Configure App Acceleration in Prisma Access (Strata Cloud Manager)

1. (Optional) Disable the Quick UDP Internet Connections (QUIC) protocol.

   App Acceleration cannot accelerate apps at Layer 7 without disabling QUIC.

   1. Go to ManageConfigurationNGFW & Prisma AccessSecurity ServicesSecurity Policy and Add RulePre Rules.

      Create this Security policy rule in the Global configuration scope.
   2. Select an Application / Service of quic and an Actions of Deny.

   3. Save your changes.
   4. Go to ManageConfigurationNGFW & Prisma AccessObjectsServicesService and Add services for UDP port 80 and UDP port 443.

      Palo Alto Networks recommends adding services for UDP port 80 and UDP port 443 and creating an additional security policy to block UDP traffic on those ports, because newer versions of QUIC might be misidentified as unknown-udp.

   5. Return to ManageConfigurationNGFW & Prisma AccessSecurity ServicesSecurity PolicyAdd Rule for a second security policy, specifying the services under Application / Services and an Action of Deny.

      When complete, you will have two security policies: One that blocks the QUIC protocol and one that blocks traffic on UDP ports 80 and 443.

2. Import a root certificate authority (CA) certificate and private key in Strata Cloud Manager in the Prisma Access scope to use with App Acceleration and push your changes.

   A self-signed root CA/certificate is the top-most certificate in a certificate chain. App Acceleration uses the root CA/certificates to create certificates for the accelerated apps. Push the root CA/certificate in Prisma Access so that App Acceleration can begin creation of the app- specific certificates.

   The root CA/certificate must have these characteristics: :

   • The CA must be a trusted CA.
   • (Recommended) The CA should be unique and used for App Acceleration only.
   • The CA can't be expired. Make a note of the CA expiration date, and renew the certificate before it expires. If a CA/certificate in use by App Acceleration expires, users will receive an SSL error when trying to access accelerated apps. It is critical to ensure that the CA is valid when App Acceleration is in use by your organization.
   • It must include a key.
   • It must use a passphrase.
   • It must be in the Prisma Access scope.
   • (Mobile Users—GlobalProtect Deployments Only) It must be installed in the local root certificate store.
     You can perform this installation by adding it to the list of trusted certificates as described in this procedure or, if you are using ActiveDirectory, you can distribute the root CA from AD using an Active Directory Group Policy Object (GPO).

   If you ever need to change the root CA/certificate, you must upload it and commit your changes before you can use the changed certificate.

   1. Go to ManageConfigurationNGFW and Prisma AccessObjectsCertificate Management.
   2. Import a certificate.

   3. Select the following parameters:

      • Enter a unique Certificate Name for the certificate, such as AppAcceleration_CA.
        The name is case-sensitive and can be up to 31 characters long. Use only letters, numbers, hyphens, and underscores in the name.
      • Choose File and browse for the Certificate File received from the CA and Open it.
      • Select a Format:
        • Encrypted Private Key and Certificate (PKCS12)—This is the default and most common format, in which the key and certificate are in a single container (Certificate File).
        • Base64 Encoded Certificate (PEM)—You must import the key separately from the certificate. You're required to select a Key File if you select this format.
        • Enter a Passphrase and Confirm Passphrase.
   4. Save your changes.

3. Mark the root CA/certificate you added as a forward trust certificate and a trusted root CA.

   If you don't specify the certificate as a forward trust certificate and trusted root CA, users will encounter SSL errors when trying to access accelerated apps when using SSL decryption.

   1. Select the root CA/certificate you added.
   2. Select the certificate as a Forward Trust Certificate and Trusted Root CA.

   3. Update the certificate.

4. Push your changes.

5. (Mobile Users—GlobalProtect Deployments Only) Add the root CA/certificate you added to the list of GlobalProtect trusted certificates and install it in the local root certificate store.

   Alternatively, if you are using ActiveDirectory, you can distribute the root CA from AD using an Active Directory GPO.

   1. Go to WorkflowsPrisma Access SetupGlobalProtectGlobalProtect AppGlobal App Settings.
   2. Click the gear to edit the Settings.

   3. Add Trusted Certificate Distribution.

   4. Select the Trusted Root CA you created in a previous step and select Install in Local Root Certificate Store.

   5. Save your changes.
   6. Push your changes.
6. Enable App Acceleration and choose the certificate file you created.

   1. Go to WorkflowsApp Acceleration from the left navigation bar.

      The App Acceleration window displays.

   2. Move the slider to the right to have App Acceleration be Enabled for all Mobile Users—GlobalProtect and Remote Networks.

      If commits are ongoing, App Acceleration settings will take effect after all commits complete.

      App Acceleration will be enabled for all TCP traffic. If you wish to accelerate SaaS apps, you will need to select a root CA/certificate, as shown in the next step.
7. Select the certificate you created in a previous step.

   If you need to change the certificate from an existing one, make sure you have committed and pushed the certificate to your firewalls and users, then select it here. You must commit the new certificate before you select it.

   After you import the certificate, you must wait until App Acceleration generates domain-specific certificates for each app. This process can take up to one hour. In the meantime, you can move the slider for the Accelerated Apps to the left to temporarily disable App Acceleration and access the apps until the certificates are generated; if you don't, you might receive an SSL error until the certificates are generated.

   Allow up to 10 minutes for acceleration to be active after you have turned it on for a given application.
8. (Optional) Show Advanced Options and change the metric testing parameters.

   • (Optional) To disable the collection of metrics to obtain performance information, deselect Allow tests to collect performance metrics for Mobile Users.
     Palo Alto Networks recommends that you enable metric collection to view the app performance improvements when using App Acceleration.
   • (Optional) To change the percentage of users for which predictive tests are processed from the default of 5%, select another percentage in the drop-down and Confirm the changes.