In PAN-OS, create an Error Correction profile to apply Forward Error Correction (FEC) or packet duplication for applications specified in an SD-WAN policy rule.

FEC and packet duplication functionality require Panorama to run PAN-OS 10.0.2 or a later release and SD-WAN plugin 2.0 or a later release that is compatible with the PAN-OS release. The encoder and decoder must both be running PAN-OS 10.0.2 or a later release. If one branch or hub is running an older software release than what is required, traffic with an FEC or packet duplication header is dropped at that firewall.

Beginning with PAN-OS 10.0.3, FEC and packet duplication are supported in a full mesh topology, in addition to the hub-spoke topology already supported.

- Log in to the Panorama Web Interface.
- Define your ISP connections and link types, where you select Eligible for Error Correction Profile interface selection to indicate that the firewall can automatically use the interfaces (where the SD-WAN Interface Profile is applied) for error correction. Whether this option defaults to selected or not depends on the Link Type you select for the profile.

  You can have Eligible for Error Correction Profile interface selection unchecked in a profile and apply the profile to an expensive 5G LTE link, for example, so that costly error correction is never performed on that link.
- Configure a physical Ethernet interface for SD-WAN and apply the SD-WAN Interface Profile that you created to an Ethernet interface.
- Create an Error Correction Profile for FEC or packet duplication.
  - Select Objects > SD-WAN Link Management > Error Correction Profile.
  - Add an Error Correction profile and enter a descriptive Name of up to 31 alphanumeric characters; for example, EC_VOIP.
  - Select Shared to make the Error Correction profile available to all device groups on Panorama and to the default vsys on a single-vsys hub or branch, or to vsys1 on a multi-vsys hub or branch to which you push this configuration.
  - Specify the Activate when packet loss exceeds (%) setting. When packet loss exceeds this percentage, FEC or packet duplication is activated for the configured applications in the SD-WAN policy rule where this Error Correction profile is applied. Range is 1 to 99; the default is 2.
  - Select Forward Error Correction or Packet Duplication to indicate which error correction method the firewall uses when an SD-WAN policy rule references this SD-WAN Interface Profile; the default is Forward Error Correction. If you select Packet Duplication, SD-WAN selects an interface over which to send duplicate packets. (SD-WAN selects one of the interfaces you configured with Eligible for Error Correction Profile interface selection in the prior step.)
  - (Forward Error Correction only) Select the Packet Loss Correction Ratio: 10% (20:2), 20% (20:4), 30% (20:6), 40% (20:8), or 50% (20:10). This is the ratio of parity bits to data packets; the default is 10% (20:2). The higher the ratio of parity bits to data packets that the sending firewall (encoder) sends, the higher the probability that the receiving firewall (decoder) can repair packet loss. However, a higher ratio requires more redundancy and therefore more bandwidth overhead, which is a tradeoff for achieving error correction. The parity ratio applies to the encoding firewall's outgoing traffic.

    For example, if the hub firewall parity ratio is 50% and the branch firewall parity ratio is 20%, the hub firewall will receive 20% and the branch firewall will receive 50%.
  - Specify the Recovery Duration (ms): the maximum number of milliseconds that the receiving firewall (decoder) can spend performing packet recovery on lost data packets using the parity packets it received (range is 1 to 5,000; default is 1,000). The firewall immediately sends data packets it receives to the destination. During the Recovery Duration, the decoder performs packet recovery for any lost data packets. When the recovery duration expires, all the parity packets are released. You configure the recovery duration in the Error Correction Profile for the encoder, which sends the Recovery Duration value to the decoder. A Recovery Duration setting on the decoder has no impact.

    Start by using the default Recovery Duration setting and adjust it if necessary, based on your testing with normal and intermittent brown-outs.
  - Click OK.
- Configure an SD-WAN policy rule, reference the Error Correction Profile you created in the rule, and specify a critical application to which the rule applies.

  Specify only one application in the SD-WAN policy rule when configuring FEC or packet duplication. You should not combine multiple applications in a single policy rule for FEC or packet duplication.
- Commit and Commit and Push your configuration changes to the encoding firewalls (branches and hubs).
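
A pre-push check built from the limits and release requirements stated above, as an added example that is not Palo Alto Networks code and does not call any Panorama API. The dictionary layout, function names and device inventory are hypothetical; the sample data is constructed.

```python
# Added example: validate an Error Correction profile and find firewalls that
# would drop FEC/duplication traffic. Data layout and names are hypothetical.
import re

# Packet Loss Correction Ratio labels from the page: (data packets, parity)
RATIOS = {"10%": (20, 2), "20%": (20, 4), "30%": (20, 6),
          "40%": (20, 8), "50%": (20, 10)}

def ver(s):
    """Parse '10.0.2' or '10.0.3-h1' into a comparable tuple (suffix ignored)."""
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", s).groups())

def check_profile(p):
    """Return a list of problems; unset fields fall back to documented defaults."""
    errs = []
    if not 1 <= len(p["name"]) <= 31:
        errs.append("name must be 1-31 characters")
    if not 1 <= p.get("activate_loss_pct", 2) <= 99:
        errs.append("activation threshold must be 1-99 %")
    if p["method"] == "fec":
        if p.get("ratio", "10%") not in RATIOS:
            errs.append("unknown Packet Loss Correction Ratio")
        if not 1 <= p.get("recovery_ms", 1000) <= 5000:
            errs.append("Recovery Duration must be 1-5000 ms")
    elif p["method"] != "duplication":
        errs.append("method must be 'fec' or 'duplication'")
    return errs

def fec_overhead(ratio):
    """Extra bandwidth on the encoder's outgoing traffic, as parity/data."""
    data, parity = RATIOS[ratio]
    return parity / data

def check_fleet(devices, topology):
    """Names of firewalls below the release needed for this topology."""
    need = ver("10.0.3") if topology == "full-mesh" else ver("10.0.2")
    return sorted(d["name"] for d in devices if ver(d["panos"]) < need)

# Constructed sample data
PROFILE = {"name": "EC_VOIP", "method": "fec", "ratio": "20%",
           "activate_loss_pct": 2, "recovery_ms": 1000}
FLEET = [{"name": "hub-1", "panos": "10.0.3"},
         {"name": "branch-a", "panos": "10.0.2"},
         {"name": "branch-b", "panos": "10.0.1"}]

if __name__ == "__main__":
    print("profile problems:", check_profile(PROFILE))
    print("encoder overhead:", fec_overhead(PROFILE["ratio"]))
    print("below minimum (hub-spoke):", check_fleet(FLEET, "hub-spoke"))
    print("below minimum (full-mesh):", check_fleet(FLEET, "full-mesh"))
```

Any firewall the fleet check returns should be upgraded, or excluded from the SD-WAN policy rule, before the profile is pushed.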