The following examples show how Prisma Access marks and shapes traffic.

In the following example, the administrator created a security policy on the Mobile_User_Device_Group to mark incoming mobile user traffic. These policies assign traffic an IP precedence value of AF11.

The administrator also created QoS profiles with QoS policy rules, enabled QoS on the service connection and remote network connection, and applied the profiles to those connections to shape the traffic at the traffic’s egress point based on the QoS markings.

The following example shows the QoS traffic flow from a branch office to an HQ/data center. The administrator creates a security policy on the Remote_Network_Device_Group to mark the incoming traffic from the remote network connection and enabled QoS and applied a QoS profile on the service connection to shape the outgoing traffic.

The following example shows a hybrid deployment with an on-premises firewall at a branch that is connected by Prisma Access with a remote network connection, and the on-premises firewall marks the traffic. This deployment honors the marking set on the on-premises firewall. You must enable QoS and apply a QoS profile on the service connection, so that Prisma Access can shape the traffic at egress.

Prisma Access honors all DSCP marking from the on-premises device as long as that traffic does not match an overriding security policy on Prisma Access.

The following example shows a Prisma Access for Clean Pipe Overview configuration that shapes on ingress (from the internet to Clean Pipe side). See Configure Quality of Service for Clean Pipe for configuration details.