Cloud managed Prisma Access - Implicit PBF rule is configured to provide Internet Access to RN tunnels without routing
982
Created On 03/29/23 00:23 AM - Last Modified 10/17/25 02:50 AM
Symptom
- Without the Inter-Connect license, MU users need to access the RN subnet via SC tunnel.
- But to allow the RN subnet to access the Internet, the routing needs to be configured on the RN node.
- Then RN node will advertise the routing to SC via iBGP, which may cause routing issue.
Environment
- Cloud Managed Prisma Access - Overlapping Subnets is enabled by default
- Panorama Managed Prisma Access - Need to manually enable Overlapping Subnets in RN settings
- MU users need access to Remote Networks without Inter-Connect license
- Remote Networks (RN)
- Mobile Users (MU)
- Service Connections (SC)
Cause
- Without the Inter-Connect license, the MU users are not able to access the RN subnets via the path through the RN tunnel.
- The MU users can only access the RN subnets via SC tunnel. So the routing for the RN subnets need to point to SN tunnel.
- However, the RN subnets need to access Internet via the RN tunnel, so the routing needs to be configured on the RN node.
- Then the RN node will advertise the routing across the iBGP network to MU node.
- Therefore, a more specific route for the RN subnet might be present on the SC, which cause the traffic from MU to RN is sent to RN node.
- Without the Inter-Connect license, the traffic won't go through.
Resolution
- With the "Overlapping Subnets" option enabled, an implicit PBF rule with "Enforce Symmetric Return" is configured on the RN nodes to sure the traffic is going back and forth via the same route.
- Therefore, the traffic from the subnets behind the RN node can actually access Internet, even without the routing to the subnets pointing to the tunnel interface on the RN node.
- Refer "Overlapping Subnets" on RN.