Mark the ingress traffic using a security policy
or using marking from an on-premises device.
You can create PAN-OS security policies to mark
traffic destined to Prisma Access for mobile users and for remote
network connections. For service connections, Prisma Access will
honor traffic marking from your organization’s on-premises devices.
Optionally, you can also use on-premises devices to mark traffic
for remote networks.
To ensure predictable results,
we recommend marking traffic using either security policies in Prisma
Access or your on-premises device, but not both. If there are differences
between the security policies in Prisma Access and the on-premises
device, the security policy in Prisma Access overrides the policy
in the on-premises device.
Map the traffic to classes using a QoS policy rule.
You can create QoS profiles to shape QoS traffic for service
connections and for remote network connections and apply those profiles
to traffic that you marked with PAN-OS security policies, traffic
that you marked with an on-premises device, or both PAN-OS-marked
and on-premise-marked traffic.
Enable QoS on the service connection or remote network
connection and bind the QoS profile to the connection.
The following figure shows the available QoS deployments
in Prisma Access.