Use Case 1 - Protect a Business Critical SaaS Application
- Active Paths:
- Direct on Primary internet (Verizon at the example site).
- Direct on Secondary internet (Comcast at the example site).
- Backup Paths: None
- Layer 3 Failure Paths: Direct on Metered 5G.
Performance Policy Intent
- Use Link Quality Monitoring (LQM) information available from the branch to DC VPNs and TCP Metrics available from real user traffic for path selection decisions on new flows.
- Use any Active Path to load share traffic as long as the path is SLA compliant.
- Use only the Layer 3 Failure Path if all active paths are down, not degraded.
- Generate an Incident to be forwarded to operations in case of noncompliance with the SLA metrics.
Configure the Policy Rule
- Select the desired policy set from Manage > Prisma SD-WAN > Policies > Performance.
- Select Add Rule and enter the Name as Protect SuperSaaSApp, Description (optional), and the Order Number (optional). More specific rules should be organized at the top of the Policy Set list, else a less specific policy rule may be matched first.
- In the Actions section, select Raise Alarms and Move Flows.
- In the Match Criteria section, under App Filters, select the application SuperSaaSApp from the drop-down, select the category in Path Filters as All Public, and select the Path Type as Direct.
- In the Performance SLAs section, click Add New, and check the options Link Quality Metrics and Application Metrics. Enter the SLA Name as SuperSaaSApp.
- In Link Quality Metrics, enter the Jitter value as 50 ms.
- Click the + sign to enter the Latency value as 100 ms and the Packet Loss value as 3%.
- Retain the Advanced Settings at their default values.
- In Application Metrics, enter the Init Failure Rate value as 10%. This uses the rate of TCP 3-way handshake failure on a per app (matched above), per path, per destination prefix basis. It uses real user traffic.
- Click the + sign to enter the RTT value as 100 ms. This uses the TCP Round-Trip Time based upon real user traffic.
- In the Advanced Settings, change the monitoring approach from Moderate to Aggressive. The Aggressive setting will give more weight to the most recent real user traffic measurements, causing the incident generation to be more sensitive to recent issues.
- Review the Summary of the policy settings for the desired policy intent and Save & Exit.
Monitor the Policy Intent
- Application Site Details: Each Application has both global and site-specific details which can be viewed by navigating to Monitor > Applications > Prisma SD-WAN > SuperSaaSApp > {Branch Site Name}. This view presents numerous data points reflecting the true health of the application at the site. Focusing on the SuperSaaSApp Path Performance Details widget reveals that very little traffic has been routed through the Verizon connection. From this point, we can inspect the performance of the circuit available from the site summary or the individual flows. As the flows for this application are located at the bottom of the page, inspecting them will help determine why the system is avoiding the Verizon circuit for SuperSaaSApp.
- Flow Browser: Flow Browser provides a detailed per-flow account of all aspects of the app session, including the conditions at the time and actions taken to meet the configured SLA. Click on the Flow Detail for the SuperSaaSApp application in the Flow Browser to view its details. The Advanced Info option provides information on the Flow Decision Data. In this case, the Verizon connection exceeded the 3% packet loss tolerance specified in the Performance SLA and the path was avoided.
- Incidents and Alerts: If the Application SLA metrics are violated, the system generates an incident, which can be found under Incidents & Alerts > Prisma SD-WAN > Incidents, labeled with the incident code APPLICATION_PERFORMANCE_DEGRADED. In this case, not only were the Application SLA Metrics (Init fail % or RTT) violated, the link quality SLA metrics were also breached. This generated another incident under the incident code CIRCUIT_PERFORMANCE_DEGRADED. As circuit health issues generally lead to application SLAs not being met, the system automatically detects the correlation between the two and APPLICATION_PERFORMANCE_DEGRADED becomes a child incident of CIRCUIT_PERFORMANCE_DEGRADED. By default, the system correlates the Application Performance Degraded incident and suppresses it to reduce excessive App SLA notifications. This default behavior enables faster root cause determination by minimizing the symptoms (paths not being compliant with App SLAs). Using Incident Settings, the default suppress behavior can be changed to not suppress the child incident.
- Summary: Implementing the Performance Policy rule for SuperSaaSApp ensures an optimal end-user experience by consistently utilizing the best-performing direct internet path available. The effects of the rule are easily monitored using the App Site Details, Link Quality Metrics, and flow browser. Operationally, the generated Incidents notify operations staff that the Verizon internet connection periodically proves unsuitable for SuperSaaSApp.
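The Performance Policy Intent and the incident correlation described above can be modelled in a few lines of Python. This is an added example, not Palo Alto Networks code and not a call into any Prisma SD-WAN API: the `Path` class, the function names, the metric key names and the sample measurements are all hypothetical or constructed, and the behaviour when every up path is degraded is an assumption.

```python
from dataclasses import dataclass, field

# Thresholds from the SuperSaaSApp Performance SLA configured on this page.
LINK_SLA = {"jitter_ms": 50, "latency_ms": 100, "loss_pct": 3}
APP_SLA = {"init_fail_pct": 10, "rtt_ms": 100}

@dataclass
class Path:
    name: str
    role: str                      # "active" or "l3_failure"
    up: bool = True
    metrics: dict = field(default_factory=dict)   # constructed measurements

def violations(path, sla):
    """Names of the SLA metrics that this path's measurements exceed."""
    return [k for k, limit in sla.items() if path.metrics.get(k, 0) > limit]

def select_paths(paths):
    """Names of the paths eligible for new flows under the policy intent."""
    active_up = [p for p in paths if p.role == "active" and p.up]
    if not active_up:  # Layer 3 failure path only when every active path is down
        return [p.name for p in paths if p.role == "l3_failure" and p.up]
    ok = [p for p in active_up if not violations(p, {**LINK_SLA, **APP_SLA})]
    # Assumption: if every up path is degraded, flows stay on the active paths.
    return [p.name for p in (ok or active_up)]

def incidents(paths, suppress_child=True):
    """Incident records with the parent/child correlation described above."""
    out = []
    for p in (p for p in paths if p.role == "active" and p.up):
        link, app = violations(p, LINK_SLA), violations(p, APP_SLA)
        if link:
            out.append({"code": "CIRCUIT_PERFORMANCE_DEGRADED", "path": p.name,
                        "parent": None, "suppressed": False})
        if app:
            parent = "CIRCUIT_PERFORMANCE_DEGRADED" if link else None
            out.append({"code": "APPLICATION_PERFORMANCE_DEGRADED", "path": p.name,
                        "parent": parent, "suppressed": bool(link) and suppress_child})
    return out

# Constructed sample: Verizon is up but over the 3% loss and 10% init-failure limits.
SAMPLE = [
    Path("Verizon", "active", True, {"jitter_ms": 12, "latency_ms": 40,
         "loss_pct": 4.5, "init_fail_pct": 14, "rtt_ms": 90}),
    Path("Comcast", "active", True, {"jitter_ms": 8, "latency_ms": 35,
         "loss_pct": 0.2, "init_fail_pct": 1, "rtt_ms": 60}),
    Path("Metered 5G", "l3_failure"),
]
```

With the sample, `select_paths(SAMPLE)` keeps new flows on Comcast only, and `incidents(SAMPLE)` yields the circuit incident plus a suppressed application child incident for Verizon; passing `suppress_child=False` mirrors changing the default in Incident Settings.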