Features Introduced in SD-WAN Plugin 3.2
New features for SD-WAN 3.2.
The SD-WAN Administrator’s Guide 3.2 provides information about
how to use the SD-WAN plugin features in this release.
What’s New in SD-WAN Plugin 3.2.2
Key features introduced with the SD-WAN plugin 3.2.2 release:
New SD-WAN Feature | Description |
---|---|
Monitor Bandwidth on SD-WAN Devices | For a VPN cluster, you can now view the bandwidth of a tunnel and a physical interface (in addition to the existing jitter, latency, and packet loss performance measures) for a selected site by default. No configuration is required from the user to view the bandwidth of a tunnel. |
SD-WAN Plugin Improvements | Before SD-WAN plugin 3.2.2, the SD-WAN generated configurations (such as the IKE ID and tunnel names) used the active firewall's serial number. Therefore, whenever an HA failover occurred, the SD-WAN generated configurations were reset with the active firewall's serial number, which resulted in temporary tunnel flaps.<br>We have improved SD-WAN plugin 3.2.2 by using the lower serial number among the HA devices to generate the SD-WAN configurations, which removes the tunnel flaps. This improvement also introduces the following SD-WAN configuration changes: |
What’s New in SD-WAN Plugin 3.2.1
Key features introduced with the SD-WAN plugin 3.2.1 release:
New SD-WAN Feature | Description |
---|---|
Additional SD-WAN Hubs in VPN Cluster | The number of hubs that you can configure in a VPN cluster has been increased from 4 to 16. Do not configure the same priority for more than four SD-WAN hubs in a VPN cluster. |
Additional Private Link Types for SD-WAN Interface Profile | The number of private link types that you can configure in an SD-WAN Interface Profile has been increased from 3 to 7.<br>With PAN-OS 11.1.3 and later releases, SD-WAN plugin 3.2.1 and later releases support the following private link types in addition to the existing private link types (MPLS, Satellite, Microwave/Radio):<br>We don't support plain text traffic from the SD-WAN branch firewall to the SD-WAN hub firewall for these new private link types. When you configure any of the new private link types, ensure that you have an SD-WAN policy rule on the hub that is configured only with the public link type, because internet-bound traffic that backhauls or fails over to the hub from the branch must match this SD-WAN policy rule. Otherwise, the traffic is dropped, as these private links (Private Link1, Private Link2, Private Link3, and Private Link4) are part of the direct internet access (DIA) SD-WAN interface. |
Multiple Virtual Routers Support on SD-WAN Hubs | Supports multiple virtual routers on the SD-WAN hubs, which enables you to have overlapping IP subnet addresses on branch devices connecting to the same SD-WAN hub. Multiple virtual routers can run multiple instances of routing protocols with a neighboring router, with overlapping address spaces configured on different virtual router instances. Multiple virtual router deployments provide the flexibility to maintain multiple virtual routers, which are segregated for each virtual router instance. |
What’s New in SD-WAN Plugin 3.2.0
Key features introduced with the SD-WAN plugin 3.2.0 release:
New SD-WAN Feature | Description |
---|---|
IKEv2 Certificate Authentication Support for Stronger Authentication | The SD-WAN plugin now supports the certificate authentication type in addition to the default preshared key type for user environments that have strong security requirements. We support the IKEv2 certificate authentication type on all SD-WAN supported hardware and software devices. |
Public Cloud SD-WAN High Availability (HA) | You can now reduce complexity and increase resiliency by adding HA to your SD-WAN for next-generation firewall public cloud deployments. Configure up to four IP addresses per SD-WAN interface, allowing you to deploy SD-WAN on public clouds to achieve failover in HA active/passive configurations. Minimize downtime and ensure session survivability using active/passive HA failover in public cloud SD-WAN environments. |
SD-WAN IPv6 Support | SD-WAN supports IPv6 interfaces, beginning with SD-WAN plugin 3.2.0. You have the flexibility to onboard branch locations in a hybrid IPv4/IPv6 environment or a full IPv6 environment. SD-WAN IPv6 support uses intelligent application path steering technology to provide application reliability and SLAs for IPv6 environments. SD-WAN IPv6 support includes the following changes:<br>SD-WAN supports dual stack in the event that one ISP provides you with only an IPv4 address and another ISP provides you with only an IPv6 address. You will create separate virtual SD-WAN interfaces. An IPv4 DIA virtual interface will have Ethernet with an IPv4 address, while an IPv6 DIA virtual interface will have Ethernet with an IPv6 address.<br>If a DIA link between a branch and a hub has only IPv6 addresses on the interfaces at each end, the tunnel is created using IPv6 addresses. If the branch and hub have IPv4 addresses on the interfaces, the tunnel is created using IPv4 addresses. If the branch and hub use both IPv4 and IPv6 addresses on the interfaces, the tunnel is created using IPv4 addresses only (IPv4 addresses are preferred). If there is a mismatch of address family identifiers (AFI) between the hub and branch, no tunnel configuration is generated for that pair of interfaces.<br>Similarly, a VPN address pool can have both IPv4 and IPv6 addresses configured, in which case IPv4 addresses are preferred for the tunnel interface and tunnel monitoring. If the IPv4 addresses in the VPN address pool are exhausted, then IPv6 addresses are used for the tunnel interface and tunnel monitoring.<br>You can also have independent IPv4 VPN address pools that contain IPv4 addresses and IPv6 VPN address pools that contain IPv6 addresses. |
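
The tunnel address-family and VPN address pool rules in the SD-WAN IPv6 Support row, modelled as an added example (not the plugin's own code) that reports which branch/hub interface pairs get no tunnel and which tunnels spill over to IPv6 pool addresses. Assumptions: the function names, the `"unspecified"` result for combinations the text does not describe, one pool address per tunnel, and all addresses, which are constructed from documentation ranges.

```python
import ipaddress
from itertools import chain

def tunnel_afi(branch_addrs, hub_addrs):
    """Tunnel address family (4 or 6) for one branch/hub interface pair.
    None means AFI mismatch (no tunnel configuration is generated);
    "unspecified" marks combinations the release note does not describe."""
    b = {ipaddress.ip_interface(a).version for a in branch_addrs}
    h = {ipaddress.ip_interface(a).version for a in hub_addrs}
    if 4 in b and 4 in h:
        return 4                 # IPv4 is preferred when both ends have it
    if b == {6} and h == {6}:
        return 6                 # IPv6-only at each end
    if not (b & h):
        return None              # no shared address family
    return "unspecified"         # e.g. dual-stack branch, IPv6-only hub

def pool_addresses(pool):
    """Yield addresses from a mixed VPN address pool: IPv4 first, then IPv6."""
    nets = [ipaddress.ip_network(p) for p in pool]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    for net in chain(v4, v6):
        yield from net.hosts()

def plan(pairs, pool):
    """Return (pair name, tunnel AFI, pool address) for every interface pair."""
    alloc = pool_addresses(pool)
    rows = []
    for name, branch, hub in pairs:
        afi = tunnel_afi(branch, hub)
        # Assumption: one pool address per generated tunnel.
        addr = next(alloc, None) if afi in (4, 6) else None
        rows.append((name, afi, str(addr) if addr else None))
    return rows

# Constructed sample data (documentation address ranges).
HUB_V4, HUB_V6 = "203.0.113.1/24", "2001:db8:ff::1/64"
PAIRS = [
    ("branch1-isp1", ["198.51.100.2/30"], [HUB_V4]),
    ("branch1-isp2", ["2001:db8:1::2/64"], [HUB_V6]),
    ("branch2-isp1", ["198.51.100.6/30", "2001:db8:2::2/64"], [HUB_V4, HUB_V6]),
    ("branch3-isp1", ["2001:db8:3::2/64"], [HUB_V4]),
]
POOL = ["2001:db8:aa::/126", "10.255.0.0/30"]

if __name__ == "__main__":
    for row in plan(PAIRS, POOL):
        print(row)
```

A row with a tunnel AFI of `None` is a pair that will silently have no tunnel, and a row whose pool address is IPv6 is one where tunnel monitoring and any address-based rules written only for the IPv4 pool no longer apply.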