https://live.paloaltonetworks.com/t5/prisma-sd-wan-discussions/weak-path-affinity/m-p/1225541#M255 <P>We're looking at some interesting issues around app shift between our Prisma Access tunnel and local/DC breakout. Session starts as SSL, gets pushed over the PA tunnel, gets reidentified as an app that is set to breakout locally and the ION duly changes path and breaks the session. Most apps/devices tolerate this fine, but some refuse to reattempt a new connection and thus are broken from the user perspective.</P> <P>&nbsp;</P> <P>We're looking at a few things, Path Affinity is one. The doco is pretty clear on how None and Strict work when configured in an App Override or Custom App, but looking at the predefined apps, many of them are set to Weak. But I can't find any explanation of what this default behaviour is, so can't really compare it to Strong. A full site search only gives a short summary from the API doco:</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><SPAN class="openapi-schema__container"><STRONG class="openapi-schema__property">path_affinity</STRONG><SPAN class="openapi-schema__name">string</SPAN><SPAN class="openapi-schema__required">required</SPAN></SPAN></P> <P class="lia-indent-padding-left-30px">This parameter defines the path affinity characteristics to consider during flow decision making. Allowed values: "none" "weak" "strict". If path affinity is none or weak and a better path is available, flows will be moved to a new path. If path affinity is strict, all application flows will continue on the same path.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P>Better than nothing, but also doesn't help much. Has anyone seen better doco, or done the experimenting to work out how Weak actually works compared to None?</P> <P>&nbsp;</P> <P>(we have a TAC case open but it's a bit slow, this might be faster. Also aware the App Affinity might not be related to our issue if the Path Policy is higher precedence, but it's still a good knowledge gap to fill)</P> Thu, 03 Apr 2025 05:58:26 GMT James.McCutcheon 2025-04-03T05:58:26Z https://live.paloaltonetworks.com/t5/prisma-sd-wan-discussions/weak-path-affinity/m-p/1225541#M255 <P>We're looking at some interesting issues around app shift between our Prisma Access tunnel and local/DC breakout. Session starts as SSL, gets pushed over the PA tunnel, gets reidentified as an app that is set to breakout locally and the ION duly changes path and breaks the session. Most apps/devices tolerate this fine, but some refuse to reattempt a new connection and thus are broken from the user perspective.</P> <P>&nbsp;</P> <P>We're looking at a few things, Path Affinity is one. The doco is pretty clear on how None and Strict work when configured in an App Override or Custom App, but looking at the predefined apps, many of them are set to Weak. But I can't find any explanation of what this default behaviour is, so can't really compare it to Strong. A full site search only gives a short summary from the API doco:</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><SPAN class="openapi-schema__container"><STRONG class="openapi-schema__property">path_affinity</STRONG><SPAN class="openapi-schema__name">string</SPAN><SPAN class="openapi-schema__required">required</SPAN></SPAN></P> <P class="lia-indent-padding-left-30px">This parameter defines the path affinity characteristics to consider during flow decision making. Allowed values: "none" "weak" "strict". If path affinity is none or weak and a better path is available, flows will be moved to a new path. If path affinity is strict, all application flows will continue on the same path.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P>Better than nothing, but also doesn't help much. Has anyone seen better doco, or done the experimenting to work out how Weak actually works compared to None?</P> <P>&nbsp;</P> <P>(we have a TAC case open but it's a bit slow, this might be faster. Also aware the App Affinity might not be related to our issue if the Path Policy is higher precedence, but it's still a good knowledge gap to fill)</P> Thu, 03 Apr 2025 05:58:26 GMT https://live.paloaltonetworks.com/t5/prisma-sd-wan-discussions/weak-path-affinity/m-p/1225541#M255 James.McCutcheon 2025-04-03T05:58:26Z https://live.paloaltonetworks.com/t5/prisma-sd-wan-discussions/weak-path-affinity/m-p/1231818#M285 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/153547">@James.McCutcheon</a>&nbsp; any info from the SOC as ION devices nowadays utlize the same app database as Palo Alto NGFW but on the NGFW you can see&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1aCAC" target="_blank">How to Prevent Application Shift - Knowledge Base - Palo Alto Networks</A>&nbsp;and&nbsp;<A href="https://live.paloaltonetworks.com/t5/general-topics/handling-of-and-awareness-of-app-id-shifts-or-new-releases/td-p/568136" target="_blank">LIVEcommunity - Handling of and Awareness of APP-ID shifts or new releases - LIVEcommunity - 568136</A>&nbsp;while ION devices seem more limited.</P> Mon, 16 Jun 2025 08:50:44 GMT https://live.paloaltonetworks.com/t5/prisma-sd-wan-discussions/weak-path-affinity/m-p/1231818#M285 nikoolayy1 2025-06-16T08:50:44Z