Move Flows

Learn about the Move Flows SLA action which provides traffic management to maintain application performance and enforces SLAs.
Where Can I Use This?
  • Prisma SD-WAN
What Do I Need?
  • Prisma SD-WAN license
  • Physical and virtual ION devices running software version 6.3.1 and higher
Prisma SD-WAN measures application performance and enforces Application SLAs (Service Level Agreements) through the Performance policy framework. Using link quality metrics such as Latency, Loss, and Jitter, and application metrics like Application RTT and Init Failure percentage, Prisma SD-WAN adjusts traffic paths to meet SLA requirements.
The Move Flows action provides traffic management to maintain application performance and enforce SLAs. Previously, this action excluded SLA-violating paths for new flows, preserved existing flows, and evaluated both Link Quality Metrics and Application Metrics, unless the Move Flows field was left empty, in which case Link Quality Metrics were ignored. The functionality now offers greater flexibility with two modes:
  • Move Flows Graceful moves existing flows while excluding new flows from using paths that violate SLAs. If Move Flows is empty, the system ignores Link Quality Metrics during path selection. With Application Performance SLAs, the system redirects only new flows to a better path after a performance issue, keeping existing flows on their current path for up to 10 minutes. In contrast, with LQM SLAs, the system moves both new and existing flows to an optimal path when performance degrades. It always maintains Application Path Affinity and detects performance issues within one minute, with probes improving accuracy in path adjustments.
  • Move Flows Forced ensures that existing flows shift from a nonperforming path to a better-performing path, regardless of any NAT boundary violation. However, if no better path is available, the NAT boundary is violated, and the best available path is selected to move the flows. This includes both Link Quality metrics and Application/Probe metrics.
The Move Flows Forced action supports path types such as Private Layer 2, Direct (Public and Private), SD-WAN VPNs (Public and Private), and Third-Party VPNs (Public and Private). It is triggered by the following events and their respective causes:
  • Layer 3 Unreachability Event: when the underlay for a path can't consistently reach the internet.
  • LQM (Link Quality Metrics) SLA Violation Event: when link quality metrics (latency, jitter, and packet loss) for a path, as measured by system LQM probes, fail to meet the default or user-defined path SLAs.
  • App Unreachable Event: when an application on a path, targeting a specific destination prefix and port, becomes unreachable.
  • Synthetic Probe SLA Violation Event: when link quality metrics (latency, jitter, packet loss, RTT, initialization failure, and DNS-TRT) for a path, based on user-defined probes, fail to meet the default or user-defined path SLAs.
  • Service Link Up or Down Event: when an IPSec or GRE tunnel to a third-party service goes down or comes back up.
  • Flow Revalidation Event: when a flow is reevaluated after the active path in the respective path group becomes reachable.
  • DC Core Reachability with Host Tracking: when the data center core peer goes down, or a specific prefix becomes unreachable from the data center.
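The two modes above and the Layer 3 reachability and LQM SLA triggers can be followed more easily with a small decision model. The code below is an added illustration written for this page; it is not Prisma SD-WAN code and does not reproduce the ION software's path-selection algorithm. It assumes a constructed SLA, constructed per-path LQM measurements, a made-up scoring weight for ranking compliant paths, and a `nat_domain` label that marks which paths sit behind a common NAT (paths in different domains form a NAT boundary). The assumption that Graceful mode keeps an existing flow inside its NAT domain while Forced mode crosses the boundary when a better path requires it is the author's reading of the text, not documented behavior.

```python
"""Simplified model of Move Flows Graceful vs. Forced path decisions (added example)."""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Path:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    nat_domain: str          # assumption: different domains are separated by a NAT boundary
    reachable: bool = True   # False models a Layer 3 Unreachability Event on the underlay


@dataclass
class PathSLA:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


def meets_sla(path: Path, sla: PathSLA) -> bool:
    """LQM SLA check; an unreachable underlay never meets the SLA."""
    return (path.reachable
            and path.latency_ms <= sla.max_latency_ms
            and path.jitter_ms <= sla.max_jitter_ms
            and path.loss_pct <= sla.max_loss_pct)


def path_score(path: Path) -> float:
    """Lower is better. Constructed weighting for ranking only, not the product's own."""
    if not path.reachable:
        return math.inf
    return path.latency_ms + 2 * path.jitter_ms + 50 * path.loss_pct


def select_new_flow_path(paths: List[Path], sla: PathSLA) -> Optional[str]:
    """Both modes exclude SLA-violating paths for new flows; only when nothing
    complies does the best reachable path win."""
    compliant = [p for p in paths if meets_sla(p, sla)]
    pool = compliant or [p for p in paths if p.reachable]
    return min(pool, key=path_score).name if pool else None


Decision = Tuple[str, bool, bool]  # (chosen path, flow moved?, NAT boundary crossed?)


def decide_existing_flow(current_path: str, paths: List[Path],
                         sla: PathSLA, mode: str) -> Decision:
    by_name = {p.name: p for p in paths}
    current = by_name[current_path]
    if meets_sla(current, sla):
        return (current.name, False, False)        # SLA intact: flow stays put
    compliant = [p for p in paths if p.name != current.name and meets_sla(p, sla)]
    if mode == "graceful":
        # assumption: only move within the same NAT domain so the session survives
        same_domain = [p for p in compliant if p.nat_domain == current.nat_domain]
        if same_domain:
            return (min(same_domain, key=path_score).name, True, False)
        return (current.name, False, False)
    if mode == "forced":
        if compliant:
            best = min(compliant, key=path_score)  # better path, NAT boundary ignored
        else:
            # no better path: take the best available one, even across a NAT boundary
            pool = [p for p in paths if p.reachable]
            if not pool:
                return (current.name, False, False)
            best = min(pool, key=path_score)
        moved = best.name != current.name
        return (best.name, moved, moved and best.nat_domain != current.nat_domain)
    raise ValueError(f"unknown mode: {mode}")


# Constructed sample SLA and measurements; inet1 is the violating active path.
PATH_SLA = PathSLA(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
SAMPLE_PATHS = [
    Path("mpls", latency_ms=40, jitter_ms=5, loss_pct=0.0, nat_domain="private"),
    Path("inet1", latency_ms=220, jitter_ms=45, loss_pct=2.5, nat_domain="isp-a"),
    Path("inet2", latency_ms=60, jitter_ms=10, loss_pct=0.1, nat_domain="isp-b"),
]


def demo() -> dict:
    """Run the three decisions a flow on inet1 would see once its SLA is violated."""
    return {
        "new_flow": select_new_flow_path(SAMPLE_PATHS, PATH_SLA),
        "graceful": decide_existing_flow("inet1", SAMPLE_PATHS, PATH_SLA, "graceful"),
        "forced": decide_existing_flow("inet1", SAMPLE_PATHS, PATH_SLA, "forced"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

In the sample, a new flow avoids the violating inet1 path in either mode, Graceful leaves the existing flow on inet1 because no compliant path shares its NAT domain, and Forced moves it to mpls and reports the NAT boundary crossing, which is the information the Flow Decision Data records when a flow is forcefully moved.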
The table outlines the expected behavior of the Move Flows Forced action across various network path scenarios. It supports combinations of active and backup paths, including Direct Internet, Direct Private, Public and Private VPN, Standard VPN, and enterprise VPN configurations. In all cases, the system applies the Move Flows Forced action, monitoring path performance using LQM and Probes as SLA criteria. It enables expected behavior for traffic types like TCP/ICMP/UDP on the internet while enterprise VPN paths provide enhanced traffic handling capabilities.
Active Path               | Backup Path             | Action            | SLA Criteria | Expected Behavior | App: Internet
Direct internet           | Direct internet         | Move Flows Forced | LQM, Probes  | Allowed           | TCP/ICMP/UDP
Direct Private            | Direct Private          | Move Flows Forced | LQM, Probes  | Allowed           | TCP/ICMP/UDP
Direct Public and Private | Public and Private VPN  | Move Flows Forced | LQM, Probes  | Allowed           | TCP/ICMP/UDP
Direct Public             | Standard VPN            | Move Flows Forced | LQM, Probes  | Allowed           | TCP/ICMP/UDP
Standard VPN to SEP1      | Standard VPN to SEP1    | Move Flows Forced | LQM, Probes  | Allowed           | TCP/ICMP/UDP
Standard VPN to SEP1      | Standard VPN to SEP2    | Move Flows Forced | LQM, Probes  | Allowed           | TCP/ICMP/UDP
Standard VPN              | VPN                     | Move Flows Forced | LQM, Probes  | Allowed           | TCP/ICMP/UDP + Enterprise
VPN1 to DC1               | VPN1 to DC2             | Move Flows Forced | LQM, Probes  | Allowed           | TCP/ICMP/UDP + Enterprise
VPN1 to DC1               | VPN2 to DC2             | Move Flows Forced | LQM, Probes  | Allowed           | TCP/ICMP/UDP + Enterprise
The Flow Decision Data indicates whether a flow was forcefully moved due to any of the above events.