Set up an Autonomous DEM Application Test

Learn how to start running Autonomous DEM synthetic testing on your Prisma Access endpoints so that you can collect digital experience metrics to help you isolate and resolve performance issues.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • Strata Cloud Manager
What Do I Need?
  • Prisma Access license
  • ADEM Observability license
  • Mobile Users license
  • Remote Networks license
After you’ve surveyed the applications running on your network and determined which applications you want to monitor, you can create app tests and decide whether you want to run the test only for Mobile Users or only for Remote Sites or for both.
ADEM agents can effectively run tests and collect performance metrics. Synthetic tests allow ADEM to baseline end-to-end user experience regardless of whether users access an application.
When creating synthetic tests, you have the option to enable the test on an individual Mobile User, on a Mobile User group, or on both. You can enable application tests for user groups that are already part of the Prisma Access configuration, for example, the GlobalProtect configuration or security policies. The tests that you enable on a user group will run on all devices that belong to every user in that group. You cannot select only certain devices on which to run the test. If a user is removed from a user group, the tests will automatically stop running on the user’s devices. When new users are added to a group, the tests will automatically run on the new users’ devices. Keep in mind that it may take up to 6 hours to automatically update users that are added to or removed from groups. However, if an application test is modified or created, changes made to the user group are automatically reflected. The test results can be filtered by individual Mobile Users or Mobile User groups (only groups currently in the test configuration). You must create at least one application test in order for data to be displayed on the Monitor > Applications page.
As you create app tests, keep in mind that every target is a test. So, if you have a group of targets under one test name, each target will be counted as one test. Each remote site has its own capacity based on your device. This is the recommended number of tests based on the Prisma SD-WAN ION form factor. Also, the same test target can be set in multiple app tests at a time. For example, www.google.com can be set as a target in AppTest A as well as in AppTest B. Be aware that every URL, target, domain, or IP that appears as a test target in any app, regardless of whether it appears in one app only or in multiple apps, will be considered as one test count.
Web and path tests will be enabled by default for pre-defined tests. When creating tests for Zoom and Teams applications, be sure to set Split Tunnel to true and do not run the path tests.
In order to run synthetic tests (to SaaS applications or applications in your data center through Prisma Access, Secure Fabric, via split tunneling), you must have security policy rules that allow the synthetic test traffic over ICMP, TCP, HTTPS, and optionally HTTP (depending on how you configure your app tests).
To create an app test:
  1. Go to Monitor > Applications.
  2. In the Prisma Access Applications table widget, click Manage Tests.
  3. On the Application Tests page, click Add Application Test.
  4. Name the new app test.
  5. You have the option to run application tests only for Mobile Users, only for Remote Sites, or for both. Select the Mobile Users and Remote Sites you want to monitor in the Source section.
    • Mobile Users: Define the Source Users that you want to run this app test. By default, all licensed ADEM users are assigned to run the test. If you want to limit this app test to specific users, click Mobile Users under Source, select Custom, click in the Search Mobile Users and Groups text box, and then select the users and/or groups you want to run the test.
    • Remote Networks: Select the remote site. By default, all remote site licenses are selected. You can also choose to run the tests on all remote sites or only particular remote sites. Define Advanced Options as needed. By default, ADEM sets the Network Test Options and Web Test Options based on the applications you selected. However, you can customize these options if needed in your environment.
  6. Identify the application you want to test as the Target. If you selected an application from the applications list, the application name is automatically populated. Otherwise, begin typing the application name to see a list of applications from which to select. If you don’t see the application you want to create a test for, you can create a custom application in your Prisma Access environment using Panorama or the Cloud Management App. Once you have created the custom application and successfully committed, you will see your app under the Applications dropdown menu on the Add Application Test page in ADEM.
    The tests get a priority assigned to them in the order that they were created. For example, the first test you create gets priority order 1. The next test you create gets priority order 2, and so on. The tests are pushed to the mobile users and remote sites according to the priority they are assigned. If the remote site devices have available capacity for the test, the test will be enabled. Otherwise, the remote site gets moved to the Excluded Remote Sites for the test.
    Even though the tests are assigned to both Mobile Users and Remote Sites, the priority in which the tests are pushed to the device is particularly important for remote sites, since each device in a remote site is capable of running a different number of tests depending on the device size. For example, suppose you have created Test A, which has a priority of 8, and attached it to multiple remote sites, all of which can run Test A. If one of those sites, for example San Jose, has reached its limit on how many tests it can run, Test A will not be pushed to that site. The San Jose remote site will be moved under the Excluded Remote Sites column in the Application Tests table on the Application Tests page. If you absolutely must run Test A, you can move it to a higher position in the table, for example to the top of the list, by clicking the dots to the left of the check box and dragging and dropping it to the top of the list. Alternatively, you can select its check box and click the up arrow at the bottom of the page. You will see its priority change only after you click Save. Test A will then have a higher priority and will be pushed to the San Jose remote site before the remaining tests that follow Test A in the table. This means, though, that the San Jose remote site will now be excluded from the configuration push of some other, lower-priority test (lower priority compared to Test A) that is pushed to it.
    For a list of devices and the maximum number of tests they are capable of running, refer to the table in Get Started for Remote Networks.
  7. Set the Advanced Options:
    The options that you select in the Advanced Options section determine what you see in the Path Visualization widget. If the application has been configured in GlobalProtect to be split tunneled, select the Split Tunnel option in the Network Test Options section. To view the split tunneled traffic in the Path Visualization widget, enable the Enable per hop performance metrics option under the Path Visualization section.
    Under Path Visualization, TCP or ICMP can be selected as the protocol for traceroute. Here is an example of TCP vs ICMP based traceroutes. Results for TCP and ICMP traceroutes can vary, but sometimes they can be the same. In general, TCP-based traceroutes can provide fewer unresponsive nodes.
    Here is an example of the Path Visualization widget for split tunneled applications. This is an example of when the Split Tunnel option under Network Test Options is selected along with the Enable per hop performance metrics option under Path Visualization.
    Network Test Options - measures end-to-end availability, latency, jitter, and packet loss
    • Protocol: Protocol to be used for network tests. It is set to TCP and cannot be changed.
    • Port: Set to port 443, which is the port that the TCP network test uses.
    • Split Tunnel: Select this check box if your application is split tunneled.
      If you select the Split Tunnel option along with the Enable per hop performance metrics option under Path Visualization, you will not be given the option to select a Protocol under Path Visualization. When you select Split Tunnel, the protocol for split tunnel applications will be chosen based on the operating system where the endpoint agent resides. The Windows agent will run TCP-based traceroutes for split tunnel applications, hence the Protocol under Path Visualization defaults to TCP on Windows. The macOS agents will run ICMP-based traceroutes for split tunneled applications, hence the Protocol defaults to ICMP on macOS.
      Selecting the Split Tunnel option along with the Enable per hop performance metrics option under Path Visualization shows per-hop network paths for split tunneled applications in the Path Visualization widget.
    Web Test Options
    • Enable HTTP/HTTPS testing: When enabled, the test uses HTTP/HTTPS to collect application performance metrics. You must clear the check box for non-web-based applications, such as SMB, to collect network performance metrics only.
    • Ignore SSL warnings and errors: Select this option to make sure that an application test does not fail due to SSL warnings and errors, such as those caused by certificate trust issues.
    • Override the default HTTP/HTTPS port: Select this box if you want to override the standard ports for HTTP/HTTPS.
    • Protocol: Select the protocol to use (HTTP or HTTPS) when running end-to-end tests. This option affects the port used (80 for HTTP and 443 for HTTPS).
    • Path: Optional. A custom path that will be appended to the target during the end-to-end test, which allows clients to test different paths on the same server, for example, www.someserver.com/some/path.
    • Headers: Optional. Custom HTTP headers that are sent as part of the HTTP/S request to a given target for end-to-end tests.
    Path Visualization - measures per hop network paths with TCP/ICMP
    • Enable per hop performance metrics: This check box is enabled by default. When enabled, it displays per-hop network paths for split tunneled applications in the Path Visualization widget.
      If you select the Split Tunnel option in the Network Test Options section along with the Enable per hop performance metrics option, you will not be given the option to select a Protocol. When you select Split Tunnel, the protocol for split tunnel applications will be chosen based on the operating system where the endpoint agent resides. The Windows agent will run TCP-based traceroutes for split tunnel applications, hence the Protocol under Path Visualization defaults to TCP on Windows. The macOS agents will run ICMP-based traceroutes for split tunneled applications, hence the Protocol defaults to ICMP on macOS.
    • Protocol: For non-Split Tunnel applications, you have the option to select the TCP or ICMP protocol. ICMP is selected as the default protocol. If TCP is selected, the VPN gateway is not responding to the TCP-based traceroute, and path visualization returns minimal data, verify the security configurations implemented for your device or select ICMP-based traceroute instead.
      If your security policy is set to 'application-default' under 'Service/URL Category' or 'APPLICATION / SERVICE', your traffic may be getting dropped, causing traceroute to not run successfully. Update this field to 'any' so that any port can be used.
    Mobile Users Test Options
    Enabling end-to-end Application Experience monitoring when mobile users are in Trusted Networks will consume additional session connections per Mobile User and per application on Remote Site devices.
    • End-to-end Application Experience monitoring from Trusted Networks (in Office): Select this option if you are in a trusted network environment.
    • End-to-end Application Experience monitoring from Untrusted Networks when VPN is disabled: Select this option if you are in an untrusted network environment, such as a public network with your VPN disabled.
    Remote Sites Test Options
    • Enable Application Experience monitoring on active and backup paths: Select this option to run synthetic tests on both active and backup paths configured in the Prisma SD-WAN path policy.
    • Enable Application Experience monitoring on active paths only: Select this option if you want to monitor active paths only for the applications.
  8. After you create the tests, you can view a summary of all the tests created in the Application Tests table.
The next time the selected users and remote sites connect to Prisma Access, they will receive the new app test settings and begin running the tests. After the app tests start running, the ADEM service collects sample data from all assigned users every five minutes.
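The priority and capacity behaviour described in step 6, together with the rule that a target shared by several app tests counts once, can be modelled as follows. This is an added example, not Palo Alto Networks code: the site capacities, the test names other than Test A, the example.com targets, and the all-or-nothing fit of a test on a site are assumptions made for illustration, and the list is shorter than the eight tests in the text.

```python
from dataclasses import dataclass

@dataclass
class AppTest:
    name: str
    targets: frozenset   # every target counts as one test
    sites: tuple         # remote sites the test is attached to

# Constructed sample data: capacities and test names are illustrative assumptions.
CAPACITY = {"San Jose": 3, "Austin": 6}
SITES = ("San Jose", "Austin")
TESTS = [  # list order is priority order: index 0 is priority 1
    AppTest("Mail", frozenset({"mail.example.com", "www.google.com"}), SITES),
    AppTest("CRM", frozenset({"crm.example.com"}), SITES),
    AppTest("Test A", frozenset({"a.example.com", "www.google.com"}), SITES),
]

def push_tests(tests, capacity):
    """Walk tests in priority order; return (enabled, excluded) site lists per test.

    Assumption: a test is enabled on a site only if all of its targets fit.
    A target already running on the site for another test is not counted again.
    """
    running = {site: set() for site in capacity}
    enabled = {t.name: [] for t in tests}
    excluded = {t.name: [] for t in tests}
    for test in tests:
        for site in test.sites:
            wanted = running[site] | test.targets
            if len(wanted) <= capacity[site]:
                running[site] = wanted
                enabled[test.name].append(site)
            else:
                excluded[test.name].append(site)  # lands in "Excluded Remote Sites"
    return enabled, excluded

def move_to_top(tests, name):
    """Model dragging one test to the top of the Application Tests table."""
    # Stable sort: the named test comes first, the rest keep their order.
    return sorted(tests, key=lambda t: t.name != name)

if __name__ == "__main__":
    for label, order in (("original", TESTS),
                         ("Test A first", move_to_top(TESTS, "Test A"))):
        enabled, excluded = push_tests(order, CAPACITY)
        print(label, "excluded:", {k: v for k, v in excluded.items() if v})
```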

Edit an Existing Application Test

To edit an app test, do the following:
  1. Go to Monitor > Applications > Manage Tests.
  2. Click the Application Test Name that you want to edit.
  3. Edit the application test.
    Select the check box to the left of the test to Delete, Enable, or Disable a test. Once you disable a test, that test will not be executed any more until you enable it again.
  4. Click Save.
    The test starts running.
