Autonomous DEM Integration for User Experience Management

Starting with GlobalProtect™ app 5.2.6 with Content Release version 8393-6628 or later.
OS Support
: Windows 10 and macOS
Prisma Access
: Cloud Managed Prisma Access or the 2.0 Innovation Release of Panorama Managed Prisma Access with an active Prisma Access for Mobile Users license
You can now gain visibility into the user experience, application, and network performance in your Secure Access Service Edge (SASE) environment by integrating the Autonomous DEM (ADEM) service into the GlobalProtect app and Prisma Access without deploying any additional appliances or agents. By natively integrating the ADEM service into the GlobalProtect app, the ADEM service enables synthetic tests for applications you specify both from the endpoint and from the different vantage points in Prisma Access. By using the ADEM service, you can now quickly identify real and synthetic traffic analysis that enables the ability to drive autonomous remediation of digital experience problems when they arise. You must enable ADEM in the GlobalProtect app to connect to the ADEM service and to perform endpoint, WiFi, and synthetic monitoring tests. To learn more about the various monitoring techniques to determine performance levels by using ADEM, see ADEM Monitoring and Tests (Cloud Managed) or ADEM Monitoring and Tests (Panorama Managed).
For details about getting started with ADEM on Panorama Managed Prisma Access, see Get Started with Autonomous DEM. For details about getting started with ADEM on Cloud Managed Prisma Access, see Get Started with Autonomous DEM.

Enable Autonomous DEM (Panorama Managed Prisma Access)

With the 2.0 Innovation Release of Prisma Access, the Panorama web interface can be used to install the ADEM endpoint agent on your end user devices so that the ADEM endpoint agent can authenticate with the Autonomous DEM service.
  1. Generate a client certificate for the ADEM endpoint agent to authenticate to the Autonomous DEM service.
  2. Configure the ADEM settings on the GlobalProtect portal.
    You must enable the GlobalProtect app to use the certificate you just created to authenticate to the ADEM service. You can define how your end users install the ADEM endpoint agent on their endpoints and whether to let them enable and disable ADEM.
    1. In Panorama, select
      Network
      GlobalProtect
      Portals
      GlobalProtect_Portal
      Agent
      DEM
      App
      Enable Autonomous DEM and GlobalProtect Log Collection for Troubleshooting
      .
    2. In Panorama, select
      Network
      GlobalProtect
      Portals
      GlobalProtect_Portal
      Agent
      DEM
      App
      Autonomous DEM endpoint agent for Prisma Access (Windows & MAC only)
      .
      Select
      Install and user can enable/disable agent from GlobalProtect
      to install the ADEM endpoint agent during the GlobalProtect app installation, and allow end users to enable or disable user experience tests from the GlobalProtect app. Select
      Install and user cannot enable/disable agent from GlobalProtect
      to install the ADEM endpoint agent during the GlobalProtect app installation, and not allow end users to enable or disable user experience tests from the GlobalProtect app. Select
      Do Not Install
      (default) to not install the ADEM endpoint agent during the GlobalProtect app installation.
  3. Click
    OK
    twice.
  4. Make sure you have security policy rules required to allow the GlobalProtect app to connect to the ADEM service and run the synthetic tests.
  5. Commit
    the configuration to Panorama and push the configuration changes to Prisma Access.
  6. Verify that the ADEM endpoint agent can perform user experience tests only when GlobalProtect is connected.
    If you have configured the portal to install the ADEM endpoint agent during the GlobalProtect app installation and either allow end users to enable the tests or not allow them to enable the tests, they can verify if the GlobalProtect app is enabled to run user experience tests on Windows and macOS devices. By default, heartbeat alerts are still forwarded to ADEM even when GlobalProtect is disabled.

Enable Autonomous DEM (Cloud Managed Prisma Access)

With Cloud Managed Prisma Access, the certificate is retrieved automatically so that it can be pushed to your end user devices and authenticate their devices to the Autonomous DEM service.
  1. From the Prisma Access app on the hub, create a new GlobalProtect app settings configuration and enable Autonomous DEM.
    You can enable Autonomous DEM for the selected end users under App Configuration by expanding
    Show Advanced Optons
    User Behavior
    and selecting the option to enable
    Digital Experience Monitoring (DEM) for Prisma Access (Windows and Mac only)
    . You can select whether to let end users enable or disable user experience tests from the GlobalProtect app by selecting
    Install and User can Enable or Disable DEM
    or
    Install and User cannot Enable or Disable DEM
    .
  2. Make sure you have security policy rules required to allow the GlobalProtect app to connect to the ADEM service and run the synthetic tests.
  3. Save
    and
    Push
    the configuration to Prisma Access.
  4. Verify that your end users can run user experience tests only when GlobalProtect is connected.
    If you have configured the portal to install the ADEM endpoint agent during the GlobalProtect app installation and either allow end users to enable the tests or not allow them to enable the tests, they can verify if the GlobalProtect app is enabled to run user experience tests on Windows and macOS devices. By default, heartbeat alerts are still forwarded to ADEM even when GlobalProtect is disabled.

Recommended For You