URL Traffic Steering in Prisma Access is not working for a single website
Created On 06/28/24 21:26 PM - Last Modified 07/15/25 02:04 AM
Symptom
- Traffic is failing for a specific URL. The page will not load at all: the request may time out, or the loading icon may spin with no results, even after several minutes.
- Traffic logs show that the specific URL is not being steered correctly to the Service Connection.
- Other steered URL traffic is working normally
- With traffic steering, the destination zone will be Inter-FW. When traffic steering is not working, the destination zone is untrust (indicating the traffic went to the internet directly from the gateway).
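
The destination-zone check described in the symptoms can be run over an exported log. The script below is an added example, not part of the original article or any Palo Alto Networks tooling; the CSV column names (`host`, `to_zone`, `action`), the sample rows and the hostnames are constructed assumptions, so map them to the fields in your own export.

```python
import csv
import io
from collections import Counter, defaultdict

# Destination zone the article gives for correctly steered traffic.
# Any other zone (for example "untrust") means the session bypassed steering.
STEERED_ZONE = "Inter-FW"

# Constructed sample rows; column names are assumptions, not the product's export schema.
SAMPLE_LOG = """host,to_zone,action
intranet.example.com,Inter-FW,allow
partner.example.net,untrust,allow
intranet.example.com,Inter-FW,allow
partner.example.net,untrust,allow
hr.example.com,Inter-FW,allow
news.example.org,untrust,allow
"""

def zone_counts(log_text):
    """Return {host: Counter(destination zone -> sessions)} from CSV log text."""
    counts = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(log_text)):
        counts[row["host"].strip().lower()][row["to_zone"].strip()] += 1
    return counts

def steering_report(log_text, steered_hosts):
    """Classify each host that has a URL steering rule by where its sessions went."""
    counts = zone_counts(log_text)
    report = {}
    for host in sorted(h.lower() for h in steered_hosts):
        zones = counts.get(host, Counter())
        if not zones:
            report[host] = "no sessions"
        elif set(zones) == {STEERED_ZONE}:
            report[host] = "steered"
        elif STEERED_ZONE not in zones:
            report[host] = "not steered"
        else:
            report[host] = "mixed"
    return report

if __name__ == "__main__":
    # Hypothetical list of hosts that have URL steering rules.
    rules = ["intranet.example.com", "partner.example.net", "hr.example.com"]
    for host, verdict in steering_report(SAMPLE_LOG, rules).items():
        print(f"{host:25} {verdict}")
```

A host reported as "not steered" while the other steered hosts report "steered" matches the symptom pattern in this article.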
Environment
- Prisma Access
- Prisma Access (Panorama Managed)
- Supported PAN-OS versions
- Traffic Steering
Cause
- URL Traffic Steering in Prisma Access relies on the web server responding to a TLS request from the Prisma Access IP range.
- For security reasons, some websites deny communications with all IPs except for pre-determined range(s) owned by their customer(s).
- If the web server denies TLS requests from the Prisma Access IP range, URL Traffic Steering will be unable to resolve the web server FQDN to an IP, and URL Traffic Steering will fail.
Resolution
- For URL Traffic Steering to succeed, ensure that the web server responds to TLS requests from the Prisma Access IP range.
- If URL Traffic Steering is not possible due to the web server not responding, then use IP-based traffic steering rules instead.