Region Based Blocking feature (Embargo Rule) configured with negate option disrupts Prisma Access operation
Created On 01/17/24 10:17 AM - Last Modified 05/22/25 21:24 PM
Symptom
When the Region Based Blocking feature (Embargo Rule) is configured with the negate option (to block all traffic except from the desired countries), Prisma Access infrastructure operations are disrupted.
Environment
- Prisma Access
- PANOS-10.2.4
- Region Based Blocking feature
Cause
- The Region Based Blocking feature blocks all traffic from the configured countries, based on the geolocation of the source IP address.
- The intended use case of this feature is to block traffic from certain risky countries, not to limit all access worldwide except for a few excluded countries.
- For instance, the US is the most heavily used region for Prisma Access cloud-related communication. If the US is blocked as a source country, some of that cloud-related communication is also denied.
- Blocking this cloud-provider traffic leads to unexpected behavior; in some cases cloud gateways lose communication with the cloud orchestrator and drop their tunnels.
- This feature may be customized in the future so that it does not block cloud-related traffic.
Resolution
Use this feature only to block suspected / risky countries.
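The following is an added example, not code from this article or from Palo Alto Networks, that models why the negated form of the rule is harmful and how the recommended form avoids it. It is a deliberately simplified first-match rule model, not PAN-OS's own policy evaluation; the set of infrastructure source regions is an assumption (the article names only the US), and the region codes "XA"/"XB" are placeholders for whatever risky countries an operator would actually list. The check `infra_regions_blocked` is the kind of pre-commit sanity test a practitioner can run against a candidate region rulebase.

```python
from dataclasses import dataclass

# Constructed sample: regions (ISO country codes) from which Prisma Access
# cloud infrastructure is observed to communicate. The article names only
# the US; treating it as the sole entry is an assumption for this example.
INFRA_SOURCE_REGIONS = frozenset({"US"})


@dataclass(frozen=True)
class RegionRule:
    """Simplified model of a region-based blocking (embargo) rule.

    source_regions: the regions listed in the rule.
    negate: when True the rule matches every region NOT in source_regions,
            i.e. the "block everything except these countries" pattern.
    action: what happens to matching traffic (this model only uses "deny").
    """
    name: str
    source_regions: frozenset
    negate: bool = False
    action: str = "deny"

    def matches(self, src_region: str) -> bool:
        in_list = src_region in self.source_regions
        # Negation flips the match set, so every region outside the list
        # (including regions the infrastructure itself uses) now matches.
        return not in_list if self.negate else in_list


def effective_action(rules, src_region: str, default: str = "allow") -> str:
    """First-match evaluation over an ordered rulebase (a simplification)."""
    for rule in rules:
        if rule.matches(src_region):
            return rule.action
    return default


def infra_regions_blocked(rules, infra_regions=INFRA_SOURCE_REGIONS):
    """Return, sorted, the infrastructure source regions this rulebase would deny.

    A non-empty result means the rulebase will also cut off cloud-side
    communication, which is the failure mode the article describes.
    """
    return sorted(r for r in infra_regions if effective_action(rules, r) == "deny")


# Weak configuration: "allow only DE and FR" expressed by negating the region list.
negated_rulebase = [
    RegionRule("embargo-all-but-allowed", frozenset({"DE", "FR"}), negate=True),
]

# Corrected configuration: block only the specific risky regions.
# "XA"/"XB" are placeholder codes, not real country assignments.
explicit_rulebase = [
    RegionRule("block-risky-regions", frozenset({"XA", "XB"})),
]

if __name__ == "__main__":
    print("negated rulebase blocks infra regions :", infra_regions_blocked(negated_rulebase))   # ['US']
    print("explicit rulebase blocks infra regions:", infra_regions_blocked(explicit_rulebase))  # []
```

Running the script shows that the negated rule denies the US, and with it the cloud-side traffic the gateways depend on, while the explicit block list leaves the infrastructure regions untouched and still denies the listed risky countries.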