Add a Path Policy Rule

• Add a path policy rule to a simple path stack.

  1. Select ConfigurationPrisma SD-WANPoliciesPathPath StacksSimple, select a Path and click Add Rule.
  2. Select an order for the rule.

     Policy rules follow explicit ordering and implicit ordering. In explicit ordering, each rule within a policy set has an order number that is used to explicitly order rules overriding an implicit order, a set of match criteria, and a set of actions. If two rules have the same order, then the rules follow implicit ordering wherein policy rules with more specific attributes get precedence over rules with less specific attributes.

     • In the Info tab, enter a Name for the policy rule, and optionally enter description and tags.
     • Enter an Order between 1-65535 for the policy rule.
       An order of 1 indicates the highest priority for the policy rule. The default is 1024.
     • (Optional) Select Disable Rule if you do not want the ION device to consider this rule.
  3. (Optional) Configure network contexts.

     • On the Network Contexts screen, select a previously configured Network Context or click the + icon to create a network context.
  4. (Optional) Configure Prefixes.

     On the Prefixes tab, select a Source Prefix and a Destination Prefix.

     1. (Optional) Add Device Profile.
        • On the Devices tab, select a Source and/or Destination Device Profile in the drop-down.
  5. (Optional) Add users or user groups.

     On the Users tab, select a User and/or a Group from the User/Group drop-down.
  6. (Optional) Select applications.

     On the Apps tab, select the applications to apply the policy rule. You can select 256 applications for one policy rule.

     You can filter applications based on:

     • For sites 6.4.1 or above—Select this option to view applications supported for device version 6.4.1 and above.
     • For sites above 6.0.1 and less than 6.4.1—Select this option to view system applications supported between releases 6.0.1 and pre-6.4.1.
     • For sites below 6.0.1—Select this option to view applications supported for devices versions below 6.0.1.
     • For any site—Use this option to view applications supported for all device versions.

     (Optional) You can check the type of application - System or Custom by selecting the application first and then using the filters to view the type of application.
  7. Configure paths.

     On the Paths tab, choose Active/Backup/L3 Failure Paths for the application from the drop-down list.

     Select an Overlay and a Circuit Category for a path. You cannot repeat a combination of an overlay and a circuit category for a policy rule. The choices for the Overlay are - Direct, Prisma SD-WAN VPN and Standard VPN.

     You must configure an active path. You can optionally configure backup paths and L3 failure paths. You can configure an L3 failure path without configuring a backup path.

     The Backup Path activates when the primary path is poor or unavailable—but the L3 Failure Path is reserved as the ultimate emergency route, only triggered by a complete loss of Layer 3 reachability across all links.

     In ION devices running 5.2.1 and higher versions, the default setting moves flows back to the active path in the policy as soon as the active path becomes available.
  8. Configure paths.

     On the Paths tab, choose either SLA Compliant Path or Best Path Selection.

     • SLA Compliant Path
       Choose a path based on performance metrics defined in the policy rule to meet SLAs. Select Active, Backup, and L3Failure paths for the application, an Overlay (Direct, Prisma SD-WAN VPN or Standard VPN) and the Circuit Category for a pathYou can utilize metrics for:
       • Link Quality: Latency, Loss, Jitter, and MOS.
       • Probe: ICMP (latency, loss, jitter), DNS (transaction time, failure rate), and HTTP/S (transaction time, failure rate), depending on your probe configuration.
       • App Metrics: TCP (Init Failure and RTT) and TRT for UDP.
       All metrics can be used simultaneously, however, you cannot repeat a combination of an overlay and a circuit category for a policy rule. You must configure an active path and can optionally configure backup and L3 failure paths. Active Paths will be used first and load shared as long as they are SLA compliant. If no Active Paths are SLA compliant then any backup paths will be used. If all Active and Backup paths are completely down (not degraded) the L3 Failure Paths will be used.

     In ION devices running 5.2.1 and higher versions, the default setting moves back to the active path in the policy as soon as the active path becomes available.

     • Best Path Policy
       Choose either an LQM based or Probe based best path selection. It selects the path with the absolute lowest metric specified in the path policy rule, using Active paths primarily and L3 Failure paths only if all active paths are down.
       • LQM: Select the best path based on a single metric (latency, loss, or jitter), focusing on the lowest value of the specified metric while disregarding available bandwidth.

       • Probe: Select ICMP (latency, loss, jitter), DNS (transaction time, failure rate), and HTTP/S (transaction time, failure rate), depending on your probe configuration.

     Only one metric can be used per policy rule. Load sharing for this traffic class will not be performed when using best path selection.
  9. Select Service and DC Groups.

     Select Service & DC Groups, and then select Active/Backup Service & DC Groups from the drop-down.

     If the Required check box is selected, traffic will always transit through the Service and DC Groups. If not selected, traffic may or may not transit through the Service and DC Groups per policy. You cannot select Required, if you have selected at least one direct path in the Paths tab.
  10. Confirm the information displayed in the Summary tab and then click Save & Exit.
• Add a path policy rule to an advanced path policy set.

  1. Select ConfigurationPrisma SD-WANPoliciesPathPath StacksAdvancedSelect a StackAdd Rule.
  2. Follow the steps above for adding a path policy rule to a simple policy stack.