>
    App Acceleration in Prisma Access
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. App Acceleration in Prisma Access
    Download PDF
    Prisma Access

    App Acceleration in Prisma Access

    Table of Contents

    App Acceleration in
    Prisma Access

    Learn how
    Prisma Access
     can speed up app performance using App Acceleration.
    Where Can I Use This?
    What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • A minimum
      Prisma Access
       version of 5.0 Innovation
    • App Acceleration requires a
      Prisma Access
       dataplane version of 10.2.10
    • App Acceleration Add-On License
      The App Acceleration license includes a 30-day evaluation license for Autonomous DEM (ADEM) so you can retrieve App Acceleration performance metrics from ADEM.
    App Acceleration directly addresses the causes of poor app performance and acts in real-time to mitigate them, dramatically improving the user experience for
    Prisma Access
     GlobalProtect and Remote Network users.
    The primary causes of poor user experience when accessing apps are dynamic content (content that must be processed for each user individually, on-demand) and network connectivity issues.
    App Acceleration provides you with the following functionality:
    Acceleration for top SaaS apps
    —App Acceleration for Prisma SASE accelerates dynamic content to improve the response time of top SaaS apps. It securely and intelligently prepares the dynamic content that each user needs, before the user requests it.
    As a result, App Acceleration dramatically reduces the response time of applications and the APIs powering them to improve the user experience and boost productivity.
    Accelerated applications are listed in the Supported Apps section.
    Network Acceleration
    —When your users access apps, they can experience poor app performance that is caused by decreased throughput, which could be caused by packet loss, degraded wireless connectivity, network congestion, and other factors. These networking issues can adversely affect the employee experience and reduce their productivity.
    When the internet was conceived, networks were homogenous and wireless connectivity was in its infancy. Fundamental protocols like TCP were originally created for these networks. Today, networks are no longer homogenous and wireless connectivity creates a highly variable user experience. When users experience degraded network conditions, TCP can't differentiate if the problem occurred because of device limitations, network limitations, or physical constraints.
    Without requiring any changes to your client configuration or applications, App Acceleration securely builds an understanding of the:
    • Device capability
      —The type of client endpoint
    • Network capability
      —The type of network
    • App Context
      — The type of app being used
    Using its understanding of device, network and application context, App Acceleration maximizes throughput and adjusts in real-time to account for changing network conditions.
    When compared to direct internet access, App Acceleration offers a marked throughput improvement for TCP traffic when connecting through
    Prisma Access
    .
    You can view throughput improvements from App Acceleration in Prisma SASE Incidents and Alerts. AI-powered Autonomous DEM (ADEM) integrates with App Acceleration and provides you with metrics such as the number of applications that were accelerated and the performance boost gained overall.

    App Acceleration Requirements and Guidelines

    When configuring App Acceleration, make a note of the following guidelines and requirements:
    • Supported Apps
      —App Acceleration supports the following apps:
      • AWS S3
      • Azure Storage
      • Box
      • Google Drive
      • Microsoft OneDrive
      • Salesforce
      • SAP Ariba
      • ServiceNow
      • Slack (
        file downloads
        )
      • Zoom (
        file downloads from chat, recording downloads
        )
    • Supported Locations
      —App Acceleration is available for all
      Prisma Access
       locations except for the following locations:
      • Bahrain
      • China
      • Ireland
      • South Africa West
      • Sweden
      • United Arab Emirates
    • Trusted Root CA Upload
      —You need to set up a trusted Root CA and perform a commit and push operation and then select it during App Acceleration setup, as shown in the following procedures. If using
      Strata Cloud Manager
       to configure App Acceleration, set up the Root CA in the
      Prisma Access
       scope. If you change the certificate you use, you must also commit and push the changed certificate before you select it.
    • Forward Trust Certificate and Trusted Root CA—
       Enable the CA/certificate you uploaded as a forward trust certificate and trusted root CA, as shown in the following procedures. If SSL decryption is applied to any accelerated apps, you must mark the certificate as a forward trust certificate and trusted root CA, or users will encounter SSL errors when trying to access those apps.
    • QUIC Protocol Support
      —Some browsers (such as Google Chrome) may use the Quick UDP Internet Connections (QUIC) protocol by default. Layer 7 app acceleration can't be used on traffic using QUIC. As a workaround, disable the QUIC protocol when you configure App Acceleration.
    • SaaS Apps and Zy-* Response Headers
      —Users connecting to Prisma Access deployments that have App Acceleration enabled for top SaaS apps can expect to see response headers with a name of Zy-*, such as Zy-Server and Zy-Accelerated, and a zy_sid session cookie.
      If the response header is Zy-Accelerated, a value of
      1
       indicates that the response was accelerated and a value of
      0
       indicates the response was not accelerated.
    • Content Localization
      —If an accelerated SaaS app localizes content based solely on the user's IP address or user ID, when acceleration is enabled for that app, its content will not be localized.
    • Unsupported
      Prisma Access
       Functionality
      —The following functionality does not support App Acceleration and
      Prisma Access
       deployments with these features enabled will not be accelerated:

