>
    Strata Copilot
    Configure Hub Failover from Branch to Same SaaS Application Destination
    Focus
    Download PDF
    Focus
    1. Home
    2. SD-WAN
    3. Enable SD-WAN without Auto VPN
    4. Manage SD-WAN Link Failovers
    5. Monitor SaaS Applications Using SD-WAN
    6. Configure Hub Failover from Branch to Same SaaS Application Destination
    Download PDF
    SD-WAN

    Configure Hub Failover from Branch to Same SaaS Application Destination

    Table of Contents

    Configure Hub Failover from Branch to Same SaaS Application Destination

    Configure the SaaS application to failover to a hub firewall in the event if there are no healthy Direct Internet Access (DIA) links from the branch firewall.
    Where Can I Use This?What Do I Need?
    • NGFW
    If your organization is leveraging a SaaS application at a branch firewall location but the branch firewall has no healthy DIA links to swap to, you can configure the hub firewall as a failover alternative to maintain a healthy connection to your SaaS application.
    If the SaaS application DIA link health metric thresholds are exceeded and the branch firewall has no healthy DIA links available, the link is swapped to the next hub firewall for all new sessions. The existing session on the degraded DIA link is not swapped over to the hub firewall.
    For example, say your branch and hub firewalls are located in the same region and access a SaaS application using the same destination IP. You can configure the hub firewall to act as a failover in the event there are no healthy DIA links from the branch firewall to the SaaS application by configuring an identically named SaaS Quality profile on both the branch and hub firewalls to automatically failover to the hub firewall if no healthy DIA links are available from the branch firewall. This allows you to maintain a health path for your SaaS application and maintain accurate end-to-end SaaS application monitoring data without congesting your network bandwidth.
    1. Set up your SD-WAN deployment.
      1. Install the SD-WAN plugin.
      2. Set up Panorama and firewalls for SD-WAN.
      3. Add SD-WAN Devices to Panorama.
      4. (High availability configurations only) Configure SD-WAN devices in HA mode.
      5. Plan your topology for SD-WAN with Auto VPN.
    2. Define a link tag to group the SaaS application DIA links.
      Create multiple Link Tags for your DIA links in order to apply different SD-WAN monitoring settings for each SaaS application DIA link based on the link type.
      Additionally, you can create a single Link Tag for multiple DIA links to group the links into a single link bundle.
    3. Configure an SD-WAN interface profile to define the characteristics of your ISP connection and specify the speed of the DIA link, how frequently the branch firewall monitors the link, and select the Link Tag to specify to which link the SD-WAN Interface profile applies.
      If you created multiple Link Tags, you must configure an SD-WAN Interface profile for each Link Tag.
      If you created a link bundle by assigning multiple DIA links to a single Link Tag, specifying that link tag applies the SD-WAN Interface profile settings to all DIA links in the bundle.
    4. Configure a physical Ethernet interface for each SaaS application DIA link.
      All physical Ethernet interfaces for DIA links must be Layer3.
    5. Configure a virtual SD-WAN interface that groups all physical Ethernet interfaces for the SaaS application DIA links into a single interface group.
      The firewall virtual router uses this virtual SD-WAN interface to route SD-WAN traffic to a DIA location. The SD-WAN path health and Traffic Distribution profiles in the SD-WAN policy rule then determine which path to use and the order in which to consider new paths if a path health deteriorates.
    6. Create identically named SaaS quality profiles for both the hub and branch firewalls.
      Two identically named SaaS Quality profiles must be configured on the hub and branch firewalls to successfully leverage the hub firewall as an alternative failover. The easiest way to accomplish this is to create a single SaaS Quality profile in the Shared device group. Alternatively, you can create two SaaS Quality profiles with identical names in different device groups and push them to your hub and branch firewalls.
      1. Select ObjectsSD-WAN Link ManagementSaaS Quality Profile, and from the Device Group drop-down select Shared.
      2. Add a new SaaS Quality profile.
      3. Enter a descriptive Name for the SaaS Quality profile.
      4. Enable (check) Shared to make the SaaS Quality profile shared across all device groups.
        This is required to make the SaaS Quality profile available to all device groups your branch and hub firewalls belong to.
      5. Enable (check) Disable override to disable overriding the SaaS Quality profile configuration on the local firewall.
      6. Configure the SaaS Monitoring Mode using one of the following methods.
        • Configure the Static IP address for the SaaS application.
          Create a SaaS Quality profile per SaaS application. If a SaaS application has multiple IP addresses, configure a SaaS Quality profile with the multiple static IP addresses for that SaaS application.
          1. Select IP Address/ObjectStatic IP Address and Add an IP address.
          2. Enter the IP address of the SaaS application or select a configured address object.
          3. Enter the Probe Interval by which the branch firewall probes the SaaS application path for health information.
          4. Click OK to save your configuration changes.
        • Configure the fully qualified domain name (FQDN) for the SaaS application.
          1. Configure a FQDN address object for the SaaS application.
          2. Select IP Address/ObjectFQDN and Add the FQDN.
          3. Select the FQDN address object for the SaaS application.
          4. Enter the Probe Interval by which the branch firewall probes the SaaS application path for health information.
          5. Click OK to save your configuration changes.
        • Configure the URL for the SaaS application.
          URL monitoring is only supported for traffic over ports 80, 443, 8080, 8081, and 143.
          1. Select HTTP/HTTPS.
          2. Enter the Monitored URL of the SaaS application.
          3. Enter the Probe Interval by which the branch firewall probes the SaaS application path for health information.
          4. Click OK to save your configuration changes.
    7. Create a traffic distribution profile to specify the order the branch firewall swaps from DIA links to VPN links to the hub firewall in the event of link health degradation.
    8. Configure an SD-WAN policy rule to specify the SaaS application and link health metrics, and determine how the firewall selects the preferred link for the critical SaaS application traffic.
      In the Application tab, add the SaaS application you are monitoring to the SD-WAN policy rule to ensure the SaaS monitoring settings are applied only to the desired SaaS application.

    © 2026 Palo Alto Networks, Inc. All rights reserved.