Can I request the devs to build some feature to check the infrastructure (Prisma Access backbone) routing table? Something similar to Looking Glass but for the Prisma Access backbone.
Currently it is possible to check the BGP information from the Service Connections and Remote Networks side, but not from the Service Infrastructure point of view.
Sometimes there are routing issues: a new site could advertise a more specific subnet or a duplicate subnet, and this kind of tool would help to speed up the troubleshooting process and give more visibility, instead of checking all the routing tables of all Remote Networks individually, one by one.
Better to raise a feature request with Palo Alto, as this is the tech community site. You can see the link for how to raise feature requests: https://live.paloaltonetworks.com/t5/blogs/how-to-use-palo-alto-networks-new-feature-request/ba-p/40... .
Still, as this is a cloud offering, there is a tradeoff between what you are responsible for and what you can do or see, as with clouds someone else manages the infrastructure but you have less visibility. Still, you may try using "hot potato" routing to have more control over the routing; for this, see the official Palo Alto Live Community YouTube video below:
Just a note: for routing to the internet, Prisma Access usually routes closer to the destination FQDN domain/IP address using AWS or Google's high-speed networking before sending the traffic outside of Prisma Access. Also, ADEM (Autonomous Digital Experience Management) is a nice tool that can show you the path between a user and the application servers, so you can see if Prisma Access is causing the slowness and which Prisma Access nodes are involved. Please see the video below:
Also the language localization is an important feature:
A good thing to know is that, for better routing for mobile users, a service connection, also known as a Corporate Access Node (CAN), can be created, as the mobile gateways use the CAN for routing and the CAN does not need to have an IPsec tunnel to a real on-prem Data Center. I call it a fake CAN 🙂
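For the troubleshooting case raised in the original question (a new site advertising a duplicate or more specific subnet), the check can be scripted offline against prefixes collected from each Remote Network and Service Connection. This is an added example, not code from the thread or from Palo Alto Networks; the site names, prefixes and the `find_conflicts` helper are hypothetical, and it does not call any Prisma Access API.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: prefixes each site advertises, as they might be
# copied by hand from each Remote Network / Service Connection BGP view.
# Site names and prefixes are hypothetical.
SAMPLE_ROUTES = {
    "rn-madrid": ["10.10.0.0/16", "192.168.50.0/24"],
    "rn-lisbon": ["10.20.0.0/16", "192.168.50.0/24"],
    "rn-new-site": ["10.10.4.0/24", "10.30.0.0/16"],
    "sc-datacenter": ["10.0.0.0/8", "172.16.0.0/12"],
}


def find_conflicts(routes_by_site):
    """Return sorted (kind, prefix_a, site_a, prefix_b, site_b) tuples.

    kind is "duplicate" when two different sites advertise the same prefix,
    or "more-specific" when prefix_a (from site_a) lies inside prefix_b
    (from site_b). Prefixes within one site are not compared to each other.
    """
    entries = []
    for site, prefixes in routes_by_site.items():
        for p in prefixes:
            # strict=True rejects prefixes with host bits set (typos)
            entries.append((ipaddress.ip_network(p, strict=True), site))

    conflicts = []
    for (net_a, site_a), (net_b, site_b) in combinations(entries, 2):
        # subnet_of() raises TypeError across IP versions, so skip those
        if site_a == site_b or net_a.version != net_b.version:
            continue
        if net_a == net_b:
            conflicts.append(("duplicate", str(net_a), site_a, str(net_b), site_b))
        elif net_a.subnet_of(net_b):
            conflicts.append(("more-specific", str(net_a), site_a, str(net_b), site_b))
        elif net_b.subnet_of(net_a):
            conflicts.append(("more-specific", str(net_b), site_b, str(net_a), site_a))
    return sorted(conflicts)


if __name__ == "__main__":
    for kind, a, site_a, b, site_b in find_conflicts(SAMPLE_ROUTES):
        print(f"{kind:13} {a} ({site_a}) vs {b} ({site_b})")
```

A deliberate summary route such as the `10.0.0.0/8` in the sample will flag every more specific prefix under it, so expected summaries need to be filtered out of the result before acting on it.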