Remote Networks—High Performance

Deploy branch sites to set up Remote Networks—High Performance in Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access License
  • Minimum Prisma Access version 5.2 Innovation required
  • Internal Gateway support requires a minimum Prisma Access version of 6.0
  • New Prisma Access deployments only
As your business scales and your office locations become geographically distributed, Prisma Access remote networks allow you to quickly onboard your branch sites and deliver best-in-class security for your users. To onboard a branch site with a high bandwidth, Prisma Access provides you with a Remote Network—High Performance.
To onboard a Remote Network—High Performance, you specify the branch site's location, and Prisma Access selects the location that’s closest to the site. You can optionally set up a secondary (backup) location to the site for redundancy and resiliency. The high-performance remote network uses a single service IP address for every 3 Gbps of bandwidth, removing the complexity in configuring and managing multiple IPSec devices at every remote location.
For new deployments that use site-based licensing, use the onboarding workflow for site-based remote networks instead of this procedure.
After you have planned for your Remote Network—High Performance, you can begin the configuration process, which includes onboarding the high-performance remote network to Prisma Access and enabling QoS and routing.

Remote Networks—High Performance Capabilities and Guidelines

A high-performance remote network provides you with the following core capabilities:
  • Up to 3 Gbps aggregate bandwidth per node in a compute region
  • Up to 2 Gbps bandwidth per remote network tunnel from a remote site
  • Up to 120 remote branches per service IP address with Prisma SD-WAN and extended (third-party) CPE deployments
  • Connectivity between Prisma SD-WAN and Prisma Access (SASE) supports line conditioning features, including FEC and Packet Duplication, for enhanced reliability.
When configuring a high-performance remote network for a branch site, be aware of the following guidelines and differences between sites and remote networks:
  • Prisma Access Locations—Remote Networks—High Performance support a subset of Prisma Access locations.
  • Quality of Service (QoS)—For branch sites, Prisma Access supports QoS at a per-site level, and the QoS Profile you select applies to the entire site.
  • Committed Information Rate (CIR)—To reserve a guaranteed amount of bandwidth per site, specify a CIR. If multiple remote networks share bandwidth in a compute location, the Remote Network—High Performance receives at least the bandwidth specified in its CIR when there is contention with other sites in that compute location.
  • IPSec Termination Nodes No Longer Needed—Unlike traditional remote networks, you don't need to select an IPSec termination node during onboarding for Prisma Access (Managed by Strata Cloud Manager) deployments. Prisma Access automatically load-balances the remote network connections to maximize the bandwidth allocation to the sites.
  • Service Endpoint Address Allocation Based on Deployment Type—The number of Service Endpoint addresses that you receive depends on whether you set up the high-performance remote network in a single location or in two different locations in a primary and secondary deployment.
    You use the Service Endpoint address as the peer IP or FQDN address on your CPE to terminate the IPSec tunnel.
    As a best practice, specify the FQDN instead of the IP address, so that the CPE follows the current address of the endpoint rather than a hard-coded one.
    • If you set up the high-performance remote network in a single location with no secondary location, Prisma Access provides you with a single Service Endpoint address.
    • If you set up compute location redundancy in a primary and secondary configuration, Prisma Access provides you with two Service Endpoint addresses (one each for the primary and secondary location).
    If you set up IPSec tunnels in an Active/Passive configuration, Prisma Access provides you with a single Service Endpoint address for both tunnels (the same as a standard Prisma Access remote network configuration).
  • Service IP Address Allocation Based on Bandwidth—Prisma Access provides you with a single IP address or FQDN for every 3 Gbps of bandwidth in a compute location, removing the complexity in configuring and managing multiple IPSec devices at every remote location.
  • Bandwidth Per Compute Location—You allocate bandwidth per compute location the same as allocating bandwidth for a standard remote network. You can plan and allocate the bandwidth before you begin configuration or during high-performance remote network creation.
    The following locations support a maximum of 2 Gbps per tunnel for Remote Networks—High Performance:
    • Colombia Central
    • France South East
    • India South Central
    • Israel Central
    • Mexico Northeast
    • Saudi Arabia West
    • US Midwest
    • US West Central
  • User-ID Redistribution and SSL Decryption—If you configure an SSL decryption profile on your tenant, User-ID redistribution from the Remote Networks—High Performance node to service connections is not supported.
  • Unsupported Configurations—The following features and configurations are not supported:
  • Tunnel Modes and Circuit Settings—A high-performance remote network lets you configure both location and IPSec redundancy.
    • Location redundancy (specifying a Primary location in one compute location and specifying a Secondary location in a separate compute location).
      Configuring a secondary location is optional.
    • IPSec tunnel redundancy (specifying tunnels as Active/Active or Active/Passive).
    Before you begin setup, it's important to understand how you specify circuits and tunnels. Set up circuits and tunnels in the following configurations:
    • Active/Passive—Set up either one circuit (the default) or two circuits.
      If you specify one circuit (ISP in the diagram), configure two tunnels (one for the primary remote network location and one for the secondary remote network location). Prisma Access uses this circuit for the tunnels for both the primary and secondary locations. If the primary location is unreachable (for example, if the tunnels experienced an ISP failure or CPE failure, or if the tunnels couldn't be established for any other reason), Prisma Access fails over from Tunnel 1 to Tunnel 2 and switches from the primary to the secondary remote network location.
      If you specify two circuits, configure four tunnels (two for the primary remote network location and two for the secondary remote network location).
      If the primary location is unreachable by Tunnel 1, then Tunnel 2 becomes active. If both Tunnel 1 and Tunnel 2 primary tunnels go down, Prisma Access switches from the primary to the secondary location and Tunnel 3 becomes active. If Tunnel 3 to the secondary location goes down, then Tunnel 4 becomes active.
    • Active/Active—Set up either two circuits (the default), three circuits or four circuits.
      If you specify two circuits, configure four tunnels. If Tunnel 1 and Tunnel 2 to the primary remote network location go down, Tunnels 3 and 4 to the secondary remote network location become active. All active tunnels to the primary location must go down before Prisma Access fails over to the secondary location.
      If you specify three circuits, configure six tunnels. Each ISP has one active tunnel to the primary location and one passive tunnel to the secondary location. If all active tunnels to the primary location go down, the standby tunnels to the secondary location become active.
      If you specify four circuits, configure eight tunnels. Each ISP has one active tunnel to the primary location and one passive tunnel to the secondary location. If all active tunnels to the primary location go down, the standby tunnels to the secondary location become active.
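The circuit, tunnel, and failover rules above, together with the Service Endpoint counts from the Service Endpoint Address Allocation guidelines, are easy to get wrong when you plan a deployment. The following Python script is an added example and is not Palo Alto Networks code: it encodes those rules so that you can check a design before onboarding. It lays out the tunnels for a given mode and circuit count, reports how many Service Endpoint addresses to expect for a bandwidth allocation, flags the locations this page lists as capped at 2 Gbps per tunnel, and applies the failover order to a set of tunnel states. The function and class names, the treatment of a deployment with no secondary location (only the primary tunnels are built), and the sample bandwidth figures are assumptions made for illustration.

```python
"""Tunnel-layout and failover planner for Remote Networks - High Performance.

Added example (not Palo Alto Networks code): encodes the circuit, tunnel, Service
Endpoint, and failover rules from this page so a design can be checked before
onboarding. Function names and the no-secondary behaviour are assumptions.
"""
from dataclasses import dataclass, field
from math import ceil
from typing import List, Optional, Tuple

# Locations this page lists as capped at 2 Gbps per tunnel.
TWO_GBPS_PER_TUNNEL_LOCATIONS = {
    "Colombia Central", "France South East", "India South Central", "Israel Central",
    "Mexico Northeast", "Saudi Arabia West", "US Midwest", "US West Central",
}
GBPS_PER_SERVICE_ENDPOINT = 3          # one Service Endpoint address per 3 Gbps per compute location
CIRCUIT_LIMITS = {"active/passive": (1, 2), "active/active": (2, 4)}   # allowed circuit counts


@dataclass
class Tunnel:
    number: int        # Tunnel 1..N, numbered as on this page (primary-location tunnels first)
    circuit: int       # ISP/circuit index, 1-based
    location: str      # "primary" or "secondary"
    up: bool = True


@dataclass
class Plan:
    mode: str                         # "active/passive" or "active/active"
    circuits: int
    primary: str                      # Prisma Access location name
    secondary: Optional[str] = None   # location-redundancy peer; None for a single-location site
    tunnels: List[Tunnel] = field(default_factory=list)


def build_plan(mode: str, circuits: int, primary: str, secondary: Optional[str] = None) -> Plan:
    """Lay out one tunnel per circuit to each configured location, in the page's order."""
    mode = mode.lower()
    low, high = CIRCUIT_LIMITS[mode]            # KeyError on an unknown mode is deliberate
    if not low <= circuits <= high:
        raise ValueError(f"{mode} supports {low}-{high} circuits, not {circuits}")
    plan = Plan(mode, circuits, primary, secondary)
    # Assumption: with no secondary location only the primary tunnels exist.
    locations = ["primary"] + (["secondary"] if secondary else [])
    number = 1
    for loc in locations:
        for circuit in range(1, circuits + 1):
            plan.tunnels.append(Tunnel(number, circuit, loc))
            number += 1
    return plan


def service_endpoints(plan: Plan, gbps_per_location: float) -> int:
    """Service Endpoint addresses to expect: one per 3 Gbps allocated in each compute
    location, so a primary/secondary deployment receives a set for each location."""
    per_location = max(1, ceil(gbps_per_location / GBPS_PER_SERVICE_ENDPOINT))
    return per_location * (2 if plan.secondary else 1)


def check_tunnel_rates(plan: Plan, gbps_per_tunnel: float) -> List[str]:
    """Locations in the plan where the requested per-tunnel rate exceeds the 2 Gbps cap."""
    return [name for name in (plan.primary, plan.secondary)
            if name in TWO_GBPS_PER_TUNNEL_LOCATIONS and gbps_per_tunnel > 2]


def set_tunnel(plan: Plan, number: int, up: bool) -> None:
    """Record a tunnel as up or down (for example after an ISP or CPE failure)."""
    for t in plan.tunnels:
        if t.number == number:
            t.up = up
            return
    raise ValueError(f"no Tunnel {number} in plan")


def active_tunnels(plan: Plan) -> Tuple[Optional[str], List[int]]:
    """Apply the page's failover order to the current tunnel states.

    Returns (location, tunnel numbers carrying traffic), or (None, []) if everything is down.
    Active/Passive: the lowest-numbered up tunnel carries traffic, primary location first.
    Active/Active: every up tunnel to the primary carries traffic; only when all of them
    are down do the secondary tunnels become active.
    """
    for loc in ("primary", "secondary"):
        up = [t for t in plan.tunnels if t.location == loc and t.up]
        if not up:
            continue
        if plan.mode == "active/passive":
            return loc, [up[0].number]
        return loc, [t.number for t in up]
    return None, []


if __name__ == "__main__":
    # Constructed sample: two ISPs, Active/Passive, primary in US West Central, secondary in US Midwest.
    plan = build_plan("active/passive", 2, "US West Central", "US Midwest")
    print([(t.number, t.circuit, t.location) for t in plan.tunnels])
    print("service endpoints for 5 Gbps per location:", service_endpoints(plan, 5))
    print("locations over the 2 Gbps per-tunnel cap at 2.5 Gbps:", check_tunnel_rates(plan, 2.5))
    set_tunnel(plan, 1, False)
    print("Tunnel 1 down ->", active_tunnels(plan))
    set_tunnel(plan, 2, False)
    print("Tunnels 1 and 2 down ->", active_tunnels(plan))
```

Run as a script, it walks through the two-circuit Active/Passive case from the guideline: Tunnel 2 takes over when Tunnel 1 fails, and traffic moves to Tunnel 3 at the secondary location only once both primary tunnels are down. Feed `build_plan` a different mode or circuit count to check the other layouts, and use `check_tunnel_rates` before committing a per-tunnel rate at one of the 2 Gbps locations.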
Use one of the following procedures to onboard your remote networks depending on your bandwidth allocation type: