Learn about the Move Flows SLA action, which provides traffic management to maintain
application performance and enforce SLAs.
Where Can I Use This?
What Do I Need?
Prisma SD-WAN
Prisma SD-WAN license
Physical and virtual ION devices running software version 6.3.1 and later
Prisma SD-WAN measures application performance and enforces Application SLAs
(Service Level Agreements) through the Performance policy framework. Using link quality
metrics such as Latency, Loss, and Jitter, and application metrics like Application RTT
and Init Failure percentage, Prisma SD-WAN adjusts traffic paths to meet SLA
requirements.
The Move Flows action provides the traffic management that keeps applications within
their SLAs. In earlier releases, the action excluded SLA-violating paths for new flows,
left existing flows in place, and used both Link Quality Metrics and Application Metrics
unless the Move Flows field was empty, in which case Link Quality Metrics were ignored.
The action now offers two modes:
Move Flows Graceful moves existing flows and prevents new flows from using paths that
violate SLAs. If the Move Flows field is empty, the system ignores Link Quality Metrics
during path selection. With Application Performance SLAs, the system redirects only new
flows to a better path after a performance issue and keeps existing flows on their
current path for up to 10 minutes. With LQM SLAs, the system moves both new and existing
flows to an optimal path when performance degrades. In both cases it maintains
Application Path Affinity and detects performance issues within one minute, with probes
improving the accuracy of path adjustments.
Move Flows Forced moves existing flows from a nonperforming path to a better-performing
path, even when the move violates a NAT boundary. If no better path is available, the
NAT boundary is violated and the best available path is selected to move the flows.
Both Link Quality Metrics and Application/Probe metrics are evaluated. Keep in mind that
crossing a NAT boundary changes the source address the remote end sees, so a moved TCP
session may be reset and stateful filtering on the far side may re-evaluate it; that is
the trade-off the forced mode accepts in exchange for getting flows off a bad path.
The Move Flows Forced action supports path types such as Private Layer 2, Direct (Public
and Private), SD-WAN VPNs (Public and Private), and Third-Party VPNs (Public and
Private). It is triggered by the following events:
Layer 3 Unreachability Event: when the underlay for a path can't consistently
reach the internet.
LQM (Link Quality Metrics) SLA Violation Event: when link quality metrics
(latency, jitter, and packet loss) for a path, as measured by system LQM probes,
fail to meet the default or user-defined path SLAs.
App Unreachable Event: when an application on a path, targeting a specific
destination prefix and port, becomes unreachable.
Synthetic Probe SLA Violation Event: when link quality metrics (latency,
jitter, packet loss, RTT, initialization failure, and DNS-TRT) for a path, based on
user-defined probes, fail to meet the default or user-defined path SLAs.
Service Link Up or Down Event: when an IPSec or GRE tunnel to a third-party
service goes down or comes back up.
Flow Revalidation Event: when a flow is reevaluated after the active path in
the respective path group becomes reachable.
DC Core Reachability with Host Tracking: when the data center core peer goes
down, or a specific prefix becomes unreachable from the data center.
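The following is an added illustration of the path-selection logic described above, not code from Prisma SD-WAN or the ION software. It models a path's Link Quality Metrics (latency, jitter, loss) against SLA thresholds, treats Layer 3 unreachability as a violation, and implements the three behaviours the text describes: new flows never land on a violating path; Graceful keeps existing flows in place for Application SLAs but moves them for LQM SLAs; Forced moves existing flows to a better path, crossing a NAT boundary only when no compliant path exists on the same side of it, and falls back to the best available path when nothing meets the SLA. The `nat_domain` attribute, the tie-break order (loss, then latency, then jitter), the assumption that Graceful never crosses a NAT boundary, and the sample path metrics are all constructed for the example.

```python
"""Simplified model of the Move Flows Graceful / Forced path selection.

Added illustration, not ION software. SLA thresholds, path metrics, the
nat_domain attribute and the tie-break order are assumptions for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sla:
    """LQM thresholds; a path violates the SLA if any of them is exceeded."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass(frozen=True)
class Path:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    nat_domain: str            # assumed: different domains => a NAT boundary between them
    l3_reachable: bool = True  # False models a Layer 3 Unreachability event


@dataclass(frozen=True)
class Decision:
    """Minimal stand-in for a Flow Decision Data record."""
    path: str
    moved: bool
    reason: str


def violates_sla(p: Path, sla: Sla) -> bool:
    return (not p.l3_reachable
            or p.latency_ms > sla.max_latency_ms
            or p.jitter_ms > sla.max_jitter_ms
            or p.loss_pct > sla.max_loss_pct)


def quality_key(p: Path) -> Tuple[bool, float, float, float]:
    # Lower sorts first: reachable paths, then loss, latency, jitter (assumed order)
    return (not p.l3_reachable, p.loss_pct, p.latency_ms, p.jitter_ms)


def select_new_flow_path(paths: List[Path], sla: Sla) -> Optional[Path]:
    """New flows are never placed on an SLA-violating path (both modes)."""
    compliant = [p for p in paths if not violates_sla(p, sla)]
    return min(compliant, key=quality_key) if compliant else None


def move_flows_graceful(current: Path, paths: List[Path], sla: Sla, sla_kind: str) -> Decision:
    """sla_kind is 'app' or 'lqm'. App-SLA violations keep existing flows where they
    are; LQM-SLA violations move them, but (assumed) never across a NAT boundary."""
    if not violates_sla(current, sla):
        return Decision(current.name, False, "current path meets SLA")
    if sla_kind == "app":
        return Decision(current.name, False, "app SLA violated; existing flow kept on current path")
    same_side = [p for p in paths if p.nat_domain == current.nat_domain]
    best = select_new_flow_path(same_side, sla)
    if best is None or best.name == current.name:
        return Decision(current.name, False, "LQM SLA violated; no compliant path without crossing NAT")
    return Decision(best.name, True, "LQM SLA violated; moved within NAT domain")


def move_flows_forced(current: Path, paths: List[Path], sla: Sla) -> Decision:
    """Move existing flows off a violating path; cross a NAT boundary only if
    that is the only way to reach a compliant path; else take the best available."""
    if not violates_sla(current, sla):
        return Decision(current.name, False, "current path meets SLA")
    others = [p for p in paths if p.name != current.name]
    compliant = [p for p in others if not violates_sla(p, sla)]
    same_side = [p for p in compliant if p.nat_domain == current.nat_domain]
    if same_side:
        return Decision(min(same_side, key=quality_key).name, True, "forced move within NAT domain")
    if compliant:
        return Decision(min(compliant, key=quality_key).name, True, "forced move; NAT boundary violated")
    best = min(paths, key=quality_key)  # nothing meets the SLA: best available path
    return Decision(best.name, best.name != current.name, "no compliant path; best available selected")


if __name__ == "__main__":
    # Constructed sample: the active direct path breaches latency, the private path is down
    sla = Sla(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=2.0)
    active = Path("direct-internet-a", 220, 12, 0.5, "nat-a")
    backup = Path("direct-internet-b", 90, 8, 0.2, "nat-b")
    mpls = Path("private-mpls", 60, 5, 0.0, "nat-a", l3_reachable=False)
    print(select_new_flow_path([active, backup, mpls], sla))
    print(move_flows_graceful(active, [active, backup, mpls], sla, "app"))
    print(move_flows_forced(active, [active, backup, mpls], sla))
```

Run it as a script to see a new flow pinned to the compliant backup, the Graceful app-SLA case leaving the existing flow in place, and the Forced case crossing the NAT boundary because the only same-side alternative is unreachable. Swap `l3_reachable=True` onto the private path and Forced moves within the NAT domain instead.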
The following table outlines the expected behavior of the Move Flows Forced action
across network path scenarios, covering combinations of active and backup paths that
include Direct Internet, Direct Private, Public and Private VPN, Standard VPN, and
enterprise VPN configurations. In every case the system applies the Move Flows Forced
action and monitors path performance using LQM and Probes as the SLA criteria. TCP,
ICMP, and UDP traffic is allowed to move on all path combinations; on Standard VPN and
enterprise VPN paths, enterprise traffic is allowed to move as well.
App: Internet

Active Path               | Backup Path            | Action            | SLA Criteria | Expected Behavior
--------------------------|------------------------|-------------------|--------------|-----------------------------------
Direct Internet           | Direct Internet        | Move Flows Forced | LQM, Probes  | Allowed: TCP/ICMP/UDP
Direct Private            | Direct Private         | Move Flows Forced | LQM, Probes  | Allowed: TCP/ICMP/UDP
Direct Public and Private | Public and Private VPN | Move Flows Forced | LQM, Probes  | Allowed: TCP/ICMP/UDP
Direct Public             | Standard VPN           | Move Flows Forced | LQM, Probes  | Allowed: TCP/ICMP/UDP
Standard VPN to SEP1      | Standard VPN to SEP1   | Move Flows Forced | LQM, Probes  | Allowed: TCP/ICMP/UDP
Standard VPN to SEP1      | Standard VPN to SEP2   | Move Flows Forced | LQM, Probes  | Allowed: TCP/ICMP/UDP
Standard VPN              | VPN                    | Move Flows Forced | LQM, Probes  | Allowed: TCP/ICMP/UDP + Enterprise
VPN1 to DC1               | VPN1 to DC2            | Move Flows Forced | LQM, Probes  | Allowed: TCP/ICMP/UDP + Enterprise
VPN1 to DC1               | VPN2 to DC2            | Move Flows Forced | LQM, Probes  | Allowed: TCP/ICMP/UDP + Enterprise
The Flow Decision Data indicates whether a flow was forcibly moved by any of the above
events.