| NAT Policy Configuration | Prisma SD-WAN introduces NAT policy configuration
through the portal, enabling translation of public and private IP
addresses to ensure privacy of internal networks connected to public
or private networks, including reuse of the same IP address or mapping
of multiple IP addresses to a single IP address. By default, Prisma SD-WAN
provides an out-of-the-box configuration that automatically performs Source
NAT for traffic that is destined directly to public internet interfaces.
In scenarios where more specific configuration is required, Prisma
SD-WAN enables granular NAT control for a variety of use cases.
NAT policies apply only to branch ION devices. They are configured
through NAT policy sets that are attached to sites and contain NAT
policy rules and actions. Prior to configuring NAT, review the migration
considerations included in the NAT Policy Guide. Device Software Version
Required: 5.2.1 and later |
| Virtual Interface for Enhanced Redundancy | Prisma SD-WAN enables the creation of a virtual
interface by combining two controller ports or two non-controller
ports for port and cable-level redundancy. If a port malfunctions,
the interface will continue to be accessible through the redundant
port. Note that a virtual interface cannot be created by combining
a controller and a non-controller port. A virtual interface cannot
be created on an interface that is a sub-interface, is part of a
virtual interface such as a bypass pair, contains PPPoE or static
or dynamic IP configuration, or has the option Use this Port For
configured for internet, private WAN, or LAN. Both the Use this Port
For and Circuit Label fields should be left empty for the interface
to be eligible for configuration as a virtual member interface. Device
Software Version Required: 5.2.1 and later |
| VPN-to-VPN Traffic | Prisma SD-WAN enables the forcing of VPN-to-VPN
traffic to the local next hop in the Data Center. When configuring
a data center device, toggle the option Force VPN-to-VPN Traffic
to Local Next Hop to Yes to force traffic from one branch site to another
to the local next hop within a data center site. By default, the
option Force VPN-to-VPN Traffic to Local Next Hop is toggled to
No. Device Software Version Required: 5.2.1 and later |
| Branch-Site LAN BGP Routing | LAN-side routing can now be enabled on a branch
site. The branch ION device, in conjunction with the L3 device,
participates in routing as follows:
- Learns the prefixes behind the L3 device and forwards traffic to those prefixes.
- Advertises BGP-learned prefixes from the WAN side (e.g. MPLS PE) or a default route to the LAN L3 device.
- Advertises prefixes learned from the L3 device to other branches and data centers.
Device Software Version Required: 5.2.1 and later |
| Enhanced Filtering in Activity Charts | Prisma SD-WAN provides improved capability
to search application definitions by name or domain, port number,
L3 or L4 protocols, prefix filters, or transfer types. With improved
search capability, it is now possible to find applications of interest with
ease. For example: Filter all applications that match port 80. This
helps with locating and managing applications. In addition, it can
be used to confirm if any application definitions are being referenced
explicitly in a policy set and if the policy sets are used at a
site. |
| DHCP Option 60 | Prisma SD-WAN supports Vendor Class Identifier
(VCI) or option 60 for a DHCP Server. A DHCP client sends an option
code 60 (VCI) in its communication with the DHCP server. On receiving
option 60 or VCI, the DHCP server matches the received VCI with
a VCI from its own table. It then returns a value corresponding
to the VCI to the DHCP client. Option 60 or VCI can be configured
by selecting Vendor Class ID under Custom Options. For Vendor Class
ID, enter a VCI value. Enter definition and corresponding values
for Definition and Value fields. The table shows the data types supported
for definitions and values. Device Software Version Required:
5.2.1 and later |
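The option 60 exchange described above, as an added example that is not part of the release notes or of Prisma SD-WAN's own code: a parser for the TLV-encoded DHCP options field that extracts the Vendor Class Identifier and resolves it against a server-side VCI table. The VCI strings and the definition/value pairs in `VCI_TABLE`, the `encode_options`/`parse_options`/`resolve_vci` names, and the sample request are all constructed for this example.

```python
# Added example (not from the Prisma SD-WAN release notes): parse the options
# field of a DHCP message, pull out option 60 (Vendor Class Identifier, RFC 2132)
# and resolve it against a server-side VCI table the way the note describes.
# The VCI strings and the definition/value pairs in VCI_TABLE are constructed
# sample data, not values from the page.
from typing import Dict, Optional

OPTION_PAD = 0
OPTION_MSG_TYPE = 53
OPTION_VCI = 60
OPTION_END = 255

# Constructed VCI table: what the server hands back when a client's option 60
# matches an entry. Keys are the raw VCI bytes the client sends.
VCI_TABLE: Dict[bytes, Dict[str, str]] = {
    b"MSFT 5.0": {"definition": "tftp-server-name", "value": "10.0.0.5"},
    b"udhcp 1.36": {"definition": "bootfile-name", "value": "boot.img"},
}


def encode_options(options: Dict[int, bytes]) -> bytes:
    """Serialise {code: data} into the TLV layout of a DHCP options field,
    terminated with END. Used here only to build the sample request."""
    out = bytearray()
    for code, data in options.items():
        if not 0 < code < 255 or len(data) > 255:
            raise ValueError(f"cannot encode option {code}")
        out += bytes([code, len(data)]) + data
    out.append(OPTION_END)
    return bytes(out)


def parse_options(raw: bytes) -> Dict[int, bytes]:
    """Parse a DHCP options field into {code: data}.

    PAD (0) is a single byte with no length, END (255) stops parsing, and a
    declared length that runs past the buffer is rejected instead of being
    silently truncated, so a malformed client packet cannot yield a
    half-read VCI that happens to match a table entry."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option {code}: missing length byte")
        length = raw[i + 1]
        data = raw[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code}: declared {length} bytes, only {len(data)} present")
        opts[code] = data
        i += 2 + length
    return opts


def resolve_vci(raw_options: bytes) -> Optional[Dict[str, str]]:
    """Server side of the exchange in the note: extract option 60 from the
    client's options and return the matching definition/value, or None when
    the client sent no VCI or sent one the table does not know."""
    vci = parse_options(raw_options).get(OPTION_VCI)
    if vci is None:
        return None
    return VCI_TABLE.get(vci)


# Constructed DHCPDISCOVER options: message type 1 plus a Windows-style VCI.
SAMPLE_REQUEST = encode_options({OPTION_MSG_TYPE: b"\x01", OPTION_VCI: b"MSFT 5.0"})

if __name__ == "__main__":
    print(parse_options(SAMPLE_REQUEST))
    print(resolve_vci(SAMPLE_REQUEST))
```

The lookup is an exact byte match on the VCI, which is the behaviour the note describes (the server "matches the received VCI with a VCI from its own table"); a client that sends no option 60, or an unknown one, simply gets no vendor-specific value rather than a default entry.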
| Path of Last Resort Option per Path Policy Rule | If all active and backup paths are down, the
L3 failure path, if configured, will be used as a path of last resort.
- L3 Failure paths can include any path type.
- The L3 Failure Path will not be considered if at least one active or one backup path is available.
- A backup path is not required to be configured in order to use an L3 Failure Path.
L3 Failure Path is only available in Stacked Policies. Device Software Version Required: 5.2.1 and later |
| Custom Application Definition Options | Prisma SD-WAN introduces additional Custom
Application definition options that include the ability to configure
source-based prefix filters for TCP applications and the ability
to flag an application as a network scan application.
- Prefix Filters for TCP Applications – Prefix filters with their respective ports are required for a custom application. Include a mandatory server port number, an optional DSCP value between 0 and 63, and an optional server prefix filter.
- Network Scan App – Network Scan App is a categorization or attribute for applications, used to track and eliminate flows from a path to make room for new incoming flows if and when concurrent flow thresholds are reached. When this attribute is flagged on an existing custom application, it applies only to new flows that hit the application definition after the configuration change. Existing flows hitting the custom application definition do not inherit the configuration.
Device Software Version Required: 5.2.1 and later |
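A model of the two definition options above, added here as an example and not taken from the release notes or from Prisma SD-WAN: the mandatory server port, optional DSCP (validated to 0..63) and optional server prefix of a TCP prefix filter, the matching that classifies a flow against those filters, and the network-scan attribute used to choose flows to eliminate when a concurrent-flow threshold is reached. The `TcpPrefixFilter`, `CustomApp`, `Flow`, `classify` and `flows_to_evict` names, the app definitions and the flows are constructed for this example.

```python
# Added example (not from the Prisma SD-WAN release notes): a model of the
# custom application definition fields the note describes, the server-port /
# DSCP / prefix matching that classifies a TCP flow against them, and the
# network-scan attribute used to pick flows to evict when a concurrent-flow
# threshold is hit. Class and function names, app definitions and flows are
# constructed for the example and are not Prisma SD-WAN identifiers.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class TcpPrefixFilter:
    server_port: int                     # mandatory
    dscp: Optional[int] = None           # optional, 0..63 (6-bit DS field)
    server_prefix: Optional[str] = None  # optional, e.g. "10.20.0.0/16"

    def __post_init__(self) -> None:
        if not 1 <= self.server_port <= 65535:
            raise ValueError(f"server port {self.server_port} out of range")
        if self.dscp is not None and not 0 <= self.dscp <= 63:
            raise ValueError(f"DSCP {self.dscp} must be between 0 and 63")
        if self.server_prefix is not None:
            ip_network(self.server_prefix)  # raises on a malformed prefix

    def matches(self, flow: "Flow") -> bool:
        """Every configured field must agree; unset optional fields match anything."""
        if flow.server_port != self.server_port:
            return False
        if self.dscp is not None and flow.dscp != self.dscp:
            return False
        if self.server_prefix is not None and ip_address(flow.server_ip) not in ip_network(self.server_prefix):
            return False
        return True


@dataclass(frozen=True)
class CustomApp:
    name: str
    filters: Tuple[TcpPrefixFilter, ...]
    network_scan_app: bool = False

    def __post_init__(self) -> None:
        if not self.filters:
            raise ValueError(f"{self.name}: at least one prefix filter is required")


@dataclass
class Flow:
    server_ip: str
    server_port: int
    dscp: int = 0
    app: Optional[str] = None
    scan: bool = False   # copied from the app at classification time, never updated


def classify(flow: Flow, apps: Sequence[CustomApp]) -> Flow:
    """Assign the first app whose filter matches. The scan attribute is
    snapshotted onto the flow here, which is why re-flagging an app later
    affects only flows classified after the change."""
    for app in apps:
        if any(f.matches(flow) for f in app.filters):
            flow.app, flow.scan = app.name, app.network_scan_app
            break
    return flow


def flows_to_evict(active: Sequence[Flow], threshold: int, incoming: int) -> List[Flow]:
    """When active plus incoming flows would exceed the threshold, return the
    flows that were marked network-scan at classification time, oldest first
    (list order), but no more than are needed to make room."""
    excess = len(active) + incoming - threshold
    if excess <= 0:
        return []
    return [f for f in active if f.scan][:excess]


# Constructed definitions: an ERP app pinned to a port, DSCP and server range,
# and an internal inventory scanner flagged as a network scan app.
APPS = [
    CustomApp("erp-tcp", (TcpPrefixFilter(8443, dscp=26, server_prefix="10.20.0.0/16"),)),
    CustomApp("inventory-scan", (TcpPrefixFilter(22, server_prefix="10.30.0.0/24"),),
              network_scan_app=True),
]

if __name__ == "__main__":
    print(classify(Flow("10.20.5.9", 8443, dscp=26), APPS))
    print(classify(Flow("10.30.0.7", 22), APPS))
```

Because `classify` copies `network_scan_app` onto the flow once, toggling the flag on an existing definition leaves already-classified flows untouched, which is the behaviour the note calls out; only flows that hit the definition afterwards carry the new value.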
| Device Toolkit Access through the Portal | Prisma SD-WAN now enables remote access to
the device toolkit from the Prisma SD-WAN portal. Note that the
ION device must be claimed and online in order to access the device
toolkit. In addition, only users with Root, Administrator, Super, Network
Administrator, Security Administrator, or View Only permissions
can access the Device Toolkit. Through or ,
navigate to the device configuration screen to select remote access
to the Device Toolkit. |
| Enhancements in Application Definitions | Administrators now have the ability
to optionally disable Unreachability Detection per application.
Prior to Release 5.2.1, all TCP applications used application Unreachability
Detection. Flows for all TCP applications, except HTTP, SSL,
Prisma SD-WAN-Control, Prisma SD-WAN-LQM, Prisma SD-WAN-PCM, and Prisma
SD-WAN-Probe, are eligible for application Unreachability Detection.
Application Unreachability Detection can be turned On or Off for
applications on the Prisma SD-WAN portal. Application reachability
is used to determine whether a given application is reachable on a given
path. This information is useful when making path selection decisions.
If an application is deemed unreachable on a given path, that
path will not be used. If all paths are marked unreachable, the
primary path will always be selected.
- Prisma SD-WAN introduces the ‘Use Parent App Network Policy’ option specifically for the Google suite of applications. Child applications for Google can be configured to use the parent application's network policy. This behavior is turned off by default but can be enabled by adding an Application Override.
Device Software Version Required: 5.2.1 and later |
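The two path-selection rules stated on this page, the Path of Last Resort order (active, then backup, then the L3 failure path) and Application Unreachability Detection (skip paths on which the app is marked unreachable, fall back to the primary path when all are), as one added example that is not from the release notes or from Prisma SD-WAN's own code. The `Path` class, the `select_path` and `select_reachable_path` functions, the path names and the reachability records are constructed; the exempt application list is the one the note gives.

```python
# Added example (not from the Prisma SD-WAN release notes): a small model of two
# path-selection rules described on this page, the Path of Last Resort order
# (active, then backup, then the L3 failure path) and Application Unreachability
# Detection (skip paths where the app is marked unreachable, fall back to the
# primary path when every path is). Path names, apps and the reachability
# records are constructed; the function names are this example's own.
from dataclasses import dataclass
from typing import Optional, Sequence, Set, Tuple

# Per the note, these TCP applications are never subject to Unreachability Detection.
UNREACHABILITY_EXEMPT = {"HTTP", "SSL", "Prisma SD-WAN-Control", "Prisma SD-WAN-LQM",
                         "Prisma SD-WAN-PCM", "Prisma SD-WAN-Probe"}


@dataclass(frozen=True)
class Path:
    name: str
    up: bool = True


def select_path(active: Sequence[Path], backup: Sequence[Path],
                l3_failure: Optional[Path] = None) -> Optional[Path]:
    """Path of Last Resort: the L3 failure path is used only when no active
    and no backup path is up; the backup list may legitimately be empty."""
    for p in active:
        if p.up:
            return p
    for p in backup:
        if p.up:
            return p
    if l3_failure is not None and l3_failure.up:
        return l3_failure
    return None


def select_reachable_path(app: str, candidates: Sequence[Path], primary: Path,
                          unreachable: Set[Tuple[str, str]],
                          detection_enabled: bool = True) -> Optional[Path]:
    """Unreachability Detection: drop candidates where (app, path) has been
    marked unreachable; if that removes every path, the primary path is
    selected. Exempt apps, and apps with detection turned off, are never
    marked unreachable, so they ignore the reachability records entirely."""
    up = [p for p in candidates if p.up]
    if not up:
        return None
    if app in UNREACHABILITY_EXEMPT or not detection_enabled:
        return up[0]
    reachable = [p for p in up if (app, p.name) not in unreachable]
    return reachable[0] if reachable else primary


if __name__ == "__main__":
    mpls, inet, lte = Path("mpls"), Path("internet"), Path("lte")
    # All active paths down, no backup configured: the L3 failure path is taken.
    print(select_path([Path("mpls", up=False)], [], lte))
    # erp-tcp marked unreachable over MPLS: the internet path is chosen instead.
    print(select_reachable_path("erp-tcp", [mpls, inet], mpls, {("erp-tcp", "mpls")}))
```

The `(app, path)` tuples stand in for whatever reachability state the device keeps per application and path; the example only models the decision the note describes, not how unreachability is detected.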