Plan to Migrate to an Aggregate Bandwidth Remote Network Deployment
Learn how to plan a migration from a deployment that allocates bandwidth
by Prisma Access location to one that aggregates bandwidth by compute
location.
Bandwidth for new Prisma Access remote network deployments is allocated
at an aggregate level per compute location, also known as the aggregate
bandwidth model. Allocating bandwidth at a compute location level offers
you more flexibility in allocating your licensed remote network bandwidth,
because Prisma Access dynamically allocates the bandwidth for each location
based on load or demand.
If you have an existing deployment that allocates bandwidth by
Prisma Access location, you can migrate to the aggregate
bandwidth model. Before you migrate, use the following checklist
to plan for the migration:
If you have an unsupported combination,
you will not see the Bandwidth Allocation tab or view the banner
to migrate. The following configurations are not supported for migration
to the aggregate bandwidth model:
A remote network
with a bandwidth of 1000 Mbps.
A Prisma SD-WAN CloudBlade integration with
Prisma Access that has a version earlier than 3.0.
A remote network configuration that provides secure inbound access to
applications at a remote network site earlier than 2.1 Innovation.
If you’re not sure which bandwidth allocation model your
deployment is using, select Panorama > Cloud Services > Configuration > Remote Networks.
If you see a Bandwidth field in the Remote Networks area, you are
allocating bandwidth by Prisma Access location, and you can migrate
to the aggregate bandwidth model.
If you see an IPSec Termination Node,
you have already migrated to the aggregate bandwidth model.
After you migrate to the aggregate bandwidth model, the change
is permanent and you cannot revert to having a deployment that allocates bandwidth
by Prisma Access location.
You must have a minimum of 50 Mbps of available bandwidth
to migrate to the aggregate bandwidth model.
If you have configured your remote networks to provide secure inbound
access to your remote network locations, all existing inbound
access features, such as enabling a secondary WAN link
(Enable Secondary WAN), BGP, and source NAT options, are supported,
except QoS. There is also no change to the bandwidth that is
consumed by the public IP addresses that Prisma Access allocates
(5 IP addresses take 150 Mbps from your remote network license allocation,
and 10 IP addresses take 300 Mbps).
If you need to configure
inbound access after you migrate, use the inbound access procedure
that is specific to the aggregate bandwidth model.
Palo Alto Networks recommends that you make a note of your
existing bandwidth settings and total licensed bandwidth before
you migrate.
Although Prisma Access migrates your bandwidth during migration,
you should note your current settings as a best practice and make
any adjustments to the compute location bandwidth after you migrate.
Check your existing bandwidth settings by selecting
Panorama > Cloud Services > Configuration > Remote Networks and make a
note of the existing Bandwidth that is available
for each remote network connection.
Navigate to Panorama > Licenses and check your total licensed
bandwidth in Mbps for remote networks. This information is included
under Prisma Access Net Capacity or GlobalProtect
Cloud Service for Mobile Users, depending on your license type.
After you migrate, make a note of the following differences to
your deployment:
Bandwidth Allocation for a Migrated Aggregate Bandwidth Deployment
If you have a deployment that allocates bandwidth by
Prisma Access location, Prisma Access makes the following changes
when you migrate to the aggregate
bandwidth model:
Prisma Access sums the bandwidth for all locations in
a given compute location and allocates the summed bandwidth to that
compute location.
For example, suppose you have three locations (Location
1, Location 2, and Location 3) in the Mexico West,
US Southwest, and US West locations, and each existing location
has 50 Mbps of bandwidth. Because each location is in the US Southwest compute location,
Prisma Access sums the bandwidth of the three locations and allocates
150 Mbps of bandwidth to the US Southwest compute location.
If the location or locations in a compute location have
a total bandwidth of less than 50 Mbps, Prisma Access increases
the bandwidth to 50 Mbps for that compute location. Prisma Access
provides you with the locations that require the bandwidth increase
during the migration process.
Prisma Access uses IPSec termination
nodes in aggregate bandwidth deployments. During migration,
Prisma Access provides one IPSec termination node per compute location
for every 500 Mbps of allocated bandwidth. For example, if you allocate
800 Mbps of bandwidth in a compute location, Prisma Access provides
that location with two IPSec termination nodes.
You assign
IPSec termination nodes to a remote network during remote network
onboarding. In an aggregate bandwidth migration, Prisma Access associates
the IPSec termination nodes to the remote networks during migration.
The following list provides some examples of IPSec termination node
association for a migration:
If you have four remote
networks that are in the same compute location, and those locations
have 50 Mbps of bandwidth each, Prisma Access allocates 200
Mbps of bandwidth to that compute location, provides a single IPSec
termination node to that compute location, and associates that IPSec
termination node to all four remote networks.
If you have three remote networks in the same compute location
with 100 Mbps each, Prisma Access allocates 300 Mbps of bandwidth to
that compute location, provides a single IPSec termination node
to that compute location, and associates that IPSec termination
node to all three remote networks.
If you have four remote networks in the same compute location,
with one remote network having 500 Mbps and three remote networks having
100 Mbps each, Prisma Access allocates 800 Mbps of bandwidth to
that compute location. Because the total allocated bandwidth in
that compute location is greater than 500 Mbps, Prisma Access allocates
two IPSec termination nodes and makes the following associations:
The 500 Mbps remote network is assigned one IPSec termination
node.
The three 100 Mbps remote networks are assigned one IPSec
termination node.
After you migrate, you
can change the IPSec termination node association to increase bandwidth
for a location. For example, given a compute location with two IPSec
termination nodes, you could reassign a single IPSec termination
node to a single location and reassign the other IPSec termination
node to the remaining locations, which effectively provides the
location that does not share an IPSec termination node with more
bandwidth.
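
The migration rules above (sum per compute location, 50 Mbps minimum, one IPSec termination node per 500 Mbps, no 1000 Mbps remote networks) can be checked against your recorded settings before you migrate. The following planning sketch is an added example, not Palo Alto Networks code; the inventory, the "Example ..." location names, and rounding the node count up are assumptions.

```python
import math
from collections import defaultdict

MIN_COMPUTE_MBPS = 50        # floor applied per compute location
NODE_CAPACITY_MBPS = 500     # one IPSec termination node per 500 Mbps
UNSUPPORTED_RN_MBPS = 1000   # a remote network at this size blocks migration

# Location -> compute location. The US Southwest rows follow the page's example;
# the "Example ..." names are hypothetical placeholders.
COMPUTE_LOCATION = {
    "Mexico West": "US Southwest",
    "US Southwest": "US Southwest",
    "US West": "US Southwest",
    "Example Location A": "Example Compute A",
    "Example Location B": "Example Compute B",
}

# Constructed inventory: (remote network name, Prisma Access location, Mbps).
REMOTE_NETWORKS = [
    ("rn-1", "Mexico West", 50), ("rn-2", "US Southwest", 50),
    ("rn-3", "US West", 50), ("rn-4", "Example Location A", 25),
    ("rn-5", "Example Location B", 500), ("rn-6", "Example Location B", 100),
    ("rn-7", "Example Location B", 100), ("rn-8", "Example Location B", 100),
]


def plan_migration(remote_networks, compute_map):
    """Return (plan per compute location, list of issues to resolve first)."""
    summed, issues = defaultdict(int), []
    for name, location, mbps in remote_networks:
        if mbps == UNSUPPORTED_RN_MBPS:
            issues.append(f"{name}: 1000 Mbps remote network is not supported")
        if location not in compute_map:
            issues.append(f"{name}: no compute location known for {location!r}")
            continue
        summed[compute_map[location]] += mbps
    plan = {}
    for compute, total in summed.items():
        allocated = max(total, MIN_COMPUTE_MBPS)
        plan[compute] = {
            "summed_mbps": total,
            "allocated_mbps": allocated,
            "raised_to_minimum": allocated > total,
            # Assumption: rounds up, matching 800 Mbps -> 2 nodes on the page.
            "ipsec_nodes": math.ceil(allocated / NODE_CAPACITY_MBPS),
        }
    return plan, issues


if __name__ == "__main__":
    plan, issues = plan_migration(REMOTE_NETWORKS, COMPUTE_LOCATION)
    for compute, row in plan.items():
        print(compute, row)
    print("issues:", issues or "none")
```

Compare the planned totals with the bandwidth settings and licensed bandwidth you recorded, since a compute location raised to the 50 Mbps minimum consumes more than its locations did before migration.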