: Allow Direct Internet Access Traffic Failover to MPLS Link
Focus
Focus

Allow Direct Internet Access Traffic Failover to MPLS Link

Table of Contents

Allow Direct Internet Access Traffic Failover to MPLS Link

Requirements for DIA traffic to fail over to an MPLS link.
At an SD-WAN branch office, the firewall performs split tunneling so that any applications having a public IP address take the Direct Internet Access (DIA) interface to the internet, and applications having private IP addresses that belong to the hub take the VPN interface. Beginning with PAN-OS 9.1.2, the firewall automatically fails over DIA applications to the MPLS private connection to the hub when necessary, so that the traffic destined for the internet takes an alternative path through the hub to reach the internet. To allow this to work, you must do the following:
  1. Create an MPLS link between your branch and hub. When you create the SD-WAN Interface profile, the link type must be MPLS for both the hub and branch.
  2. (PAN-OS 9.1.2 and later 9.1 releases) If you want the private traffic to go through the VPN tunnel, enable VPN Data Tunnel Support in the SD-WAN Interface profile. If you disable VPN Data Tunnel Support, the private data will go outside of the VPN tunnel.
  3. Configure an SD-WAN Policy Rule for specific applications, Create a Path Quality Profile, and Create a Traffic Distribution Profile that specifies the Top Down Priority method. The Traffic Distribution profile must also specify an MPLS link as one of the failover options (identified by a tag). Verify that the applications in the SD-WAN policy rule reference the correct Path Quality and Traffic Distribution profiles, and that the Traffic Distribution profile specifies Top Down Priority.
    After the VPN Data Tunnel Support is enabled on both the hub and branch and the MPLS link is operational, the firewall automatically uses the MPLS connection to fail over DIA traffic when necessary.
  4. In the hub configuration, ensure the hub has a path to the internet and routing is properly set up for the hub traffic to reach the internet.
    The firewall uses the DIA virtual interface and the VPN virtual interface to ensure that the public internet traffic is kept separate from your private traffic in the same path; that is, the internet traffic and private traffic do not go through the same VPN tunnel. Full segmentation with proper zoning is in full effect.