SD-WAN
Monitor SaaS Applications with SaaS Quality Profile
Table of Contents
Expand All
|
Collapse All
SD-WAN Docs
-
- SD-WAN Deployment Workflow
-
- Add SD-WAN Branch or Hub Firewall
- Configure Certificate-based Authentication for Strong Security
- Quickly Add Multiple SD-WAN Devices with Bulk Import
- Configure SD-WAN Devices in HA Mode
- Onboard PAN-OS Firewalls to Prisma Access for Cloud-based Security
- Plan Your Topology for SD-WAN with Auto VPN
- Create a Full Mesh VPN Cluster with DDNS Service
- Create a Static Route for SD-WAN
- Configure Advanced Routing for SD-WAN
Monitor SaaS Applications with SaaS Quality Profile
Configure a Software-as-a-Service (SaaS) quality profile to specify a SaaS
application for a hub firewall with a Direct Internet Access (DIA) link.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
If your branch firewall has a Direct Internet Access (DIA) link to a
Software-as-a-Service (SaaS) application, create a SaaS Quality profile to specify
how one or more SaaS applications should be monitored. SaaS Quality profiles are
associated with an SD-WAN policy rule to determine how the
branch firewall determines the path quality thresholds for latency, jitter, and
packet loss and selects the preferred path for an outgoing packet.
The SaaS Quality profile supports up to four static IP addresses, or one fully
qualified domain name (FQDN) or URL per SaaS Quality profile. When multiple static
IP addresses are configured, the branch firewall monitors one IP address at a time
in a cascading order based on how the IP addresses are ordered in the SaaS Quality
profile. For example, if you add IP1, IP2, IP3, and IP4, the branch firewall
monitors IP1 to determine if the path quality thresholds have been exceeded, then
continues to IP2, and so forth.
SD-WAN
monitoring and reporting data displays the SaaS
application and SaaS application IP, FQDN, or URL as it is currently configured
in the SaaS Quality profile associated with an SD-WAN policy rule
regardless of the time filter applied when viewing your SD-WAN
monitoring data.
For example, three days ago you initially configured the IP address of your SaaS
application as 192.168.10.50 in a SaaS Quality profile
and had traffic match the SD-WAN policy rule to which the SaaS
Quality profile is associated. Today, you reconfigured this existing SaaS
Quality profile and changed the SaaS application IP address to
192.168.10.20. When you go review the SD-WAN monitoring data, all existing monitoring data for this
SaaS application display the IP address
192.168.10.20.
PAN-OS & Panorama
In PAN-OS, configure a Software-as-a-Service (SaaS) quality profile to
specify a SaaS application for a hub firewall with a Direct Internet Access (DIA)
link.
- Select ObjectsSD-WAN Link ManagementSaaS Quality Profile and specify the Device Group containing your SD-WAN configuration.
- Add a new SaaS quality profile.
- Enter a descriptive Name for the SaaS Quality profile.
- (Optional) Enable (check) Shared to make the SaaS Quality profile shared across all device groups.
- (Optional) Enable (check) Disable override to disable overriding the SaaS Quality profile configuration on the local firewall.Disable override can only be enabled if Shared is disabled in the previous step.
- Configure the SaaS Monitoring Mode.
- Automatically monitor the SaaS application path health.Enabled by default, Adaptive monitoring allows the branch firewall to passively monitor the SaaS application session for send and receive activity to determine if the path quality thresholds have been exceeded. The SaaS application path health quality is automatically determined without any additional health checks on the SD-WAN interface.Adaptive SaaS monitoring is supported only for TCP SaaS applications.
- Configure the Static IP address for the SaaS application.Create a SaaS Quality profile per critical SaaS application that you need monitored. If a SaaS application has multiple IP addresses, configure a SaaS Quality profile with the multiple static IP addresses for that SaaS application.SaaS monitoring is resource-intensive and may impact firewall performance if monitoring a large number of SaaS applications. It is a best practice to only monitor those business-critical SaaS applications that need good usability.
- Select IP Address/ObjectStatic IP Address and Add an IP address.
- Enter the IP address of the SaaS application or select a configured address object.
- Enter the Probe Interval by which the branch firewall probes the SaaS application path for health information.
- Click OK to save your configuration changes.
- Configure the fully qualified domain name (FQDN) for the SaaS application.
- Configure a FQDN address object for the SaaS application.
- Select IP Address/ObjectFQDN and Add the FQDN.
- Select the FQDN address object for the SaaS application.
- Enter the Probe Interval by which the branch firewall probes the SaaS application path for health information.
- Click OK to save your configuration changes.
- Configure the URL for the SaaS application.URL monitoring is only supported for traffic over ports 80, 443, 8080, 8081, and 143.
- Select HTTP/HTTPS.
- Enter the Monitored URL of the SaaS application.
- Enter the Probe Interval by which the branch firewall probes the SaaS application path for health information.The minimum probe interval supported for a SaaS application HTTP/HTTPS is 3 seconds.
- Click OK to save your configuration changes.
- Select Commit and Commit and Push your configuration changes.
Strata Cloud Manager
In Strata Cloud Manager, configure a Software-as-a-Service (SaaS) quality profile to
specify a SaaS application for a hub firewall with a Direct Internet Access (DIA)
link.
- Log in to Strata Cloud Manager.
- Select ManageConfigurationNGFW and Prisma Access and in the Overview, select the branch folder for which you want to create your SD-WAN Link Management profiles.To make the Error Correction profile available to all SD-WAN firewalls regardless of folder association, select All Firewalls.
- Create a SaaS Quality profile.The SaaS Quality profile specifies how one or more software-as-a-service applications should be monitored if your branch firewall has a Direct Internet Access (DIA) link to a SaaS application. The SaaS Quality profile is associated with an SD-WAN policy rule to determine how the branch firewall determines the path quality thresholds for latency, jitter, and packet loss and selects the preferred path for an outgoing packet.
- Select Security ServicesSD-WAN PolicyProfilesSaaS Quality.
- Add Profile.
- Enter a descriptive Name.
- Configure the SaaS Quality profile.The following SaaS Monitoring Mode types are supported. Only a single SaaS Monitoring Mode type is supported for a SaaS Quality profile.
- Adaptive—Passively monitor the SaaS application session for send and receive activity to determine if the predefined path quality thresholds have been exceeded.
- Static IP Address—Add up to four static IP addresses to monitor and specify the Probe Interval by which the branch firewall probes the SaaS application path for health information.
- FQDN—Add one Fully Qualified Domain Name and specify the Probe Interval by which the branch firewall probes the SaaS application path for health information.
- HTTP/HTTPS—Add a URL and specify the Probe Interval by which the branch firewall probes the SaaS application path for health information.
- Save.