Configure App Acceleration in Prisma Access (Panorama)

1. (Optional) Disable the Quick UDP Internet Connections (QUIC) protocol.

   App Acceleration cannot accelerate apps at Layer 7 without disabling QUIC.

   1. Go to PoliciesSecurityPre Rules and Add a security policy.

      Create this Security policy rule in the Shared device group.
   2. Select an Application of quic and an action of Deny.

   3. Add a second security policy.

      Newer versions of QUIC might be misidentified as unknown-udp. For this reason, Palo Alto Networks recommends adding services for UDP port 80 and UDP port 443 and creating an additional security policy to block UDP traffic on those ports.
   4. Under Service/URL Category, Add a new services for UDP port 80 and UDP port 443 and an Action of Deny.

      When complete, you will have two security policies: One that blocks the QUIC protocol and one that blocks traffic on UDP ports 80 and 443.

2. Import a root certificate authority (CA) certificate and private key in Panorama to use with App Acceleration and commit and push your changes.

   A self-signed root CA/certificate is the top-most certificate in a certificate chain. App Acceleration uses the root CA/certificates to create certificates for the accelerated apps. Push the root CA/certificate in Prisma Access so that App Acceleration can begin creation of the app-specific certificates.

   The root CA/certificate must have these characteristics:

   • The CA must be a trusted CA.
   • (Recommended) The CA should be unique and used for App Acceleration only.
   • The CA can't be expired. Make a note of the CA expiration date, and renew the certificate before it expires. If a CA/certificate in use by App Acceleration expires, users will receive an SSL error when trying to access accelerated apps. It is critical to ensure that the CA is valid when App Acceleration is in use by your organization.
   • It must include a key.
   • It must use a passphrase.
   • (Mobile Users—GlobalProtect Deployments Only) It must be installed in the local root certificate store.
     You can perform this installation by adding it to the list of trusted certificates as described in this procedure or, if you are using ActiveDirectory, you can distribute the root CA from AD using an Active Directory Group Policy Object (GPO).

   If you ever need to change the root CA/certificate, you must upload it and commit and push your changes before you can use the changed certificate.

   1. Go to DeviceCertificatesCertificate Management.

      Be sure that you are in the Mobile_User_Template.
   2. Import a certificate.

   3. Select the following parameters:

      • Enter a unique Certificate Name for the certificate, such as AppAcceleration_CA.
        The name is case-sensitive and can be up to 31 characters long. Use only letters, numbers, hyphens, and underscores in the name.
      • Browse for the Certificate File received from the CA and Open it.
      • Select a Format:
        • Encrypted Private Key and Certificate (PKCS12)—This is the default and most common format, in which the key and certificate are in a single container (Certificate File).
        • Base64 Encoded Certificate (PEM)—You must import the key separately from the certificate. You're required to Import Private Key and select a Key File if you select this format.
        • Enter a Passphrase and Confirm Passphrase.
   4. Click OK.

   5. Repeat these steps, substituting the Remote_Network_Template for the Mobile_User_Template.

      You must import these certificates in both the Mobile_User_Template and Remote_Network_Template in order to accelerate apps for your mobile users and users at remote network sites.
3. Mark the root CA/certificate you added as a forward trust certificate and a trusted root CA.

   If you don't specify the certificate as a forward trust certificate and trusted root CA, users will encounter SSL errors when trying to access accelerated apps when using SSL decryption. If you have certificates in the Mobile_User_Template and Remote_Network_Template, perform this step in both templates.

   1. Select the root CA/certificate you added.
   2. Select the certificate as a Forward Trust Certificate and Trusted Root CA and click OK.

4. Commit and Push your changes.
5. (Mobile Users—GlobalProtect Deployments Only) Add the root CA/certificate you added to the list of GlobalProtect trusted certificates in the GlobalProtect portal configuration.

   Alternatively, if you are using ActiveDirectory, you can distribute the root CA from AD using an Active Directory GPO.

   1. Go to NetworkGlobalProtectPortalsGlobalProtect_PortalAgent.

      Be sure that you are in the Mobile_User_Template.
   2. Add the trusted root CA you created in a previous step.
   3. Select Install in Local Root Certificate Store.
   4. Click OK.

   5. Commit and Push your changes.
6. Enable App Acceleration and choose the certificate file you created.

   1. Go to PanoramaCloud ServicesApp Acceleration and Get Started with App Acceleration.

   2. Go to WorkflowsApp Acceleration from the left navigation bar.

      The App Acceleration window displays.

   3. Move the slider to the right to have App Acceleration be Enabled for all Mobile Users—GlobalProtect and Remote Networks.

      If commits are ongoing, App Acceleration settings will take effect after all commits complete.

      App Acceleration will be enabled for all TCP traffic. If you wish to accelerate SaaS apps, you will need to select a root CA/certificate, as shown in the next step.
7. In the App Acceleration configuration, type the name of the certificate you created in an earlier step exactly as it is listed in Panorama.

   Be sure that you have committed and pushed the certificate before typing it.

   If you need to change the certificate from an existing one, type the new name. You must type in the name (you cannot select it from a list), and you must commit and push the new certificate before you enter the name.

   After you import the certificate, you must wait until App Acceleration generates domain-specific certificates for each app. This process can take up to one hour. In the meantime, you can move the slider for the Accelerated Apps to the left to temporarily disable App Acceleration and access the apps until the certificates are generated; if you don't, you might receive an SSL error until the certificates are generated.

   Allow up to 10 minutes for acceleration to be active after you have turned it on for a given application.
8. (Optional) Show Advanced Options and change the metric testing parameters.

   • (Optional) To disable the collection of metrics to obtain performance information, deselect Allow tests to collect performance metrics for Mobile Users.
     Palo Alto Networks recommends that you enable metric collection to view the app performance improvements when using App Acceleration.
   • (Optional) To change the percentage of users for which predictive tests are processed from the default of 5%, select another percentage in the drop-down and Confirm the changes.