Prisma Access GlobalProtect App routing behaviour with "Customize Include Traffic"
Created On 11/29/24 02:33 AM - Last Modified 08/29/25 02:37 AM
Symptom
- The Prisma Access tunnel is configured with "Customize Include Traffic" enabled.
- This toggle adds an Include Access Routes section for IP routes that should be sent through the tunnel, in addition to the existing section for configuring Exclude Access Routes.
- An IP subnet is added under Include Access Routes (for example 172.16.20.0/24).
- After "Customize Include Traffic" is enabled, all traffic other than the included route stops being routed to Prisma Access.
Environment
- Prisma Access managed by Strata Cloud Manager.
- GlobalProtect App
- Split tunnel
Cause
- When a specific subnet is added under Include Access Routes, the GlobalProtect app routes only traffic destined for the included network through the tunnel to Prisma Access and split-tunnels everything else.
- In other words, the GlobalProtect app sends no traffic to Prisma Access except traffic for the included subnets, so any destination not covered by an include route (internal or internet) bypasses Prisma Access and its security policy.
- This behaviour is as designed.
- By default, "Customize Include Traffic" is not enabled.
Resolution
- Add every IP subnet that must be inspected by Prisma Access to the Include Access Routes list. Verify the result on a client by checking the GlobalProtect app's Settings > Connection (Access Routes) view, or the endpoint's routing table, to confirm that each required subnet points at the tunnel interface.
- Alternatively, if the requirement is to send all traffic to Prisma Access and exclude only specific subnets, disable "Customize Include Traffic".
- With the toggle disabled, all traffic from the GlobalProtect app is routed via Prisma Access except the subnets listed under Exclude Access Routes.
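The following Python snippet is an added example, not code from this article or from Palo Alto Networks; it models the decision described above (include routes only when "Customize Include Traffic" is on, otherwise full tunnel minus the exclude routes) so an administrator can check, before changing the configuration, which destinations will bypass Prisma Access. The route lists, the sample destinations and the tie-break for a destination covered by both an include and an exclude route (longest prefix wins, an assumption made for the model) are all constructed here and are not taken from the article.

```python
from ipaddress import ip_address, ip_network

TUNNEL = "tunnel"   # sent to Prisma Access
BYPASS = "bypass"   # split-tunnelled, leaves the endpoint directly


def route_decision(dest, include_routes, exclude_routes, customize_include):
    """Model of the GlobalProtect split-tunnel behaviour described in the article.

    dest              -- destination IP as a string
    include_routes    -- Include Access Routes (only honoured when customize_include is True)
    exclude_routes    -- Exclude Access Routes (always honoured)
    customize_include -- state of the "Customize Include Traffic" toggle
    """
    ip = ip_address(dest)
    includes = [ip_network(n) for n in include_routes] if customize_include else []
    excludes = [ip_network(n) for n in exclude_routes]

    inc_hits = [n for n in includes if ip in n]
    exc_hits = [n for n in excludes if ip in n]

    if inc_hits and exc_hits:
        # Assumption for this model: when include and exclude routes overlap,
        # the more specific (longer prefix) route decides.
        best_inc = max(n.prefixlen for n in inc_hits)
        best_exc = max(n.prefixlen for n in exc_hits)
        return TUNNEL if best_inc > best_exc else BYPASS
    if exc_hits:
        return BYPASS
    if includes:
        # Toggle on and at least one include route configured: only included
        # subnets use the tunnel, everything else is split-tunnelled.
        return TUNNEL if inc_hits else BYPASS
    # Toggle off (or no include routes): full tunnel except the excludes.
    return TUNNEL


def bypassed_destinations(destinations, include_routes, exclude_routes, customize_include):
    """Return the destinations that would NOT reach Prisma Access under this config."""
    return [d for d in destinations
            if route_decision(d, include_routes, exclude_routes, customize_include) == BYPASS]


# Constructed sample data mirroring the article's scenario: one include route,
# 172.16.20.0/24, and a few destinations an administrator might care about.
INCLUDE = ["172.16.20.0/24"]
EXCLUDE = ["192.168.1.0/24"]          # e.g. a local printer subnet kept off the tunnel
DESTS = ["172.16.20.5",               # in the include route
         "172.16.30.5",               # another internal subnet, not included
         "10.10.0.8",                 # data-centre host, not included
         "192.168.1.9",               # in the exclude route
         "93.184.216.34"]             # an internet destination

if __name__ == "__main__":
    for toggle in (True, False):
        print(f"Customize Include Traffic = {toggle}")
        for d in DESTS:
            print(f"  {d:>15} -> {route_decision(d, INCLUDE, EXCLUDE, toggle)}")
        print("  bypassed:", bypassed_destinations(DESTS, INCLUDE, EXCLUDE, toggle))
```

Running the script shows the symptom from this article directly: with the toggle on, only 172.16.20.5 is tunnelled and every other destination, including the internet host, bypasses Prisma Access; with the toggle off, everything except 192.168.1.9 goes through the tunnel. Use the `bypassed_destinations` output as the list of subnets that still need to be added under Include Access Routes.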