Prisma Access
App Acceleration in Prisma Access
Learn how Prisma Access can speed up app performance using App
Acceleration.
App Acceleration directly addresses the causes of poor app performance and
acts in real time to mitigate them, dramatically improving the user experience for
Prisma Access GlobalProtect and Remote Network users.
The primary causes of poor user experience when accessing apps are dynamic content
(content that must be processed for each user individually, on-demand) and network
connectivity issues.
App Acceleration provides you with the following functionality:
Acceleration for top SaaS apps—App Acceleration for Prisma SASE accelerates
dynamic content to improve the response time of top SaaS apps. It securely and
intelligently prepares the dynamic content that each user needs, before the user
requests it. As a result, App Acceleration dramatically reduces the response time
of applications and the APIs powering them to improve the user experience and
boost productivity. Accelerated applications are listed in the Supported Apps
section.
Network Acceleration—When your users access apps, they can experience poor app
performance that is caused by decreased throughput, which could be caused by packet
loss, degraded wireless connectivity, network congestion, and other factors. These
networking issues can adversely affect the employee experience and reduce their
productivity.
When the internet was conceived, networks were homogenous and wireless
connectivity was in its infancy. Fundamental protocols like TCP were originally
created for these networks. Today, networks are no longer homogenous and wireless
connectivity creates a highly variable user experience. When users experience
degraded network conditions, TCP can't differentiate if the problem occurred because
of device limitations, network limitations, or physical constraints.
Without requiring any changes to your client configuration or applications, App
Acceleration securely builds an understanding of the:
- Device capability—The type of client endpoint
- Network capability—The type of network
- App Context—The type of app being used
Using its understanding of device, network, and application context, App
Acceleration maximizes throughput and adjusts in real time to account for changing
network conditions.
When compared to direct internet access, App Acceleration offers a marked throughput
improvement for TCP traffic when connecting through Prisma Access.
You can view throughput improvements from App Acceleration in Prisma SASE
Incidents and Alerts. AI-powered Autonomous DEM (ADEM)
integrates with App Acceleration and provides you with metrics such as the number of
applications that were accelerated and the performance boost gained overall.
App Acceleration Requirements and Guidelines
- Supported Apps—App Acceleration supports the following apps:
- Amazon S3
- Azure Storage
- Box
- Google Drive
- Microsoft 365:
- My Content
- Microsoft OneDrive
- Salesforce
- SAP Ariba
- ServiceNow
- Slack (file downloads)
- Zoom:
- File downloads from chat
- Cloud recording downloads
- Zoom Team Chat
- Supported Locations—App Acceleration is available for all Prisma Access locations except for the following locations:
- All Local Zones
- Bahrain
- China
- Ireland
- South Africa West
- Sweden
- United Arab Emirates
- Trusted Root CA Upload—Set up a trusted Root CA, perform a commit and push operation, and then select the CA during App Acceleration setup, as shown in the following procedures. If you use Strata Cloud Manager to configure App Acceleration, set up the Root CA in the Prisma Access scope. If you change the certificate you use, you must also commit and push the changed certificate before you select it.
- Forward Trust Certificate and Trusted Root CA—Enable the CA/certificate you uploaded as a forward trust certificate and trusted root CA, as shown in the following procedures. If SSL decryption is applied to any accelerated apps, you must mark the certificate as a forward trust certificate and trusted root CA, or users will encounter SSL errors when trying to access those apps.
- Unsupported Prisma Access Functionality—The following
functionality does not support App Acceleration and Prisma Access
deployments with these features enabled won't be accelerated:
- IPv6: App Acceleration coexists with IPv6 networking when IPv6 is configured; however, only IPv4 TCP traffic is accelerated. IPv6 traffic is not accelerated, but functions normally.
- Remote Networks that use Overlapped Subnets (supported by default in Prisma Access (Managed by Strata Cloud Manager) deployments, configurable in Prisma Access (Managed by Panorama) deployments).
- App Acceleration Guidelines:
- QUIC Protocol Support—Some browsers (such as Google Chrome) might use the Quick UDP Internet Connections (QUIC) protocol by default. Layer 7 App Acceleration can't be used on traffic using QUIC. As a workaround, disable the QUIC protocol when you configure App Acceleration.
- SaaS Apps and Zy-* Response Headers—Users connecting to Prisma Access deployments that have App Acceleration enabled for top SaaS apps can expect to see response headers with a name of Zy-*, such as Zy-Server and Zy-Accelerated, and a zy_sid session cookie. If the response header is Zy-Accelerated, a value of 1 indicates that the response was accelerated and a value of 0 indicates the response wasn't accelerated.
- Content Localization—If an accelerated SaaS app localizes content based solely on the user's IP address or user ID, when acceleration is enabled for that app, its content won't be localized.
- Change to Default Behavior for Security Policy Rules with an Action set to Deny—If you have a Security policy rule with an action set to Deny that is applied to traffic going through App Acceleration using a rule based on source or destination address, application, or service, the traffic will complete a three-way handshake but Prisma Access will block it, and the Deny policy functions as configured.
- Amazon S3 and Azure Blob Storage cache-control—Amazon S3 and Azure Blob Storage buckets and files have a series of HTTP response headers associated with them. One of these values is cache-control. Files are not accelerated if the cache-control value is:
- Unset
- Set to a value of max-age=0
- Set to a value of max-age=no-cache
To gain the benefit of App Acceleration for Amazon S3 and Azure Blob Storage, set the cache-control max-age value to one that’s greater than zero.
- Apps with Shared Domain in Activity Insights—When using App Acceleration, Layer 7 acceleration is based on the domain. Under certain conditions, if two apps share the same domain, the app reporting in Activity Insights might attribute one app's Layer 7 traffic to another app. For example, if some traffic from the MS Teams and OneDrive apps shares the same domain, the MS Teams app reporting will display under OneDrive.
- Long-Lived Connections and System Logs—App Acceleration writes Layer 4 logs when an individual TCP connection ends. For short-lived connections, this behavior is transparent, because short-lived connections are frequently created by applications. App Acceleration collects metrics for the entire period that the connection is active. For long-lived connections such as those used by mounted SMB network drives, this behavior can make it seem as if metrics are collected only during the end of the connection.
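The Zy-* response header and cache-control guidelines above can be checked from a captured response. The following is an added example, not Palo Alto Networks code: the sample responses and their values are constructed, and it assumes that only a numeric max-age greater than zero makes an Amazon S3 or Azure Blob Storage file eligible for acceleration.

```python
import re

# Constructed sample responses for illustration; values are placeholders.
ACCELERATED = """HTTP/1.1 200 OK
Content-Type: application/octet-stream
Cache-Control: public, max-age=3600
Zy-Server: placeholder
Zy-Accelerated: 1
Set-Cookie: zy_sid=placeholder; Path=/; Secure
"""
NOT_ACCELERATED = """HTTP/1.1 200 OK
Cache-Control: max-age=0
Zy-Accelerated: 0
"""
NO_CACHE = "HTTP/1.1 200 OK\nCache-Control: max-age=no-cache\n"
UNSET = "HTTP/1.1 200 OK\nContent-Type: text/plain\n"

def parse_headers(raw):
    """Parse a raw response header block into {lowercase name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def max_age_seconds(cache_control):
    """Return max-age as an int, or None when it is unset or non-numeric."""
    m = re.search(r"(?:^|[,\s])max-age\s*=\s*(\d+)", cache_control or "", re.I)
    return int(m.group(1)) if m else None

def assess(raw):
    """Summarise the acceleration signals the guidelines describe."""
    h = parse_headers(raw)
    flag = (h.get("zy-accelerated") or [None])[0]
    age = max_age_seconds(", ".join(h.get("cache-control", [])))
    cookies = [c.split("=", 1)[0].strip() for c in h.get("set-cookie", [])]
    return {
        "accelerated": {"1": True, "0": False}.get(flag),  # None: header absent
        "zy_headers": sorted(n for n in h if n.startswith("zy-")),
        "zy_sid_cookie": "zy_sid" in cookies,
        # Assumption: only a numeric max-age greater than zero is eligible.
        "cache_control_eligible": age is not None and age > 0,
    }

if __name__ == "__main__":
    for label, raw in [("accelerated", ACCELERATED), ("max-age=0", NOT_ACCELERATED),
                       ("max-age=no-cache", NO_CACHE), ("unset", UNSET)]:
        print(label, assess(raw))
```

An `accelerated` value of `None` means the response carried no Zy-Accelerated header at all, which is distinct from the explicit 0 the guideline describes.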
Configure App Acceleration
To configure App Acceleration in Prisma Access, select one of the following tabs
depending on your deployment (Prisma Access (Managed by Strata Cloud Manager) or Prisma Access (Managed by Panorama)).