Configuring Prisma Access Remote networks and Service Connections on the same device/site


L0 Member

Hi everyone,

I wanted to know what the challenges would be in deploying a Service Connection and Remote Networks on the same device/site, and what the best solution or workaround would be as per PAN best practices.

As per my understanding, if we deploy a Service Connection and Remote Networks, there could be some routing challenges.

As a standard config for RN, we have the default route towards the RN tunnel and also a route towards the infrastructure subnet in the RN configuration.

In the Service Connection we also have a route towards the service infrastructure.

Now when the MU comes in via the Service Connection to access some resources, the return route will have 2 options: the RN default route and the SVC advertised route.

If there is, e.g., an LDAP request from an MU that uses the infra subnet, both RN and SVC will have that route, causing an asymmetric routing issue.

Is it a feasible solution to have SVC and RN on the same node/site? If yes, what all is required?
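The return-path ambiguity described in the question, as an added example that is not part of the original post: a small model of the site's route table with both tunnels, a longest-prefix lookup that returns every tied next hop, and a check that lists prefixes reachable over more than one tunnel. The infrastructure subnet, mobile-user pool and tunnel names are constructed placeholders, not values from the post or from a real deployment.

```python
# Added example (not from the post): model a site's route table that carries
# both a Remote Network (RN) tunnel and a Service Connection (SC) tunnel, and
# flag destinations whose return path could take either tunnel.
import ipaddress
from collections import defaultdict

# Constructed sample values: the infrastructure subnet and a mobile-user
# pool are placeholders, not values from the post or a real deployment.
INFRA_SUBNET = ipaddress.ip_network("192.168.255.0/24")    # constructed
MU_POOL = ipaddress.ip_network("100.64.0.0/16")            # constructed

# Routes as (prefix, next-hop tunnel). Mirrors the post: the RN carries a
# default route plus the infra subnet; the SC also advertises the infra subnet.
SITE_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "RN-tunnel"),
    (INFRA_SUBNET, "RN-tunnel"),
    (INFRA_SUBNET, "SC-tunnel"),
    (MU_POOL, "SC-tunnel"),
]

def lookup(routes, dst):
    """Longest-prefix match; returns every next hop tied at the best length."""
    dst = ipaddress.ip_address(dst)
    best, hops = -1, []
    for prefix, hop in routes:
        if dst in prefix:
            if prefix.prefixlen > best:
                best, hops = prefix.prefixlen, [hop]
            elif prefix.prefixlen == best and hop not in hops:
                hops.append(hop)
    return hops

def ambiguous_prefixes(routes):
    """Prefixes reachable over more than one tunnel: asymmetric-return risk."""
    by_prefix = defaultdict(set)
    for prefix, hop in routes:
        by_prefix[prefix].add(hop)
    return sorted(str(p) for p, hops in by_prefix.items() if len(hops) > 1)

if __name__ == "__main__":
    # Reply to an LDAP request sourced from the infra subnet: two tied candidates,
    # so the return packet may not take the tunnel the request arrived on.
    print(lookup(SITE_ROUTES, "192.168.255.10"))   # ['RN-tunnel', 'SC-tunnel']
    print(lookup(SITE_ROUTES, "100.64.3.7"))       # ['SC-tunnel']
    print(lookup(SITE_ROUTES, "8.8.8.8"))          # ['RN-tunnel']
    print(ambiguous_prefixes(SITE_ROUTES))          # ['192.168.255.0/24']
```

Running the check against a site's actual route table before enabling both tunnels shows which prefixes need a single, deliberate next hop.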

 

1 REPLY 1

L3 Networker

Why not just use a Remote Network SPN connection if you need firewall capabilities (this is needed if you don't have a next-generation firewall in the data center; otherwise the Service Connection is used) for filtering traffic going out of the data center? With a Remote Network, again, the internal DNS servers, LDAP servers, etc. that are behind the Remote Network SPN can be accessed by Prisma Access, mobile users or other Remote Network sites.

Just as an info: if you need a service infrastructure/connection because of the mobile users routing, you can create a fake one without the IPsec tunnel being up and use the SPN for filtering traffic coming from your DC and allowing traffic to your DC from mobile users or other SPN Remote Networks for services like internal DNS, LDAP, etc.
