Prisma SD-WAN
Features Introduced in Prisma SD-WAN ION Release 6.3
Learn about the features introduced in Prisma SD-WAN ION Release
6.3.
- Enhancements in Prisma SD-WAN Release 6.3.6
- Features Introduced in Prisma SD-WAN Release 6.3.2
- Features Introduced in Prisma SD-WAN Release 6.3.1
Enhancements in Prisma SD-WAN Release 6.3.6
Learn about the enhancements available in the following features in Prisma SD-WAN Release 6.3.6.
Flow Acceptance Profile
Prisma SD-WAN ION devices have a limited ability to
measure and throttle the number of flows per user/source. When a Flow Acceptance
Profile (FAP) key's flow count exceeds a pre-defined threshold, the FLOW LIMIT PER SOURCE EXCEEDED
incident is generated. The incident is specific to the source IP and VNI
(Virtual Network Identifier) associated with the key.
Application Probe
Prisma SD-WAN has supported dynamic probing for TCP
applications when it detected 3-way handshake failures. The ION device generates
these dynamic probes to verify whether a destination service is up or down on
that path. If verified as down, the ION device avoids sending additional user
requests for the service on the specific path, while continuing to generate
synthetic probes to detect any change in service reachability.
- A new command, `dump app-probe history all`, is added to display the last 1000 app-map entries received by the flow collector (FC), providing historical data.
- The `dump app-probe flow count` command is enhanced to show the total number of app-map entries in the flow collector at a specified time.
- The `dump app-probe status` command is enhanced to display the dropped_app_probes count and the total number of entries in the app_path_sla/* path.
- The `inspect flow details` command is enhanced to include a new field to indicate whether a flow is an app-probe flow.
SpeedTest
The speedtest-cli utility was accessible only via the support shell,
limiting its use to a small number of technical users. This update enables all
standard CLI users to measure and troubleshoot network bandwidth and performance
easily.
- `debug speedtest interface`: This command initiates a speed test to measure bandwidth.
- `dump speedtest status`: This command displays the status of the most recent speed test.
Performance Improvements
- Stability and reliability of Prisma SD-WAN ION software versions are enhanced in this release.
- Enhanced memory management for fragmented memory allocation in datapath.
Features Introduced in Prisma SD-WAN Release 6.3.2
Learn about the new features and enhancements for Prisma SD-WAN Release 6.3.2.
Site Templates
Prisma SD-WAN supports bulk site configuration through site templates
that you tailor to your deployment requirements, so that you can
efficiently deploy branches and data centers at scale. A site template is
a predefined blueprint containing a list of variables that encompasses all
the necessary configurations for creating fully operational sites and
devices. You can deploy multiple sites using an existing template,
edit an existing one, or create a new template to deploy sites.
Here's the workflow for creating site templates.


Site Templates are supported on Prisma SD-WAN
Controller version 6.3.2 and above and ION device software 5.6 and
above.
Device Prestaging
You can pre-provision sites before an ION device is available to
accelerate the deployment. The device shell allows you to create elements,
visualize the network, and do simple configurations. If you don't have a
physical device at the time of deployment, a virtual configuration (a device
shell) is created and associated with a site; it can later be assigned to a
device.

DNS Reachability
Prisma SD-WAN has supported dynamic probing for TCP
applications when it detected 3-way handshake failures. The ION device generates
these dynamic probes to verify whether a destination service is up or down on
that path. If verified as down, the ION device avoids sending additional user
requests for the service on the specific path, while continuing to generate
synthetic probes to detect any change in service reachability.
Starting with Release 6.3.2, Prisma SD-WAN supports this
functionality for UDP DNS traffic as well, along with DNS health visibility.
Event Optimization
The following deprecated incident codes will no longer be emitted by the
controller:
- APPLICATION_APP_UNREACHABLE
- NETWORK_VPNBFD_DOWN
Disable Tunnel Reoptimization
Prisma SD-WAN will periodically check the latency by
default when multiple IP addresses or hosts are provided as part of the standard
VPN endpoint. If a destination has better latency, it forces a tunnel change
(config_change) to reoptimize the connection. As part of Release 6.3.2, users
now have the option to disable tunnel reoptimization. In this case, the tunnel
destination will change only if there is a failure.

