Application Policy Network Rules
- Understand Service and Data Center Groups
- Verify Standard VPN Endpoints
- Configure Standard Groups
- Assign Domains to Sites
- Use Groups in Network Policy Rules
- Enable, Pause, Disable, and Uninstall the Integration
-
- Understand Prisma SD-WAN and Prisma Access for Networks Integration
- Correlate Objects between Prisma SD-WAN and Panorama
- View Standard VPNs at a Site Level
- View Alerts and Alarms
- View Activity Charts
- Use the Device Toolkit
- Check Tunnel Status on Panorama
- Change Existing Panorama Serial Number Post CloudBlade Integration
Use Groups in Network Policy Rules
312 PIC
Before you can use a Standard VPN in a policy
rule, you need to have defined service endpoint groups. Each group
can have one or more Prisma SD-WAN data centers or standard service
endpoints. A group will be used in policy rules. The domain defining
the mappings for endpoints to groups must be assigned to a site
for the policy rules using the group to be effective.
There
can be four combinations of Active/Backup groups that can be used
in Policies. You may select just one Prisma SD-WAN group or one
non-Prisma SD-WAN group as an active or backup path in policies.
For example:
| Active Group | Backup Group | Example |
|---|---|---|
| Standard | Prisma SD-WAN | Internet-bound SSL traffic from a branch site will transit through the Cloud Security Service. In the event all standard VPN paths to any of the endpoints in the Primary Cloud Security Service group are not available, internet-bound SSL traffic will transit through one of the Prisma SD-WAN data center endpoints assigned to that group via the Prisma SD-WAN VPN. |
| Prisma SD-WAN | Standard | Internet-bound SSL traffic from a branch site will transit through one of the Prisma SD-WAN data center endpoints assigned to that group via the Prisma SD-WAN VPNs. In the event all Prisma SD-WAN VPNs to all of the Data Center endpoints in that group are unavailable, internet-bound SSL traffic will transit through the Cloud Security Service via one of the standard VPN paths to any of the endpoints in the standard group. |
| Standard | Standard | Internet-bound SSL traffic from a branch site will transit through the primary cloud security service via one of the standard VPN paths to any of the endpoints in the primary cloud security service group. In the event all standard VPNs are down to all endpoints in the primary group, the Internet bound SSL traffic will transit through the backup cloud security service via one of the standard VPN paths to the endpoints that are part of the backup group. |
| Prisma SD-WAN | Prisma SD-WAN | Internet-bound SSL traffic from a branch site will transit through one of the Prisma SD-WAN data center endpoints assigned to the active group via the Prisma SD-WAN VPNs. In the event all Prisma SD-WAN VPNs to all of those endpoints are down, internet-bound SSL traffic will transit through one of the Prisma SD-WAN data center endpoints assigned to the backup group via the Prisma SD-WAN VPNs. |
- From the Prisma SD-WAN web interface, navigate to Policies > Stacked Policies.
- Select Path > Path Sets.
- Select a Path Policy Set and an appropriate Path Policy
rule. On the Paths tab, select Standard VPN as either an Active or Backup path.You can mix Standard VPN with other available paths - private, public, direct or VPNs.
- Navigate to Service & DC Groups. Choose a group from either the Active or Backup drop-down lists.
- Save the policy rule.If standard VPN is used in a network policy, then you must have a standard Services and DC Group defined in the policy for the traffic to transit through that group. If not, traffic will be black-holed. If required is selected, traffic will always transit through the Services and DC Group. If not selected, traffic may or may not transit through the Services and DC Group per policy.