    Configure App Acceleration

    To configure App Acceleration in Prisma Access, select one of the following tabs depending on your deployment (
    Prisma Access (Managed by Strata Cloud Manager)
     or
    Prisma Access (Managed by Panorama)
    ).

    Configure App Acceleration in
    Prisma Access
     (
    Strata Cloud Manager
    )

    Configure App Acceleration in a
    Prisma Access (Managed by Strata Cloud Manager)
     deployment.
    To configure App Acceleration in a
    Prisma Access (Managed by Strata Cloud Manager)
     deployment, complete this task.
    1. (
      Optional
      ) Disable the Quick UDP Internet Connections (QUIC) protocol.
      App Acceleration cannot accelerate apps at Layer 7 without disabling QUIC.
      1. Go to
        Manage
        Configuration
        NGFW & Prisma Access
        Security Services
        Security Policy
         and
        Add Rule
        Pre Rules
        .
        Create this Security policy rule in the
        Global
         configuration scope.
      2. Select an
        Application / Service
         of
        quic
         and an
        Actions
         of
        Drop
        .
      3. Save
         your changes.
      4. Go to
        Manage
        Configuration
        NGFW & Prisma Access
        Objects
        Services
        Service
         and
        Add
         services for UDP port 80 and UDP port 443.
        Palo Alto Networks recommends adding services for UDP port 80 and UDP port 443 and creating an additional security policy to block UDP traffic on those ports, because newer versions of QUIC might be misidentified as
        unknown-udp
        .
      5. Return to
        Manage
        Configuration
        NGFW & Prisma Access
        Security Services
        Security Policy
        Add Rule
         for a second security policy, specifying the services under
        Application / Services
         and an
        Action
         of
        Drop
        .
        When complete, you will have two security policies: One that blocks the QUIC protocol and one that blocks traffic on UDP ports 80 and 443.
    2. Import a root certificate authority (CA) certificate and private key in
      Strata Cloud Manager
       in the
      Prisma Access
       scope to use with App Acceleration and push your changes.
      A self-signed root CA/certificate is the top-most certificate in a certificate chain. App Acceleration uses the root CA/certificates to create certificates for the accelerated apps. Push the root CA/certificate in Prisma Access so that App Acceleration can begin creation of the app- specific certificates.
      The root CA/certificate must have these characteristics: :
      • The CA must be a trusted CA.
      • (
        Recommended
        ) The CA should be unique and used for App Acceleration only.
      • The CA can't be expired. Make a note of the CA expiration date, and renew the certificate before it expires. If a CA/certificate in use by App Acceleration expires, users will receive an SSL error when trying to access accelerated apps. It is critical to ensure that the CA is valid when App Acceleration is in use by your organization.
      • It must include a key.
      • It must use a passphrase.
      • It must be in the
        Prisma Access
         scope.
      • (
        Mobile Users—GlobalProtect Deployments Only
        ) It must be installed in the local root certificate store.
        You can perform this installation by adding it to the list of trusted certificates as described in this procedure or, if you are using ActiveDirectory, you can distribute the root CA from AD using an Active Directory Group Policy Object (GPO).
      If you ever need to change the root CA/certificate, you must upload it and commit your changes before you can use the changed certificate.
      1. Go to
        Manage
        Configuration
        NGFW and Prisma Access
        Objects
        Certificate Management
        .
      2. Import
         a certificate.
      3. Select the following parameters:
        • Enter a unique
          Certificate Name
           for the certificate, such as
