<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Configuring Prisma Access Remote networks and Service Connections on the same device/site in Prisma Access Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/configuring-prisma-access-remote-networks-and-service/m-p/421504#M212</link>
    <description>&lt;P&gt;Hi everyone,&lt;/P&gt;&lt;P&gt;I wanted to know what would be the challenges to deploy Service Connection and Remote Networks on the same device/site and what would be the best solution or workaround as per PAN best practices.&lt;/P&gt;&lt;P&gt;As per my understanding, if we deploy Service Connection and Remote Networks, then there could be some routing challenges.&lt;/P&gt;&lt;P&gt;As a standard config for RN, we have the default route towards the RN tunnel and also a route towards the infrastructure subnet in the RN configuration.&lt;/P&gt;&lt;P&gt;In the Service Connection we also have a route towards the service infrastructure.&lt;/P&gt;&lt;P&gt;Now when the MU comes to the Service Connection to access some resources, the return route will have 2 options: the RN default route and the SVC advertised route.&lt;/P&gt;&lt;P&gt;If there is, e.g., an LDAP request from MU that can use the infra subnet, then both RN and SVC will have that route, causing an asymmetric routing issue.&lt;/P&gt;&lt;P&gt;Is it a feasible solution to have SVC and RN on the same node/site? If yes, what all things are required?&lt;/P&gt;</description>
    <pubDate>Thu, 22 Jul 2021 21:28:12 GMT</pubDate>
    <dc:creator>DheerajDixit</dc:creator>
    <dc:date>2021-07-22T21:28:12Z</dc:date>
    <item>
      <title>Configuring Prisma Access Remote networks and Service Connections on the same device/site</title>
      <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/configuring-prisma-access-remote-networks-and-service/m-p/421504#M212</link>
      <description>&lt;P&gt;Hi everyone,&lt;/P&gt;&lt;P&gt;I wanted to know what would be the challenges to deploy Service Connection and Remote Networks on the same device/site and what would be the best solution or workaround as per PAN best practices.&lt;/P&gt;&lt;P&gt;As per my understanding, if we deploy Service Connection and Remote Networks, then there could be some routing challenges.&lt;/P&gt;&lt;P&gt;As a standard config for RN, we have the default route towards the RN tunnel and also a route towards the infrastructure subnet in the RN configuration.&lt;/P&gt;&lt;P&gt;In the Service Connection we also have a route towards the service infrastructure.&lt;/P&gt;&lt;P&gt;Now when the MU comes to the Service Connection to access some resources, the return route will have 2 options: the RN default route and the SVC advertised route.&lt;/P&gt;&lt;P&gt;If there is, e.g., an LDAP request from MU that can use the infra subnet, then both RN and SVC will have that route, causing an asymmetric routing issue.&lt;/P&gt;&lt;P&gt;Is it a feasible solution to have SVC and RN on the same node/site? If yes, what all things are required?&lt;/P&gt;</description>
      <pubDate>Thu, 22 Jul 2021 21:28:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/prisma-access-discussions/configuring-prisma-access-remote-networks-and-service/m-p/421504#M212</guid>
      <dc:creator>DheerajDixit</dc:creator>
      <dc:date>2021-07-22T21:28:12Z</dc:date>
    </item>
    <item>
      <title>Re: Configuring Prisma Access Remote networks and Service Connections on the same device/site</title>
      <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/configuring-prisma-access-remote-networks-and-service/m-p/424685#M219</link>
      <description>&lt;P&gt;Why not just use a Remote Network SPN connection if you need firewall capabilities (this is needed if you don't have a next-generation firewall in the data center; otherwise the service connection is used) for filtering traffic going out of the Data Center? With Remote Network again the internal DNS servers, LDAP servers, etc. that are behind the Remote Network SPN can be accessed by Prisma Access or mobile users or other Remote Network sites?&lt;/P&gt;&lt;P&gt;Just as an info: if you need a service infrastructure/connection because of the mobile users routing, you can create a fake one without the IPsec tunnel being up and use the SPN for filtering traffic coming from your DC and allowing traffic to your DC from mobile users or other SPN remote networks for services like internal DNS, LDAP, etc.&lt;/P&gt;</description>
      <pubDate>Thu, 05 Aug 2021 11:23:20 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/prisma-access-discussions/configuring-prisma-access-remote-networks-and-service/m-p/424685#M219</guid>
      <dc:creator>NikolayDimitrov</dc:creator>
      <dc:date>2021-08-05T11:23:20Z</dc:date>
    </item>
  </channel>
</rss>

