: Create a Path Quality Profile
Focus
Focus

Create a Path Quality Profile

Table of Contents

Create a Path Quality Profile

Create a path quality profile to control when the firewall replaces a deteriorating path with a new path for packets matching the SD-WAN policy rule.
Create a Path Quality profile for each set of business-critical and latency-sensitive applications, application filters, application groups, services, service objects and service group objects that has unique network quality (health) requirements based on latency, jitter, and packet loss percentage. Applications and services can share a Path Quality profile. Specify the maximum threshold for each parameter, above which the firewall considers the path deteriorated enough to select a better path.
As an alternative to creating a Path Quality profile, you can use any of the predefined Path Quality profiles, such as general-business, voip-video, file-sharing, audio-streaming, photo-video, and remote-access, and more. The predefined profiles are set up to optimize the latency, jitter, and packet loss thresholds for the type of applications and services suggested by the name of the profile.
The predefined Path Quality profiles for a Panorama device group are based on the default Probe Frequency settings in the SD-WAN Interface profile for a Panorama template. If you change the default Probe Frequency setting, you must adjust the Packet Loss percentage threshold in the Path Quality profile for the firewalls in a Device Group that are affected by the Panorama template where you changed the Interface profile.
The firewall treats the latency, jitter, and packet loss thresholds as OR conditions, meaning if any one of the thresholds is exceeded, the firewall selects the new best (preferred) path. Any path that has latency, jitter, and packet loss less than or equal to all three thresholds is considered qualified and the firewall selected the path based on the associated Traffic Distribution profile.
By default, the firewall measures latency and jitter every 200ms and takes an average of the last three measurements to measure path quality in a sliding window. You can modify this behavior by selecting aggressive or relaxed path monitoring when you Configure an SD-WAN Interface Profile.
If a path fails over because it exceeded the configured packet loss threshold, the firewall still sends probing packets on the failed path and calculates its packet loss percentage as the path recovers. It can take approximately three minutes for the packet loss percentage on a recovered path to fall below the packet loss threshold configured in the Path Quality profile. For example, suppose an SD-WAN policy rule for an application has a Path Quality profile that specifies a packet loss threshold of 1% and a Traffic Distribution profile that specifies Top Down distribution with tag 1 (applied to tunnel.1) first on the list and tag 2 (applied to tunnel.2) next on the list. When tunnel.1 exceeds 1% packet loss, the data packets fail over to tunnel.2. After tunnel.1 recovers to 0% packet loss (based on probing packets), it can take up to three minutes for the monitored packet loss rate for tunnel.1 to drop below 1%, at which time the firewall then selects tunnel.1 as the best path again.
The sensitivity setting indicates which parameter (latency, jitter, or packet loss) is more important (preferred) for the applications to which the profile applies. When the firewall evaluates link quality, it considers a parameter with a high setting first. For example, when the firewall compares two links, suppose one link has 100ms latency and 20ms jitter; the other link has 300ms latency and 10 ms jitter. If the sensitivity for latency is high, the firewall chooses the first link. If the sensitivity for jitter is high, the firewall chooses the second link. If the parameters have the same sensitivity (by default the parameters are set to medium), the firewall evaluates packet loss first, then latency, and jitter last.
As the SD-WAN Traffic Distribution Profiles concept states, the new path selection occurs in less than one second if you leave Path Monitoring and Probe Frequency with default settings; otherwise, new path selection could take more than one second. To achieve subsecond failover based on packet loss, you must set the latency sensitivity to high and the latency threshold to no more than 250ms.
Reference the Path Quality profile in an SD-WAN policy rule to control the threshold at which the firewall replaces a deteriorating path with a new path for matching application packets.
  1. Log in to the Panorama Web Interface.
  2. Select a Device Group.
  3. Select ObjectsSD-WAN Link ManagementPath Quality Profile.
  4. Add a Path Quality profile by Name using a maximum of 31 alphanumeric characters.
  5. For Latency, double-click the Threshold value and enter the number of milliseconds allowed for a packet to leave the firewall, arrive at the opposite end of the SD-WAN tunnel, and a response packet to return to the firewall before the threshold is exceeded (range is 10 to 2,000; default is 100).
  6. For Latency, select the Sensitivity (low, medium, or high). Default is medium.
    Click the arrow at the end of the Threshold column to sort thresholds in ascending or descending numerical order.
  7. For Jitter, double-click the Threshold value and enter the number of milliseconds (range is 10 to 1,000; default is 100).
  8. For Jitter, select the Sensitivity (low, medium, or high). Default is medium.
  9. For Packet Loss, double-click the Threshold value and enter the percentage of packets lost on the link before the threshold is exceeded (range is 1 to 100.0; default is 1).
    Setting the Sensitivity for Packet Loss has no effect, so leave the default setting.
    If you change the Probe Frequency in an SD-WAN Interface profile for a Panorama template, you should also adjust the Packet Loss threshold for a Panorama device group.
  10. Click OK.
  11. Commit and Commit and Push your configuration changes.
  12. Commit your changes.
  13. Repeat this task for every Device Group.