IPSec Termination Nodes, Bandwidth Allocation, and Guaranteed Bandwidth
Prisma Access divides compute location bandwidth using IPSec
Termination Nodes. Each node provides you with a maximum of 500
Mbps of bandwidth. You assign the node to the remote network during
remote network onboarding. If you allocate more than 500 Mbps of
bandwidth to a compute location, Prisma Access provides you with
additional IPSec termination nodes.
The QoS settings you specify here apply only to outbound
traffic for remote networks, and do not affect secure inbound access traffic.
In the following example, you have allocated 800 Mbps bandwidth
in the Canada Central compute location, which is the compute location
for the Canada Central and Canada East locations.
Since you allocated 800 Mbps for the compute location, Prisma
Access gives you two IPSec termination nodes.
You should now determine whether you want to allocate your locations
to the same IPSec termination node, or to use separate IPSec termination nodes.
If you expect you will add more remote network locations to this
compute location, you could leave one IPSec termination node available
to onboard more remote networks at a later time.
For this example, you onboarded two remote
networks, also known as Remote Network Security Processing
Nodes (RN-SPNs), one in Canada East (RN-8) and one in Canada Central
(RN-9), using the same IPSec termination node for both locations.
You enable QoS in the QoS area by selecting Panorama > Cloud Services >
Configuration > Remote Networks > Settings, clicking the gear
to edit the settings, selecting QoS, and
enabling QoS for the Canada Central compute location. See Configure
Quality of Service in Prisma Access for the detailed steps.
In this example, you want the compute location to receive a guaranteed
bandwidth ratio of 60%; to do so, enter a Guaranteed
Bandwidth Ratio of 60% for the
Canada Central compute location. This action reserves 480 Mbps (60%
of the overall bandwidth allocation) for guaranteed bandwidth.
Prisma Access divides up the guaranteed bandwidth equally between
IPSec termination nodes; therefore, each IPSec termination node
receives 240 Mbps of guaranteed bandwidth (480 Mbps divided by the
total number of IPSec termination nodes). When you select Customize
Per Site, you can view the bandwidth that is allocated
for each location. By default, the Allocation Ratio is
divided equally between all remote networks in an IPSec termination
node. In the following example, since there are two remote networks
in the IPSec termination node, each remote network receives an Allocation
Ratio of 50%.
If you select Customize Per Site and
then onboard additional remote networks in the same IPSec termination node,
the newly-onboarded sites receive an allocation ratio of 0,
and you must manually rebalance the allocation ratio between existing
sites and the newly-onboarded site.
If you do not select Customize
Per Site, the bandwidth percentage automatically rebalances
when you add remote networks. For example, if you did not select Customize
Per Site and have four remote networks onboarded, each
of those remote networks has an allocation ratio of 25%. If you
add a fifth remote network, all five sites rebalance and receive
a guaranteed bandwidth of 20%.
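The allocation described above can be checked with a short planning script. This is an added example, not Palo Alto Networks code or a Prisma Access API; it flags sites left at an allocation ratio of 0 after Customize Per Site. Assumptions: one node per started 500 Mbps, a site's guaranteed Mbps is its node's guaranteed Mbps times its allocation ratio, and RN-10 is a constructed site name.

```python
import math

NODE_MAX_MBPS = 500  # per-node maximum stated on the page

def node_count(allocated_mbps):
    # Assumption: one node per started 500 Mbps (the page shows 800 Mbps -> 2 nodes).
    return max(1, math.ceil(allocated_mbps / NODE_MAX_MBPS))

def guaranteed_per_node(allocated_mbps, ratio_pct):
    # Guaranteed pool = ratio x allocation, divided equally between the nodes.
    return allocated_mbps * ratio_pct / 100 / node_count(allocated_mbps)

def site_ratios(sites, custom=None):
    """Allocation ratio (%) of each site on one node.
    custom=None: default behaviour, equal split that rebalances automatically.
    custom={site: pct}: Customize Per Site; a site missing from the mapping is
    newly onboarded and stays at 0 until the ratios are rebalanced by hand."""
    if custom is None:
        return {s: 100 / len(sites) for s in sites}
    return {s: custom.get(s, 0) for s in sites}

def audit_node(node_guaranteed_mbps, ratios):
    """Return (guaranteed Mbps per site, findings) for one node.
    Assumption: a site's share is the node's guaranteed Mbps x its ratio."""
    findings = [f"{s}: allocation ratio 0, no guaranteed bandwidth"
                for s, pct in ratios.items() if pct == 0]
    total = sum(ratios.values())
    if abs(total - 100) > 1e-9:  # assumption: ratios on a node should total 100%
        findings.append(f"ratios total {total:g}%, expected 100%")
    mbps = {s: node_guaranteed_mbps * pct / 100 for s, pct in ratios.items()}
    return mbps, findings

if __name__ == "__main__":
    per_node = guaranteed_per_node(800, 60)          # Canada Central example
    print(node_count(800), "nodes,", per_node, "Mbps guaranteed per node")
    print(audit_node(per_node, site_ratios(["RN-8", "RN-9"])))
    # RN-10 is a constructed third site onboarded after Customize Per Site.
    custom = {"RN-8": 50, "RN-9": 50}
    print(audit_node(per_node, site_ratios(["RN-8", "RN-9", "RN-10"], custom)))
```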