          AppAcceleration_CA
          .
          The name is case-sensitive and can be up to 31 characters long. Use only letters, numbers, hyphens, and underscores in the name.
        • Choose File
           and browse for the
          Certificate File
           received from the CA and
          Open
           it.
        • Select a
          Format
          :
          • Encrypted Private Key and Certificate (PKCS12)
            —This is the default and most common format, in which the key and certificate are in a single container (Certificate File).
          • Base64 Encoded Certificate (PEM)
            —You must import the key separately from the certificate. You're required to select a
            Key File
             if you select this format.
          • Enter a
            Passphrase
             and
            Confirm Passphrase
            .
      4. Save
         your changes.
    3. Mark the root CA/certificate you added as a forward trust certificate and a trusted root CA.
      If you don't specify the certificate as a forward trust certificate and trusted root CA, users will encounter SSL errors when trying to access accelerated apps when using SSL decryption.
      1. Select the root CA/certificate you added.
      2. Select the certificate as a
        Forward Trust Certificate
         and
        Trusted Root CA
        .
      3. Update
         the certificate.
    4. Push
       your changes.
    5. (
      Mobile Users—GlobalProtect Deployments Only
      ) Add the root CA/certificate you added to the list of GlobalProtect trusted certificates and install it in the local root certificate store.
      Alternatively, if you are using ActiveDirectory, you can distribute the root CA from AD using an Active Directory GPO.
      1. Go to
        Workflows
        Prisma Access Setup
        GlobalProtect
        GlobalProtect App
        Global App Settings
        .
      2. Click the gear to edit the
        Settings
        .
      3. Add Trusted Certificate Distribution
        .
      4. Select the
        Trusted Root CA
         you created in an earlier step and select
        Install in Local Root Certificate Store
        .
      5. Save
         your changes.
      6. Push
         your changes.
    6. Enable App Acceleration and choose the certificate file you created.
      1. Go to
        Workflows
        App Acceleration
         from the left navigation bar.
        The App Acceleration window displays.
      2. Move the slider to the right to have App Acceleration be
        Enabled for all Mobile Users—GlobalProtect and Remote Networks
        .
        If commits are ongoing, App Acceleration settings will take effect after all commits complete.
        App Acceleration displays as enabled; however, you still need to select a root CA/certificate.
    7. Select the certificate you created in an earlier step.
      If you need to change the certificate from an existing one, select it here. You must commit the new certificate before you select it.
      After you import the certificate, you must wait until App Acceleration generates domain-specific certificates for each app. This process can take up to one hour. In the meantime, you can move the slider for the
      Accelerated Apps
       to the left to temporarily disable App Acceleration and access the apps until the certificates are generated; if you don't, you might receive an SSL error until the certificates are generated.
    8. (
      Optional
      )
      Show Advanced Options
       and change the metric testing parameters.
      • (
        Optional
        ) To disable the collection of metrics to obtain performance information, deselect
        Allow tests to collect performance metrics for Mobile Users
        .
        Palo Alto Networks recommends that you enable metric collection to view the app performance improvements when using App Acceleration.
      • (
        Optional
        ) To change the percentage of users for which predictive tests are processed from the default of 5%, select another percentage in the drop-down and
        Confirm
         the changes.

