>
    Strata Copilot
    Define Your Application-based Traffic Steering Policies
    Focus
    Download PDF
    Focus
    1. Home
    2. SD-WAN
    3. SD-WAN Traffic Steering Using Policy Rules
    4. Define Your Application-based Traffic Steering Policies
    Download PDF
    SD-WAN

    Define Your Application-based Traffic Steering Policies

    Table of Contents

    Define Your Application-based Traffic Steering Policies

    Configure an SD-WAN policy rule to determine how the firewall selects a path for session load and for when the health of the preferred path deteriorates.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by PAN-OS or Panorama)
    • NGFW (Managed by Strata Cloud Manager)
    An SD-WAN policy rule specifies application(s) and/or service(s) and a traffic distribution profile to determine how the firewall selects the preferred path for an incoming packet that doesn’t belong to an existing session and that matches all other criteria, such as source and destination zones, source and destination IP addresses, and source user. The SD-WAN policy rule also specifies a path quality profile of thresholds for latency, jitter, and packet loss. When one of the thresholds is exceeded, the firewall selects a new path for the application(s) and/or service(s).
    When monitoring your SD-WAN traffic, traffic originating from a source behind the hub device is evaluated against the SD-WAN policies pushed to the hub device as it enters the hub device, and because the path selection decision has already been made, the branch device does not evaluate the traffic against its SD-WAN policies as it passes through the branch device to the final target device. Conversely, traffic originating from a source behind the branch device is evaluated against the SD-WAN policies pushed to the branch device and not by hub device. The logs from both the hub and branch are aggregated, and for the same traffic, two session entries are displayed but only the SD-WAN device that originally evaluated the traffic contains the SD-WAN details.

    PAN-OS & Panorama

    Configure an SD-WAN policy rule in PAN-OS.
    1. Log in to the Panorama Web Interface.
    2. Select PoliciesSD-WAN and select the appropriate device group from the Device Group context drop-down.
    3. Add an SD-WAN policy rule.
    4. On the General tab, enter a descriptive Name for the rule.
    5. On the Source tab, configure the source parameters of the policy rule.
      1. Add the Source Zone or select Any source zone
      2. Add one or more source addresses, set an external dynamic list (EDL), or select Any Source Address.
      3. Add one or more source users or select any Source User.
    6. On the Destination tab, configure the destination parameters of the policy rule.
      1. Add the Destination Zone or select Any destination zone.
      2. Add one or more destination addresses, set an EDL, or select Any Destination Address.
    7. On the Application/Service tab, attach your SD-WAN Link Management profiles and specify your applications and services.
      (SD-WAN plugin 2.0 and later versions) PAN-OS 10.0.2 supports associating only a SaaS Quality Profile or an Error Correction but not both. If you associate one of these profiles with an SD-WAN policy rule, you cannot associate the other.
      For example, if you associate a SaaS Quality profile with an SD-WAN policy rule, you are unable to associate an Error Correction profile with the same SD-WAN policy rule.
      1. Select the Path Quality or define your custom SD-WAN application thresholds (using path quality profiles).
      2. (SD-WAN plugin 2.0 and later versions) Select the SaaS Quality Profile or create a SaaS quality profile if the branch firewall has a Direct Internet Access (DIA) link to a SaaS application. The default is None (disabled).
      3. (SD-WAN plugin 2.0 and later versions) Select the Error Correction Profile or create an error correction profile to apply forward error correction (FEC) or packet duplication to the applications that match the SD-WAN policy rule. The default is None (disabled).
      4. Add Applications and select one or more applications from the list or select Any applications. All applications you select are subject to the health thresholds specified in the Path Quality profile you selected. If a packet matches one of these applications and that application exceeds one of the health thresholds in the Path Quality profile (and the packet matches the remaining rule criteria), the firewall selects a new preferred path.
        Add only business-critical applications and applications that are sensitive to path conditions for their usability.
        (SD-WAN plugin 2.0 and later versions) If you associate a SaaS Quality Profile in Adaptive mode with the SD-WAN policy, add the specific SaaS applications you want to monitor. Using adaptive monitoring for all applications that match the SD-WAN policy rule may impact the performance of the SD-WAN firewall.
        (SD-WAN plugin 2.0 and later versions) If you associate a SaaS Quality Profile with a specified SaaS application, add the SaaS application to the SD-WAN rule to ensure the SaaS monitoring settings are applied only to the desired SaaS application.
      5. Add Services and select one or more services from the list or select Any services. All services you select are subject to the health thresholds specified in the Path Quality profile you selected. If a packet matches one of these services and that service exceeds one of the health thresholds in the Path Quality profile (and the packet matches the remaining rule criteria), the firewall selects a new preferred path.
        Add only business-critical services and services that are sensitive to path conditions for their usability.
    8. On the Path Selection tab, select a Traffic Distribution profile or create a traffic distribution profile. When an incoming packet (unassociated with a session) matches all the match criteria in the rule, the firewall uses this Traffic Distribution profile to select a new preferred path.
    9. On the Target tab, use one of the following methods to specify the target firewalls in the device group to which Panorama pushes the SD-WAN policy rule:
      • Select Any (target to all devices) (the default) to push the rule to all devices. Alternatively, select Devices or Tags to specify the devices to which Panorama pushes the SD-WAN policy rule.
      • On the Devices tab, select one or more filters to restrict the selections that appear in the Name field; then select one or more devices to which Panorama pushes the rule, as in this example:
      • On the Tags tab, Add one or more Tags and select the tag(s) to specify that Panorama push the rule to devices that are tagged with the selected tags, as in this example:
      • If you specified Devices or Tags, you can select Target to all but these specified devices and tags to have Panorama push the SD-WAN policy rule to all devices except for the specified devices or tagged devices.
    10. Click OK.
    11. Commit and Commit and Push your configuration changes.
      In an SD-WAN policy rule, you also specify the devices to which you want Panorama to push the rule.
    12. (Best Practice) Create a catch-all SD-WAN policy rule to distribute unmatched sessions so that you can control which links any unmatched sessions use and view unmatched sessions in logging and reports in the SD-WAN plugin.
      If you don’t create a catch-all rule to distribute unmatched sessions, the firewall distributes them in round-robin order among all available links because there is no traffic distribution profile for unmatched sessions. Round-robin distribution of unmatched sessions can increase your costs unexpectedly and result in loss of application visibility.
    13. After configuring your SD-WAN policy rules, Create a Security Policy Rule to allow traffic (for example, bgp as an Application) from branches to the internet, from branches to hubs, and from hubs to branches.
    14. (Optional) Configure QoS for critical applications.
      If the SD-WAN applications need guaranteed bandwidth capacities or if you do not want other applications taking bandwidth from critical business applications, create QoS rules to control the bandwidth properly.
    15. To automatically set up BGP routing between VPN cluster members, in the SD-WAN plugin, Configure BGP routing between branches and hubs to dynamically route traffic that will be subject to the SD-WAN failover and load sharing.
      Alternatively, if you want to manually configure BGP routing on each firewall or use a separate Panorama template to configure BGP routing (for more control), leave the BGP information in the plugin blank. Instead, configure BGP routing.
    16. Configure NAT for public-facing virtual SD-WAN interfaces.

