Where Can I Use This?
- NGFW (Managed by PAN-OS or Panorama)
- NGFW (Managed by Strata Cloud Manager)
SD-WAN Traffic Distribution Profiles are a crucial component in optimizing application performance across your SD-WAN deployment. These profiles enable you to define path selection strategies for your network traffic, ensuring that critical business applications receive the best possible service quality. A Traffic Distribution Profile determines how the firewall selects paths for session load distribution and failover when path quality deteriorates for an application. This profile works with SD-WAN policy rules to provide granular control over traffic routing decisions.

When traffic matches an SD-WAN policy rule, the firewall uses the associated Traffic Distribution Profile to determine how to distribute the traffic across available links. The profile's distribution method, combined with real-time path quality measurements, guides the firewall in selecting the optimal path for each session. For example, in a top-down priority configuration, the firewall first attempts to use links associated with the topmost Link Tag in the list. If those links don't meet the quality thresholds defined in the Path Quality Profile, it moves to the next Link Tag in the list, continuing until it finds a qualified link.
Based on your SD-WAN configuration plan, create the SD-WAN traffic distribution profiles you need, according to how you want the applications in your SD-WAN policy rules to be session loaded and to fail over.
PAN-OS & Panorama
In PAN-OS, create a Traffic Distribution profile to distribute sessions and to fail over to a better path when path quality deteriorates.
Log in to the Panorama Web Interface.
Ensure you already configured the Link Tags in an SD-WAN interface profile and committed and pushed them. The Link Tags must be pushed to your hubs and branches in order for Panorama™ to successfully associate the Link Tags you specify in this Traffic Distribution profile to an SD-WAN interface profile.
Select a Device Group.
Create a Traffic Distribution profile.
Select .
Add a Traffic Distribution profile by Name using a maximum of 31 alphanumeric characters.
Select Shared only if you want to use this traffic distribution profile across all Device Groups (both hubs and branches).
Select one traffic distribution method and add a maximum of four Link Tags that use this method for this profile.
- Best Available Path—Add one or more Link Tags. During the initial packet exchanges, before App-ID has classified the application in the packet, the firewall uses the path in the tag that has the best health metrics (based on the order of tags). After the firewall identifies the application, it compares the health (path quality) of the path it was using to the health of the first path (interface) in the first Link Tag. If the original path's health is better, it remains the selected path; otherwise, the firewall replaces the original path. The firewall repeats this process until it has evaluated all the paths in the Link Tag. The final path is the path the firewall selects when a packet arrives that meets the match criteria.
  When a link becomes unqualified and must fail over to the next best path, the firewall can migrate a maximum of 1,000 sessions per minute from the unqualified link to the next best path. For example, suppose tunnel.901 has 3,000 sessions; 2,000 of those sessions match SD-WAN policy rule A and 1,000 sessions match SD-WAN policy rule B (both rules have a traffic distribution policy configured with Best Available Path). If tunnel.901 becomes unqualified, it takes three minutes to migrate the 3,000 sessions from the unqualified link to the next best path.
- Top Down Priority—Add one or more Link Tags. The firewall distributes new sessions (that meet the match criteria) to links using the top-to-bottom order of the Link Tags you added. The firewall examines the first tag configured for this profile, and examines the paths that use that tag, selecting the first path it finds that is qualified (that is, at or below the Path Quality thresholds for this rule). If no qualified path is found from that Link Tag, the firewall examines the paths that use the next Link Tag. If the firewall finds no path after examining all paths in all of the Link Tags, the firewall uses the Best Available Path method. The first path selected is the preferred path until one of the Path Quality thresholds for that path is exceeded, at which point the firewall again starts at the top of the Link Tag list to find the new preferred path.
  If you have only one link at the hub, that link supports all of the virtual interfaces and DIA traffic. If you want to use the link types in a specific order, you must apply a Traffic Distribution profile to the hub that specifies Top Down Priority, and then order the Link Tags to specify the preferred order. If you apply a Traffic Distribution profile that instead specifies Best Available Path, the firewall will use the link, regardless of cost, to choose the best performing path to the branch. In summary, Link Tags in a Traffic Distribution profile, the Link Tag applied to a hub virtual interface, and a VPN Failover Metric in an SD-WAN Interface Profile work only when the Traffic Distribution profile specifies Top Down Priority.
- Weighted Session Distribution—Add one or more Link Tags and then enter the Weight percentage for each Link Tag so that the weights total 100%. The firewall performs session load distribution between Link Tags until their percentage maximums are reached. If there is more than one path in the Link Tag, the firewall distributes equally using round-robin until the path health metrics are reached, and then distributes sessions to the other member(s) that are not at the limit.
If multiple physical interfaces have the same tag, the firewall distributes matching sessions evenly among them. If all paths fail a health (path quality) threshold, the firewall selects the path that has the best health statistics. If no SD-WAN links are available (perhaps due to a blackout), the firewall uses static or dynamic routing to route the matching packets.
If a packet is routed to a virtual SD-WAN interface, but the firewall cannot find a preferred path for the session based on the SD-WAN policy's Traffic Distribution profile, the firewall implicitly uses the Best Available Path method to find the preferred path. The firewall distributes any application sessions that don't match an SD-WAN policy rule based on the firewall's implicit, final rule, which distributes the sessions in round-robin order among all available links, regardless of the Traffic Distribution profile.
If you prefer to control how the firewall distributes unmatched sessions, create a final catch-all rule to distribute unmatched sessions to specific links in the order you specify.
(Optional) After adding Link Tags, use the Move Up or Move Down arrows to change the order of tags in the list, so they reflect the order in which you want the firewall to use links for this profile and for the selected applications in the SD-WAN policy rule.
Click OK.
Commit and then Commit and Push your configuration changes.
Commit your changes.
Strata Cloud Manager
In Strata Cloud Manager, create a Traffic Distribution profile to distribute sessions and to fail over to a better path when path quality deteriorates.
Log in to Strata Cloud Manager.
Select and in the Overview, select the branch folder for which you want to create your SD-WAN Link Management profiles.
To make the Error Correction profile available to all SD-WAN firewalls regardless of folder association, select All Firewalls.
Create a Traffic Distribution profile.
The Traffic Distribution profile specifies how the firewall selects paths for session load distribution and for path failover when the firewall detects a brownout, blackout, or path deterioration for an application. Before you can configure a Traffic Distribution profile, you must create all your link tags so the firewall can know which paths to fail over to.
Select .
Add Profile.
Enter a descriptive Name.
Select the Traffic Distribution method the firewall uses to determine which path to fail over to. Only a single Traffic Distribution method is supported for a Traffic Distribution profile.
- Best Available Path—Select this method if cost isn't a factor and you allow applications to use any path out of the branch. The firewall uses the predefined Path Quality metrics to distribute traffic and to fail over to one of the links belonging to a Link Tag in the list, thus providing the best application experience to users.
- Top Down Priority—Select this method if you have expensive or low-capacity links that you want used only as a last resort or as a backup link. When using this method, order your Link Tags so that the paths you want used as a last resort are at the bottom of the Link Tag list. The firewall uses the top Link Tag in the list first to determine the links on which to session load traffic and on which to fail over. If none of the links in the top Link Tag are qualified based on the predefined Path Quality profile, the firewall selects a link from the second Link Tag in the list. If none of the links in the second Link Tag are qualified, the process continues as necessary until the firewall finds a qualified link in the last Link Tag. If all associated links are overloaded and no link meets quality thresholds, the firewall uses the Best Available Path method to select a link on which to forward traffic. At the start of a failover event, the firewall starts at the top of the Top-Down Priority list of Link Tags to find a link to which it fails over.
- Weighted Session Distribution—Select this method if you want to manually load traffic (that matches the rule) onto your ISP and WAN links and you don't require failover during brownout conditions. You manually specify the link load when you apply a static percentage of new sessions that the interfaces grouped with a single Link Tag will get. The firewall distributes new sessions using round-robin among the links having the specified Link Tags, until the link assigned the lowest percentage reaches that percentage of sessions. The firewall then uses one or more remaining links in the same manner. You might select this method for applications that aren't sensitive to latency and that require much of the link's bandwidth capacity, such as large branch backups and large file transfers.
Add Link Tags.
When adding and ordering your Link Tags, be sure to consider the Traffic Distribution method you selected to ensure the firewall selects the appropriate path.
Save.
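As an added illustration (not Palo Alto Networks code and not part of this page), the following Python models the three Traffic Distribution methods described in both the PAN-OS and Strata Cloud Manager sections, plus the 1,000-sessions-per-minute failover migration rate from the Best Available Path note. The interface names, Link Tags, latency figures and thresholds are constructed assumptions, and a single latency metric stands in for the Path Quality Profile.

```python
# Added illustration (not Palo Alto Networks code) of the three Traffic
# Distribution methods this page describes. Path names, tags and latency
# values are constructed; one latency metric stands in for Path Quality.
from dataclasses import dataclass
from itertools import cycle

MIGRATION_RATE = 1000  # sessions per minute the page states for failover

@dataclass
class Path:
    name: str
    tag: str
    latency_ms: int   # measured path health (constructed)
    sessions: int = 0

def sample_paths():
    # Constructed: two ISP paths, one MPLS tunnel, one LTE backup
    return [Path("ethernet1/1", "isp", 80), Path("ethernet1/2", "isp", 95),
            Path("tunnel.901", "mpls", 150), Path("ethernet1/3", "lte", 120)]

def best_available_path(paths, tags):
    # Best Available Path: healthiest path carrying any of the listed tags
    cands = [p for p in paths if p.tag in tags]
    return min(cands, key=lambda p: p.latency_ms) if cands else None

def top_down_priority(paths, tags, threshold_ms):
    # First qualified path in Link Tag order; if none at all, Best Available Path
    for tag in tags:
        for p in paths:
            if p.tag == tag and p.latency_ms <= threshold_ms:  # qualified
                return p
    return best_available_path(paths, tags)

def weighted_session_distribution(paths, weights, n_sessions):
    # Round-robin across tags (and across a tag's members) until a tag
    # reaches its share of new sessions, then fill the tags with room left
    cap = {t: n_sessions * w // 100 for t, w in weights.items()}  # weights sum to 100
    count, order = {t: 0 for t in weights}, cycle(weights)
    for _ in range(sum(cap.values())):
        tag = next(t for t in order if count[t] < cap[t])
        member = min((p for p in paths if p.tag == tag), key=lambda p: p.sessions)
        member.sessions += 1
        count[tag] += 1
    return {p.name: p.sessions for p in paths}

def failover_minutes(sessions_on_link):
    # Whole minutes needed to migrate every session off an unqualified link
    return (sessions_on_link + MIGRATION_RATE - 1) // MIGRATION_RATE
```

Running `top_down_priority(sample_paths(), ["mpls", "lte"], 100)` shows the fallback: neither tag has a qualified path at a 100 ms threshold, so the Best Available Path rule picks the LTE interface.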