SD-WAN Administration
  • SD-WAN Administration
  • SD-WAN Documentation
  • All Documentation
>
PAN-OS & Panorama
Focus
Download PDF
Focus
  1. Home
  2. SD-WAN
  3. Enable SD-WAN without Auto VPN
  4. Manage SD-WAN Link Failovers
  5. Monitor SaaS Applications Using SD-WAN
  6. Monitor SaaS Applications with SaaS Quality Profile
  7. PAN-OS & Panorama
Download PDF
SD-WAN

PAN-OS & Panorama

Table of Contents

PAN-OS & Panorama

In PAN-OS, configure a Software-as-a-Service (SaaS) quality profile to specify a SaaS application for a hub firewall with a Direct Internet Access (DIA) link.
  1. Log in to the Panorama web interface.
  2. Select ObjectsSD-WAN Link ManagementSaaS Quality Profile and specify the Device Group containing your SD-WAN configuration.
  3. Add a new SaaS quality profile.
  4. Enter a descriptive Name for the SaaS Quality profile.
  5. (Optional) Enable (check) Shared to make the SaaS Quality profile shared across all device groups.
  6. (Optional) Enable (check) Disable override to disable overriding the SaaS Quality profile configuration on the local firewall.
    Disable override can only be enabled if Shared is disabled in the previous step.
  7. Configure the SaaS Monitoring Mode.
    • Automatically monitor the SaaS application path health.
      Enabled by default, Adaptive monitoring allows the branch firewall to passively monitor the SaaS application session for send and receive activity to determine if the path quality thresholds have been exceeded. The SaaS application path health quality is automatically determined without any additional health checks on the SD-WAN interface.
      Adaptive SaaS monitoring is supported only for TCP SaaS applications.
    • Configure the Static IP address for the SaaS application.
      Create a SaaS Quality profile per critical SaaS application that you need monitored. If a SaaS application has multiple IP addresses, configure a SaaS Quality profile with the multiple static IP addresses for that SaaS application.
      SaaS monitoring is resource-intensive and may impact firewall performance if monitoring a large number of SaaS applications. It is a best practice to only monitor those business-critical SaaS applications that need good usability.
      1. Select IP Address/ObjectStatic IP Address and Add an IP address.
      2. Enter the IP address of the SaaS application or select a configured address object.
      3. Enter the Probe Interval by which the branch firewall probes the SaaS application path for health information.
      4. Click OK to save your configuration changes.
    • Configure the fully qualified domain name (FQDN) for the SaaS application.
      1. Configure a FQDN address object for the SaaS application.
      2. Select IP Address/ObjectFQDN and Add the FQDN.
      3. Select the FQDN address object for the SaaS application.
      4. Enter the Probe Interval by which the branch firewall probes the SaaS application path for health information.
      5. Click OK to save your configuration changes.
    • Configure the URL for the SaaS application.
      URL monitoring is only supported for traffic over ports 80, 443, 8080, 8081, and 143.
      1. Select HTTP/HTTPS.
      2. Enter the Monitored URL of the SaaS application.
      3. Enter the Probe Interval by which the branch firewall probes the SaaS application path for health information.
        The minimum probe interval supported for a SaaS application HTTP/HTTPS is 3 seconds.
      4. Click OK to save your configuration changes.
  8. Select Commit and Commit and Push your configuration changes.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.