    Strata Cloud Manager

    Configure an SD-WAN policy rule in Strata Cloud Manager.
    An SD-WAN policy rule specifies applications and services, and a traffic distribution profile to determine how the firewall selects the preferred path for an incoming packet that doesn’t belong to an existing session and that matches all other criteria, such as source and destination zones, source and destination IP addresses, and source user. The SD-WAN policy rule also specifies a path quality profile of thresholds for latency, jitter, and packet loss. When one of the thresholds is exceeded, the firewall selects a new path for one or more applications, services, or both.
    1. Log in to Strata Cloud Manager.
    2. Create SD-WAN link management profiles.
    3. Select ConfigurationNGFW and Prisma AccessNetwork PoliciesSD-WAN Policy and select the branch folder for which you want to create the SD-WAN policy rule.
    4. Add Rule and select whether to create a Pre Rule or Post Rules.
      A pre-rule is a policy rule that always comes before any policy rules configured locally on the firewall. A post-rule is a policy rule that always comes after any policy rules configured locally on the firewall.
    5. Configure the policy rule Source match criteria.
      If you’re adding a zone, Select one or more of the predefined zones you created when setting up SD-WAN.
      Additionally, you can configure any Addresses or Users as needed.
    6. Configure the policy rule Destination match criteria.
      If you’re adding a zone, Select one or more of the predefined zones you created when setting up SD-WAN.
      Additionally, you can configure any Addresses or Users as needed.
    7. Configure the Application/Service to specify which applications or services the SD-WAN policy rule applies to and to associate your link Management Profiles.
      1. For Application, select Any or Select applications, application groups, or application filters.
      2. For Service, select Application Default, Any or Select any custom services you’ve configured.
      3. Select a predefined Path Quality Profile to specify the latency, jitter, and packet loss parameters indicate path health.
      4. (Optional) Select a SaaS Quality Profile you created when you created your SD-WAN link Management Profiles to specifies how software-as-a-service applications are monitored if your branch firewall has a Direct internet Access (DIA) link to a SaaS application.
    8. Configure the corrective Action the firewall takes when a link health is degraded and failover is required.
      1. Select a Traffic Distribution Profile to specify how the firewall selects paths for session load distribution and for path failover when the firewall detects a brownout, blackout, or path deterioration for an application.
      2. Select an Error Correction Profile to specify the corrective action the firewall takes when certain data transmission errors occur over noisy communication lines to improve data reliability without requiring retransmission or Packet Duplication to duplicate application sessions from one tunnel to another.
    9. Save.
    10. Push Config to push your configuration changes.

    © 2026 Palo Alto Networks, Inc. All rights reserved.