PAN-OS SD-WAN: Finding Failover Reasons for Closed Sessions
Scenario:
An administrator configured PAN-OS SD-WAN. They need to investigate why a specific session failed over to a different path, even though the session has already ended.
Question:
Where in the Panorama or firewall logs can the administrator find the reason for this past session failover?
(Incorrect Answer Selected: Traffic Logs)
Correct Log Location
✅ Correct Answer: System Logs
📘 Explanation
In Palo Alto Networks PAN-OS SD-WAN, the decision to move an active session from one WAN path to another (session failover) is triggered by specific events related to path quality or link status: a path exceeding the latency, jitter or packet loss threshold configured for it, or the path going down. These events are system-level occurrences rather than typical traffic events.

Because session failovers are system events produced by the SD-WAN engine's decision-making process, they are logged in the System Logs (Monitor > Logs > System). To separate them from unrelated system events, filter the log on the SD-WAN subtype, for example ( subtype eq sdwan ); confirm the exact subtype value against an SD-WAN entry on your PAN-OS version before relying on the filter.
Information in System Logs for SD-WAN Failover:
When a session failover happens, the System Log entry typically contains the details needed for post-mortem analysis, including:
- The timestamp of the failover event.
- The reason for the failover (e.g., latency threshold exceeded, jitter threshold exceeded, packet loss threshold exceeded, path down).
- The original (preferred) path ID or link tag.
- The new path ID or link tag chosen after failover.
- The specific session ID that failed over (allowing correlation with Traffic logs if needed, though Traffic logs don't show the *reason* for failover).
Crucially, these System Log entries persist even after the individual traffic sessions that failed over have closed and are no longer visible in the live Session Browser. If the firewall forwards its logs to Panorama, the same entries are available there under Monitor > Logs > System, so the investigation can be done from Panorama without logging in to the individual firewall.
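The correlation step described above (take the session ID from the System Log failover entry and look up the matching, already-closed session in the Traffic log) is shown in the following Python script. It is an added example for this page, not code from Palo Alto Networks or from the quiz, and it runs on constructed CSV samples: the column names and the wording of the failover description are assumptions for the example and must be adapted to the fields of a real log export.

```python
"""
Added example (not from the quiz page or Palo Alto Networks): correlate SD-WAN
session-failover events recorded in PAN-OS System logs with closed sessions
in the Traffic log, using the session ID as the join key.

Assumptions (not taken from the page):
  * Both logs are CSV exports with the column names used below; real PAN-OS
    exports carry many more columns, so adapt the field names to your export.
  * The free-text System log description follows the pattern assumed in
    FAILOVER_RE. Real wording differs; adjust the regex to match your logs.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample System log rows: shape and wording are assumptions.
SYSTEM_LOG_CSV = """receive_time,type,subtype,description
2024/03/11 10:14:02,SYSTEM,sdwan,"session 123456 failed over from path isp-a-vif to path isp-b-vif: latency threshold exceeded"
2024/03/11 10:15:30,SYSTEM,general,"Connection to Update server closed"
2024/03/11 10:16:45,SYSTEM,sdwan,"session 123789 failed over from path isp-a-vif to path lte-vif: path down"
2024/03/11 10:17:10,SYSTEM,sdwan,"path isp-a-vif latency 210 ms exceeds threshold 150 ms"
"""

# Constructed Traffic log rows; every session here has already ended (subtype end),
# so none of them would still appear in the Session Browser.
TRAFFIC_LOG_CSV = """receive_time,type,subtype,session_id,app,src,dst,action,bytes
2024/03/11 10:20:10,TRAFFIC,end,123456,ms-teams,10.1.1.5,52.112.0.10,allow,482913
2024/03/11 10:21:00,TRAFFIC,end,123789,ssl,10.1.1.9,142.250.1.1,allow,10233
2024/03/11 10:21:05,TRAFFIC,end,124000,dns,10.1.1.9,8.8.8.8,allow,512
"""

# Assumed description format for a session-failover entry (adjust to real logs).
FAILOVER_RE = re.compile(
    r"session (?P<session_id>\d+) failed over from path (?P<from_path>\S+) "
    r"to path (?P<to_path>\S+): (?P<reason>.+)"
)


def parse_failover_events(system_log_csv):
    """Return one dict per session-failover event found in the System log.

    Only rows with subtype 'sdwan' whose description matches FAILOVER_RE are
    kept; other SD-WAN rows (e.g. path health messages) are ignored.
    """
    events = []
    for row in csv.DictReader(io.StringIO(system_log_csv)):
        if row["subtype"] != "sdwan":
            continue
        m = FAILOVER_RE.match(row["description"])
        if not m:
            continue
        event = m.groupdict()
        event["time"] = row["receive_time"]
        events.append(event)
    return events


def correlate_with_traffic(events, traffic_log_csv):
    """Join failover events to Traffic log rows by session ID.

    Returns a dict keyed by session ID. Each value holds the failover events for
    that session plus the Traffic log end-of-session row (if any).
    """
    by_session = {}
    for ev in events:
        by_session.setdefault(ev["session_id"], {"failovers": [], "traffic": None})
        by_session[ev["session_id"]]["failovers"].append(ev)
    for row in csv.DictReader(io.StringIO(traffic_log_csv)):
        sid = row["session_id"]
        if sid in by_session and row["subtype"] == "end":
            by_session[sid]["traffic"] = row
    return by_session


def failover_reason(session_id, events):
    """Answer the quiz question for one closed session: why did it fail over?"""
    reasons = [ev["reason"] for ev in events if ev["session_id"] == session_id]
    return reasons or None


def reason_histogram(events):
    """Count failovers per reason; useful to spot a chronically bad link."""
    return Counter(ev["reason"] for ev in events)


if __name__ == "__main__":
    evs = parse_failover_events(SYSTEM_LOG_CSV)
    joined = correlate_with_traffic(evs, TRAFFIC_LOG_CSV)
    for sid, rec in joined.items():
        t = rec["traffic"]
        app = t["app"] if t else "no traffic row"
        for ev in rec["failovers"]:
            print(f"{ev['time']} session {sid} ({app}): "
                  f"{ev['from_path']} -> {ev['to_path']} because {ev['reason']}")
    print(reason_histogram(evs))
```

Run as a script it prints one line per failover with the application taken from the Traffic log; parse_failover_events keeps only the SD-WAN rows that describe a session failover, so path health messages are ignored rather than misread, and a session ID that never failed over (124000 in the sample) yields no reason.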
Why Other Locations Are Incorrect
2. Session Browser
- ❌ The Session Browser (Monitor > Session Browser) only displays information about currently active sessions on the firewall. Once a session terminates (for any reason, including natural closure after failover), it disappears from the Session Browser, so it cannot be used to investigate a session that has already ended.
3. You cannot find failover details on closed sessions
- ❌ This is incorrect. While the *live session* details are gone from the Session Browser, the **event that caused the failover** is recorded historically in the System Logs and remains available for as long as log retention allows.
4. Traffic Logs (Your Answer)
- ❌ Traffic Logs (Monitor > Logs > Traffic) record details about the start and end of sessions, matched policies, applications, bytes transferred, security actions taken (allow/deny), etc. They show *what* traffic flowed and *whether* it was allowed. Even where a Traffic log entry indicates that a session moved between links, it **does not record the reason** for the move; the path quality or link status event that triggered the failover is only written to the System Logs. This is why System Logs are needed for failover analysis, with the Traffic log used at most to confirm the session's endpoints and application once the session ID is known.
✅ Summary: To investigate the reason for an SD-WAN session failover, especially for sessions that have already ended, the primary source of information is the System Log, which records these path change events and their triggers.