Prisma Access Traffic Steering fails when the TCP handshake is not completed.
Created On 11/04/25 10:17 AM - Last Modified 02/20/26 03:55 AM
Symptom
- Prisma Access Traffic Steering is configured using Policy-Based Forwarding (PBF) with a URL-based match.
- This type of PBF relies on identifying the URL (hostname) of the session, so URL identification is a prerequisite for steering.
- When the reachability check to the URL fails (the TCP handshake to the destination never completes), Traffic Steering does not take effect.
Environment
- Prisma Access
- Traffic Steering
Cause
- Only a successfully initiated connection lets the device inspect the Server Name Indication (SNI) field in the client's TLS/SSL Client Hello message, because the client sends the Client Hello only after the TCP three-way handshake has completed.
- The SNI carries the hostname (URL) the client is trying to reach, and this hostname is the actual criterion the PBF rule matches on.
- If the TCP handshake cannot first be established to the destination over the internet, the URL/SNI is never seen and cannot be validated, so the PBF rule never matches and the traffic is not steered.
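The ordering problem described above, as an added example (not Palo Alto Networks code): a minimal TLS Client Hello builder and SNI parser, plus a simplified model of a URL/SNI-based PBF rule evaluated over two constructed flows. In the first flow the destination drops the SYN from the Prisma Access egress address, so no Client Hello is ever sent and the rule has nothing to match; in the second the handshake completes and the SNI becomes visible on the first data segment. The hostnames, flow contents and the `pbf_decision` logic are assumptions for illustration only.

```python
import struct

# Added example, not Prisma Access code. Models why a URL/SNI-based PBF rule
# cannot be evaluated until the TCP handshake to the destination completes.

SNI_EXT_TYPE = 0x0000


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS ClientHello record that carries an SNI extension.
    Random, session id and cipher list are fixed placeholders for the example."""
    name = hostname.encode()
    server_name = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_body = struct.pack("!H", len(server_name)) + server_name   # ServerNameList
    sni_ext = struct.pack("!HH", SNI_EXT_TYPE, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + b"\x11" * 32                               # random (placeholder)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # compression: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext  # extensions block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a TLS ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:            # not a handshake record
        return None
    hs = record[5:]
    if len(hs) < 38 or hs[0] != 0x01:                    # not a ClientHello
        return None
    pos = 4 + 2 + 32                                     # header, version, random
    pos += 1 + hs[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                                   # compression_methods
    if pos + 2 > len(hs):
        return None                                      # no extensions block
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == SNI_EXT_TYPE:
            # ServerNameList: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return None


# Constructed flows: (direction, tcp_flags, payload) as the steering node sees them.
SYN, SYNACK, ACK, DATA = "SYN", "SYN-ACK", "ACK", "PSH-ACK"

# Destination admits only the service-connection source, so the SYN arriving from
# the Prisma Access egress IP is dropped and the client just retransmits it.
FLOW_SERVER_DROPS_SYN = [
    ("C>S", SYN, b""),
    ("C>S", SYN, b""),
    ("C>S", SYN, b""),
]

# Destination admits the Prisma Access egress IP: the handshake completes and the
# client's first data segment is the ClientHello carrying the SNI.
FLOW_HANDSHAKE_OK = [
    ("C>S", SYN, b""),
    ("S>C", SYNACK, b""),
    ("C>S", ACK, b""),
    ("C>S", DATA, build_client_hello("app.example.com")),
]


def pbf_decision(flow, steered_hosts):
    """Evaluate a URL/SNI-based PBF rule over a flow.
    Returns (path, sni): 'steered' once the SNI matches, else 'default-egress'."""
    server_answered = False
    sni = None
    for direction, flags, payload in flow:
        if direction == "S>C" and flags == SYNACK:
            server_answered = True       # handshake can complete; data may follow
        if not server_answered:
            continue                     # SYN-only flow: nothing to match on yet
        if payload:
            sni = extract_sni(payload)
            if sni in steered_hosts:
                return "steered", sni
    return "default-egress", sni


if __name__ == "__main__":
    rule = {"app.example.com"}
    print("server drops SYN :", pbf_decision(FLOW_SERVER_DROPS_SYN, rule))
    print("handshake completes:", pbf_decision(FLOW_HANDSHAKE_OK, rule))
```

The blocked flow never produces a payload, so `pbf_decision` returns `default-egress` with no SNI: this is the failure the article describes. Once the destination accepts the SYN from the Prisma Access egress address (the first item under Resolution), the Client Hello is observed and the same rule steers the session.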
Resolution
- Allow traffic from the Prisma Access cloud IP address on the destination server instead of relying on Traffic Steering, so the initial TCP handshake can complete.
- Use an FQDN-based destination in the PBF rule instead of a URL match when the FQDN does not resolve to dynamically changing IP addresses.
- Use an IP-based destination in the PBF rule when possible. Both destination-based matches are evaluated on the first packet (the TCP SYN) and do not depend on seeing the SNI.