Where is route leaking configured between VRFs?

In the Prisma SD-WAN solution, multi-tenancy and network isolation are achieved through the use of Virtual Routing and Forwarding (VRF) instances. However, there are many operational scenarios—such as providing shared access to a common service (e.g., DNS, NTP) or a central Internet gateway—where traffic must transition between these isolated routing domains. This process is known as route leaking.

In the Prisma SD-WAN management interface, route leaking is specifically configured within the VRF Profile. Unlike traditional CLI-based routers where route leaking might be configured under a global routing table or individual VRF definitions via import/export targets, Prisma SD-WAN utilizes a profile-based approach to ensure scalability and consistency across multiple sites. A VRF Profile acts as a template that defines the routing behavior for specific VRFs across the fabric.

When an administrator navigates to the VRF Profile settings, they can define "Leaking Rules." These rules specify the "From VRF" (source) and "To VRF" (destination) parameters, along with the specific prefixes or default routes that should be shared. By placing this configuration within the VRF Profile rather than a site-specific configuration, Palo Alto Networks allows for a "configure once, apply many" workflow. Once the VRF Profile is updated with the leaking rules, any ION device associated with that profile will automatically update its local routing table to allow the specified inter-VRF communication. This centralized orchestration simplifies the management of complex segmentation requirements in large-scale SD-WAN deployments.