topic Re: SD-WAN Issue: Some Traffic Not Matching the Expected Policy in Advanced SD-WAN for NGFW Discussions

SD-WAN Issue: Some Traffic Not Matching the Expected Policy

R.BONY — Mon, 07 Apr 2025 17:39:12 GMT

Hello everyone,

I’m facing an issue with Palo Alto SD-WAN on Panorama (FW PA-1440).

I created an SD-WAN rule to direct traffic for the ms-update application through a specific WAN link. However, when I check the traffic monitor using an ms-update filter, I notice that some packets match the "unmatched session" policy, while others correctly match my "Update Microsoft" policy.

Could someone explain why this is happening or guide me on how to debug this issue?

Thanks in advance!

Best regards,

Re: SD-WAN Issue: Some Traffic Not Matching the Expected Policy

ozheng — Fri, 28 Mar 2025 09:15:54 GMT

Hello @R.BONY ,

Please keep in mind App-ID requires some packets before the identification is accurate.

If you want to confirm that is the cause, you can set the logging at start (for the policies which may allow the initial packet), then in the traffic logs, for a ms-update ended session, you search the corresponding start log to see what app-id that was.

Olivier

Re: SD-WAN Issue: Some Traffic Not Matching the Expected Policy

R.BONY — Mon, 31 Mar 2025 08:54:16 GMT

Thanks for the reply,

I set logging at the start, and the traffic logs look fine they match "ms-update" at the beginning.

This is very strange because, in the Session Browser, the Palo Alto firewall identifies the traffic as "ms-update," and the egress interface is my SD-WAN interface. However, it does not apply my SD-WAN policy as expected.

Re: SD-WAN Issue: Some Traffic Not Matching the Expected Policy

R.BONY — Mon, 07 Apr 2025 15:15:21 GMT

Hello all,

Has anyone managed to get SD-WAN traffic working with the application tag 'ms-update'?

I still don't understand why the rule isn't matching. Maybe I should work with a rule based on the IP instead of the application?

regards

Re: SD-WAN Issue: Some Traffic Not Matching the Expected Policy

Ivan_PA1983 — Tue, 03 Jun 2025 14:37:46 GMT

Having the same problem here with ms-update app and even with O365 tagged apps. I have a pair of SD-WAN policies pointing to Prisma tunnels and DIA links respectively and I want to steer traffic from some MSF apps to the former ones and sometimes it does it the right way, other times not, even recognizing the same app....Not understanding the reason of that behaviour.

Re: SD-WAN Issue: Some Traffic Not Matching the Expected Policy

davidemoro86 — Tue, 29 Jul 2025 10:07:20 GMT

I'm having the same problem. Based on the traffic log I can see sessions without any SDWAN policy, empty value on that field.
Traffic applications are more than one, like ssl, quic or ms-office365-base and sessions are with KBs of traffic (so enough traffic passed on the firewall) and session end reason is TCP-FIN.
How that is possible?
I have at the bottom a CatchALL SDWAN policy that MUST match ALL traffic.