Features Introduced in SD-WAN Plugin 2.0

Features introduced in SD-WAN Plugin 2.0 releases.
Our SD-WAN subscription integrates with PAN-OS to provide intelligent, dynamic path selection on top of the industry-leading security that PAN-OS software already delivers. Secure SD-WAN provides the optimal end-user experience by leveraging multiple ISP links to ensure application performance and scale capacity. For upgrade and downgrade considerations and for specific information about the upgrade path, refer to the SD-WAN 2.0 Administrator’s Guide. The administrator’s guide also provides additional information about how to use the SD-WAN plugin features in this release.

What’s New in SD-WAN Plugin 2.0.3

The SD-WAN plugin 2.0.3 release includes minor bug and performance fixes.

What’s New in SD-WAN Plugin 2.0.2

Key feature introduced with the SD-WAN plugin 2.0.2 release:
| New SD-WAN Feature | Description |
| --- | --- |
| Remove Private AS | (PAN-OS 10.0.3 and later PAN-OS 10.0 releases, and SD-WAN Plugin 2.0.2 and later 2.0 releases) When you use BGP routing between your SD-WAN firewall and your internal BGP autonomous system (AS), you can now control whether Auto VPN configuration enables or disables the Remove Private AS setting for all BGP peer groups on a branch or hub. The default setting is enabled; however, it is convenient to disable this setting so that private AS numbers can leave the SD-WAN private AS. |

What’s New in SD-WAN Plugin 2.0.1

Key features introduced with the SD-WAN plugin 2.0.1 release:
| New SD-WAN Feature | Description |
| --- | --- |
| Full Mesh VPN Cluster with DDNS Service | (PAN-OS 10.0.3 and later PAN-OS 10.0 releases, and SD-WAN Plugin 2.0.1 and later 2.0 releases) In addition to the hub-spoke topology, SD-WAN now supports a full mesh topology (with or without hubs) so that branches can communicate with each other directly. For branch or hub interfaces that receive their IP address from DHCP or PPPoE, a Dynamic DNS (DDNS) service detects the public-facing IP address of the firewall interface. |
| Auto-VPN Configuration with Branch Behind NAT | (PAN-OS 10.0.3 and later PAN-OS 10.0 releases, and SD-WAN Plugin 2.0.1 and later 2.0 releases) If you place your SD-WAN branch firewall behind a device performing NAT, you need a way to specify the IP address of the public-facing interface on that upstream device, which Auto VPN Configuration uses as the tunnel endpoint for the branch. When you add an SD-WAN branch to Panorama, you can now specify the IP address or FQDN of the upstream device performing NAT for the branch, or you can specify DDNS, which indicates that the IP address for the interface on the NAT device is obtained from the Palo Alto Networks DDNS service. Auto VPN uses the public IP address as the tunnel endpoint for the branch. |
| DIA AnyPath | (PAN-OS 10.0.3 and later PAN-OS 10.0 releases, and SD-WAN Plugin 2.0.1 and later 2.0 releases) You can now configure an SD-WAN direct internet access (DIA) link to fail over to another link that has a direct or indirect path (through a hub or branch) to the internet, and thus ensure business continuity. The DIA failover is no longer restricted to another DIA link. DIA AnyPath use cases include transitioning from an expensive MPLS link to one or more public internet connections, possibly from different vendors. You can do split tunneling per application, where specific applications initially use a DIA link but fail over to a hub link, or vice versa. |

What’s New in SD-WAN Plugin 2.0.0

Key features introduced with the SD-WAN plugin 2.0.0 release:
| New SD-WAN Feature | Description |
| --- | --- |
| SD-WAN Forward Error Correction | When the encoder endpoint of a VPN tunnel is a PAN-OS firewall that uses forward error correction (FEC), the receiving tunnel endpoint can recover lost packets before the link needs to fail over to a better path. Thus, FEC at the network level allows you to maintain a high-quality application experience in your SD-WAN. FEC is especially helpful for applications that are sensitive to packet loss, such as voice and video streaming. |
| SD-WAN Packet Duplication | When the encoder endpoint of a VPN tunnel is a PAN-OS firewall that uses packet duplication, and two such tunnels to the same destination exist, the source firewall sends the same packets for an SD-WAN flow over both tunnel links. The destination tunnel endpoint receives the first packet successfully and discards the duplicate packet. Packet duplication allows the receiving firewall to mitigate poor network conditions before the link needs to fail over to a better path, although packet duplication uses twice the bandwidth for every flow because it duplicates all packets. Packet duplication allows you to maintain a high-quality application experience in your SD-WAN. Packet duplication is especially helpful for applications that are sensitive to packet loss, high latency, or jitter, such as voice and video streaming. |
| SaaS Application Path Monitoring | SD-WAN plugin 2.0.0 now allows SD-WAN to accurately measure the health of SaaS and Cloud application paths to ensure reliability and user experience. When you have an SD-WAN firewall with a Direct Internet Access (DIA) link, SD-WAN can now fail over to a higher performance path based on accurate measurements of the path health quality. |
| SD-WAN Application and Link Performance Monitoring | SD-WAN monitoring and visibility now allow you to better understand the effectiveness of Forward Error Correction (FEC) and packet duplication for paths with degraded health metrics. |