03-27-2025 03:01 AM - last edited on 04-07-2025 10:39 AM by banand
Hello everyone,
I'm facing an issue with Palo Alto SD-WAN on Panorama (firewall: PA-1440).
I created an SD-WAN rule to direct traffic for the ms-update application through a specific WAN link. However, when I check the traffic monitor with an ms-update filter, I notice that some sessions match the "unmatched session" policy, while others correctly match my "Update Microsoft" policy.
Could someone explain why this is happening or guide me on how to debug this issue?
Thanks in advance!
Best regards,
03-28-2025 02:15 AM
Hello @R.BONY,
Please keep in mind that App-ID requires some packets before the identification is accurate.
If you want to confirm that this is the cause, you can set logging at session start (for the policies that may allow the initial packet); then, in the traffic logs, for a session that ended as ms-update, search for the corresponding start log to see what the App-ID was at that point.
Olivier
PCSNE - CISSP
Best Effort contributor
Check out our PANCast Channel
Disclaimer: All messages are my personal ones and do not represent my company's view in any way.
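To illustrate the check Olivier describes (pairing each session-end log with its session-start log to see which App-ID the first packets received and which SD-WAN policy they hit), here is an added example that is not from this thread or from Palo Alto Networks. The log lines and the eight field names are constructed for the example and simplified; the real PAN-OS traffic log has many more fields.

```python
# Added example: correlate session-start and session-end traffic logs by session ID
# and report where App-ID shifted during the session. Log format and field names
# below are CONSTRUCTED for illustration, not the real PAN-OS traffic log schema.
from collections import defaultdict

# Constructed sample: session 1001 starts as "ssl" and ends as ms-update (policy
# chosen on the early packets); session 1002 is ms-update from the first log.
SAMPLE_LOGS = """\
2025-03-28T08:00:01,start,1001,10.1.1.5,13.107.4.50,ssl,allow-web,unmatched session
2025-03-28T08:00:09,end,1001,10.1.1.5,13.107.4.50,ms-update,allow-web,unmatched session
2025-03-28T08:01:00,start,1002,10.1.1.6,13.107.4.51,ms-update,allow-web,Update Microsoft
2025-03-28T08:01:30,end,1002,10.1.1.6,13.107.4.51,ms-update,allow-web,Update Microsoft
"""
FIELDS = ["time", "type", "session_id", "src", "dst", "app", "rule", "sdwan_policy"]


def parse_logs(text):
    """Parse the constructed CSV lines into dicts keyed by the assumed field names."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split(",")
        if len(values) != len(FIELDS):
            raise ValueError(f"unexpected field count in line: {line!r}")
        rows.append(dict(zip(FIELDS, values)))
    return rows


def appid_shifts(rows, final_app="ms-update"):
    """For sessions that END as final_app, map session_id -> (start_app, end_app,
    sdwan_policy seen at session start). A differing start_app explains why the
    early packets were steered by a policy other than the ms-update one."""
    by_session = defaultdict(dict)
    for r in rows:
        by_session[r["session_id"]][r["type"]] = r
    result = {}
    for sid, logs in by_session.items():
        start, end = logs.get("start"), logs.get("end")
        if start is None or end is None or end["app"] != final_app:
            continue  # incomplete pair, or not the application being traced
        result[sid] = (start["app"], end["app"], start["sdwan_policy"])
    return result


if __name__ == "__main__":
    for sid, (a0, a1, pol) in sorted(appid_shifts(parse_logs(SAMPLE_LOGS)).items()):
        flag = "SHIFTED" if a0 != a1 else "stable"
        print(f"session {sid}: {flag} {a0} -> {a1}; SD-WAN policy at start: {pol}")
```

With real exports, swap the constructed parser for the firewall's actual CSV columns; the correlation by session ID is the part that matters.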
03-31-2025 01:54 AM
Thanks for the reply.
I set logging at session start, and the traffic logs look fine; they match "ms-update" from the beginning.
This is very strange because, in the Session Browser, the Palo Alto firewall identifies the traffic as "ms-update," and the egress interface is my SD-WAN interface. However, it does not apply my SD-WAN policy as expected.
04-07-2025 08:15 AM
Hello all,
Has anyone managed to get SD-WAN traffic working with the application tag 'ms-update'?
I still don't understand why the rule isn't matching. Maybe I should work with a rule based on the IP instead of the application?
Regards
06-03-2025 07:37 AM
Having the same problem here with the ms-update app, and even with O365-tagged apps. I have a pair of SD-WAN policies pointing to Prisma tunnels and DIA links respectively, and I want to steer traffic from some MSF apps to the former ones. Sometimes it does it the right way, other times not, even when recognizing the same app... I don't understand the reason for that behaviour.
07-29-2025 03:04 AM - edited 07-29-2025 03:07 AM
I'm having the same problem. Based on the traffic log I can see sessions without any SD-WAN policy (an empty value in that field).
The traffic applications are more than one, such as ssl, quic or ms-office365-base, and the sessions carry KBs of traffic (so enough traffic passed through the firewall), with a session end reason of TCP-FIN.
How is that possible?
I have a catch-all SD-WAN policy at the bottom that MUST match ALL traffic.