Enable ADEM to Monitor Prisma SD-WAN Remote Sites

If you purchased the Remote Sites license when purchasing ADEM, you can enable ADEM monitoring on your remote sites.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Strata Cloud Manager
  • Prisma Access license
  • Autonomous DEM license
To enable Autonomous Digital Experience Management (ADEM) for your Prisma Access Remote Networks, you must have a license for Prisma Access for Remote Networks. You can then apply your ADEM Remote Networks license to the compute locations and let the SD-WAN sites connected to those compute locations run synthetic tests that continuously monitor the digital experience of your remote sites on the applications you choose to monitor.
  • ADEM for Remote Networks is only supported when Aggregate Bandwidth is enabled on Prisma Access.
  • Purchase Autonomous DEM license for Remote Networks.
    If you purchased an Autonomous DEM license with a new Prisma Access subscription, you must activate ADEM during the Prisma Access activation process. If you purchased an add-on Autonomous DEM license for an existing Prisma Access subscription, activation will happen automatically.
    With an active ADEM Remote Networks license, each SD-WAN device at a remote site is capable of running a certain number of synthetic tests based on the size of the SD-WAN device.
    Prisma SD-WAN Device Model    Application Tests Supported
    Hardware Models
    ION 1000                      Up to 20
    ION 1200                      Up to 20
    ION 2000                      Up to 30
    ION 3000                      Up to 40
    ION 5200                      Up to 40
    ION 7000                      Up to 50
    ION 9000                      Up to 75
    Virtual Models
    ION 3102v                     Up to 30
    ION 3104v                     Up to 40
    ION 3108v                     Up to 50
    Each platform can run up to the number of application tests listed above, assuming each application is configured to use a maximum of 4 paths. If more paths are configured per application, the total number of application tests the platform can run decreases. When creating application tests on the ADEM portal, the administrator can choose to monitor application performance on active paths only.
    Based on the application forwarding policy configured on Prisma SD-WAN, ADEM monitors all available paths for each application. Each monitored path, whether it is the application's active or backup path, counts as one test. So an application monitored on three paths counts as three tests; if you also monitor the backup paths for that application, it counts as six tests: three for the active paths and three for the backup paths. You must therefore decide whether to monitor both the active and the backup paths for an application or only the active paths. The more paths you monitor per application, the fewer applications you can monitor from an SD-WAN remote site.
  • You should already have allocated Remote Networks bandwidth on the compute locations in Prisma Access.
  • You must have completed the Prisma Access remote network configuration required to securely connect Prisma SD-WAN remote sites. For details on configuring aggregate bandwidth, refer to the documentation for Panorama Managed Prisma Access or Cloud Managed Prisma Access respectively.
  • You must be running these mandatory versions of the following software:
    Software Name                                   Mandatory Version
    Prisma Access (Cloud Managed or Panorama)       2.2 Preferred
    Prisma SD-WAN                                   5.6.1-b13
    CloudBlades (Prisma Access Cloud Managed)       3.1.1
    CloudBlades (Prisma Access Panorama Managed)    2.1.2
  • Whether you are using ADEM on Panorama Managed Prisma Access or Cloud Managed Prisma Access, you can manage ADEM from the Strata Cloud Manager console.
  • Use the Autonomous DEM Summary and Applications dashboards within the Strata Cloud Manager console to get a sense of the baseline digital experience score for your SASE environment as a whole, and for each individual application.
    Even before you begin configuring application tests to monitor specific applications, you can use the Applications dashboard to get an overall view of the applications in use across your network and use this information to decide which applications you want to monitor.
  • Add application tests for the remote sites that you want to monitor.
  • Use the ADEM dashboards to monitor the digital experience of users, remote sites, and applications across your SASE environment and use the information to troubleshoot issues as they arise.
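As an added example (not from this documentation or from Palo Alto Networks), the test-counting rule from the sizing discussion above can be turned into a small planner that tallies the tests a set of applications consumes on a given ION model and checks it against the limits in the table; the application names, path counts and the over_4_paths check are constructed assumptions.

```python
from dataclasses import dataclass

# Per-model application test limits, copied from the documentation table above.
APP_TESTS_SUPPORTED = {
    "ION 1000": 20, "ION 1200": 20, "ION 2000": 30, "ION 3000": 40,
    "ION 5200": 40, "ION 7000": 50, "ION 9000": 75,
    "ION 3102v": 30, "ION 3104v": 40, "ION 3108v": 50,
}

@dataclass(frozen=True)
class AppTest:
    """One ADEM application test as configured for a site (constructed model)."""
    name: str
    active_paths: int          # active paths from the Prisma SD-WAN forwarding policy
    backup_paths: int = 0      # backup paths; counted only when monitor_backup is True
    monitor_backup: bool = False

    def tests_consumed(self) -> int:
        """Every monitored path is one test; monitored backup paths add their own."""
        if self.active_paths < 1:
            raise ValueError(f"{self.name}: an application needs at least one active path")
        return self.active_paths + (self.backup_paths if self.monitor_backup else 0)

def plan_site(model: str, apps: list[AppTest]) -> dict:
    """Budget check for one site: tests consumed against the model's limit.
    The limits assume no application is configured with more than 4 paths, so
    applications above that are reported separately (the limit no longer holds)."""
    limit = APP_TESTS_SUPPORTED[model]          # unknown model -> KeyError, deliberately
    consumed = sum(app.tests_consumed() for app in apps)
    over = [app.name for app in apps if app.active_paths + app.backup_paths > 4]
    return {"model": model, "consumed": consumed, "limit": limit,
            "remaining": limit - consumed, "fits": consumed <= limit,
            "over_4_paths": over}

if __name__ == "__main__":
    # Constructed sample branch on an ION 1200 (limit 20): 6 + 4 + 4 = 14 tests.
    branch = [
        AppTest("CRM", active_paths=3, backup_paths=3, monitor_backup=True),
        AppTest("Video", active_paths=4),
        AppTest("Mail", active_paths=2, backup_paths=2, monitor_backup=True),
    ]
    print(plan_site("ION 1200", branch))
```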
For NGFWs without Okta or SAML authentication, the Cloud Identity Engine Agent is used to sync on-prem Active Directories with CIE. Ensure the CIE Agent is configured to allow ADEM to fetch User-IDs and User Groups.
To access data on Remote Site experience, select View User Experience under the User Experience table on the Home page.
To enable Autonomous DEM for Remote Networks in Cloud Managed Prisma Access:
  1. In Strata Cloud Manager, select Manage > Remote Networks.
  2. In Remote Networks Setup, under the Autonomous DEM column, to enable ADEM for Remote Networks on a compute location, move its slider to the right until it turns blue.
  3. Make sure you have security policy rules required to allow the GlobalProtect app to connect to the ADEM service and run the synthetic tests.
    The following screen shows you an example of what fields you need to configure.
    You must add the ADEM URLs so that the endpoints can register with the ADEM portal.
    1. Add a security profile for your access experience agent registration; you will need to create a security policy for it.
      Click Allow All Traffic for ADEM clients.
      The Allow All Traffic for ADEM Clients page opens.
    2. Add the ADEM URLs.
      To do so, click the + icon under Destination > Addresses > ADEM URL.
    3. The Address Groups page opens. Click the + icon under Address Entities > Address.
      Add the following URLs one by one by clicking the + icon:
      • agents.dem.prismaaccess.com
      • updates.dem.prismaaccess.com
      • features.dem.prismaaccess.com
      • agents-prod1-us-west2.dem.prismaaccess.com
      • agents-sg1-asia-southeast1.dem.prismaaccess.com
      • agents-au1-australia-southeast1.dem.prismaaccess.com
      • agents-jp1-asia-northeast1.dem.prismaaccess.com
      • agents-ca1-northamerica-northeast1.dem.prismaaccess.com
      • agents-eu1-europe-west4.dem.prismaaccess.com
      • agents-uk1-europe-west2.dem.prismaaccess.com
      • agents-in1-asia-south1.dem.prismaaccess.com
      • agents-de1-europe-west3.dem.prismaaccess.com
      • agents-ch1-europe-west6.dem.prismaaccess.com
      • agents-fr1-europe-west9.dem.prismaaccess.com
    4. To enable the app to connect to the ADEM service and to run the application tests, you must have a policy rule to allow the remote sites to connect to applications over HTTPS.
    5. To enable the app to run network monitoring tests, you must have a policy rule to allow ICMP and TCP traffic.
    6. (Optional) If you plan to run synthetic tests that use HTTP, you must also have a security policy rule to allow the remote sites to access applications over HTTP.
    If you use a third-party EDR, you must allow certain processes on the EDR for ADEM to function properly. Examples of EDRs that require this include:
    • CrowdStrike
    • Trellix
    • SentinelOne
If you purchased the Remote Networks license when purchasing ADEM, you can allocate your Remote Networks bandwidth licenses on Prisma Access for each compute location, based on your capacity planning. The unit of measure for bandwidth licenses is Mbps.
Below are some points to consider when allocating bandwidth for ADEM:
  • When you enable ADEM on a compute location, the ADEM bandwidth allocated to it is always equal to the bandwidth you had already allocated for Remote Networks on Prisma Access for that compute location (see the Bandwidth Allocation (Mbps) column).
    As soon as you enable ADEM on a compute location, that same amount of Remote Networks bandwidth is automatically deducted from the overall pool of ADEM bandwidth licenses (shown as Autonomous DEM Allocated Total).
  • The Autonomous DEM Allocated Total shows you how much bandwidth has already been consumed by ADEM and how much is remaining.
  • For any compute location, you can Enable ADEM only if the overall ADEM bandwidth pool (shown in Autonomous DEM Allocated Total) has enough license available to match the Remote Networks bandwidth allocated to that location. For example, if you try to Enable ADEM on a compute location with 100 Mbps of Remote Networks bandwidth allocated and your ADEM pool does not have at least 100 Mbps available, you cannot enable ADEM on that compute location until you add more ADEM bandwidth license to the overall pool.
  • When ADEM is enabled on a compute location and you increase or decrease the Remote Networks Bandwidth Allocation (Mbps) on that location, the bandwidth consumed from the ADEM pool of licenses (Autonomous DEM Allocated Total) increases or decreases correspondingly.
  • When you Enable ADEM on a compute location, ADEM is enabled for all the sites that connect to that compute location, and those Prisma SD-WAN sites can connect to the ADEM portal and be monitored.
  • After you have enabled ADEM on a compute location, if you would like to free up some ADEM bandwidth to allocate to another compute location, you can deselect the Enable check box. Doing so releases that bandwidth back to the ADEM pool of licenses, but it also disables ADEM on the compute location, which stops synthetic test monitoring on all sites connected to that compute location.
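The bandwidth-pool rules listed above are modelled in this added example (not Palo Alto Networks code) so that a planned set of compute-location changes can be checked before touching the console; the class name, the location names and the 250 Mbps pool size are constructed assumptions, and the rules themselves (deduction equal to the Remote Networks allocation, refusal when the pool is short, automatic adjustment on allocation changes, release on disable) are those the text states.

```python
class AdemPool:
    """ADEM Remote Networks bandwidth pool for a tenant (constructed model)."""

    def __init__(self, total_mbps: int):
        self.total = total_mbps                # ADEM bandwidth licenses purchased (Mbps)
        self.rn_alloc: dict[str, int] = {}     # Remote Networks allocation per compute location
        self.adem_enabled: set[str] = set()    # compute locations with ADEM enabled

    @property
    def allocated(self) -> int:
        """Autonomous DEM Allocated Total: RN bandwidth of every enabled location."""
        return sum(self.rn_alloc[loc] for loc in self.adem_enabled)

    @property
    def remaining(self) -> int:
        return self.total - self.allocated

    def set_remote_networks_bandwidth(self, location: str, mbps: int) -> None:
        """Set or change a location's Remote Networks allocation. If ADEM is enabled
        there, the ADEM allocated total follows the change (no re-enable needed)."""
        if mbps < 0:
            raise ValueError("bandwidth must be non-negative")
        self.rn_alloc[location] = mbps

    def enable_adem(self, location: str) -> int:
        """Enable ADEM on a compute location; returns the Mbps deducted from the pool.
        Fails when the pool cannot cover the location's full RN allocation."""
        need = self.rn_alloc.get(location)
        if need is None:
            raise KeyError(f"{location}: allocate Remote Networks bandwidth first")
        if location in self.adem_enabled:
            return 0                            # already enabled, nothing deducted
        if need > self.remaining:
            raise RuntimeError(f"{location}: needs {need} Mbps, pool has {self.remaining} Mbps")
        self.adem_enabled.add(location)
        return need

    def disable_adem(self, location: str) -> int:
        """Disable ADEM on a location (stops synthetic tests on all its sites);
        returns the Mbps released back to the pool."""
        if location not in self.adem_enabled:
            return 0
        self.adem_enabled.remove(location)
        return self.rn_alloc[location]

if __name__ == "__main__":
    pool = AdemPool(250)                        # constructed: 250 Mbps of ADEM licenses
    pool.set_remote_networks_bandwidth("us-west", 100)
    print(pool.enable_adem("us-west"), pool.remaining)   # 100 150
```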
To enable Autonomous DEM for the compute location, follow these steps:
  1. Open Panorama.
  2. In the left panel, expand Cloud Services and select Configuration > Remote Networks.
  3. Edit the Aggregate Bandwidth and Autonomous DEM Settings.
  4. Enable the compute locations for which to allocate the bandwidth for ADEM.
    The Autonomous DEM Allocation column will be visible only if you have purchased the ADEM for Remote Networks license.
  5. Click OK.
  6. Add the following URLs so that the SD-WAN site can register with the ADEM portal:
    1. In Panorama, go to Objects > Addresses. Click Add and add the following ADEM service destination FQDNs.
      • agents.dem.prismaaccess.com
      • updates.dem.prismaaccess.com
      • features.dem.prismaaccess.com
      • agents-prod1-us-west2.dem.prismaaccess.com
      • agents-sg1-asia-southeast1.dem.prismaaccess.com
      • agents-au1-australia-southeast1.dem.prismaaccess.com
      • agents-jp1-asia-northeast1.dem.prismaaccess.com
      • agents-ca1-northamerica-northeast1.dem.prismaaccess.com
      • agents-eu1-europe-west4.dem.prismaaccess.com
      • agents-uk1-europe-west2.dem.prismaaccess.com
      • agents-in1-asia-south1.dem.prismaaccess.com
      • agents-de1-europe-west3.dem.prismaaccess.com
      • agents-ch1-europe-west6.dem.prismaaccess.com
      • agents-fr1-europe-west9.dem.prismaaccess.com
    2. Create an address group containing the addresses above: go to Objects > Address Groups, click Add, and provide a name for the address group.
    3. Add the address group you just created to the security policy: go to Policies > Security > Pre Rules, click Add, and add the address group to the policy.
    If you use a third-party EDR, you must allow certain processes on the EDR for ADEM to function properly. Examples of EDRs that require this include:
    • CrowdStrike
    • Trellix
    • SentinelOne