    Configure App Acceleration in
    Prisma Access
     (
    Panorama
    )

    Configure App Acceleration in a
    Prisma Access (Managed by Panorama)
     deployment.
    To configure App Acceleration in a
    Prisma Access (Managed by Panorama)
     deployment, complete this task.
    1. (
      Optional
      ) Disable the Quick UDP Internet Connections (QUIC) protocol.
      App Acceleration cannot accelerate apps at Layer 7 without disabling QUIC.
      1. Go to
        Policies
        Security
        Pre Rules
         and
        Add
         a security policy.
        Create this Security policy rule in the
        Shared
         device group.
      2. Select an
        Application
         of
        quic
         and an
        action
         of
        Deny
        .
      3. Add
         a second security policy.
        Newer versions of QUIC might be misidentified as
        unknown-udp
        . For this reason, Palo Alto Networks recommends adding services for UDP port 80 and UDP port 443 and creating an additional security policy to block UDP traffic on those ports.
      4. Under
        Service/URL Category
        ,
        Add
         a new services for UDP port 80 and UDP port 443 and an
        Action
         of
        Deny
        .
        When complete, you will have two security policies: One that blocks the QUIC protocol and one that blocks traffic on UDP ports 80 and 443.
    2. Import a root certificate authority (CA) certificate and private key in Panorama to use with App Acceleration and commit and push your changes.
      A self-signed root CA/ certificate is the top-most certificate in a certificate chain. App Acceleration uses the root CA/ certificates to create certificates for the accelerated apps. Push the root CA/ certificate in Prisma Access so that App Acceleration can begin creation of the app-specific certificates.
      The root CA/ certificate must have these characteristics:
      • The CA must be a trusted CA.
      • (
        Recommended
        ) The CA should be unique and used for App Acceleration only.
      • The CA can't be expired. Make a note of the CA expiration date, and renew the certificate before it expires. If a CA/certificate in use by App Acceleration expires, users will receive an SSL error when trying to access accelerated apps. It is critical to ensure that the CA is valid when App Acceleration is in use by your organization.
      • It must include a key.
      • It must use a passphrase.
      • (
        Mobile Users—GlobalProtect Deployments Only
        ) It must be installed in the local root certificate store.
        You can perform this installation by adding it to the list of trusted certificates as described in this procedure or, if you are using ActiveDirectory, you can distribute the root CA from AD using an Active Directory Group Policy Object (GPO).
      If you ever need to change the root CA/certificate, you must upload it and commit and push your changes before you can use the changed certificate.
      1. Go to
        Device
        Certificates
        Certificate Management
        .
        Be sure that you are in the Mobile_User_Template.
      2. Import
         a certificate.
      3. Select the following parameters:
        • Enter a unique
          Certificate Name
           for the certificate, such as
          AppAcceleration_CA
          .
          The name is case-sensitive and can be up to 31 characters long. Use only letters, numbers, hyphens, and underscores in the name.
        • Browse for the
          Certificate File
           received from the CA and
          Open
           it.
        • Select a
          Format
          :
          • Encrypted Private Key and Certificate (PKCS12)
            —This is the default and most common format, in which the key and certificate are in a single container (Certificate File).
          • Base64 Encoded Certificate (PEM)
            —You must import the key separately from the certificate. You're required to
            Import Private Key
             and select a
            Key File
             if you select this format.
          • Enter a
            Passphrase
             and
            Confirm Passphrase
            .
      4. Click
        OK
        .
      5. Repeat these steps, substituting the Remote_Network_Template for the Mobile_User_Template.
        You must import these certificates in both the Mobile_User_Template and Remote_Network_Template in order to accelerate apps for your mobile users and users at remote network sites.
    3. Mark the root CA/certificate you added as a forward trust certificate and a trusted root CA.
      If you don't specify the certificate as a forward trust certificate and trusted root CA, users will encounter SSL errors when trying to access accelerated apps when using SSL decryption. If you have certificates in the Mobile_User_Template and Remote_Network_Template, perform this step in both templates.
      1. Select the root CA/certificate you added.
      2. Select the certificate as a
        Forward Trust Certificate
         and
        Trusted Root CA
         and click
        OK
        .
    4. Commit and Push
       your changes.
    5. (
      Mobile Users—GlobalProtect Deployments Only
      ) Add the root CA/certificate you added to the list of GlobalProtect trusted certificates in the GlobalProtect portal configuration.
      Alternatively, if you are using ActiveDirectory, you can distribute the root CA from AD using an Active Directory GPO.
      1. Go to
        Network
        GlobalProtect
        Portals
        GlobalProtect_Portal
        Agent
        .
        Be sure that you are in the Mobile_User_Template.
      2. Add
         the trusted root CA you created in a previous step.
      3. Select
        Install in Local Root Certificate Store
        .
      4. Click
        OK
        .
      5. Commit and Push
         your changes.
    6. Enable App Acceleration and choose the certificate file you created.
      1. Go to
        Panorama
        Cloud Services
        App Acceleration
         and
        Get Started
         with App Acceleration.
      1. Go to
        Workflows
        App Acceleration
         from the left navigation bar.
        The App Acceleration window displays.
      2. Move the slider to the right to have App Acceleration be
        Enabled for all Mobile Users—GlobalProtect and Remote Networks
        .
        If commits are ongoing, App Acceleration settings will take effect after all commits complete.
        App Acceleration displays as enabled; however, you still need to select a root CA/ certificate.
    7. Select the certificate you created in an earlier step.
      If you need to change the certificate from an existing one, select it here. You must commit and push the new certificate before you select it.
      After you import the certificate, you must wait until App Acceleration generates domain-specific certificates for each app. This process can take up to one hour. In the meantime, you can move the slider for the
      Accelerated Apps
       to the left to temporarily disable App Acceleration and access the apps until the certificates are generated; if you don't, you might receive an SSL error until the certificates are generated.
    8. (
      Optional
      )
      Show Advanced Options
       and change the metric testing parameters.
      • (
        Optional
        ) To disable the collection of metrics to obtain performance information, deselect
        Allow tests to collect performance metrics for Mobile Users
        .
        Palo Alto Networks recommends that you enable metric collection to view the app performance improvements when using App Acceleration.
      • (
        Optional
        ) To change the percentage of users for which predictive tests are processed from the default of 5%, select another percentage in the drop-down and
        Confirm
         the changes.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.