Is it possible for Prisma Access to split the traffic between the on-premise globalprotect gateways and the prisma cloud based on app/domain/ip_addr?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Is it possible for Prisma Access to split the traffic between the on-premise globalprotect gateways and the prisma cloud based on app/domain/ip_addr?

L3 Networker

When using Prisma access and on-premise devices can you do someting like per app_process/domain/destination_ip gateway selection (some traffic to be send to the geteways other to the prisma cloud)? What I mean by this is to do like a split-tunnel for the traffic but instead the excluded appications to be send directly to Internet to the prisma cloud (sounds like double VPN or if possible to send traffic to the Prisma cloud without VPN just for web filtering)?

 

 

My idea is for an office is easier to send the corporate traffic to the on-premise gateways as after they authenticate on the firewalls with their Microsoft Active Directory accounts and they will have corporate access to the internal environment but for a web traffic like facebook etc. it can go to the prisma cloud for web filtering without going to the on-premise gateways.

 

 

 

 

Edit:

 

 

I found out that in Prisma Access 2.0 Explicit Proxy is supported as an access method but can the two methods Globalprotect and Explicit Proxy  be combined ? First to establish a VPN for example to the on-premise firewalls and then to split the tunnel but the excluded traffic from the tunnel to not be send directly to internet but to the Prisma Cloud using the PAC file. Is this possible?

1 accepted solution

Accepted Solutions

L3 Networker

After talks with Palo Alto it seems that in the future if globalprotect app is used for VPN to the prisma access and also a PAC file is used for web filtering with Prisma Access then there will be seamless authentication (afrer authenticating the VPN connecton to prisma access there will be no need to authnticate the Explicit proxy connection) but if the globalprotect app is used for VPN connection to local on premise gateways and a PAC file is used for Explicit proxy connection then the user will need to enter their credentials 2 times (once for the VPN and once with SAML for the Explicit Proxy) and seems cumbersome to me as many proxy vendors use the agents to share the user Windows SSO credentials to the cloud based explicit proxy services, so should be possible to be done.

View solution in original post

1 REPLY 1

L3 Networker

After talks with Palo Alto it seems that in the future if globalprotect app is used for VPN to the prisma access and also a PAC file is used for web filtering with Prisma Access then there will be seamless authentication (afrer authenticating the VPN connecton to prisma access there will be no need to authnticate the Explicit proxy connection) but if the globalprotect app is used for VPN connection to local on premise gateways and a PAC file is used for Explicit proxy connection then the user will need to enter their credentials 2 times (once for the VPN and once with SAML for the Explicit Proxy) and seems cumbersome to me as many proxy vendors use the agents to share the user Windows SSO credentials to the cloud based explicit proxy services, so should be possible to be done.

  • 1 accepted solution
  • 2773 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!