07-22-2021 02:28 PM
Hi everyone,
I wanted to know what the challenges would be of deploying Service Connection and Remote Networks on the same device/site, and what the best solution or workaround would be as per PAN best practices.
As per my understanding, if we deploy Service Connection and Remote Networks, then there could be some routing challenges.
As a standard config for RN, we have the default route towards the RN tunnel and also a route towards the infrastructure subnet in the RN configuration.
In the Service Connection we also have a route towards the service infrastructure.
Now when the MU comes to the Service Connection to access some resources, the return route will have 2 options: the RN default route and the SVC advertised route.
If there is, e.g., an LDAP request from the MU that can use the infra subnet, both RN and SVC will have that route, causing an asymmetric routing issue.
Is it a feasible solution to have SVC and RN on the same node/site? If yes, what all is required?
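As an added illustration of the asymmetric-routing concern raised in this question (example code, not from the poster or from Palo Alto Networks), the small Python model below does a longest-prefix lookup over a constructed site route table and reports whether the reply to a mobile user is forced back over the tunnel the request arrived on. Tunnel names, prefixes and metrics are assumptions.

```python
import ipaddress

# Added example modelling the routing scenario in the question above. Every
# prefix, tunnel name and metric is a constructed assumption, not a real value.
MU_POOL = "10.50.0.0/16"        # constructed mobile-user address pool
INFRA_SUBNET = "172.16.0.0/24"  # constructed service-infrastructure subnet

def lookup(routes, dst):
    """Longest-prefix match with metric tie-break over (prefix, next_hop, metric)
    tuples. Returns every next hop that ties; more than one means the platform
    could send the packet out either tunnel."""
    addr = ipaddress.ip_address(dst)
    best_key, hops = None, []
    for prefix, next_hop, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)  # longer prefix wins, then lower metric
        if best_key is None or key > best_key:
            best_key, hops = key, [next_hop]
        elif key == best_key:
            hops.append(next_hop)
    return hops

def check_return_path(routes, inbound_tunnel, mu_ip):
    """A mobile-user request arrived on inbound_tunnel; the reply to mu_ip is
    symmetric only if the table forces it back out that same tunnel."""
    return_hops = lookup(routes, mu_ip)
    return return_hops == [inbound_tunnel], return_hops

# Table as the question describes it: RN default route, with the infrastructure
# subnet and MU pool learned over both RN and SC tunnels at equal preference.
AMBIGUOUS_ROUTES = [
    ("0.0.0.0/0", "rn-tunnel", 10),
    (INFRA_SUBNET, "rn-tunnel", 10),
    (INFRA_SUBNET, "sc-tunnel", 10),
    (MU_POOL, "rn-tunnel", 10),
    (MU_POOL, "sc-tunnel", 10),
]

# One way to remove the ambiguity: prefer the SC tunnel for MU and infrastructure
# prefixes (lower metric, or only learned there) so replies leave the way the
# request arrived, while the RN default route still carries everything else.
SC_PREFERRED_ROUTES = [
    ("0.0.0.0/0", "rn-tunnel", 10),
    (INFRA_SUBNET, "rn-tunnel", 20),
    (INFRA_SUBNET, "sc-tunnel", 10),
    (MU_POOL, "sc-tunnel", 10),
]
```

Calling `check_return_path(AMBIGUOUS_ROUTES, "sc-tunnel", "10.50.1.25")` reports both tunnels as candidate return paths, while the SC-preferred table returns only the tunnel the request arrived on.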
08-05-2021 03:14 AM - edited 08-05-2021 04:23 AM
Why not just use a Remote Network SPN connection if you need firewall capabilities (this is needed if you don't have a Next-Generation Firewall in the data center; otherwise the Service Connection is used) for filtering traffic going out of the data center? With a Remote Network, again, the internal DNS servers, LDAP servers, etc. that are behind the Remote Network SPN can be accessed by Prisma Access, mobile users, or other Remote Network sites?
Just as info: if you need a service infrastructure/connection because of the mobile users' routing, you can create a fake one without the IPsec tunnel being up and use the SPN for filtering traffic coming from your DC and allowing traffic to your DC from mobile users or other SPN remote networks for services like internal DNS, LDAP, etc.