Monitor LAN Health When Local Network Access is Blocked

ADEM monitors LAN health even when direct access to the local network is blocked in the GlobalProtect app.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • Strata Cloud Manager
What Do I Need?
  • Prisma Access license
  • Autonomous DEM license (agent version 5.7 or higher) or Strata Cloud Manager Pro
  • GlobalProtect license 6.3.3 or higher
You can run synthetic tests on Autonomous DEM to monitor local network health.
In many secure environments, you can configure the GlobalProtect app to block direct access to the local network. This setting prevents the Access Experience agent from performing critical health tests on the local network because the app blocks the agent’s standard processes from accessing the local network.
In such scenarios, you can explicitly configure Autonomous DEM to continue to monitor LAN health. When you enable LAN monitoring while access to the local network is blocked, the agent runs separate, dedicated processes to collect LAN metrics using TCP connections. Make sure to allowlist these processes in your GlobalProtect app or Prisma Access Agent.

Enable LAN Monitoring When Local Access is Disabled

Prerequisites
  • Allowlist the additional network processes on your EDR.
  • Ensure that ports 80 and 443 are open, because these ports are used for TCP pings and path traces on the local network when direct access to the local network is blocked.
  • If the VPN gateway is configured on a port other than 443, the gateway might not respond to TCP pings. In this case, Autonomous DEM can’t collect the internet metrics when direct access to the local network is blocked in GlobalProtect.
  • Verify if direct access to the local network is blocked in the GlobalProtect app.
    1. Launch Strata Cloud Manager and click Configuration > NFW and Prisma Access > Configuration Scope > GlobalProtect.
    2. Under Prisma Access Infrastructure Setup, click GlobalProtect.
    3. Select GlobalProtect App > Tunnel Settings and verify if the Local Network Access is blocked.
  1. Launch Strata Cloud Manager and click Insights > Application Experience > Manage Tests and RUM.
  2. In the Application Tests tab, select the Enable LAN health when GlobalProtect has disabled Direct Access to Local Network check box.
    A pop-up appears to confirm that you have allowlisted the processes required for monitoring LAN health on your EDR. Click Confirm to continue.
    The application tests will continue to collect LAN metrics even when direct access to the local network is blocked in the GlobalProtect app.
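
The port prerequisites above can be checked from an endpoint before the option is enabled. The following is an added example, not Palo Alto Networks code and not how the Access Experience agent is implemented: it times one TCP handshake per port on 80 and 443 and reports which ports did not open. The function names, the three result states and the placeholder address 192.0.2.1 are assumptions made for the example.

```python
import socket
import sys
import time

# Ports the prerequisites name for TCP pings and path traces.
LAN_TEST_PORTS = (80, 443)


def tcp_ping(host, port, timeout=2.0):
    """Try one TCP handshake and return (state, rtt_ms).

    open     - handshake completed
    refused  - host answered with a reset, nothing is listening
    no-reply - timeout or network error, for example dropped by a filter
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect((host, port))
        state = "open"
    except ConnectionRefusedError:
        state = "refused"
    except OSError:  # covers timeouts, unreachable networks, failed lookups
        state = "no-reply"
    finally:
        elapsed = (time.monotonic() - start) * 1000
        sock.close()
    return state, (round(elapsed, 2) if state != "no-reply" else None)


def check_host(host, ports=LAN_TEST_PORTS, timeout=2.0):
    """Probe each port once and return {port: (state, rtt_ms)}."""
    return {port: tcp_ping(host, port, timeout) for port in ports}


def ports_not_open(results):
    """Ports that did not complete a handshake and need attention."""
    return sorted(p for p, (state, _) in results.items() if state != "open")


if __name__ == "__main__":
    # 192.0.2.1 is a documentation address used as a placeholder; pass the
    # local gateway or VPN gateway address as the first argument instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    results = check_host(target)
    for port, (state, rtt) in results.items():
        print(f"{target}:{port} {state} rtt_ms={rtt}")
    print("not open:", ports_not_open(results) or "none")
```

A `no-reply` result on 443 against the VPN gateway matches the case in the prerequisites where a gateway configured on another port does not answer TCP pings.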