>
    Strata Copilot
    Configure Hub Failover from Branch to Different SaaS Application Destination
    Focus
    Download PDF
    Focus
    1. Home
    2. SD-WAN
    3. Enable SD-WAN without Auto VPN
    4. Manage SD-WAN Link Failovers
    5. Monitor SaaS Applications Using SD-WAN
    6. Configure Hub Failover from Branch to Different SaaS Application Destination
    Download PDF
    SD-WAN

    Configure Hub Failover from Branch to Different SaaS Application Destination

    Table of Contents

    Configure Hub Failover from Branch to Different SaaS Application Destination

    Configure the SaaS application to failover to a hub firewall pointing to a different SaaS application destination if there are no healthy DIA links from the branch firewall.
    Where Can I Use This?What Do I Need?
    • NGFW
    If your organization is leveraging a SaaS application at a branch firewall location but the branch firewall has no healthy DIA links to swap to, you can configure the hub firewall as a failover alternative to maintain a healthy connection to your SaaS application using a SaaS Quality profile pointing to a different SaaS application destination.
    If the SaaS application DIA link health metric thresholds are exceeded and the branch firewall has no healthy DIA links available, the link is swapped to the next hub firewall for all new sessions. The existing session on the degraded DIA link is not swapped over to the hub firewall.
    For example, say your branch and hub firewalls are located on opposite sides of the country and access a SaaS cloud application deployed in a cloud provider such as GCP. You can configure the hub firewall to act as a failover in the event there are no healthy DIA links from the branch firewall to the SaaS application. To accomplish this, configure an identically named SaaS Quality profile on both the branch and hub firewalls to automatically failover to the hub firewall if no healthy DIA links are available from the branch firewall. The SaaS Quality profile configured on the hub firewall to points to the on-ramp location closest to the hub to take advantage of local resources closest to it. This allows you flexibility in specifying healthy failover paths and the ability to maintain accurate end-to-end SaaS application monitoring data without congesting your network bandwidth.
    1. Set up your SD-WAN deployment.
      1. Install the SD-WAN plugin.
      2. Set up Panorama and firewalls for SD-WAN.
      3. Add SD-WAN Devices to Panorama.
      4. (High availability configurations only) Configure SD-WAN devices in HA mode.
      5. Plan your topology for SD-WAN with Auto VPN.
    2. Define a link tag to group the SaaS application DIA links.
      Create multiple Link Tags for your DIA links in order to apply different SD-WAN monitoring settings for each SaaS application DIA link based on the link type.
      Additionally, you can create a single Link Tag for multiple DIA links to group the links into a single link bundle.
    3. Configure an SD-WAN interface profile to define the characteristics of your ISP connection and specify the speed of the DIA link, how frequently the branch firewall monitors the link, and select the Link Tag to specify to which link the SD-WAN Interface profile applies.
      If you created multiple Link Tags, you must configure an SD-WAN Interface profile for each Link Tag.
      If you created a link bundle by assigning multiple DIA links to a single Link Tag, specifying that link tag applies the SD-WAN Interface profile settings to all DIA links in the bundle.
    4. Configure a physical Ethernet interface for each SaaS application DIA link.
      All physical Ethernet interfaces for DIA links must be Layer3.
    5. Configure a Virtual SD-WAN Interface that groups all physical Ethernet interfaces for the SaaS application DIA links into a single interface group.
      The firewall virtual router uses this virtual SD-WAN interface to route SD-WAN traffic to a DIA location. The SD-WAN path health and Traffic Distribution profiles in the SD-WAN policy rule then determine which path to use and the order in which to consider new paths if a path health deteriorates.
    6. Create identically named SaaS quality profiles for both the hub and branch firewalls.
      Two identically named SaaS Quality profiles must be configured on the hub and branch firewalls to successfully leverage the hub firewall as an alternative failover. Create two SaaS Quality profiles with identical names each pointing to a different SaaS application destination in different device groups and push them to your hub and branch firewalls.
      1. Select ObjectsSD-WAN Link ManagementSaaS Quality Profile, and select the target device group containing the branch firewall from the Device Group drop-down.
      2. Add a new SaaS Quality profile.
      3. Enter a descriptive Name for the SaaS Quality profile.
      4. Enable (check) Disable override to disable overriding the SaaS Quality profile configuration on the local firewall.
      5. Configure the SaaS Monitoring Mode using one of the following methods.
        • Configure the Static IP address for the SaaS application.
          Create a SaaS Quality profile per SaaS application. If a SaaS application has multiple IP addresses, configure a SaaS Quality profile with the multiple static IP addresses for that SaaS application.
          1. Select IP Address/ObjectStatic IP Address and Add an IP address.
          2. Enter the IP address of the SaaS application or select a configured address object.
          3. Enter the Probe Interval by which the branch firewall probes the SaaS application path for health information.
          4. Click OK to save your configuration changes.
        • Configure the fully qualified domain name (FQDN) for the SaaS application.
          1. Configure a FQDN address object for the SaaS application.
          2. Select IP Address/ObjectFQDN and Add the FQDN.
          3. Select the FQDN address object for the SaaS application.
          4. Enter the Probe Interval by which the branch firewall probes the SaaS application path for health information.
          5. Click OK to save your configuration changes.
        • Configure the URL for the SaaS application.
          URL monitoring is only supported for traffic over ports 80, 443, 8080, 8081, and 143.
          1. Select HTTP/HTTPS.
          2. Enter the Monitored URL of the SaaS application.
          3. Enter the Probe Interval by which the branch firewall probes the SaaS application path for health information.
          4. Click OK to save your configuration changes.
      6. Select ObjectsSD-WAN Link ManagementSaaS Quality Profile, and select the target device group containing the hub firewall from the Device Group drop-down.
      7. Repeat Steps 6.2 through 6.5 to create an identically named SaaS Quality profile for a SaaS application at a different destination.
        This step is required to make in identically named SaaS Quality profile in the device group your hub firewall belongs to.
    7. Create a traffic distribution profile to specify the order the branch firewall swaps from DIA links to VPN links to the hub firewall in the event of link health degradation.
    8. Configure an SD-WAN policy rule to specify the SaaS application and link health metrics, and determine how the firewall selects the preferred link for the critical SaaS application traffic.
      In the Application tab, add the SaaS application you are monitoring to the SD-WAN policy rule to ensure the SaaS monitoring settings are applied only to the desired SaaS application.

    © 2026 Palo Alto Networks, Inc. All rights reserved.