Network > Network Profiles > SD-WAN Interface Profile

Create an SD-WAN Interface Profile to group physical links by Link Tag and to control the speed of links and how frequently the firewall monitors those links.
SD-WAN Interface Profile
Enter the
of the SD-WAN Interface Profile using a maximum of 31 alphanumeric characters. The name must begin with an alphanumeric character and can contain letters, numbers, underscores (_), hyphens (-), periods (.), and spaces.
Link Tag
Select the
Link Tag
that this profile will assign to the interface or
a new tag. A link tag bundles physical links (different ISPs) for the firewall to select from during path selection and failover.
Enter a user-friendly description of the profile.
Link Type
Select the physical link type from the predefined list (
Cable Modem
, or
). The firewall can support any CPE device that terminates and hands off as an Ethernet connection to the firewall. For example, Wi-Fi access points, Long-Term Evolution (LTE) modems, and laser-microwave customer-premises equipment (CPEs) all can terminate with an Ethernet hand-off.
VPN Data Tunnel Support
PAN-OS 9.1.2 and later 9.1 releases
) Determines whether the branch-to-hub traffic and return traffic flows through a VPN tunnel for added security (enabled by default) or flows outside of the VPN tunnel to avoid encryption overhead.
  • Leave
    VPN Data Tunnel Support
    enabled for public link types that have direct internet connections or internet breakout capability, such as cable modem, ADSL, and other internet connections.
  • You can disable
    VPN Data Tunnel Support
    for private link types such as MPLS, satellite, or microwave that do not have internet breakout capability. However, you must first ensure the traffic cannot be intercepted because it will be sent outside of the VPN tunnel.
  • The branch many have DIA traffic that needs to fail over to the private MPLS link connecting to the hub, and reach the internet from the hub. The
    VPN Data Tunnel Support
    setting determines whether the private data flows through the VPN tunnel or flows outside the tunnel, and the failed over traffic uses the other connection (that the private data flow doesn’t use). The firewall uses zones to segment DIA failover traffic from private MPLS traffic.
Maximum Download (Mbps)
Enter the maximum download speed from the ISP in megabits per second (range is 1 to 100,000; there is no default value). Ask your ISP for the link speed or sample the maximum speeds for the link using a tool such as and take an average of the maximums over an appropriate length of time.
Maximum Upload (Mbps)
Enter the maximum upload speed from the ISP in Mbps (range is 1 to 100,000; there is no default value). Ask your ISP for the link speed or sample the maximum speeds for the link using a tool such as and take an average of the maximums over an appropriate length of time.
Path Monitoring
Select the path monitoring mode in which the firewall monitors the interfaces where you apply this SD-WAN Interface Profile.
  • Aggressive
    (default for all link types except LTE and Satellite)—Firewall sends probe packets to the opposite end of the SD-WAN link at a constant frequency.
    Use Aggressive mode if you need fast detection and failover for brownout and blackout conditions.
  • Relaxed
    (default for LTE and Satellite link types)—Firewall waits for a number of seconds (the
    Probe Idle Time
    ) between sending sets of probe packets, which means path monitoring occurs less frequently. When the Probe Idle Time expires, the firewall sends probes for seven seconds at the
    Probe Frequency
    Use Relaxed mode when you have low bandwidth links, links that charge by usage (such as LTE), or when fast detection isn’t as important as preserving cost and bandwidth.
Probe Frequency (per second)
Enter the probe frequency, which is the number of times per second that the firewall sends a probe packet to the opposite end of the SD-WAN link (range is 1 to 5; default is 5).
Probe Idle Time (seconds)
If you select
path monitoring, you can set the probe idle time (in seconds) that the firewall waits between sets of probe packets (range is 1 to 60; default is 60).
Failback Hold Time (seconds)
Enter the length of time (in seconds) that the firewall waits for a recovered link to remain qualified before the firewall reinstates that link as the preferred link after it has failed over (range is 20 to 120; default is 120). The failback hold time prevents a recovered link from being reinstated as the preferred link too quickly and having it fail again right away.

Recommended For You