Allow Direct Internet Access Traffic Failover to MPLS Link

Create an MPLS link between your branch and hub. When you create the SD-WAN Interface profile, the link type must be
MPLS
for both the hub and branch.
If you want the private traffic to go through the VPN tunnel, enable
VPN Data Tunnel Support
in the SD-WAN Interface profile. If you disable
VPN Data Tunnel Support
, the private data will go outside of the VPN tunnel.
Configure an SD-WAN Policy Rule for specific applications, Create a Path Quality Profile, and Create a Traffic Distribution Profile that specifies the
Top Down Priority
method. The Traffic Distribution profile must also specify an
MPLS
link as one of the failover options (identified by a tag). Verify that the applications in the SD-WAN policy rule reference the correct Path Quality and Traffic Distribution profiles, and that the Traffic Distribution profile specifies Top Down Priority.
After the VPN Data Tunnel Support is enabled on both the hub and branch and the MPLS link is operational, the firewall automatically uses the MPLS connection to fail over DIA traffic when necessary.
In the hub configuration, ensure the hub has a path to the internet and routing is properly set up for the hub traffic to reach the internet.
The firewall uses the DIA virtual interface and the VPN virtual interface to ensure that the public internet traffic is kept separate from your private traffic in the same path; that is, the internet traffic and private traffic do not go through the same VPN tunnel. Full segmentation with proper zoning is in full effect.