Features Introduced in SD-WAN Plugin 3.3

New features for SD-WAN 3.3.
The SD-WAN Administrator’s Guide 3.2 & Later provides information about how to use the SD-WAN plugin features in this release.

What’s New in SD-WAN Plugin 3.3.2

Key features introduced with the SD-WAN plugin 3.3.2 release:
New SD-WAN Feature | Description
Prisma Access Hub Support for SD-WAN enabled Cellular Interfaces (4G/5G)
SD-WAN Plugin 3.3.2 and later 3.3 releases provide Prisma Access hub support, in which 4G/5G capable PAN-OS firewalls connecting to Prisma Access compute nodes (CNs) achieve cloud-based security in an SD-WAN hub-and-spoke topology. In this topology, the SD-WAN hubs are Prisma Access CNs (IPSec Termination Nodes) and the SD-WAN branches are 4G/5G capable PAN-OS firewalls. A maximum of four hubs (any combination of PAN-OS hubs participating in DIA AnyPath and Prisma Access hubs) is supported. SD-WAN automatically creates the IKE and IPSec tunnels that connect the branch to the hub. Review the system requirements for SD-WAN and Prisma Access.
SD-WAN Plugin Improvements
Before SD-WAN plugin 3.3.2, the SD-WAN generated configurations (such as the IKE ID and tunnel names) used the active firewall's serial number. Therefore, whenever an HA failover occurred, the SD-WAN generated configurations were reset with the active firewall's serial number, which resulted in temporary tunnel flaps.
SD-WAN plugin 3.3.2 instead uses the lower serial number of the HA devices to generate the SD-WAN configurations, which removes the tunnel flaps. This improvement also introduces the following SD-WAN configuration changes:
  • The IKE key ID is formed with the lower serial number between the HA devices.
  • The SD-WAN generated configurations, such as the route table entry in the virtual router, tunnel name, IKE gateway name, BGP import rule name, routing profile, BGP peer, and BGP filtering profile, will be reset.
  • Tunnel names and the corresponding IP addresses change, because the tunnel names are created from the lower serial number of the two HA devices.
MongoDB HA Synchronization CLI Commands
We have introduced the following MongoDB related HA peer synchronization commands, which must be executed only on the active HA peer:
  • debug plugins sd_wan mongo-db sync-db-to-peer: Use this command to synchronize the SD-WAN MongoDB database from the active HA peer to the passive HA peer. You must execute this command in the following cases:
    We recommend that you check the status of the operation log by executing the debug plugins sd_wan mongo-db sync-status command before executing the debug plugins sd_wan mongo-db sync-db-to-peer command, because the SD-WAN MongoDB operation log synchronization must be successful before you synchronize the HA peers.
  • debug plugins sd_wan mongo-db sync-status: Use this command to check the synchronization status of the operation log (oplog). This command only checks the operation logs.

What’s New in SD-WAN Plugin 3.3.1

Key features introduced with the SD-WAN plugin 3.3.1 release:
New SD-WAN Feature | Description
Add SD-WAN Capability to your Cellular Interfaces (4G/5G)
You can enable 5G capability on 4G/5G capable firewalls through the interface called ‘cellular interface’. We have now introduced SD-WAN capability to the 5G cellular interface. The SD-WAN enabled 5G cellular interface supports automatic traffic steering based on the metrics collected within the qualified paths and links, including cellular and wireless WAN connections. With wireless WAN 5G connectivity, you can achieve a reliable connection on 4G/5G capable firewalls.
Multiple Virtual Routers Support on SD-WAN Branches
We have introduced support for multiple virtual routers on the SD-WAN branches to have overlapping IP subnet addresses on both hub and branch devices. With this feature, you can have multiple logical routing domains with overlapping subnets.
You can now enable Multi-VR Support on the SD-WAN branch device to keep the traffic of different entities separate. You can configure up to 20 virtual routers on the SD-WAN branch. However, the number of virtual routers supported on the PAN-OS SD-WAN branch varies by platform.

What’s New in SD-WAN Plugin 3.3.0

Key features introduced with the SD-WAN plugin 3.3.0 release:
New SD-WAN Feature | Description
Additional SD-WAN Hubs in VPN Cluster
The number of hubs to configure in a VPN cluster has been increased from 4 to 16. Only four of the 16 hubs can have the same hub priority within a VPN cluster due to ECMP.
Additional Private Link Types for SD-WAN Interface Profile
The number of private link types to configure in an SD-WAN Interface Profile has been increased from 3 to 7.
With PAN-OS 11.2.0, SD-WAN plugin 3.3.0 and later releases support the following private link types in addition to the existing private link types (MPLS, Satellite, Microwave/Radio):
  • Private Link1
  • Private Link2
  • Private Link3
  • Private Link4
We don't support plain text traffic from the SD-WAN branch firewall to the SD-WAN hub firewall for these new private link types. When you configure any of the new private link types, ensure that you have an SD-WAN policy rule on the hub that is configured only with the public link type, because internet-bound traffic that backhauls or fails over to the hub from the branch must match this SD-WAN policy rule. Otherwise, the traffic is dropped, because these private links (Private Link1, Private Link2, Private Link3, and Private Link4) are part of the direct internet access (DIA) SD-WAN interface.
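The hub-count, hub-priority and private-link-type constraints above can be checked against a planned design before it is pushed. The following Python lint is an added example, not Palo Alto Networks code or a PAN-OS/Panorama format: the dictionary layout, the name lint_cluster and the sample values are assumptions, and any link type this page does not name as private is treated as public.

```python
# Added example: lint a planned VPN cluster against limits stated for plugin 3.3.0.
# The dict layout and sample values are constructed, not a PAN-OS/Panorama format.
from collections import Counter

MAX_HUBS = 16                 # hubs per VPN cluster
MAX_SAME_PRIORITY = 4         # hubs sharing one priority (ECMP limit)
NEW_PRIVATE = {"Private Link1", "Private Link2", "Private Link3", "Private Link4"}
PRIVATE = NEW_PRIVATE | {"MPLS", "Satellite", "Microwave/Radio"}


def lint_cluster(cluster):
    """Return a list of human-readable findings; empty means no violations."""
    findings = []
    hubs = cluster["hubs"]
    if len(hubs) > MAX_HUBS:
        findings.append(f"{len(hubs)} hubs configured; limit is {MAX_HUBS}")
    for prio, count in sorted(Counter(h["priority"] for h in hubs).items()):
        if count > MAX_SAME_PRIORITY:
            findings.append(f"{count} hubs share priority {prio}; limit is {MAX_SAME_PRIORITY}")
    # Which new private link types do the branch interface profiles use?
    used_new = sorted({lt for b in cluster["branches"] for lt in b["link_types"]} & NEW_PRIVATE)
    if used_new:
        for hub in hubs:
            # A qualifying rule lists at least one link type and none of them private.
            ok = any(r["link_types"] and not (set(r["link_types"]) & PRIVATE)
                     for r in hub["sdwan_rules"])
            if not ok:
                findings.append(f"hub {hub['name']}: no SD-WAN rule limited to public link "
                                f"types while branches use {', '.join(used_new)}")
    return findings


# Constructed sample: five hubs at priority 1, and hub5 lacks a public-only rule.
SAMPLE = {
    "hubs": [{"name": f"hub{i}", "priority": 1,
              "sdwan_rules": [{"name": "dia", "link_types": ["Ethernet", "Fiber"]}]}
             for i in range(1, 5)]
            + [{"name": "hub5", "priority": 1,
                "sdwan_rules": [{"name": "mixed", "link_types": ["Ethernet", "Private Link1"]}]}],
    "branches": [{"name": "branch1", "link_types": ["Ethernet", "Private Link1"]}],
}

if __name__ == "__main__":
    for finding in lint_cluster(SAMPLE):
        print(finding)
```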
Monitor Bandwidth on SD-WAN Devices
For a VPN cluster, you will now be able to view the bandwidth of a tunnel and a physical interface (in addition to existing jitter, latency, and packet loss performance measures) for a selected site by default. There is no configuration required from the user to view the bandwidth of a tunnel.
Multiple Virtual Routers Support on SD-WAN Hubs
SD-WAN now supports multiple virtual routers on the SD-WAN hubs, which enables you to have overlapping IP subnet addresses on branch devices connecting to the same SD-WAN hub. Multiple virtual routers can run multiple instances of routing protocols with a neighboring router, with overlapping address spaces configured on different virtual router instances. Multiple virtual router deployments provide the flexibility to maintain multiple virtual routers, which are segregated for each virtual router instance.