>
    Strata Copilot
    Features Introduced in June 2026
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Prisma SD-WAN New Features
    4. Prisma SD-WAN Release Information
    5. Prisma SD-WAN Features Introduced in 2026
    6. Features Introduced in June 2026
    Download PDF
    Prisma SD-WAN

    Features Introduced in June 2026

    Table of Contents

    Features Introduced in June 2026

    Learn about the features introduced in the Prisma SD-WAN June release.
    Where Can I Use This?What Do I Need?
    • Prisma SD-WAN
    • Prisma SD-WAN license
    Here's a preview of the new features introduced in Prisma SD-WAN in June 2026.

    Branch HA Optimization

    This release introduces optimizations to HA failover and failback, focusing on reducing downtime and ensuring session persistence.
    Key Enhancements:
    • App-Map Failover: Application identification maps are now replicated to the Standby device in real-time and pre-installed in the data plane. This means mid-flow packets are classified immediately upon failover, ensuring zero interruption to active streaming sessions.
    • Instant Route Availability: LAN-side dynamic routes learned are now replicated and merged into the forwarding table during the role transition. When paired with BGP Graceful Restart, this allows traffic to resume immediately without waiting for protocol re-learning.
    Readiness-Based HA Preemet: The HA manager now performs a full subsystem health check (Routing, Firewall, Interfaces) before allowing a device to resume the Active role. This ensures failback only happens when the device is 100% ready to pass traffic.

    VRF Service Link Multiplexing

    Prisma SD-WAN introduces VRF Service Link Multiplexing to automatically and securely route internet traffic from different Custom VRFs to Prisma Access. This feature makes it easy for Custom VRF users to reach the internet over Global Service Links without requiring complex route-leaking configuration
    Key Enhancements:
    • Implicit Route Leaking: Service Link interfaces function as implicit leak interfaces. This removes the requirement for manual static route leaks between Global and Custom VRFs.
    • Session Integrity: The system encodes the Virtual Network Identifier (VNI) into connection marks. This ensures return traffic maps to the correct VRF and maintains flow symmetry.
    • Dynamic Failover: Custom VRF traffic automatically switches to alternate Global Service Links if the primary link is unavailable.
    Native Path Preference: Traffic defaults to native Custom VRF Service Links before falling back to Global VRF paths.

    VRF - IPFIX

    The IPFIX (IP Flow Information Export) feature has been enhanced with updates to improve visibility and monitoring in Virtual Routing and Forwarding (VRF) environments.
    Key Enhancements (IPFIX):
    • VRF Name in Templates: The Virtual Routing and Forwarding (VRF) name is now included by default in IPFIX template Flow Fields.
    • Flow Record Enrichment: When flow records are forwarded to a collector, they now carry the specific VRF name associated with that flow.
    • Configuration Flexibility: Users can now assign collector and filter contexts to sub-interfaces within a VRF (for example, VRF 005) or any other interface type that supports VRF contexts. Previously, attempting this configuration would result in an error.
    • Multi-VRF Support: The system supports exporting flows from both global VRFs and specific VRF contexts to the collector.
    • Cross-VRF Routing Requirements: If a given VRF interface lacks direct communication to the collector, routes must be manually leaked across VRFs to ensure data can be sent.

    VRF - DNS Service

    The latest update introduces the capability to handle DNS queries across different Virtual Routing and Forwarding (VRF) instances. This allows for increased adaptability in network architecture by enabling DNS clients and servers to reside in separate VRFs while maintaining full communication and operation.
    Key Enhancements (DNS):
    • Multi-VRF Listen and Forward Roles:
      • The DNS listen role, which connects to the DNS client, can now be configured in the global VRF or a custom VRF.
      • The DNS forward role acts as the path to the public or private DNS server, typically connected via a public VPN or Private VPN.
    • Support for Privately Hosted DNS Servers: Users can now host private DNS servers within a specific custom VRF (for example, VRF 100) while serving clients located in different VRFs (for example, VRF 101 or 102).
    • Inter-VRF Route Leaking: To support cross-VRF communication, the system allows for the configuration of "VRF leaks" (for example, leaking routes from VRF 005 to VRF 001) to ensure DNS query packets and responses can reach their destination across virtual boundaries.
    Configurable DNS Profiles: New DNS profiles allow for specific IP configurations and interface assignments for both listener and forwarder roles, supporting complex internal and public DNS routing setups.

    © 2026 Palo Alto Networks, Inc. All rights reserved.