# Autonomous Digital Experience Management (ADEM) - Detailed Summary

## What is ADEM?

Autonomous Digital Experience Management (ADEM) is a Palo Alto Networks capability integrated within its SASE solution (primarily Prisma Access and Strata Cloud Manager). It provides native, end-to-end visibility and actionable insights into the digital experience of users accessing applications, regardless of user location (office, home, remote) or application hosting location (SaaS, IaaS, data center).
ADEM continuously monitors the entire service delivery path, segment by segment: **Device**, **WiFi**, **LAN**, **Internet (ISP)**, **Prisma Access**, and the **Application** itself. It uses a variety of monitoring techniques (synthetic tests, real user monitoring, endpoint telemetry) to establish performance baselines, detect degradations, identify root causes, and provide suggestions for remediation.

ADEM functionality is built into the **GlobalProtect Client** for mobile users and can leverage agents on **Prisma SD-WAN ION devices** or **NGFWs with an SD-WAN subscription** for remote site monitoring.

**Licensing & Management:** Using ADEM requires appropriate licenses. This typically includes a base Prisma Access license plus an ADEM add-on (such as ADEM Observability or AI-Powered ADEM) or the Strata Cloud Manager Pro tier. ADEM data and configuration are primarily accessed and managed via **Strata Cloud Manager (SCM)** through the Palo Alto Networks Hub, even for Prisma Access deployments managed by Panorama.
## ADEM Monitoring Capabilities

ADEM gathers performance and health data using several methods:

### Monitoring for Mobile Users (via GlobalProtect Agent)

- **Synthetic Monitoring:**
  - Utilizes the DEM-enabled GlobalProtect agent on the endpoint and cloud-based ADEM agents within Prisma Access.
  - Runs scheduled, automated tests to proactively measure performance even when users aren't actively using an application.
  - Measures end-to-end network quality metrics (**Latency**, **Jitter**, and **Packet Loss**) for each segment from the user to the monitored application.
  - Collects web performance metrics via HTTP/HTTPS tests: **Application Availability/Uptime**, **Server Response Time**, **DNS Lookup Time**, **TCP Connect Time**, **SSL Connect Time**, **Time-to-First-Byte (TTFB)**, and **Data Transfer Rate**.
  - Provides a baseline view and helps pinpoint segment-specific degradations over time.
- **Browser-Based Real User Monitoring (RUM):**
  - Requires installation of the **ADEM Browser Plugin** in the user's browser.
  - Collects metrics directly from the user's live interactions with web applications.
  - Measures actual perceived performance using metrics like **Time To First Byte (TTFB)** and Core Web Vitals: **Largest Contentful Paint (LCP)**, **Cumulative Layout Shift (CLS)**, **First Input Delay (FID)**, and **Interaction to Next Paint (INP)**.
  - Provides insights into real-world browsing experience and page load performance.
- **Endpoint Monitoring:**
  - The ADEM agent (within GlobalProtect) gathers device health telemetry as soon as an application test is assigned.
  - Collected metrics include **CPU Utilization**, **Memory Utilization**, **Disk Usage**, **Disk Queue Length**, and **Battery Level**.
  - Collects detailed WiFi information: **SSID**, **BSSID**, **Channel**, **Tx/Rx Utilization**, and **WiFi Signal Quality**.
  - Helps determine whether performance issues stem from the user's device or the local WiFi environment.
### Monitoring for Remote Sites (via ION/NGFW Agent)

- **Supported Devices:** Prisma SD-WAN ION devices (v5.6.1+) or NGFWs with an active SD-WAN subscription.
- **Prerequisites:** Aggregate bandwidth must be enabled for the Prisma Access deployment.
- **SD-WAN Device Monitoring:** Collects device-level metrics such as **CPU Utilization** and **Memory Utilization**, plus historical trends, from the ION device or NGFW.
- **Remote Site Traffic Visibility:** Provides continuous visibility into real traffic usage between the site and applications (SaaS, IaaS, Data Center), including traffic traversing Prisma Access.
- **Synthetic Monitoring from Site:** The ADEM agent on the SD-WAN device and cloud agents in Prisma Access run synthetic tests (Network Quality and Web Performance, similar to mobile users) from the site perspective towards monitored applications.
- **Monitored Paths:** ADEM can monitor application experience across all available WAN paths defined in SD-WAN policies (active and backup), including:
  - **Prisma Access Path:** Traffic tunneled via standard VPN to Prisma Access for security.
  - **Secure Fabric Path:** Traffic tunneled to another SD-WAN device (e.g., in a data center).
  - **Direct Access Path:** Traffic sent directly to the internet from the site.

**Monitored Paths from Remote Sites**

```mermaid
flowchart TD
    subgraph Remote_Site["Remote Site (ION/NGFW)"]
        Device(SD-WAN Device)
    end
    subgraph Paths
        PA(Prisma Access Path \n Standard VPN)
        SF(Secure Fabric Path \n DC VPN Tunnel)
        DA(Direct Access Path \n Local Internet)
    end
    subgraph Destinations
        App_PA(App via Prisma Access)
        App_DC(Internal App via DC)
        App_INET(SaaS/Internet App)
    end
    Device -- Synthetic/Real Traffic --> PA --> App_PA
    Device -- Synthetic/Real Traffic --> SF --> App_DC
    Device -- Synthetic/Real Traffic --> DA --> App_INET
    style Remote_Site fill:#e9ecef,stroke:#333
    style Destinations fill:#fff3cd,stroke:#333
```
## Key Metrics & Experience Score Calculation

ADEM synthesizes diverse metrics into an **Experience Score** to gauge application performance quality for users and sites.

- **Experience Score Scale:** Ranges from 0-100, color-coded for quick assessment:
  - **Good:** Score >= 70
  - **Fair:** Score 30-69
  - **Poor:** Score < 30
- **Root Cause Identification:** When the score drops below 70, ADEM analyzes metrics from synthetic tests across the service delivery segments (Device, Wi-Fi, LAN, ISP, App) to pinpoint the likely root cause(s).
- **Synthetic Metrics Score Calculation:** Primarily based on two key metrics:
  - **Availability:** If the application is unavailable (availability score 0), the overall experience score is 0.
  - **Time to First Byte (TTFB):** If the application is available, the score is based on TTFB thresholds. TTFB itself is composed of DNS Resolution Time, TCP Connect Time, SSL Connect Time, and Server Response Time.
- **Browser-Based RUM Metrics Score Calculation (Mobile Users Only):**
  - **Availability:** Based on successful HTTP status (score 1) or failure (score 0). If Availability is 0, the experience score is 0.
  - **LCP & INP:** If available (HTTP success), the score is the minimum of the calculated scores for Largest Contentful Paint (LCP) and Interaction to Next Paint (INP).
- **Combined Experience Score Logic (Mobile Users):**
  - If both Synthetic and RUM metrics are available for an application domain, the overall Experience Score prioritizes and uses **only the RUM metrics**.
  - If RUM metrics are unavailable (e.g., no browser plugin, non-web app), the score relies **only on Synthetic metrics**.
- **Remote Site Experience Score Calculation:**
  - Calculated per application based on synthetic tests run over configured paths (active/backup).
  - An overall score is calculated for each remote site by averaging results across monitored applications.
  - An organization-wide score aggregates results from all monitored remote sites.
  - The score for an application at a site considers the average of test samples from all **active** paths.
**Experience Score Root Cause Segments**

```mermaid
flowchart TD
    A[User Interaction/Request] --> B(Device)
    B --> C(WiFi)
    C --> D(Local Network)
    D --> E(Internet/ISP)
    E --> F(Prisma Access)
    F --> G(Application)
    G --> H[Response/Experience]
    style B fill:#f8d7da,stroke:#dc3545
    style C fill:#f8d7da,stroke:#dc3545
    style D fill:#f8d7da,stroke:#dc3545
    style E fill:#f8d7da,stroke:#dc3545
    style F fill:#e7f3fe,stroke:#29abe2
    style G fill:#fff3cd,stroke:#ffc107
    %% note right of G
    %% ADEM analyzes performance across these segments to identify bottlenecks.
```
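The scoring rules in this section, worked through as an added Python example. This is not Palo Alto Networks code and does not claim to reproduce the product's actual curve: the band boundaries (70/30), the "unavailable means 0" rule, the TTFB composition, the min(LCP, INP) rule, the RUM-over-synthetic preference and the active-paths-only averaging all come from the summary above, while the millisecond thresholds for TTFB, LCP and INP and the linear ramp between "good" and "poor" are assumptions, since the page gives no numeric values.

```python
"""Toy model of how ADEM composes an Experience Score (added example, not Palo Alto code).

Known from the summary: Good >= 70, Fair 30-69, Poor < 30; unavailable -> score 0;
synthetic score derived from TTFB (DNS + TCP + SSL + server response); RUM score is
min(LCP score, INP score); RUM wins over synthetic when both exist; a remote-site
app score averages samples from ACTIVE paths only.
ASSUMED (not on the page): the millisecond thresholds and the linear ramp between them.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional

GOOD_MIN, FAIR_MIN = 70, 30  # band boundaries from the summary

# ASSUMED thresholds in milliseconds; the summary states no numeric values.
TTFB_GOOD_MS, TTFB_POOR_MS = 500, 2000
LCP_GOOD_MS, LCP_POOR_MS = 2500, 4000
INP_GOOD_MS, INP_POOR_MS = 200, 500


def ramp_score(value_ms: float, good_ms: float, poor_ms: float) -> int:
    """100 at or below 'good', 0 at or above 'poor', linear in between (assumed shape)."""
    if value_ms <= good_ms:
        return 100
    if value_ms >= poor_ms:
        return 0
    return round(100 * (poor_ms - value_ms) / (poor_ms - good_ms))


def band(score: int) -> str:
    """Colour band shown in the dashboards."""
    if score >= GOOD_MIN:
        return "Good"
    return "Fair" if score >= FAIR_MIN else "Poor"


@dataclass
class SyntheticSample:
    """One synthetic HTTP/S test result; TTFB is the sum of its four components."""
    available: bool
    dns_ms: float = 0.0
    tcp_ms: float = 0.0
    ssl_ms: float = 0.0
    server_ms: float = 0.0

    @property
    def ttfb_ms(self) -> float:
        return self.dns_ms + self.tcp_ms + self.ssl_ms + self.server_ms


def synthetic_score(s: SyntheticSample) -> int:
    if not s.available:          # availability 0 forces the experience score to 0
        return 0
    return ramp_score(s.ttfb_ms, TTFB_GOOD_MS, TTFB_POOR_MS)


@dataclass
class RumSample:
    """One browser-plugin (RUM) observation for a web page."""
    http_ok: bool
    lcp_ms: float = 0.0
    inp_ms: float = 0.0


def rum_score(r: RumSample) -> int:
    if not r.http_ok:            # HTTP failure -> availability 0 -> score 0
        return 0
    return min(ramp_score(r.lcp_ms, LCP_GOOD_MS, LCP_POOR_MS),
               ramp_score(r.inp_ms, INP_GOOD_MS, INP_POOR_MS))


def mobile_user_score(synthetic: Optional[SyntheticSample],
                      rum: Optional[RumSample]) -> int:
    """Mobile users: RUM metrics are used exclusively when present."""
    if rum is not None:
        return rum_score(rum)
    if synthetic is None:
        raise ValueError("no synthetic or RUM data for this domain")
    return synthetic_score(synthetic)


def remote_site_app_score(samples_by_path: dict, active_paths: set) -> int:
    """Per-application score at a site: mean over samples from ACTIVE paths only."""
    scores = [synthetic_score(s)
              for path, samples in samples_by_path.items() if path in active_paths
              for s in samples]
    return round(mean(scores))


def average_score(scores: dict) -> int:
    """Site score = mean over its apps; organization score = mean over its sites."""
    return round(mean(scores.values()))


if __name__ == "__main__":
    # Constructed sample data
    fast = SyntheticSample(True, dns_ms=20, tcp_ms=30, ssl_ms=50, server_ms=200)     # TTFB 300 ms
    slow = SyntheticSample(True, dns_ms=50, tcp_ms=100, ssl_ms=100, server_ms=1000)  # TTFB 1250 ms
    down = SyntheticSample(False)
    rum = RumSample(True, lcp_ms=3000, inp_ms=350)
    s = mobile_user_score(fast, rum)
    print("mobile user, RUM present (RUM wins):", s, band(s))
    s = remote_site_app_score({"prisma_access": [fast, slow], "direct": [down]}, {"prisma_access"})
    print("site app score, backup path ignored:", s, band(s))
```

The worked values show the two rules that most often surprise people: a fast synthetic result does not rescue a poor RUM score for a mobile user, because RUM is used exclusively when present, and an unavailable backup path does not drag a site's application score down, because only active paths are averaged.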
## Configuration Highlights

### Enabling ADEM

- The ADEM data collection capability is part of the GlobalProtect client software but must be explicitly enabled for users or groups within the Prisma Access configuration (managed via Strata Cloud Manager or Panorama). Check GlobalProtect compatibility (e.g., version 5.2.11 or later was mentioned).
- For Remote Site monitoring (ION/NGFW), ADEM enablement in Prisma Access often requires the aggregate bandwidth licensing model for the compute location. Compatible device software versions are also necessary (e.g., ION 5.6.1+ was mentioned).
- Appropriate ADEM licenses (add-on or included in SCM Pro) must be assigned and active.
### Application Tests (Synthetic Monitoring Setup)

Application tests simulate user interaction to proactively monitor application availability and performance.

- Navigate to **Insights > Application Experience > Application Tests** in Strata Cloud Manager.
- Click **Create Application Test**.
- Provide the **Application Domain URL / Target IP Address**. ADEM validates the target.
- Select the **Source**:
  - Mobile Users: Choose 'All Users' (default for licensed users) or 'Custom' to select specific users/groups.
  - Remote Networks: Select specific licensed remote sites (ION/NGFW).
  - Prisma Access Locations: Select specific Prisma Access locations to run tests from the cloud infrastructure itself.
- Configure **Advanced Options**:
  - **Network Test Options:** Primarily for TCP tests. Port defaults to 443. Critical setting: the **Split Tunnel** checkbox; select it *only* if the application is configured to be split tunneled in the corresponding GlobalProtect configuration.
  - **Web Test Options:** Enable/disable HTTP/S tests (enabled by default for web apps). Option to override default ports (80/443). Can add a custom URL path or HTTP headers. Option to ignore SSL certificate trust issues.
  - **Path Visualization Options:** Enable/disable **per-hop performance metrics** (enabled by default). Select the protocol (TCP/ICMP) for traceroute. *Note:* If 'Split Tunnel' is checked in Network Options, the protocol is determined automatically by the endpoint OS (Windows uses TCP, macOS uses ICMP for split tunnels) and cannot be selected manually. For non-split-tunneled apps, TCP or ICMP can be chosen.
  - **Remote Sites Test Options:** (If Remote Sites are selected as source) Choose to monitor only active paths or both active and backup paths as defined in the Prisma SD-WAN path policy. Optionally specify App-IDs, Network Context, or Source Prefixes to align tests with specific SD-WAN rules (requires specific agent/ION versions).
- **Save** the test. Tests are assigned priority based on creation order (1, 2, 3...).
**Application Test Configuration Flow**

```mermaid
graph TD
    A["Start: Insights > App Exp > App Tests"] --> B(Click 'Create Application Test')
    B --> C[Define Target: URL/IP]
    C --> D{Select Source}
    D -- Mobile_Users --> E[All Users or Custom Users/Groups]
    D -- Remote_Sites --> F[All Sites or Specific Sites]
    D -- PA_Locations --> G[Specific PA Locations]
    E --> H[Configure Advanced Options: Network, Web, Path Vis]
    F --> H
    G --> H
    H --> I(Save Test - Priority Assigned)
    I --> J[Config pushed to Agents/Sites]
    J --> K(Tests Begin Running)
    %% named CSS colours take no '#' prefix
    style A fill:lightblue
    style K fill:lightgreen
```
### Application Suites

Application Suites allow grouping related domains or application tests for aggregated monitoring and easier analysis.

- Create and manage via **Insights > Application Experience > Application Suites**.
- Add existing domains monitored by RUM or synthetic tests, or add completely new domains directly to a suite.
## ADEM Self-Serve (End-User Remediation)

This feature empowers end users by providing notifications and remediation suggestions for common performance issues they can potentially resolve themselves.

- **Functionality:** Notifies users directly on their endpoint about: Poor WiFi quality, Disconnected WiFi, High CPU usage, High Memory usage, and Internet Outages.
- **User Interface:** Users clicking the notification (or opening the Application Experience UI proactively) see details about the issue and suggested actions.
- **Enablement:** Disabled by default. IT Admins enable it via **Insights > Users** (scope set to Prisma Access) by clicking the **Self Serve** button.
- **Configuration:** Admins select which notification types to enable (CPU, Memory, WiFi Quality, Internet Outage), set thresholds (e.g., CPU > 95%, Memory > 95%, WiFi Signal Quality < 48%), and choose target users or groups.
- **Notification Frequency:** CPU/Memory/WiFi alerts trigger once per 30-minute interval if the condition persists or recurs. Internet Down alerts trigger only once per outage.
- **Suppression Logic:** All Self-Serve notifications are suppressed if the ADEM agent has been disconnected from the portal for over 24 hours. WiFi and Internet notifications are also suppressed if GlobalProtect is in the 'Connected Internal' or 'Internal' state.
**Self-Serve Notification Logic**

```mermaid
sequenceDiagram
    participant Agent as ADEM Agent (on Endpoint)
    participant Portal as ADEM Portal/Service
    participant User as End User
    participant Admin as IT Admin
    Admin->>Portal: Enable Self-Serve & Configure Thresholds/Users
    Agent->>Agent: Monitor Device/WiFi/Internet Status
    Agent->>Agent: Check if Threshold Crossed & Notification Interval Passed
    alt Threshold Crossed & Interval OK
        Agent->>Portal: Report Status (Implied)
        Agent->>User: Display Desktop Notification (e.g., High CPU)
        User->>Agent: Click Notification (Optional)
        Agent->>User: Open Application Experience UI with details & remediation
    else Threshold Not Crossed or Within Interval
        Agent->>Agent: Continue Monitoring
    end
```
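The frequency and suppression rules above, as an added Python decision model. It is not Palo Alto Networks code and does not describe how the agent is built; it assumes the thresholds the summary quotes as examples, that the 30-minute interval is measured from the last notification of the same kind, that "once per outage" resets when internet connectivity returns, and that one telemetry reading is evaluated at a time. The demo scenario at the bottom is constructed data.

```python
"""Toy decision model of the Self-Serve notification rules (added example, not Palo Alto code).

Rules modelled: CPU/Memory/WiFi alerts at most once per 30-minute interval while the
condition persists or recurs; Internet Down once per outage; everything suppressed when
the agent has been out of contact with the portal for more than 24 h; WiFi and Internet
alerts suppressed while GlobalProtect is 'Connected Internal' or 'Internal'.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

COOLDOWN = timedelta(minutes=30)          # repeat interval for CPU/Memory/WiFi
OFFLINE_SUPPRESS = timedelta(hours=24)    # agent out of contact longer than this: no alerts
INTERNAL_STATES = {"Connected Internal", "Internal"}
THRESHOLDS = {"cpu_pct": 95, "memory_pct": 95, "wifi_quality_pct": 48}  # page's examples

# Notification kind -> the admin-selectable category it belongs to
CATEGORY = {"High CPU": "cpu", "High Memory": "memory",
            "Poor WiFi quality": "wifi", "Disconnected WiFi": "wifi"}


@dataclass
class Telemetry:
    """One endpoint reading (constructed for the demo)."""
    now: datetime
    last_portal_contact: datetime
    gp_state: str
    cpu_pct: float
    memory_pct: float
    wifi_connected: bool
    wifi_quality_pct: float
    internet_up: bool


@dataclass
class SelfServeState:
    enabled: set                                  # categories the admin switched on
    last_fired: dict = field(default_factory=dict)  # kind -> time of last notification
    outage_notified: bool = False                 # has the current outage been announced?

    def evaluate(self, t: Telemetry) -> list:
        """Return the notifications to display for this reading, updating state."""
        if t.now - t.last_portal_contact > OFFLINE_SUPPRESS:
            return []                             # offline > 24 h: suppress everything
        internal = t.gp_state in INTERNAL_STATES
        if t.internet_up:
            self.outage_notified = False          # outage over; the next one may notify again

        conditions = {
            "High CPU": t.cpu_pct > THRESHOLDS["cpu_pct"],
            "High Memory": t.memory_pct > THRESHOLDS["memory_pct"],
            "Poor WiFi quality": t.wifi_connected and t.wifi_quality_pct < THRESHOLDS["wifi_quality_pct"],
            "Disconnected WiFi": not t.wifi_connected,
        }
        fired = []
        for kind, crossed in conditions.items():
            if not crossed or CATEGORY[kind] not in self.enabled:
                continue
            if CATEGORY[kind] == "wifi" and internal:
                continue                          # WiFi alerts suppressed on the internal network
            last = self.last_fired.get(kind)
            if last is None or t.now - last >= COOLDOWN:
                self.last_fired[kind] = t.now
                fired.append(kind)

        if ("internet" in self.enabled and not t.internet_up
                and not internal and not self.outage_notified):
            self.outage_notified = True           # only once per outage
            fired.append("Internet Outage")
        return fired


def run_demo_scenario() -> list:
    """Constructed sequence of readings; returns the list fired at each step."""
    t0 = datetime(2024, 1, 1, 9, 0)
    state = SelfServeState(enabled={"cpu", "memory", "wifi", "internet"})
    base = dict(gp_state="Connected", cpu_pct=97, memory_pct=50,
                wifi_connected=True, wifi_quality_pct=80, internet_up=True)
    steps = [
        (0, {}),                        # CPU 97% > 95%               -> High CPU
        (10, {}),                       # still high, inside cooldown  -> nothing
        (30, {}),                       # cooldown elapsed             -> High CPU again
        (31, {"internet_up": False}),   # outage starts                -> Internet Outage
        (35, {"internet_up": False}),   # outage persists              -> nothing
        (40, {}),                       # outage clears                -> nothing
        (45, {"internet_up": False}),   # new outage                   -> Internet Outage
        (70, {"gp_state": "Connected Internal", "wifi_quality_pct": 10}),  # CPU yes, WiFi suppressed
    ]
    fired = []
    for minutes, override in steps:
        now = t0 + timedelta(minutes=minutes)
        fired.append(state.evaluate(Telemetry(now=now, last_portal_contact=now, **{**base, **override})))
    # Agent out of contact for 25 h: suppressed even though CPU is still high
    now = t0 + timedelta(minutes=120)
    fired.append(state.evaluate(Telemetry(now=now, last_portal_contact=now - timedelta(hours=25), **base)))
    return fired


if __name__ == "__main__":
    for step, result in enumerate(run_demo_scenario()):
        print(step, result)
```

Run it to see the cooldown, the once-per-outage behaviour, and the internal-network and offline suppressions interact on a single timeline; the useful takeaway for troubleshooting "why didn't the user get a notification" is that three independent gates (category enabled, cooldown, suppression state) all have to pass.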
## Agent Upgrades & Data Collection Details

- **Agent Updates:** Although bundled with GlobalProtect, the ADEM agent component updates separately to ensure the latest monitoring capabilities. Updates are managed via **Autonomous DEM > Settings > Access Experience Agent Management** (for Mobile Users) or **Remote Sites Agent Management**. Options include a manual trigger (`Start Upgrade`) or automatic updates (`Auto Upgrade`). Online agents upgrade immediately; offline agents upgrade upon reconnection.
- **Data Collected:** ADEM gathers a wide range of telemetry including:
  - **User Session:** GP username, login/logout times, GP status, Prisma Access location, user geo-location, ISP.
  - **BIOS:** Serial number.
  - **Computer:** Hostname, Model, Manufacturer, Battery status.
  - **Network:** Hostname, interface details, IP (v4/v6), Public IP, MAC, default gateway, WiFi details (Signal Quality, Tx/Rx Speed/Util, Channel, SSID, BSSID).
  - **VPN Network:** VPN interface, Gateway ID/Hostname, network interfaces used by VPN.
  - **OS:** Type, Version, Architecture.
  - **Logical Devices:** ID, type, media type, size, name, volume info, filesystem details.
  - **CPU:** Architecture, core/processor counts, manufacturer, max clock speed, name.
  - **RAM:** Memory capacity (Windows), Total capacity.
  - **Synthetic Test Results:** Network Latency/Jitter/Loss, DNS time, TCP/SSL latency, Server Response Time.
  - **RUM Metrics:** Page Load Time, TTFB, LCP, CLS, FID, INP.
- **Whitelisting Requirements:** For proper communication and function, specific ADEM FQDNs (such as `agents.dem.prismaaccess.com` and `updates.dem.prismaaccess.com`) may need to be whitelisted in firewalls and excluded from SSL decryption. Additionally, specific ADEM agent processes (e.g., `DEMAnalyticsProcess.exe` and `GlobalProtectAutonomousDEM.exe` on Windows; various `.xpc` services and `.app` components on macOS) must be whitelisted in any third-party EDR solutions (CrowdStrike, Trellix, and SentinelOne were mentioned as examples).
## UCaaS Integrations (Zoom / Microsoft Teams)

ADEM integrates with Zoom and Microsoft Teams to provide deeper insights into unified communications quality by correlating ADEM's network/endpoint data with vendor-provided call quality metrics (CQM).

- **Zoom Integration:**
  - **Requirement:** Requires purchasing a Zoom Quality of Service Subscription (QSS) license directly from Zoom.
  - **Functionality:** ADEM ingests the Zoom QSS data feed containing per-minute call performance telemetry (loss, latency, jitter, bandwidth).
  - **Correlation:** ADEM correlates this QSS data with its own endpoint, WiFi, LAN, and ISP performance data to pinpoint root causes for degraded Zoom calls.
  - **Setup:** Requires Zoom Administrator authorization during configuration within the ADEM Application Test setup for Zoom (`zoom-meeting` or `zoom-base`). The user ID for the Zoom login and the GlobalProtect login should match for data correlation.
  - **Limitations:** Monitoring is restricted to participants within the customer's organization/tenant. Calls involving only external participants are not analyzed. Supported only for Prisma Access tenants that have been migrated to a TSG ID.
- **Microsoft Teams Integration:**
  - **Requirement:** Requires Microsoft Teams Administrator permissions to authorize ADEM during onboarding.
  - **Functionality:** Enables ADEM to receive call quality data from Microsoft Teams meetings (call records are generated 30 minutes after a meeting ends).
  - **Correlation:** Similar to Zoom, correlates Teams CQM with ADEM synthetic data for root cause analysis across the Device, Local Network, Wi-Fi, and Internet segments.
  - **Setup:** Onboarded via an integrated workflow in **Insights > Application Experience > Application Tests**, typically by editing the predefined "MS Teams" test and authorizing access.
  - **Data Views:** Provides dashboards showing overall Teams performance impact, users experiencing issues, root causes, meeting lists, and detailed performance metrics (latency, jitter, loss, bandwidth) per meeting.
## Viewing ADEM Data (Dashboards & Monitoring)

Admins access ADEM insights through various dashboards within **Strata Cloud Manager (SCM)**, accessed via the Hub.

- **Insights > Application Experience:** The primary landing page. Provides organization-wide views, top degraded applications/domains, user experience score distributions (Mobile vs. Remote Site), RUM activity summaries (if enabled), and access to Application Suites and Application Test configuration. Allows drilling down into specific applications.
- **Insights > Application Experience > (Select Application Domain):** Shows detailed metrics for a specific application, including experience score trends, RUM vs. Synthetic data sources (indicated by R/S letters), root cause analysis via Sunburst Chart, impacted user lists, segment-wise impact, and performance metric trends (Availability, TTFB components, RUM metrics).
- **Insights > Activity Insights > Users:** Lists monitored users and devices. Shows aggregated experience scores, last seen info, agent versions, and Self-Serve status.
- **Insights > Activity Insights > Users > (Select User) > Experience:** Provides a per-user, per-device view. Shows device details, unique time impacted across segments, application domains accessed by the user with their experience, performance trends for selected domains, path visualization, device health metrics (CPU/Memory/Disk/Battery), and RUM transaction performance (if applicable).
- **Monitor > Branch Sites > Prisma SD-WAN > List / (Select Site) > Experience:** Displays experience scores, trends, and application performance details specifically for monitored Remote Sites connected via SD-WAN (ION or NGFW). Shows monitored paths (Prisma Access, Secure Fabric, Direct Access).
- **Monitor > Prisma Access Locations:** Aggregates performance metrics based on the Prisma Access location users/sites are connected to. Shows connected entity counts and status, and allows drilling into location details with application experience trends and path visualization *from* that location.
- **Monitor > Access Analyzer:** Leverages ADEM telemetry (topology, operational state, logs) alongside configuration data to provide natural language query troubleshooting for connectivity issues (e.g., "Can user X access app Y from location Z?"). Identifies blocks due to policy, security profiles, IdP issues, or infrastructure problems.
- **SASE Health > Experience > Accelerated Applications / Monitored Applications:** (Requires App Acceleration license) Displays performance boost metrics and availability/experience data for applications monitored by ADEM synthetic tests, distinguishing between accelerated and non-accelerated apps.
**Data Flow for Viewing**

```mermaid
graph TD
    A["ADEM Agent (GP/ION/NGFW)"] --> B["Data Collection"]
    B -- Telemetry --> C{"ADEM Portal / Cloud Service"}
    C -- Processed Data --> D["Cortex Data Lake (Implied Storage)"]
    C -- Insights Feed --> E["Strata Cloud Manager / Hub"]
    subgraph SCM_UI_Views
        E --> F["Insights - App Experience"]
        E --> G["Insights - Activity Insights - Users"]
        E --> H["Monitor - Branch Sites"]
        E --> I["Monitor - PA Locations"]
        E --> J["Monitor - Access Analyzer"]
        E --> K["SASE Health - Experience"]
    end
    F --> L["Admin Views Data"]
    G --> L
    H --> L
    I --> L
    J --> L
    K --> L
    style A fill:#d4edda,stroke:#28a745
    style C fill:#e7f3fe,stroke:#29abe2
    style E fill:#e9ecef,stroke:#6c757d
    style L fill:#fff3cd,stroke:#ffc107
```
## Gotchas & Important Considerations

- **Firewall Rules for Synthetics:** Ensure downstream firewalls (including Prisma Access policies if traffic routes there) explicitly allow the protocols/ports used by ADEM synthetic tests (ICMP, TCP/443 by default, potentially HTTP/80, or custom ports defined in the test) towards the target application IPs. 'Application-default' service settings in policies might block tests.
- **Split Tunnel Configuration Accuracy:** The 'Split Tunnel' checkbox in the Application Test configuration *must* accurately reflect the GlobalProtect configuration for that application. Incorrect configuration impacts Path Visualization data (protocol used) and potentially test reachability. Remember that the Windows agent uses TCP and the macOS agent uses ICMP for split tunnel path visualization by default.
- **Test Limits & Priority Impacts:** Each remote site device (ION/NGFW) has a maximum number of synthetic tests it can run concurrently (based on model/size). Tests are pushed based on priority (lowest number first). If a site hits its limit, lower-priority tests assigned to it will be moved to an 'Excluded Remote Sites' state for that test and will not run, potentially impacting monitoring coverage. Prioritize critical application tests.
- **RUM Data Dependencies:** Real User Monitoring data requires users to have the ADEM Browser Plugin installed *and* to actively browse the target web application domain. Data won't exist for non-web apps or users without the plugin. ADEM score calculation prioritizes RUM over Synthetic data when both exist for a mobile user.
- **Self-Serve Notification Logic:** Understand the suppression rules: no notifications if the agent is offline for more than 24 hours, and no WiFi/Internet alerts if GP is connected internally. Thresholds must be crossed *after* the 30-minute cooldown period for repeat CPU/Memory/WiFi notifications.
- **EDR/AV Exclusions Crucial:** Failure to whitelist required ADEM FQDNs (for portal communication) and processes (agent executables and helpers like `crypter`, `mtr`, `curl`, etc.) in EDR/Antivirus solutions is a common cause of ADEM not functioning correctly or failing to report data. Consult the documentation for the full list.
- **GP Log Collection Certificate Renewal:** This certificate is critical for the GP agent (and thus ADEM) to communicate with the portal. If it expires, data collection stops. Admins must manually renew it via Panorama (Cloud Services > Configuration) or Strata Cloud Manager (Manage > Certificate Management) before expiration.
- **UCaaS Integration Prerequisites:** Zoom integration requires purchasing the QSS license *from Zoom*. Teams integration requires Teams Admin permissions for the initial authorization workflow. User IDs should match between the GP login and the UCaaS login for best correlation.
- **Data Latency & Refresh Rates:** While ADEM aims for near real-time insights, understand that there are intervals for data collection (e.g., endpoint telemetry), synthetic test execution (e.g., every 5 minutes for path traces, longer for web tests depending on configuration), RUM data processing, and dashboard refresh rates (e.g., the App Experience UI refreshes roughly every 30 seconds). Configuration changes (like adding users to test groups) can take time to propagate (up to 6 hours was mentioned).
- **Access Analyzer Data Sources:** Access Analyzer leverages ADEM data but also pulls from Prisma Access topology, firewall configuration, operational state (routing, FIB), authentication logs, and traffic logs. Its analysis depends on the availability and timeliness of these multiple sources.