topic Palo alto sdwan dia Saas profile issue in Prisma SD-WAN Discussions

Palo alto sdwan dia Saas profile issue

ranjith22 — Mon, 16 Dec 2024 14:06:44 GMT

Recently we have enabled SDWAN DIA setup in the firewall without the Panorama, all the routing and link switchover works fine as expected.

However we ran into the issue now, we have saas profile probing cisco.com using https when the cisco.com was not reachable via both the ISP the saas profile active monitor went down, since the site was temporarily down for sometime, the internet traffic was not working using the default catch-all policy

example policies:

rule number - 1

source address - project vlan

source zone - trust

destination address - any

destination zone - untrust

application - any

path quality profile - general-web

saas quality - cisco.com(https)

traffic distribution - best path (two ISPs)

Rule 2:

source address - any

source zone - trust

destination address - any

destination zone - untrust

application - any

path quality profile - general-web

saas quality - NA

traffic distribution - best path (two ISPs)

is there a way to bypass the sdwan policy to which the saas monitoring went down and choose the available policy for internet access

Note: No issues at ISPs

Re: Palo alto sdwan dia Saas profile issue

nikoolayy1 — Fri, 17 Jan 2025 08:18:12 GMT

Maybe it is better to change the rule order as to have the one without "saas quality " before the other that has the monitoring or you can just configure also an "application" that matches the Cisco url, so the first rule to be more specific and not capture all rule.

Re: Palo alto sdwan dia Saas profile issue

VasanthK — Tue, 11 Mar 2025 08:41:04 GMT

Maybe You can create a policy that bypasses the SD-WAN path selection when the SaaS monitoring is down. This policy should be placed above the existing policies to ensure it takes precedence.