SDWAN is routing the internet traffic to the link that is down.

• The sdwan path-monitor stats shows the status of interface as up/ping.
• Whereas the traffic to Internet through this is failing and failover is not working.

PA_1.2> show sdwan path-monitor stats all-dp yes
idx if-id vif state/reason State-chg-cnt latency jitter loss(%) Type Interface/Tunnel Profile
---------------------------------------------------------------------------------------
0 16 sdwan.901 UP/ping 6 0 0 0 Native ethernet1/1 N/A
1 22 sdwan.901 UP/path_monitor 0 32 0 0 Native ethernet1/7 N/A

• Palo Alto Firewalls
• Supported PAN-OS
• SD-WAN

• The DIA VIF (Direct Internet Access Virtual Interface) inherits the path-monitoring status of the IPsec tunnels that are associated with its member interfaces.
•  SD-WAN primarily monitors the quality of the path to the gateway address.
•  Consequently, when there is a connectivity issue beyond the gateway (such as internet connectivity), traffic may still be routed over this link since the default monitoring behavior targets only the next-hop gateway.

1. Configure SaaS Quality Profile to achieve the true ISP failover.
2. With SaaS Quality Profile, if the monitored IPs are not reachable, the traffic will fall-back to the other ISP links.

Understanding the SDWAN Path Monitor States.