Bypass Prisma SASE Tunnels for Streaming Apps — Direct Internet Access via VPN 0 on Cisco SD-WAN - The Network DNA: Networking, Cloud, and Security Technology Blog

Cisco SD-WAN + Prisma SASE  |  Advanced Traffic Engineering

Bypass Prisma SASE Tunnels for Streaming Apps — Direct Internet Access via VPN 0 on Cisco SD-WAN

Complete solution guide: route FQDN-based streaming traffic directly through underlay internet circuits (VPN 0) while keeping all other traffic through Prisma SASE tunnels on VPN 10.

Expert Solution  ✦  Real-World Scenario

📋 Scenario Summary

What Are We Solving?

Current State: Cisco SD-WAN site connected to Prisma SASE via manual IPsec tunnels configured through vManage templates on VPN 10
Problem: Streaming app traffic (Netflix, YouTube, Spotify, etc.) is going through Prisma SASE tunnels (VPN 10) — causing latency, bandwidth inefficiency, and unnecessary SASE processing overhead
Goal: Specific FQDNs for streaming apps must bypass the Prisma SASE tunnels and exit directly via underlay internet circuits (VPN 0 — Direct Internet Access / DIA)

🗺️ Architecture Overview

/* Current Traffic Flow vs. Desired Traffic Flow */

  ┌─────────────────────────────────────────────────────────┐
  │               CISCO SD-WAN EDGE ROUTER                  │
  │           (vEdge / Catalyst 8000 / ISR)                 │
  │                                                         │
  │  VPN 10 (Service VPN)  ──── User LAN Subnets           │
  │  VPN 0  (Transport)    ──── WAN / Internet Circuits     │
  └──────────────┬──────────────────────┬───────────────────┘
                 │                      │
                 │                      │
    ┌────────────▼──────────┐  ┌────────▼─────────────┐
    │  VPN 10 IPsec Tunnel  │  │  VPN 0 Underlay       │
    │  → Prisma SASE        │  │  → Direct Internet    │
    │    (Current default)  │  │    (Desired for DIA)  │
    └───────────────────────┘  └──────────────────────┘
                 │                      │
    ┌────────────▼──────────┐  ┌────────▼─────────────┐
    │   Prisma SASE / SSE   │  │   Internet (Direct)   │
    │   Security Inspection │  │   No Inspection       │
    └───────────────────────┘  └──────────────────────┘

  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  ❌ STREAMING APPS (Current):  User → VPN10 → Prisma SASE
  ✅ STREAMING APPS (Desired):  User → VPN0  → Direct Internet
  ✅ ALL OTHER TRAFFIC:         User → VPN10 → Prisma SASE
  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

💡 Solution Overview — The Right Approach

✅ Recommended Solution: Cisco SD-WAN Centralized Data Policy with the NAT VPN 0 (DIA) action, matching on an application list and a DNS application list

The cleanest and most scalable solution is a Centralized Data Policy on VPN 10 that matches the streaming application list and applies the NAT VPN 0 action (CLI: nat use-vpn 0). That action hands the matched flow to the NAT on the VPN 0 transport interface, so the flow leaves on the local internet circuit instead of following the VPN 10 default route into the Prisma SASE tunnel. Application-Aware Routing is not part of this mechanism: it chooses between SD-WAN overlay tunnels and cannot direct a flow to a DIA exit (see Step 8).

🔑 Key Building Blocks of the Solution:

1. Application List: Define the streaming apps with Cisco NBAR2 application names, plus Custom Applications matched on the TLS server name (SNI) for anything the library does not cover
2. Centralized Data Policy: Match the application list and apply the NAT VPN 0 action (nat use-vpn 0) with Fallback enabled and a named Counter, so the flow breaks out on VPN 0 and you can prove it did
3. Split DNS in the same policy: A sequence matching DNS requests for the same application list (dns-app-list) with the same NAT VPN 0 action, so the DNS answers for those apps come from the local internet path rather than from Prisma's egress location
4. NAT and a DIA tracker on VPN 0: NAT on the transport interface so DIA traffic is source-NATted, and a tracker so the Fallback option can react when the circuit is up but the internet behind it is not

📋 Step-by-Step Implementation Plan

  1. Verify VPN 0 DIA Readiness — NAT and Internet Access Check
  2. Create a Custom Application List for Streaming FQDNs
  3. Create Centralized Data Policy in vManage
  4. Configure Policy Sequence — Match Apps, Set DIA Action
  5. Apply Policy to the SD-WAN Site
  6. Configure DNS Handling for FQDN Resolution
  7. Verify and Test Traffic Flow
  8. Where Application-Aware Routing (AAR) Fits (and Where It Does Not)
  9. Troubleshooting Guide
  10. Important Caveats and Considerations

Step 1: Verify VPN 0 DIA Readiness — NAT and Internet Access

Before configuring any policy, confirm that the VPN 0 transport interface on the edge router can serve Direct Internet Access. NAT must be enabled on that interface so VPN 10 user traffic is source-NATted to the interface's public address when it breaks out. A DIA tracker is strongly recommended as well: it probes an internet endpoint through the interface and marks the DIA path down when the circuit is up but the internet behind it is not, which is what lets the policy's Fallback option send streaming back through Prisma instead of black-holing it.

📍 Check in vManage: Configuration > Templates > Feature Templates > VPN Interface (VPN 0)

vManage Feature Template — VPN 0 Interface NAT Configuration

# In your VPN 0 Interface (VPN Interface Ethernet) Feature Template
# Navigate to: NAT section, then Tracker section

NAT: Enabled ✅
NAT Type: Interface (recommended for DIA)
Overload: Enabled ✅
Tracker: DIA-TRACKER   # example name; defined under the VPN 0 Feature Template > Tracker,
                       # probing a reachable internet endpoint through this interface

# CLI equivalent (Catalyst 8000 / ISR, IOS XE SD-WAN). VPN 0 is the global
# routing table on IOS XE, so the WAN interface carries no "vrf forwarding".
interface GigabitEthernet0/0/0
  ip address dhcp
  ip nat outside
  no shutdown

# Generated by vManage when NAT is enabled on the template (ACL name varies by release):
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet0/0/0 overload

# VPN 0 default route (if not learned via DHCP)
ip route 0.0.0.0 0.0.0.0 <ISP-Gateway-IP>

⚠️ Important: NAT must be enabled on the VPN 0 WAN interface. The NAT VPN 0 policy action depends on that NAT: without it there is no DIA path for the policy to use, and any VPN 10 traffic that did reach the internet with its private RFC 1918 source address would never get return traffic. Check with show ip nat translations after activating the policy.

Step 2: Create a Custom Application List for Streaming FQDNs

Cisco SD-WAN identifies applications with NBAR2 deep packet inspection, which relies on the TLS server name (SNI), on DNS answers it snoops and on protocol signatures to recognise well-known services. Most popular streaming services (Netflix, YouTube, Spotify) already have NBAR2 definitions; use those first and add Custom Applications only for what the library does not cover.

📍 vManage Navigation: Configuration > Policies > Custom Options > Lists > Application (or App List)

Option A — Use Existing NBAR2 Application Entries (Preferred)

In vManage, when creating a policy sequence, you can select applications directly from the built-in Cisco Application Library. The names used in this guide are listed below; confirm the exact spelling in the vManage picker or on the edge with show ip nbar protocol-id | include netflix, since names can differ between protocol-pack versions:

netflix — Covers all Netflix streaming traffic
youtube — YouTube streaming and video
spotify — Spotify audio streaming
hulu — Hulu video streaming
amazon-video — Amazon Prime Video
apple-tv-plus — Apple TV+ streaming
disneyplus — Disney+ streaming
ms-stream — Microsoft streaming services

Option B — Create a Custom Application using Server Name (for non-NBAR2 apps)

For apps not in the NBAR2 library, or where you want to match an explicit set of hostnames, create Custom Applications and add them to the same application list. A custom application matches on the TLS server name (SNI) the client sends, with wildcards; it is defined either by server names or by L3/L4 attributes (IP, port, protocol), not both, so the entries below carry no port or protocol. Because the server name is chosen by the client, keep these lists narrow (see the caveats in Step 10).

vManage — Custom Application Definition

# Navigate to: Configuration > Policies > Custom Options
# > Lists > Custom Application > New Custom Application
# then add the custom apps to the Application List:
# Lists > Application > New Application List

Application List Name: STREAMING-APPS-DIA

# Add Applications from Cisco Library:
Selected Apps:
  - netflix
  - youtube
  - spotify
  - hulu
  - amazon-video
  - apple-tv-plus

# Custom Applications (server-name based), added to the same list:

Custom App 1:
  Name: custom-streaming-1
  Server Name: *.nflxvideo.net
  Server Name: *.nflximg.net
  Server Name: *.fast.com      # Netflix's speed-test site; drop it if you only want playback traffic

Custom App 2:
  Name: custom-streaming-2
  Server Name: *.googlevideo.com
  Server Name: *.youtube.com
  Server Name: *.ytimg.com

Custom App 3:
  Name: custom-streaming-3
  Server Name: *.spotify.com
  Server Name: *.scdn.co
  Server Name: *.spotifycdn.com

✅ Pro Tip: Prefer the built-in NBAR2 application names (netflix, youtube, spotify) where they exist. They combine several signals (SNI, DNS snooping, protocol signatures) and Cisco maintains them as the services change their hostnames, whereas a custom server-name list only matches what you typed and only when the SNI is visible. Use custom applications to fill gaps, not to replace the library entries, and review the union of both for overlap with business traffic before activating.

Step 3: Create Centralized Data Policy in vManage

The Centralized Data Policy is configured in vManage and pushed to the vSmart controllers, which then distribute it to the SD-WAN edge routers. This is where we define the match condition (streaming apps) and the action (send to VPN 0 for DIA).

📍 vManage Navigation: Configuration > Policies > Add Policy > Configure Traffic Rules > Traffic Data

📝 Policy Creation Steps in vManage GUI:

  1. Go to Configuration > Policies and click Add Policy
  2. On the left panel, configure Groups of Interest — select your Site List (the SD-WAN site where this policy applies) and VPN List (VPN 10)
  3. Click Next through Topology and QoS steps (no changes needed there)
  4. On Configure Traffic Rules, click Traffic Data > Add Policy
  5. Name the policy: STREAMING-DIA-POLICY
  6. Under Sequence Type choose Custom, which exposes the full set of match and action fields, including NAT VPN
  7. Add a sequence and configure match + action as shown below

Step 4: Configure Policy Sequence — Match Apps, Set DIA Action

This is the core of the solution. The policy sequence matches streaming application traffic and redirects it to the local internet breakout via VPN 0.

vManage — Data Policy Sequence Configuration (Conceptual View)

# =====================================================
# POLICY NAME: STREAMING-DIA-POLICY
# Direction: From Service (applied on VPN 10 traffic)
# =====================================================

# SEQUENCE 10 — Match Streaming Apps → DIA via VPN 0
Sequence: 10
  Name: STREAMING-APPS-TO-DIA

  Match Conditions:
    Application List: STREAMING-APPS-DIA
    # (Contains: netflix, youtube, spotify, hulu,
    #  amazon-video, apple-tv-plus, custom server-name entries)

  Actions:
    Action: Accept ✅
    NAT VPN: 0          ← THIS IS THE KEY: hands the flow to the VPN 0 NAT exit (DIA)
    Fallback: Enabled   # if the DIA path is down, route normally (Prisma) instead of dropping
    Counter: STREAMING-DIA   # named counter; without it the sequence hits are not
                             # visible in show sdwan policy data-policy-filter
    # "NAT Pool" is a separate action for a NAT pool defined on the VPN 0
    # interface; with interface NAT (Step 1) use NAT VPN.

# SEQUENCE 20 — Default — All other traffic via Prisma SASE
# (Implicit — no explicit rule needed, traffic follows
#  normal routing through VPN 10 tunnels to Prisma SASE)

Default Action: Accept (Normal routing via VPN 10 → Prisma SASE)

🔑 Understanding the NAT VPN Action — The Critical Setting

The NAT VPN action in a Cisco SD-WAN Data Policy is what enables Direct Internet Access from a service VPN. The two forms are:

# Option 1: NAT VPN (recommended with interface NAT on VPN 0)
Action: nat use-vpn 0
        nat fallback
# Take the matched flow, forward it to the NAT on the VPN 0 transport
# interface and send it out the internet circuit. The flow never follows
# the VPN 10 route into the Prisma SASE tunnel. With "nat fallback" the
# flow follows normal VPN 10 routing while the DIA path (interface or
# tracker) is down; without it, the flow is dropped in that state.

# Option 2: NAT Pool (when a NAT pool is defined on the VPN 0 interface)
Action: nat pool <pool-number>

How it works: The edge router evaluates the policy on traffic arriving from the LAN in VPN 10. For a flow that matches sequence 10 it does not consult the VPN 10 routing table (whose default route points into the Prisma tunnel); it hands the packet to the NAT on the VPN 0 interface, translates the source to the interface's public address and forwards it out the internet circuit. Return traffic is matched to the NAT entry and delivered back into VPN 10. Prisma SASE never sees this flow, and no route is leaked between the VPNs: the policy action, not routing, moves the traffic.

CLI Equivalent — IOS-XE SD-WAN (Catalyst 8000) — For Reference

# This is what vSmart pushes to the edge router once the policy is activated
# (visible with "show sdwan policy from-vsmart"). You do NOT configure this
# by hand on a vManage-managed device.

policy
 data-policy _VPN-10_STREAMING-DIA-POLICY
  vpn-list VPN-10
   sequence 10
    match
     app-list STREAMING-APPS-DIA
    !
    action accept
     nat use-vpn 0
     nat fallback
     count STREAMING-DIA
    !
   !
   default-action accept
  !
 !
!

# Application list and the visibility features DPI needs.
# app-visibility turns on NBAR2 classification; flow-visibility produces the
# per-flow records used in Step 7. Custom applications created in vManage are
# referenced in the list by their names.
policy
 app-visibility
 flow-visibility
 !
 lists
  app-list STREAMING-APPS-DIA
   app netflix
   app youtube
   app spotify
   app hulu
   app amazon-video
   app custom-streaming-1
   app custom-streaming-2
   app custom-streaming-3
  !
 !
!
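To make the sequence semantics concrete, here is an added offline model of how the policy above is evaluated (example code written for this guide; it is not Cisco software and does not talk to a router). It reproduces first-match sequence order, the difference between nat use-vpn 0 with and without nat fallback when the DIA path is down, the dns request sequence described in Step 6, and the named counters. The application list, the app-to-domain table and the DIA tracker state are constructed inputs; on a real edge, NBAR2 and DNS snooping supply that classification.

```python
"""Offline model of the centralized data policy in this guide (example, not Cisco code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

PRISMA_PATH = "VPN 10 -> IPsec tunnel -> Prisma SASE"
DIA_PATH = "VPN 0 -> NAT -> Internet (DIA)"
DROPPED = "dropped (DIA down, no nat fallback)"

# Constructed: the app list from Step 2, and the domains that DPI / DNS snooping
# associates with each app (the real NBAR2 mapping is Cisco-internal).
APP_LISTS = {"STREAMING-APPS-DIA": {"netflix", "youtube", "spotify", "hulu"}}
APP_DOMAINS = {
    "netflix": ["*.netflix.com", "*.nflxvideo.net", "*.nflximg.net"],
    "youtube": ["*.youtube.com", "*.googlevideo.com", "*.ytimg.com"],
    "spotify": ["*.spotify.com", "*.scdn.co", "*.spotifycdn.com"],
}


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int = 443
    app: Optional[str] = None        # NBAR2 result if the classification cache already knows it
    sni: Optional[str] = None        # TLS server name seen in the ClientHello
    dns_qname: Optional[str] = None  # set only for DNS queries


@dataclass
class Sequence:
    number: int
    app_list: Optional[str] = None
    dns_request: bool = False        # 'match dns-app-list <list> dns request'
    nat_use_vpn0: bool = False       # 'action accept nat use-vpn 0'
    nat_fallback: bool = False       # '... nat fallback'
    count: Optional[str] = None      # '... count <name>'


def classify(flow: Flow, for_dns_request: bool) -> Optional[str]:
    """App name the policy engine sees for this flow.

    A DNS query is simply the app 'dns' for an ordinary sequence; only a
    'dns request' sequence maps the queried name to the app it belongs to.
    Unclassified first packets (no cache hit, no SNI yet) return None.
    """
    if flow.dns_qname is not None:
        if not for_dns_request:
            return "dns"
        name = flow.dns_qname.lower()
    else:
        if flow.app:
            return flow.app
        if not flow.sni:
            return None
        name = flow.sni.lower()
    for app, patterns in APP_DOMAINS.items():
        if any(fnmatchcase(name, p) for p in patterns):
            return app
    return None


def evaluate(policy: List[Sequence], flow: Flow, dia_up: bool = True,
             counters: Optional[Dict[str, int]] = None) -> str:
    """First matching sequence wins; default-action accept = normal VPN 10 routing."""
    if counters is None:
        counters = {}
    for seq in policy:
        if seq.dns_request and flow.dns_qname is None:
            continue                                   # 'dns request' only sees DNS queries
        if seq.app_list and classify(flow, seq.dns_request) not in APP_LISTS[seq.app_list]:
            continue
        if seq.count:
            counters[seq.count] = counters.get(seq.count, 0) + 1
        if not seq.nat_use_vpn0:
            return PRISMA_PATH                         # plain accept: follow VPN 10 routing
        if dia_up:
            return DIA_PATH
        return PRISMA_PATH if seq.nat_fallback else DROPPED
    counters["default_action_count"] = counters.get("default_action_count", 0) + 1
    return PRISMA_PATH


# Sequence 5 (split DNS) must sit ahead of sequence 10, exactly as in Step 6.
STREAMING_DIA_POLICY = [
    Sequence(5, app_list="STREAMING-APPS-DIA", dns_request=True,
             nat_use_vpn0=True, nat_fallback=True, count="STREAMING-DNS-DIA"),
    Sequence(10, app_list="STREAMING-APPS-DIA",
             nat_use_vpn0=True, nat_fallback=True, count="STREAMING-DIA"),
]
# Same policy without 'nat fallback': shows what happens when the tracker is down.
NO_FALLBACK_POLICY = [Sequence(10, app_list="STREAMING-APPS-DIA", nat_use_vpn0=True)]

if __name__ == "__main__":
    hits: Dict[str, int] = {}
    for f in (Flow("192.168.1.100", "198.51.100.10", app="netflix"),
              Flow("192.168.1.100", "8.8.8.8", 53, dns_qname="www.netflix.com"),
              Flow("192.168.1.100", "203.0.113.5", app="ms-office-365"),
              Flow("192.168.1.100", "203.0.113.9")):        # unclassified first flow
        print(f"{f.dst_ip:>15} app={f.app or f.dns_qname or '?':<26} -> {evaluate(STREAMING_DIA_POLICY, f, counters=hits)}")
    print("tracker down, fallback   :", evaluate(STREAMING_DIA_POLICY, Flow("192.168.1.100", "198.51.100.10", app="netflix"), dia_up=False))
    print("tracker down, no fallback:", evaluate(NO_FALLBACK_POLICY, Flow("192.168.1.100", "198.51.100.10", app="netflix"), dia_up=False))
    print("counters:", hits)
```

The last constructed flow, with neither a cached app nor an SNI, falls through to the default action and stays on Prisma: that is the first-flow behaviour discussed in the troubleshooting section, and the dns request sequence exists to make the cache warm before the TCP flow arrives.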

Step 5: Apply the Policy to the SD-WAN Site

The data policy must be applied to the correct site and VPN. In vManage, this is done when completing the policy wizard by associating the policy with your site list and VPN list.

📍 Policy Application in vManage:

  1. After creating the Traffic Data Policy, go to the Policy Application section (last step of policy wizard)
  2. Under Traffic Data tab, click New Site/VPN List
  3. Select your Site List — the site where your SD-WAN router is (the site connected to Prisma SASE)
  4. Select VPN List: VPN 10 (the service VPN where users reside)
  5. Set Direction: From Service — this means the policy applies to traffic entering from the service side (user LAN → toward internet)
  6. Click Add, then Save Policy
  7. Go to Configuration > Policies, select the policy, click Activate to push to vSmart

⚠️ Direction Matters: Always apply this Data Policy with direction "From Service" on the VPN 10 list. This ensures the policy intercepts traffic as it arrives from the user LAN side (Service VPN 10) heading toward the internet — not in the reverse direction. Using "From Tunnel" would apply to traffic arriving from SD-WAN tunnel side, which is not what we want here.

Step 6: Configure DNS Handling for FQDN Resolution

Two things depend on DNS here. First, NBAR2 learns which server addresses belong to which application from the DNS answers it snoops, and that is what lets later flows to the same server be classified on their first packet; the router sees VPN 10 DNS packets before IPsec encapsulation, so this works whether the lookup exits via Prisma or via DIA. Second, the CDN node a user is sent to depends on where the lookup exits: a query that leaves through Prisma Access is answered for Prisma's egress location, and the video flow that follows is then steered to DIA toward a CDN node chosen for the wrong place. Keep DNS and data for these apps on the same path.

🌐 DNS Considerations and Recommendations:

Option A (recommended), split DNS inside the data policy: Add a sequence ahead of the app sequence that matches DNS requests for the same application list (Match: DNS Application List = STREAMING-APPS-DIA, DNS = Request) with the same NAT VPN 0 action. Only the lookups for those apps break out; every other DNS query still goes to Prisma and keeps Prisma's DNS security controls.
Option B, Cisco Umbrella (if deployed): With Umbrella DNS-layer security integrated on the edge router, the DIA lookups are still inspected, which partly closes the gap Option A opens.
Option C, pointing VPN 10 DNS at a public resolver: Changing the VPN 10 DNS servers to 8.8.8.8 or 1.1.1.1 on its own does not take DNS off the Prisma path. The VPN feature template's DNS setting (CLI: ip name-server vrf 10 ...) configures the router's own resolver, not the clients', and client queries to a public resolver still follow the VPN 10 default route into the tunnel unless a data-policy sequence sends them to DIA. Use it only together with Option A, and only if the security team accepts unfiltered DNS for those names.

Data Policy — Split DNS Sequence (same policy as Step 4)

# vManage: add Sequence 5 before Sequence 10 in STREAMING-DIA-POLICY
#   Match:  DNS Application List = STREAMING-APPS-DIA, DNS = Request
#   Action: Accept, NAT VPN 0, Fallback, Counter STREAMING-DNS-DIA
# CLI as pushed by vSmart:
   sequence 5
    match
     dns-app-list STREAMING-APPS-DIA
     dns request
    !
    action accept
     nat use-vpn 0
     nat fallback
     count STREAMING-DNS-DIA
    !
   !

Step 7: Verify and Test Traffic Flow

After activating the policy, use the following verification commands and vManage monitoring tools to confirm that streaming traffic is taking the DIA path and not going through the Prisma SASE tunnels.

SD-WAN Edge Router — Verification Commands

# 1. Confirm the policy arrived from vSmart and contains the NAT action
show sdwan policy from-vsmart

# 2. Per-sequence hit counters. Only counters named with a "count" action,
#    plus default_action_count, appear here, so check STREAMING-DIA and
#    STREAMING-DNS-DIA are present before you look for increments
show sdwan policy data-policy-filter

# 3. Per-flow view with application names (requires app and flow visibility)
show sdwan app-fwd cflowd flows vpn 10

# 4. NAT translations. VPN 0 is the global table on IOS XE, so no vrf keyword
show ip nat translations | include :443

# 5. DIA tracker state, if configured (down + Fallback = flows quietly back on Prisma)
show endpoint-tracker

# 6. Ask the forwarding engine which path one specific flow takes (single line)
show sdwan policy service-path vpn 10 interface GigabitEthernet0/0/3 source-ip 192.168.1.100 dest-ip <netflix-IP> protocol 6 dest-port 443 all

# 7. vManage Monitor — Application Traffic Path
# Monitor > Devices > Select Device > Troubleshooting > Simulate Flows
# Enter source/destination IP to see the expected path

✅ Expected Verification Results:

✅ STREAMING-DIA counter incrementing in show sdwan policy data-policy-filter while a user streams, with default_action_count still incrementing for everything else
✅ NAT translations on the VPN 0 WAN interface for the streaming destination IPs
✅ Traceroute from a user to a streaming host shows the ISP path, not the Prisma Access hops
✅ Prisma SASE dashboard does NOT show Netflix/YouTube sessions from this site
✅ show sdwan app-fwd cflowd flows lists netflix/youtube flows in VPN 10 whose egress is the VPN 0 WAN interface, not the IPsec tunnel interface
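As an added helper for this verification step (written for this guide, not a Cisco tool), the snippet below parses two snapshots of show sdwan policy data-policy-filter output taken before and after a user starts a stream, and reports whether the STREAMING-DIA counter moved while default_action_count kept moving too. The snapshots are constructed in the shape of that command's output, not captured from a device, and the STREAMING-DIA counter exists only because the sequence action includes count STREAMING-DIA.

```python
"""Compare two 'show sdwan policy data-policy-filter' snapshots (example, not a Cisco tool)."""
import re
from typing import Dict

# Constructed snapshots in the shape of the command output (not from a device).
# Only counters named in a sequence's "count" action, plus default_action_count,
# appear in this output.
BEFORE = """\
data-policy-filter _VPN-10_STREAMING-DIA-POLICY
 data-policy-vpnlist VPN-10
  data-policy-counter STREAMING-DNS-DIA
   packets 31
   bytes 2418
  data-policy-counter STREAMING-DIA
   packets 1042
   bytes 1304412
  data-policy-counter default_action_count
   packets 88213
   bytes 61233094
"""
AFTER = """\
data-policy-filter _VPN-10_STREAMING-DIA-POLICY
 data-policy-vpnlist VPN-10
  data-policy-counter STREAMING-DNS-DIA
   packets 36
   bytes 2806
  data-policy-counter STREAMING-DIA
   packets 9310
   bytes 11890301
  data-policy-counter default_action_count
   packets 88950
   bytes 61718820
"""

COUNTER_RE = re.compile(r"^\s*data-policy-counter\s+(\S+)\s*$")
STAT_RE = re.compile(r"^\s*(packets|bytes)\s+(\d+)\s*$")


def parse_counters(text: str) -> Dict[str, Dict[str, int]]:
    """Map counter name -> {"packets": n, "bytes": n}."""
    counters: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            current = m.group(1)
            counters[current] = {"packets": 0, "bytes": 0}
            continue
        m = STAT_RE.match(line)
        if m and current is not None:
            counters[current][m.group(1)] = int(m.group(2))
    return counters


def counter_delta(before: str, after: str) -> Dict[str, Dict[str, int]]:
    """Growth of each counter between snapshots; counters missing from either side are skipped."""
    b, a = parse_counters(before), parse_counters(after)
    return {name: {k: a[name][k] - b[name][k] for k in ("packets", "bytes")}
            for name in a if name in b}


def dia_verdict(before: str, after: str, counter: str = "STREAMING-DIA") -> Dict[str, object]:
    """What a verification run should conclude from the two snapshots."""
    d = counter_delta(before, after)
    hits = d.get(counter, {}).get("packets", 0)
    others = d.get("default_action_count", {}).get("packets", 0)
    return {
        # False means the sequence has no "count" action, not that it never matched
        "counter_present": counter in parse_counters(after),
        "streaming_hit_dia": hits > 0,
        "other_traffic_still_default": others > 0,
        "dia_packets": hits,
    }


if __name__ == "__main__":
    for name, delta in counter_delta(BEFORE, AFTER).items():
        print(f"{name:<22} +{delta['packets']} pkts  +{delta['bytes']} bytes")
    print(dia_verdict(BEFORE, AFTER))
```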

Step 8: Where Application-Aware Routing (AAR) Fits (and Where It Does Not)

Application-Aware Routing selects among SD-WAN overlay tunnels (TLOC colors such as mpls or public-internet) based on the loss, latency and jitter measured on each tunnel. It acts only on traffic that travels the SD-WAN overlay to another SD-WAN site or hub. It does not steer traffic into the service-side IPsec tunnel to Prisma, and it cannot send a flow to the VPN 0 NAT exit, so it is not an alternative to the data policy in Steps 3 to 5. Fallback from DIA to the Prisma tunnel is handled by the Fallback option of the NAT VPN action together with the DIA tracker, not by AAR.

AAR Policy — When It Is Relevant Here:

  • The site also sends some traffic across the overlay (for example to a hub that hosts the Prisma tunnel, or to other sites) over more than one transport, and you want that overlay traffic for streaming apps to prefer the internet tunnel
  • You want SLA-based selection between tunnels so that video quality degrades gracefully when one transport suffers loss or jitter

vManage — AAR Policy Configuration (Conceptual; applies to overlay traffic only)

# Navigate to: Configuration > Policies > Add Policy
# > Configure Traffic Rules > Application Aware Routing > Add Policy

Policy Name: STREAMING-AAR-POLICY
Sequence: 10
  Name: STREAMING-PREFER-INTERNET-TUNNEL

  Match:
    Application List: STREAMING-APPS-DIA

  Actions:
    SLA Class: STREAMING-SLA
    Preferred Color: public-internet  # the overlay tunnel over the internet transport,
                                      # NOT a direct internet exit
    Strict: No                        # if no tunnel meets the SLA, use the best available
                                      # tunnel rather than dropping

# SLA Class Definition
SLA Class Name: STREAMING-SLA
  Latency: 150 ms
  Loss: 1 %
  Jitter: 50 ms

💡 AAR vs Data Policy — Key Difference: The data policy with NAT VPN 0 takes the flow off the overlay and out of the Prisma tunnel entirely, onto the local circuit. AAR only picks which overlay tunnel a flow uses; "Preferred Color: public-internet" in AAR still means an encrypted SD-WAN tunnel, not Direct Internet Access. For the requirement in this guide the data policy (Steps 3 to 6) is the mechanism; add AAR only for the overlay traffic described above.

Step 9: Troubleshooting Guide

❌ Problem: Streaming traffic still going through Prisma SASE tunnels

Check: (1) Verify the policy reached the device: show sdwan policy from-vsmart should list the sequence with nat use-vpn 0. (2) Confirm the App List includes the correct NBAR2 names and the custom applications. (3) Verify App Visibility is enabled on the device; without DPI, apps cannot be recognised and the sequence never matches. (4) Check that the policy direction is From Service, not From Tunnel. (5) Confirm VPN 10 is in the VPN List applied to the policy. (6) Read the counter carefully: if STREAMING-DIA is missing from show sdwan policy data-policy-filter, the sequence has no count action; if it is present but stays at zero, the match itself is failing.

❌ Problem: First few packets of streaming session go to Prisma SASE, then switch to DIA

Root Cause: DPI needs the DNS answer or the TLS ClientHello before it can name the application, so the very first flow to a previously unseen server can pass sequence 10 unclassified and take the default path to Prisma. Do not expect that flow to migrate mid-session: moving it from the Prisma tunnel (client source IP) to DIA (NATted public source) would reset the TCP connection, so it stays where it started. Once NBAR2 has cached the server from the snooped DNS response, later flows match on their first packet. Fixes: add the dns request sequence from Step 6 so the lookup itself is handled consistently, and add a destination Prefix List of CDN ranges the provider publishes as an extra match for first-packet steering.

❌ Problem: NAT translations not showing for streaming traffic in VPN 0

Check: (1) Verify NAT is enabled on the VPN 0 WAN interface in the Feature Template (CLI: ip nat outside on the interface plus the generated ip nat inside source list ... overload statement). (2) Run show ip nat translations (no vrf keyword; VPN 0 is the global table on IOS XE). (3) Confirm VPN 0 has a default route: show ip route 0.0.0.0. (4) If a tracker is configured, check show endpoint-tracker; a down tracker with Fallback enabled sends the flows back through Prisma, which looks like "policy not working" until you check the tracker.

❌ Problem: App visibility/DPI not recognizing streaming applications

Check: (1) Confirm App Visibility is enabled in the device (localized) policy; show sdwan app-fwd cflowd flows vpn 10 should show application names rather than unknown. (2) Verify the active NBAR2 protocol pack: show ip nbar protocol-pack active. (3) Ensure the platform has the CPU and memory headroom for DPI; on low-end platforms DPI may be limited. (4) Update the protocol pack via vManage if the streaming app names you need are newer than the pack on the box.

Step 10: Important Caveats & Considerations

⚠️ Security Gap Awareness: Traffic sent to the internet via VPN 0 bypasses Prisma SASE inspection entirely: no URL filtering, no threat prevention, no DLP from Prisma for those flows, and no Prisma DNS security for the lookups steered in Step 6. Make sure the security policy explicitly accepts this for streaming content, enable flow export (cflowd) for VPN 10 so DIA flows are at least logged, and consider local security on the edge router (Cisco Umbrella DNS, IPS, URL filtering) for DIA traffic.
⚠️ The match keys are client-controlled: Custom Applications match on the TLS server name, which the client writes into the ClientHello, and NBAR2 classification also leans on SNI and DNS. A host on VPN 10 that presents an SNI under *.googlevideo.com while connecting to an arbitrary address gets the uninspected DIA path for that connection. Keep the custom server-name list tight, pair it with destination prefix lists where a CDN publishes its ranges, and do not widen the bypass to applications that are not pure media.
⚠️ Encrypted Traffic: TLS 1.3 encrypts the server certificate, but the SNI in the ClientHello stays in cleartext unless Encrypted Client Hello (ECH) is used. Where a service uses ECH, the outer SNI carries only the fronting public name, so neither NBAR2 nor custom server names can see the real destination; such flows miss the bypass and stay on Prisma, which is the safe failure mode. DNS snooping and known CDN prefix lists are what keep classification working in that case.
⚠️ Platform DPI Limitations: Not all SD-WAN platforms support full NBAR2 DPI at line rate. Entry-level platforms (ISR 1100, vEdge 100) have DPI limitations. Verify your platform's DPI capability in the Cisco datasheet before relying on application-based policy for high-throughput streaming.
⚠️ Prisma SASE Tunnel Impact: Verify that bypassing streaming traffic does not violate any SLA or licensing terms with your Prisma SASE deployment. Some SASE contracts include bandwidth commitments. Also ensure the Prisma tunnel configuration (manual IPsec on VPN 10) remains stable — the DIA bypass should be transparent to the tunnel itself.
⚠️ Egress Location Changes: Streaming traffic now leaves from the site's own ISP address, so CDNs and geolocation-dependent services see the site's location rather than Prisma Access's egress location. Any content or partner that allow-lists Prisma's egress IPs will stop recognising this site for these flows. For media this is usually what you want (nearer CDN node, lower latency), but it belongs in the change record.
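To show why the client-controlled match key matters, the added example below (written for this guide; not from the page's author or from Cisco) builds a minimal TLS ClientHello carrying an attacker-chosen server name, extracts the SNI the way a DPI engine would, and compares a bypass decision keyed on the SNI alone with one that also requires the destination to fall inside a known CDN range. The ClientHello bytes and the CDN range (RFC 5737 documentation space) are constructed for the demonstration; real CDN ranges would come from the publishers' address lists.

```python
"""SNI-only vs SNI-plus-prefix bypass decisions on a constructed ClientHello (example code)."""
import ipaddress
import struct
from fnmatch import fnmatchcase
from typing import Optional

# Server-name patterns from the custom applications in Step 2.
SERVER_NAMES = ["*.nflxvideo.net", "*.googlevideo.com", "*.scdn.co"]
# Constructed stand-in for "known streaming CDN ranges": documentation space,
# NOT real CDN prefixes. A deployment would load the CDN publishers' lists here.
CDN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS ClientHello record (test input, not a capture).
    With server_name=None the record carries no SNI extension at all."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type host_name (0)
        name_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    body = (
        b"\x03\x03" + bytes(32)                  # legacy_version, random (zeros: constructed)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return host_name from the SNI extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16:                                   # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                       # not a ClientHello
            return None
        p = 4 + 2 + 32                                          # handshake hdr, version, random
        p += 1 + hs[p]                                          # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]            # cipher_suites
        p += 1 + hs[p]                                          # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]       # extensions block
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0x0000:                                 # server_name
                q = p + 2                                       # skip server_name_list length
                if hs[q] == 0x00:
                    n = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    return hs[q + 3:q + 3 + n].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def sni_only_bypass(record: bytes) -> bool:
    """The weak decision: steer to DIA on a field the client chooses."""
    sni = extract_sni(record)
    return sni is not None and any(fnmatchcase(sni.lower(), p) for p in SERVER_NAMES)


def hardened_bypass(record: bytes, dst_ip: str) -> bool:
    """Also require the destination to sit in the published CDN ranges."""
    if not sni_only_bypass(record):
        return False
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net for net in CDN_PREFIXES)


if __name__ == "__main__":
    genuine = build_client_hello("r3.googlevideo.com")
    spoofed_sni_to_c2 = genuine                     # same bytes, sent to a non-CDN address
    print("SNI seen by DPI       :", extract_sni(genuine))
    print("SNI-only, CDN dest    :", sni_only_bypass(genuine))
    print("SNI-only, other dest  :", sni_only_bypass(spoofed_sni_to_c2))        # still bypasses
    print("hardened, CDN dest    :", hardened_bypass(genuine, "198.51.100.10"))
    print("hardened, other dest  :", hardened_bypass(spoofed_sni_to_c2, "203.0.113.7"))
    print("no SNI (ECH-like)     :", sni_only_bypass(build_client_hello(None)))  # stays on Prisma
```

The same bytes sent to a non-CDN address pass the SNI-only check and fail the hardened one, which is the whole point: a server name proves nothing about where the packet is going. The no-SNI case shows the safe default when the name is not visible at all.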

📊 Complete Solution Summary

Final Traffic Flow After Implementation

STREAMING APPS (Netflix, YouTube, Spotify, etc.)
User Device
  └──► VPN 10 LAN Interface (Service VPN)
         └──► SD-WAN Data Policy: MATCH App = STREAMING-APPS-DIA
                └──► Action: NAT VPN 0 (nat use-vpn 0, with Fallback)
                       └──► VPN 0 WAN Interface (NAT applied)
                              └──► Direct Internet (No Prisma SASE)
                                     └──► Netflix CDN / YouTube CDN ✅

ALL OTHER TRAFFIC (Office 365, Internal Apps, etc.)
User Device
  └──► VPN 10 LAN Interface (Service VPN)
         └──► SD-WAN Data Policy: NO MATCH (default action)
                └──► Normal Routing via VPN 10
                       └──► IPsec Tunnel to Prisma SASE
                              └──► Prisma SASE Security Inspection ✅
                                     └──► Internet via Prisma SSE

✅ Implementation Checklist:

☑️  VPN 0 NAT enabled on WAN interface (Feature Template)
☑️  VPN 0 default route confirmed (internet reachable)
☑️  Application List STREAMING-APPS-DIA created with NBAR2 app names
☑️  Custom FQDN-based apps added for any non-NBAR2 streaming services
☑️  Centralized Data Policy created: match app list, action NAT VPN 0 with Fallback and a named Counter, plus the DNS request sequence for the same list
☑️  Policy applied to correct Site List and VPN 10 with direction "From Service"
☑️  Policy activated in vManage and pushed to vSmart
☑️  App Visibility confirmed enabled on edge device
☑️  DNS configured to resolve streaming FQDNs via internet (optional but recommended)
☑️  Policy presence verified with show sdwan policy from-vsmart and sequence hits seen in show sdwan policy data-policy-filter
☑️  NAT translations confirmed for streaming destinations in VPN 0
☑️  Prisma SASE dashboard confirms streaming sessions not appearing from this site
☑️  Security team informed of DIA traffic bypassing SASE inspection

🎯 Solution Implemented Successfully!

Your streaming app traffic now exits directly via VPN 0 (DIA) — reducing latency, saving Prisma SASE bandwidth, and improving user streaming experience — while all other business traffic continues through Prisma SASE for full security inspection.

📌 Note: This solution guide is based on Cisco SD-WAN (vManage / Catalyst SD-WAN) and Palo Alto Prisma SASE best practices as of 2026. Exact GUI navigation paths and CLI syntax vary between vManage (SD-WAN Manager) and IOS XE SD-WAN releases; the Prisma side of the tunnel is unaffected by this change. Always test in a lab or staging environment before applying to production. Cisco SD-WAN, vManage, Catalyst, NBAR2, and IOS-XE are trademarks of Cisco Systems, Inc. Prisma SASE and Prisma Access are trademarks of Palo Alto Networks, Inc.