Configure Quality of Service in Prisma Access
Configure Quality of Service in Prisma Access by completing the following task.
- Add one or more security policy rules for remote networks and mobile users to mark the ingress traffic for QoS. You use these policies to match a traffic flow and assign it a selected DSCP value.
  - Select Policies > Security > Pre Rules. Alternatively, select Policies > Security > Post Rules to add a rule at the bottom of the rule order that is evaluated after a pre-rule. Be sure that you select the correct Device Group. To create a security rule for a remote network, select the device group for the remote network (for example, Remote_Network_Device_Group); for mobile users, select the device group for the mobile users (for example, Mobile_User_Device_Group).
  - Add a security policy rule.
  - Enter a Name for the rule.
  - Define the matching criteria for the source or destination fields in the packet. See Create a Security Policy Rule for details.
  - Click Actions, then select a QoS Marking of either IP DSCP or IP Precedence.
  - Enter the QoS value in binary form, or select the value from the drop-down. The following screenshot shows a security policy rule that matches traffic marked with an IP DSCP value of af11.
- Add one or more QoS policy rules. You use QoS policies to bind DSCP marking to one of eight available classes. You use these classes later when you create one or more QoS profiles.
  - Select Policies > QoS > Pre Rules. Alternatively, use Post Rules (Policies > QoS > Post Rules) to add a rule at the bottom of the rule order that is evaluated after a pre-rule. Service connections do not support QoS Post Rules; use Pre Rules only with Service Connections. Be sure that you select the correct Device Group for the service connection (for example, Service_Conn_Device_Group) or remote network connection (for example, Remote_Network_Device_Group). If a rule in a Shared device group has defined values other than the values in the General, DSCP/ToS, and Other settings areas, Prisma Access does not apply the rule on the remote network and service connection.
  - Add a QoS policy rule.
  - Click General and enter a name for the policy rule.
  - Click the DSCP/ToS tab, then click Codepoints and Add one or more new codepoints. For Clean Pipe deployments, you can specify additional QoS settings in policy, such as source, destination, or application.
  - Specify a Name for the DSCP/ToS rule, then select a Type and Codepoint. Alternatively, keep the default value (Any) to allow the policy to match to traffic regardless of the Differentiated Services Code Point (DSCP) value or the IP Precedence/Type of Service (ToS) defined for the traffic.
  - Click the Other Settings tab, then choose the QoS Class to assign to the rule. You define class characteristics in the QoS profile.
  - Click OK.
- Create one or more QoS profiles to shape QoS traffic on egress for service connections and remote network connections. You use profiles to shape the traffic at the egress point by defining QoS classes and assigning a bandwidth to them. You must select either an existing QoS profile or create a new QoS profile when you enable QoS for Prisma Access.
  - Select the correct template for the profile you want to create (Remote_Network_Template or Service_Conn_Template); then, select Network > Network Profiles > QoS Profile.
  - Add a profile.
  - Enter a profile Name.
  - Set the overall bandwidth limits for the QoS profile rule.
    - Enter an Egress Max that represents the maximum throughput (in Mbps) for traffic leaving the service connection or remote network connection.
      - For service connections, specify a number of up to 1 Gbps (1,000 Mbps). Do not enter a number greater than 1 Gbps; Prisma Access calculates service connection bandwidth per service connection IPSec tunnel and not cumulatively across multiple tunnels.
      - For remote network connections, enter a value of 0.
    - Enter an Egress Guaranteed value, which is the guaranteed bandwidth for this profile (in Mbps).
      - For service connections, enter an Egress Guaranteed bandwidth that is the guaranteed bandwidth for this profile (in Mbps). Any traffic that exceeds the Egress Guaranteed value is best effort and not guaranteed. Bandwidth that is guaranteed but is unused continues to remain available for all traffic.
      - For remote network connections, enter a value of 0.
  - In the Classes section, Add one or more classes and specify how to mark up to eight individual QoS classes.
    - For QoS profiles used by remote networks that allocate bandwidth by compute location, change the Class Bandwidth Type to Percentage and enter percentages for the Egress Max and Egress Guaranteed values you enter in this area.
    - For QoS profiles used by service connections or by remote networks that allocate bandwidth by location, specify a type of Mbps.
    - Select the Priority for the class (either real-time, high, medium, or low).
    - Enter the Egress Max for traffic assigned to each QoS class you create.
      - For remote networks that allocate bandwidth by compute location, enter 0.
      - For bandwidth-based QoS profiles (used by service connections or remote networks that allocate bandwidth by location), enter a value in Mbps. The Egress Max for a QoS class must be less than or equal to the Egress Max for the QoS profile.
    - Enter the Egress Guaranteed percentage or bandwidth in Mbps for each QoS class. For QoS profiles for remote networks, enter a percentage. Guaranteed bandwidth assigned to a class is not reserved for that class—bandwidth that is unused continues to remain available to all traffic. When a class of traffic exceeds the egress guaranteed bandwidth, Prisma Access passes that traffic on a best-effort basis.
    - Enter a Class Bandwidth Type for the profile.
  - Click OK.
- (Service Connections Only) Enable QoS for the service connection and apply the QoS profile to the connection.
  - Enable QoS by selecting Panorama > Cloud Services > Configuration > Service Setup, selecting a Connection Name, clicking the QoS tab; then Enable QoS. If you allocate your remote network bandwidth by Prisma Access Remote Network Deployments instead of by compute location, configure QoS in the same way as you do service connections. Select Panorama > Cloud Services > Configuration > Remote Networks, select the hypertext for a remote network connection Name, click the QoS tab, and Enable QoS. If you allocate bandwidth by compute location (the default method), continue to Step 5 to configure QoS for remote networks.
  - Select a QoS profile and click OK.
- (Remote network deployments that allocate bandwidth by compute location only) Enable QoS for your remote network locations.
  - Determine the Prisma Access locations where you want to deploy QoS; then find the compute location that corresponds to each location. Each location is allocated bandwidth from its compute location, and you must know the name of the compute location for the locations where you want to allocate QoS. For a list of compute location-to-location mapping, see Prisma Access Locations by Compute Location, or select Panorama > Cloud Services > Configuration > Remote Networks > Aggregate Bandwidth and click the gear icon; the mappings display in the Compute Location and Prisma Access Location columns.
  - Select Panorama > Cloud Services > Configuration > Remote Networks > Settings, click the gear to edit the settings, and select QoS.
  - Enable QoS at a compute location level. Whatever settings you enter apply to all locations that correspond to this compute location.
  - Enter the QoS Profile, Guaranteed Bandwidth Ratio, and Reserved for Guaranteed Bandwidth (Mbps).
    - Enter the QoS Profile to use with this compute location. If you want to use different QoS Profiles per remote networks, use Customize Per Site as described in a later step.
    - Enter the Guaranteed Bandwidth Ratio, which is a ratio based on the entire allocated bandwidth for the compute location. For example, if you have allocated bandwidth of 800 Mbps for the Canada Central compute location, and you enter a Guaranteed Bandwidth Ratio of 60%, the guaranteed bandwidth for that compute location is 480 Mbps.
    - Enter the amount of bandwidth that is Reserved for Guaranteed Bandwidth (Mbps) for the QoS profile and compute location you selected.
    The following screenshot shows QoS enabled for the Canada Central, Ireland, and South Korea compute locations.
  - (Optional) If you have multiple remote network connections per compute location and want to change either the bandwidth ratio or QoS profile for each location, onboard your remote network locations; then, select Customize Per Site and change the bandwidth allocation ratio, QoS profile, or both.
    - To customize the guaranteed bandwidth, click the number in the Customize Per Site area, select Customize Per Site, and change the Allocation Ratio. By default, each remote connection is given a percentage that is equal to the number of connections. For example, given 4 connections in a compute location and a total guaranteed bandwidth of 100 Mbps, each location receives 25% of that bandwidth or 25 Mbps. If you select Customize Per Site and then onboard additional remote networks in the same IPSec termination node, the newly-onboarded sites receive an allocation ratio of 0, and you must manually rebalance the allocation ratio between existing sites and the newly-onboarded site. If you do not Customize Per Site, the bandwidth percentage automatically rebalances when you add remote networks. For example, if you did not select Customize Per Site and have four remote networks onboarded, each of those remote networks has an allocation ratio of 25%. If you add a fifth remote network, all five sites rebalance and receive a guaranteed bandwidth of 20%.
    - If you want to specify a QoS profile at a per-remote network level, select a different QoS Profile for the remote network.
- Check the QoS status.
  - For remote networks, select Panorama > Cloud Services > Status > Monitor > Remote Networks, select a region from the map, select QoS, then select a location.
    Remote network statistics display for the 10 IPSec termination nodes that have the highest throughput. Prisma Access uses the 95th percentile standard to gather statistics, which tracks bandwidth at peak utilization and ignores the top 5 percent of utilization peaks and large bursts.
    Select the time range (Last hour, Last 24 hours, Last 7 days, or Last 30 days) to view statistics for that time period.
    The remote networks with the highest egress bandwidth usage display in the Site area, along with the remote network locations' statistics for Guaranteed Bandwidth, Average Throughput, Average Packet Loss, and the IPSec Termination Node and QoS Profile used by the remote network. You can also Search for a location.
    To view the remote networks associated with a specific IPSec termination node, change the drop-down at the top of the page from All to a specific IPSec termination node to view statistics for that IPSec termination node and the remote networks for that site.
    To view specific traffic for a site sorted by QoS class, click the Site Name. The guaranteed bandwidth, egress throughput, and throughput over time display for the remote network site. You can also sort this information over the last hour, last 24 hours, last 7 days, or last 30 days. Hover over the graph on the right to get detailed information for a specific period of time.
  - For service connections, select Panorama > Cloud Services > Status > Monitor > Service Connection, select a region, then Monitor the Statistics.
    Click QoS to view a page with QoS statistics. This page displays a chart with real-time and historical QoS statistics, including the number of dropped packets per class. This chart displays only for service connections or remote network connections that have QoS enabled, shows the last five minutes of the connection's network activity, and refreshes every 10 seconds. The following figure shows traffic being passed for classes 1, 2, 3, and 4. The data below the figure shows the number of packets dropped based on the QoS configuration for classes 2, 3, and 4.
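
One way to check a planned QoS profile against the limits given in the QoS profile step before entering it in Panorama. This is an added example, not Palo Alto Networks code: the dictionary layout, key names and the `lint_qos_profile` function are assumptions, and remote networks that allocate bandwidth by location are not covered.

```python
# Added example; the dict layout and key names are assumptions, not a Panorama schema.
PRIORITIES = {"real-time", "high", "medium", "low"}

def lint_qos_profile(profile):
    """Return a list of violations; an empty list means none were found."""
    errs, kind, classes = [], profile["kind"], profile["classes"]
    if kind == "service_connection":
        want_type = "Mbps"
        if profile["egress_max"] > 1000:  # limit applies per IPSec tunnel
            errs.append("profile: Egress Max above 1,000 Mbps")
    elif kind == "rn_compute_location":
        want_type = "Percentage"
        for field in ("egress_max", "egress_guaranteed"):
            if profile[field] != 0:
                errs.append(f"profile: {field} must be 0 for remote networks")
    else:
        raise ValueError(f"unsupported kind: {kind}")
    if profile["class_bandwidth_type"] != want_type:
        errs.append(f"profile: Class Bandwidth Type must be {want_type}")
    if not 1 <= len(classes) <= 8:
        errs.append("profile: define between one and eight classes")
    for c in classes:
        tag = f"class {c['name']}"
        if c["priority"] not in PRIORITIES:
            errs.append(f"{tag}: unknown priority {c['priority']!r}")
        if kind == "service_connection":
            if c["egress_max"] > profile["egress_max"]:
                errs.append(f"{tag}: Egress Max above the profile Egress Max")
            continue
        if c["egress_max"] != 0:
            errs.append(f"{tag}: Egress Max must be 0")
        if not 0 <= c["egress_guaranteed"] <= 100:
            errs.append(f"{tag}: Egress Guaranteed must be a percentage")
    return errs

# Constructed sample plans (not taken from a real tenant).
SC_PLAN = {"kind": "service_connection", "egress_max": 1500,
           "egress_guaranteed": 400, "class_bandwidth_type": "Mbps",
           "classes": [
               {"name": "class1", "priority": "real-time",
                "egress_max": 300, "egress_guaranteed": 100},
               {"name": "class2", "priority": "urgent",
                "egress_max": 1600, "egress_guaranteed": 50}]}
RN_PLAN = {"kind": "rn_compute_location", "egress_max": 0,
           "egress_guaranteed": 0, "class_bandwidth_type": "Percentage",
           "classes": [{"name": "class1", "priority": "high",
                        "egress_max": 0, "egress_guaranteed": 40}]}

print(lint_qos_profile(SC_PLAN), lint_qos_profile(RN_PLAN))
```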