Enable Routing and QoS for Service Connections (Cloud Management)

Configure routing and QoS settings for your service connection.
In order for Prisma Access to route traffic to your HQ and data centers, you must provide routing information for the subnetworks that you’d like users to be able to access. You can do this in several ways: define a static route to each subnetwork at the HQ or data center site, configure BGP between your service connection locations and Prisma Access, or use a combination of both methods. If you configure both static routes and BGP, the static routes take precedence. You can also configure QoS to prioritize business-critical traffic or traffic that requires low latency.
  • Static Routes
    —Identify the subnetworks or individual IP addresses at the data center or HQ that you want mobile users or remote sites to access. The subnetworks at HQ, data centers, and remote network sites must not overlap with each other, with the IP pools that you designated for Prisma Access for Users, or with the infrastructure subnet.
  • BGP
    —If you want to enable BGP to dynamically route traffic to and from your HQ and data centers, you will need to provide the BGP information for the eBGP router at the HQ/DC:
    • HQ/DC Router Autonomous System (AS) Number
      —The AS to which the eBGP router at the HQ/DC belongs. This is called the Peer AS.
    • Router ID
      —The IP address assigned as the Router ID of the eBGP router on the HQ/DC network. This is called the Peer Address.
    If you configure both static routes and BGP routing, the static routes take precedence.
  • QoS
    —If you plan to configure Prisma Access security policy rules to apply QoS markings to ingress traffic or you have a device at the HQ/DC that marks ingress traffic, you can shape the traffic egressing the site by defining a QoS profile that maps the classes you use to maximum and guaranteed bandwidth values.
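The constraints above (no overlap between HQ/DC subnets, remote network subnets, mobile user IP pools and the infrastructure subnet; a private-use Peer AS; static routes winning over BGP for the same prefix) are easy to get wrong by hand. The following is an added example, not code from Prisma Access or this page: a small pre-deployment checker over a hypothetical plan dictionary. The key names (`address_spaces`, `static_routes`, `bgp`, `learned_prefixes`) are assumptions made for the example and are not a Prisma Access API; the sample addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Private-use AS ranges reserved by RFC 6996 (16-bit and 32-bit).
PRIVATE_AS_16 = (64512, 65534)
PRIVATE_AS_32 = (4200000000, 4294967294)


def is_private_as(asn: int) -> bool:
    """True if asn falls in one of the RFC 6996 private-use ranges."""
    return (PRIVATE_AS_16[0] <= asn <= PRIVATE_AS_16[1]
            or PRIVATE_AS_32[0] <= asn <= PRIVATE_AS_32[1])


def find_overlaps(address_spaces: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Report every pair of prefixes that overlap, across and within the named spaces.
    Two HQ subnets overlapping each other is just as much a problem as HQ overlapping the IP pool."""
    entries = [(name, ipaddress.ip_network(p))            # strict: host bits set is an error
               for name, prefixes in address_spaces.items() for p in prefixes]
    overlaps = []
    for i in range(len(entries)):
        for j in range(i + 1, len(entries)):
            (n1, p1), (n2, p2) = entries[i], entries[j]
            if p1.version == p2.version and p1.overlaps(p2):
                overlaps.append((n1, str(p1), n2, str(p2)))
    return overlaps


def effective_routes(static_routes: List[str], bgp_routes: List[str]) -> Dict[str, str]:
    """Merge the two sources: a static route wins over a BGP-learned route for the same prefix."""
    table = {str(ipaddress.ip_network(p)): "bgp" for p in bgp_routes}
    for p in static_routes:
        table[str(ipaddress.ip_network(p))] = "static"
    return table


def validate_plan(plan: dict) -> List[str]:
    """Return a list of 'error:'/'warning:' strings; empty means the plan passes."""
    problems = []
    spaces = plan["address_spaces"]
    for a, p1, b, p2 in find_overlaps(spaces):
        problems.append(f"error: {a} {p1} overlaps {b} {p2}")
    bgp = plan.get("bgp")
    if bgp:
        if not is_private_as(bgp["peer_as"]):
            problems.append(f"error: peer AS {bgp['peer_as']} is not an RFC 6996 private-use AS")
        local = bgp.get("local_ip")
        if local:
            # The BGP local address must not land in the infrastructure subnet or a remote network subnet.
            addr = ipaddress.ip_address(local)
            forbidden = list(spaces.get("infrastructure_subnet", []))
            forbidden += [p for k, v in spaces.items() if k.startswith("remote_network") for p in v]
            for p in forbidden:
                if addr in ipaddress.ip_network(p):
                    problems.append(f"error: BGP local IP {local} falls inside {p}")
        if bgp.get("do_not_export_routes"):
            problems.append("warning: Do Not Export Routes is set; the HQ/DC must carry static routes back to Prisma Access")
    return problems


# Constructed sample plan (hypothetical schema).
SAMPLE_PLAN = {
    "address_spaces": {
        "hq": ["10.10.0.0/16"],
        "dc": ["10.20.0.0/16"],
        "remote_network_branch1": ["10.30.1.0/24"],
        "mobile_user_pools": ["172.16.0.0/16"],
        "infrastructure_subnet": ["192.168.255.0/24"],
    },
    "static_routes": ["10.10.0.0/16", "10.20.5.0/24"],
    "bgp": {
        "peer_as": 65001,
        "peer_ip": "10.20.0.1",
        "local_ip": "169.254.10.1",
        "do_not_export_routes": False,
        "learned_prefixes": ["10.20.0.0/16", "10.20.5.0/24"],
    },
}

# Same plan with two deliberate mistakes: a DC subnet carved out of HQ space and a public AS.
BAD_PLAN = {
    "address_spaces": {**SAMPLE_PLAN["address_spaces"], "dc": ["10.20.0.0/16", "10.10.50.0/24"]},
    "static_routes": SAMPLE_PLAN["static_routes"],
    "bgp": {**SAMPLE_PLAN["bgp"], "peer_as": 65536},
}

if __name__ == "__main__":
    for name, plan in (("sample", SAMPLE_PLAN), ("bad", BAD_PLAN)):
        print(name, validate_plan(plan) or "ok")
    print(effective_routes(SAMPLE_PLAN["static_routes"], SAMPLE_PLAN["bgp"]["learned_prefixes"]))
```

Run the checker against the plan before touching the tenant; the route merge shows which prefixes end up static (10.20.5.0/24 is learned over BGP but the static entry for it takes precedence).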
Here’s how to configure routing and QoS settings for your HQ and data center service connections:
  • To add or adjust routing and QoS settings, go to Prisma Access Setup and then Service Connections.
  • Configure static routes.
    If you are using static routes to route traffic to and from your HQ/DC, enter the IP subnets or IP addresses at the HQ/DC that you want Prisma Access to reach. Note that if you make any changes to the IP subnets on your HQ/DC network, you must manually update the static routes.
  • Configure dynamic routing.
    To use dynamic routing to advertise HQ/DC subnets, select Enable BGP for Dynamic Routing and then configure the following settings:
    • Do Not Export Routes
      —Prevent Prisma Access from forwarding routes into the HQ/DC.
      By default, Prisma Access advertises all BGP routing information, including local routes and all prefixes it receives from other service connections, remote networks, and mobile user subnets. Select this check box to prevent Prisma Access from sending any BGP advertisements, but still use the BGP information it receives to learn routes from other BGP neighbors.
      Because Prisma Access does not send BGP advertisements, if you select this option you must configure static routes on your on-premises equipment to establish routes back to Prisma Access.
    • Peer IP Address
      —Enter the Peer IP Address assigned as the Router ID of the eBGP router on the HQ/DC network.
    • Peer AS
      —Enter the Peer AS, which is the autonomous system (AS) number of the eBGP router on your HQ/DC network.
      You must use an RFC 6996-compliant private-use AS number (64512 to 65534, or 4200000000 to 4294967294).
    • Local IP Address
      —Enter the IP address that Prisma Access uses as its Local IP Address for BGP.
      A local address is only required if your HQ/DC device requires it for BGP peering to be successful. Make sure the address you specify does not conflict or overlap with IP addresses in the infrastructure subnet or subnets in the remote network.
    • Secret
      —Enter a Secret password to authenticate BGP peer communications and then enter it again under Confirm Secret.
  • Configure QoS.
    To start, add a QoS profile to define the QoS classes that will shape traffic between the HQ/DC and Prisma Access. You’ll then create a QoS policy rule and add the profile to the rule, in order to enforce QoS on matching HQ/DC traffic.
    1. Add a QoS profile.
      Set bandwidth limits for the profile:
      • Set the maximum throughput (in Mbps) for traffic leaving the HQ/DC service connection as the Egress Max. You can specify a value up to the maximum licensed bandwidth of your HQ/DC service connection.
      • Set the guaranteed bandwidth (in Mbps) as the Egress Guaranteed. Any traffic that exceeds the Egress Guaranteed value is best effort but not guaranteed. Any bandwidth that is guaranteed but unused remains available to all traffic.
      Define the QoS classes for the profile:
      • Class
        —A QoS class determines the priority and bandwidth for traffic matching a QoS policy rule. Here you’ll use the profile to define each QoS class, and you’ll next attach this profile to a policy rule.
        There are up to eight definable QoS classes in a single QoS profile. Unless otherwise configured, traffic that does not match a QoS class is assigned a class of 4.
      • Priority
        —Give a QoS class a priority of real-time, high, medium or low.
      • Egress Max
        —The egress max value for a QoS class, or the combined egress max values for multiple QoS classes, must not exceed the egress max value for the QoS profile.
      • Egress Guaranteed
        —The guaranteed bandwidth assigned to the QoS class is not reserved for that class; unused bandwidth remains available to all traffic. Any class traffic that exceeds the egress guaranteed value is best effort but not guaranteed.
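The profile rules above (profile Egress Max within the licensed bandwidth, the classes' combined Egress Max not exceeding the profile's, up to eight classes, unmatched traffic landing in class 4, guaranteed bandwidth that is not reserved) can be checked before the profile is attached to a policy rule. The following is an added example, not code from Prisma Access or this page. `validate_profile` applies exactly the constraints stated on the page; `allocate` is a deliberately simplified model (guaranteed bandwidth first, then leftover capacity handed out in priority order up to each class's max) that is consistent with the page's description but is not the product's scheduler. The class and priority values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

PRIORITIES = ("real-time", "high", "medium", "low")   # highest to lowest
MAX_CLASSES = 8
DEFAULT_CLASS = "class4"   # traffic matching no QoS class is assigned class 4


@dataclass
class QosClass:
    name: str
    priority: str
    egress_max: float          # Mbps
    egress_guaranteed: float   # Mbps


@dataclass
class QosProfile:
    name: str
    egress_max: float          # Mbps, must not exceed the licensed bandwidth
    egress_guaranteed: float   # Mbps
    classes: List[QosClass]


def validate_profile(profile: QosProfile, licensed_mbps: float) -> List[str]:
    """Return a list of problems; empty means the profile satisfies the page's constraints."""
    problems = []
    if profile.egress_max > licensed_mbps:
        problems.append(f"profile egress max {profile.egress_max} exceeds licensed {licensed_mbps} Mbps")
    if profile.egress_guaranteed > profile.egress_max:
        problems.append("profile egress guaranteed exceeds profile egress max")
    if len(profile.classes) > MAX_CLASSES:
        problems.append(f"{len(profile.classes)} classes defined; at most {MAX_CLASSES} allowed")
    names = [c.name for c in profile.classes]
    if len(set(names)) != len(names):
        problems.append("duplicate class names")
    if DEFAULT_CLASS not in names:
        problems.append(f"{DEFAULT_CLASS} is not defined, but unmatched traffic is assigned to it")
    combined_max = sum(c.egress_max for c in profile.classes)
    if combined_max > profile.egress_max:
        problems.append(f"combined class egress max {combined_max} exceeds profile egress max {profile.egress_max}")
    for c in profile.classes:
        if c.priority not in PRIORITIES:
            problems.append(f"{c.name}: unknown priority {c.priority!r}")
        if c.egress_guaranteed > c.egress_max:
            problems.append(f"{c.name}: egress guaranteed exceeds its egress max")
    return problems


def allocate(profile: QosProfile, demand_mbps: Dict[str, float]) -> Dict[str, float]:
    """Simplified two-pass model of egress shaping (illustration only, not the product scheduler).
    Pass 1 serves each class up to its guaranteed value; pass 2 hands the remaining profile capacity
    out in priority order up to each class's max. Guaranteed-but-unused bandwidth is therefore
    available to everyone in pass 2, and demand above a class's max is dropped."""
    classes = {c.name: c for c in profile.classes}
    if DEFAULT_CLASS not in classes:
        raise ValueError(f"{DEFAULT_CLASS} must be defined to carry unmatched traffic")
    demand: Dict[str, float] = {}
    for name, mbps in demand_mbps.items():            # unmatched traffic folds into the default class
        target = name if name in classes else DEFAULT_CLASS
        demand[target] = demand.get(target, 0.0) + mbps
    alloc = {name: 0.0 for name in classes}
    remaining = profile.egress_max
    for c in profile.classes:                                   # pass 1: guaranteed
        want = min(demand.get(c.name, 0.0), c.egress_guaranteed, c.egress_max, remaining)
        alloc[c.name] = want
        remaining -= want
    for c in sorted(profile.classes, key=lambda k: PRIORITIES.index(k.priority)):   # pass 2: best effort
        extra = min(demand.get(c.name, 0.0) - alloc[c.name], c.egress_max - alloc[c.name], remaining)
        if extra > 0:
            alloc[c.name] += extra
            remaining -= extra
    return alloc


# Constructed sample: a 200 Mbps service connection with three shaped classes.
PROFILE = QosProfile("hq-egress", egress_max=200, egress_guaranteed=100, classes=[
    QosClass("class1", "real-time", egress_max=50, egress_guaranteed=30),
    QosClass("class2", "high", egress_max=80, egress_guaranteed=40),
    QosClass("class4", "medium", egress_max=70, egress_guaranteed=20),
])
# Same profile with class maxima that add up to 230 Mbps, more than the profile allows.
BAD_PROFILE = QosProfile("hq-egress-bad", egress_max=200, egress_guaranteed=100, classes=[
    QosClass("class1", "real-time", egress_max=80, egress_guaranteed=30),
    QosClass("class2", "high", egress_max=80, egress_guaranteed=40),
    QosClass("class4", "medium", egress_max=70, egress_guaranteed=20),
])
DEMAND = {"class1": 40.0, "class2": 100.0, "unmatched-web": 60.0}

if __name__ == "__main__":
    print(validate_profile(PROFILE, licensed_mbps=200) or "profile ok")
    print(validate_profile(BAD_PROFILE, licensed_mbps=200))
    print(allocate(PROFILE, DEMAND))
```

With the sample demand, class 2 is held to its 80 Mbps class max even though 20 Mbps of capacity is left, and the 60 Mbps of unmatched traffic is shaped as class 4; the same constructed inputs produce a non-empty problem list for the profile whose class maxima exceed the profile's Egress Max.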