Features Introduced in Prisma SD-WAN Release 6.3.1
Learn about the new features and enhancements for Prisma SD-WAN Release 6.3.1.
Virtual Routing Forwarding for WAN Segmentation
Prisma SD-WAN supports Virtual Routing and Forwarding (VRFs) for WAN segmentation of
application traffic. Network segmentation isolates application traffic
between different business units of the same customer, or between
customers who share the same WAN infrastructure, by carrying the segment
identifier over the WAN overlay.
WAN Segments are first defined in global VRF profiles. These VRF profiles are
then bound to sites. After that, interfaces are configured with the appropriate
VRF. When traffic enters the interface, it only considers destinations with the
same VRF locally or across the fabric. If the traffic is destined to go across
the fabric, it gets automatically encapsulated with a unique identifier specific
to that VRF. Once the traffic reaches the remote ION, it can egress onto the VRF
that is appropriately configured.
Performance Policy
Measuring application performance and delivering app SLAs is a core
component of Prisma SD-WAN. Performance Policy builds upon the
existing App SLA configuration to deliver a policy framework for the
measurement, enforcement, and alerting for application SLAs.
Performance Policy utilizes link quality metrics such as Latency, Loss,
and Jitter as well as application performance metrics such as Application RTT
and Init failure % as SLA metrics. If the SLA metrics are violated, the system
takes action to ensure that the SLA is enforced, including moving flows to a
compliant path (if available) and invoking line conditioning such as Forward
Error Correction (FEC) to ensure the SLA is met. Optionally, an incident can be
generated for critical applications when an SLA is violated. Although default
policies work well for most environments, policies can be granularly tuned per
application, path type, DC group, and circuit category to align to the
performance needs of the business.
FEC is available as a preview feature in 6.3.1 for
testing purposes.
SNMP-based Discovery for IoT
Prisma SD-WAN supports the discovery of devices that are not
directly connected to the Prisma SD-WAN branch ION devices by
using SNMP (Simple Network Management Protocol) to discover IoT devices within a
branch network.
The system uses LLDP (Link Layer Discovery Protocol) to identify
neighboring networking devices in a branch ION, launching an SNMP MIB to gather
IP address and MAC address entries. SNMP discovery involves querying LLDP
information for IP and MAC address bindings, retrieving data from neighboring
devices one by one until it discovers all the IoT devices. The ION device
transmits these discovered bindings, alongside VLAN, subnet details, and so on,
as Enhanced Application logs (EAL) to Cortex Data Lake (CDL). IoT Security uses
this information to enhance visibility in its portal by identifying the
devices.
Incident Dampening
You can now suppress incidents for a selected period of time using
Incident Policies. With incident policy rules, you can specify the
dampening interval during which the system suppresses events generated
by resources.
Layer 2 Switching Capabilities in ION 3200
Prisma SD-WAN supports the ION 3200 with a Layer 2 switch. The
Layer 2 switch ports let you connect multiple devices directly on the L2 LAN
or add downstream switches or Wireless Access Points (WAPs).

Used-for-HA Capability on Layer 3 Interfaces
Generation One ION devices use the control port to exchange HA
heartbeat and manage the controller traffic between the active and the standby
device. With the introduction of used-for-HA (referred to as
Used-for-Control in earlier releases) as a port type,
the NextGen ION devices such as the ION 1200-S, ION 3200, ION 5200, and ION 9200 do
not need a dedicated controller port for the management services. The
used-for-HA interface allows you to exchange HA
heartbeat and connect the standby device to the controller through the active
ION device. You can use the control interface to send management traffic like
App Probe, NTP, SNMP, RADIUS, and IPFIX.
Support for the used-for-HA capability is extended
to the main interface on all routed ports. This capability was available on SVI
and sub-interfaces in the previous release. Used-for-HA is supported on all the
ION devices.
IPv6 BGP Support
Prisma SD-WAN now supports IPv6 for BGP.
