Features Introduced in SD-WAN Plugin 3.3
New features for SD-WAN 3.3.
The SD-WAN Administrator’s Guide 3.2 & Later provides
information about how to use the SD-WAN plugin features in this release.
What’s New in SD-WAN Plugin 3.3.2
Key features introduced with the SD-WAN plugin 3.3.2 release:
New SD-WAN Feature | Description |
---|---|
Prisma Access Hub Support for SD-WAN enabled Cellular Interfaces (4G/5G) | SD-WAN Plugin 3.3.2 and later 3.3 releases provide Prisma Access hub support, in which 4G/5G capable PAN-OS firewalls connecting to Prisma Access compute nodes (CNs) achieve cloud-based security in an SD-WAN hub-and-spoke topology. In this topology, the SD-WAN hubs are Prisma Access CNs (IPSec Termination Nodes) and the SD-WAN branches are 4G/5G capable PAN-OS firewalls. A maximum of four hubs (any combination of PAN-OS hubs participating in DIA AnyPath and Prisma Access hubs) is supported. SD-WAN automatically creates IKE and IPSec tunnels that connect the branch to the hub. Review the system requirements for SD-WAN and Prisma Access. |
SD-WAN Plugin Improvements | Before SD-WAN plugin 3.3.2, the SD-WAN generated configurations (such as the IKE ID and tunnel names) used the active firewall's serial number. Therefore, whenever an HA failover occurred, the SD-WAN generated configurations were reset with the active firewall's serial number, which resulted in temporary tunnel flaps.<br><br>SD-WAN plugin 3.3.2 instead uses the lower serial number among the HA devices to generate the SD-WAN configurations, which removes these tunnel flaps. This improvement also introduces the following SD-WAN configuration changes: |
MongoDB HA Synchronization CLI Commands | We have introduced the following MongoDB-related HA peer synchronization commands that must be executed only on the active HA peer: |
What’s New in SD-WAN Plugin 3.3.1
Key features introduced with the SD-WAN plugin 3.3.1 release:
New SD-WAN Feature | Description |
---|---|
Add SD-WAN Capability to your Cellular Interfaces (4G/5G) | You can enable 5G capability on the 4G/5G capable firewalls with the interface called ‘cellular interface’. We have now introduced SD-WAN capability to the 5G cellular interface. The SD-WAN enabled 5G cellular interface supports automatic traffic steering based on the collected metrics within the qualified paths and links, including cellular and wireless WAN connections. With wireless WAN 5G connectivity, you can achieve a reliable connection on the 4G/5G capable firewalls. |
Multiple Virtual Routers Support on SD-WAN Branches | We have introduced support for multiple virtual routers on the SD-WAN branches so that you can have overlapping IP subnet addresses on both hub and branch devices. With this feature, you can have multiple logical routing domains with overlapping subnets.<br><br>You can now enable Multi-VR Support on the SD-WAN branch device to keep the traffic of different entities separate. You can configure up to 20 virtual routers on the SD-WAN branch. However, the number of virtual routers supported on the PAN-OS SD-WAN branch varies by platform. |
What’s New in SD-WAN Plugin 3.3.0
Key features introduced with the SD-WAN plugin 3.3.0 release:
New SD-WAN Feature | Description |
---|---|
Additional SD-WAN Hubs in VPN Cluster | The number of hubs you can configure in a VPN cluster has been increased from 4 to 16. Only four of the 16 hubs can have the same hub priority within a VPN cluster due to ECMP. |
Additional Private Link Types for SD-WAN Interface Profile | The number of private link types you can configure in an SD-WAN Interface Profile has been increased from 3 to 7. With PAN-OS 11.2.0, SD-WAN plugin 3.3.0 and later releases support the following private link types in addition to the existing private link types (MPLS, Satellite, Microwave/Radio):<br><br>We don't support plain text traffic from the SD-WAN branch firewall to the SD-WAN hub firewall for these new private link types. When you configure any of the new private link types, ensure that you have an SD-WAN policy rule on the hub that is configured only with a public link type. This is because internet-bound traffic that backhauls or fails over to the hub from the branch must match this SD-WAN policy rule. Otherwise, the traffic gets dropped, as these private links (Private Link1, Private Link2, Private Link3, and Private Link4) are part of the direct internet access (DIA) SD-WAN interface. |
Monitor Bandwidth on SD-WAN Devices | For a VPN cluster, you can now view the bandwidth of a tunnel and a physical interface (in addition to the existing jitter, latency, and packet loss performance measures) for a selected site by default. No configuration is required from the user to view the bandwidth of a tunnel. |
Multiple Virtual Routers Support on SD-WAN Hubs | SD-WAN hubs now support multiple virtual routers, which enables you to have overlapping IP subnet addresses on branch devices connecting to the same SD-WAN hub. Multiple virtual routers can run multiple instances of routing protocols with a neighboring router, with overlapping address spaces configured on different virtual router instances. Multiple virtual router deployments provide the flexibility to maintain multiple virtual routers, which are segregated for each virtual router instance. |