Configure the Prisma Access Agent MTU

Table of Contents

Seamless User Authentication with Refresh Tokens in Prisma Access Agent

Configure Gateways for the Prisma Access Agent

Configure the Prisma Access Agent MTU

Learn how to configure the Prisma Access Agent MTU to improve network performance and reduce fragmentation in your Prisma Access environment.

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Panorama or Strata Cloud Manager) NGFW (Managed by Panorama)	Prisma Access 5.1 Preferred or Innovation Prisma Access license with the Mobile User subscription macOS 14 and later or Windows 10 version 2024 and later desktop devices require Prisma Access Agent 25.1.0.14 and later versions Ubuntu 24.04 desktop or Fedora 41 devices require Prisma Access Agent 25.6 and later versions

Prisma Access Agent connections can traverse through multiple ISPs and network hops with MTU values lower than the standard 1500 bytes. When the static agent MTU value is lower than what an ISP is offering, excessive fragmentation and additional overhead occurs, resulting in lower throughput. Dropped packets in the ISP network path also trigger retransmissions that contribute to suboptimal performance. Using optimized Prisma Access Agent MTU can help you avoid tedious manual determination and configuration of the optimal MTU value, and prevent users from experiencing poor performance that impacts their productivity.

Default Behavior

The optimized Prisma Access Agent MTU feature is enabled by default to enhance network performance. It utilizes automatic path MTU discovery to detect the optimal MTU size for the network path between the agent and the gateway. This process operates automatically without manual intervention, ensuring optimal performance across different network conditions.

Although the optimized MTU is enabled by default, you can choose to override it and manually configure the MTU packet size. The discovered or configured MTU is applied to the virtual interface (VIF) used for the tunnel connection. This feature supports both SSL and IPSec tunnel protocols, with different overhead sizes calculated for each protocol type. Optimized MTU is supported on Windows and macOS agents.

To manually configure the MTU, complete the following steps:

Navigate to the Prisma Access Agent setup page.
- From Strata Cloud Manager:
  1. Select ConfigurationNGFW and Prisma AccessConfiguration ScopeAccess AgentSetupPrisma Access Agent.
- From Panorama:
  1. From the Cloud Services plugin in Panorama, select PanoramaCloud ServicesPrisma Access AgentLaunch Prisma Access Agent.
  2. Select ConfigurationPrisma Access AgentSettingsPrisma Access Agent.
Add an agent setting or edit an existing agent setting.
1. Select the match criteria (OS and User Entities) for the user or user group that will receive this configuration.
2. In the App Configuration section, configure the MTU.
  By default, Optimized MTU is Enabled. The MTU is the largest packet size that Prisma Access Agent can send in a packet during a transmission. To automatically determine the best MTU to use for packet transmissions, make sure this option is Enabled.
  
  To manually configure the MTU size, disable Optimized MTU. The Configurable MTU (Bytes) field appears for you to enter a size for the MTU. The range is 576-1500 bytes.
  
  If you leave it unconfigured, the system will default to 1400 bytes. If you set a value outside this range, the text box will turn red and the Save button becomes disabled. For example:
3. Configure other agent settings if needed and Save the settings.
4. Push the Prisma Access Agent Configuration.
(Optional) Verify the configuration by using the PACli tool on the agent.
- Use the pacli gateway command to display the last MTU detected for the current list of gateways. For example:
- Use the pacli tunnel command to display the current connection (tunnel) MTU. For example: