Requirements for DIA traffic to fail over to an MPLS
link.
At an SD-WAN branch office, the firewall performs
split tunneling so that any applications having a public IP address
take the Direct Internet Access (DIA) interface to the internet,
and applications having private IP addresses that belong to the
hub take the VPN interface. Beginning with PAN-OS 9.1.2, the firewall
automatically fails over DIA applications to the MPLS private connection
to the hub when necessary, so that the traffic destined for the
internet takes an alternative path through the hub to reach the
internet. To allow this to work, you must do the following: