The Prisma SD-WAN DNS Service runs locally on branch ION devices and can act as a caching or authoritative server. Enabling the Prisma SD-WAN DNS Service serves to speed up domain name resolution time, increase overall resiliency in the domain name resolution system, and provide a local platform for enabling secure DNS. The Prisma SD-WAN DNS Service is enabled using global DNS Service Profiles, binding them to sites, and assigning the ION interfaces to DNS Service Roles. DNS Service Profiles are used to specify configuration parameters for the Prisma SD-WAN DNS Service. Once created, a DNS Service Profile is bound to a device.

Event Correlation enables the Prisma SD-WAN controller to identify events versus individual issues. This change reduces the overall number of alarms that an administrator receives and improves the operational efficiency of the App-Fabric. The Prisma SD-WAN controller analyzes incoming alarms from the ION devices to determine if they are related. If the controller detects the events are related, the alarms are aggregated into a single alarm. For example, if the controller receives multiple VPN down alarms, they are analyzed in real time, determined to be related, and a single Secure Fabric Link alarm is generated for the event, while suppressing the original list of alarms.

VPN keep-alive parameters for Prisma SD-WAN VPNs can now be specified at the Circuit Category, Circuit Label, or Secure Fabric Link. By adjusting the Keep-Alive Failure Count and Keep-Alive Interval values, you can specify VPN liveliness checks that fit the business requirements of the network. Higher timers use less bandwidth but detect an outage less quickly, while the inverse is true for lower timers.

The Prisma SD-WAN Policies user interface has the following improvements: In a QoS New Policy Rule, the DSCP Mark/Remark section is improved to simplify configured Hex Value selection. There are several user interface improvements to Stacked Policies administration, including the Bindings view, Sets view, Stacks view, and Rules view.The Bulk Edit for policy rules allows you to update information for multiple Path, QoS, and NAT policy rules at the same time.The default view for Zone-based Firewall policy rules has been changed to the table view. To access the spine view, hold Shift and click the Rules button.

The ION device interface configuration has the following improvements: The Description field in the Configure Interface screen of the Prisma SD-WAN is now increased to display 5 lines. The interface used as App Probe Source is now configurable. This is a required configuration for the ION 1000 and will default to the controller port for other ION models.

The IP directed broadcast for L3 interfaces enables traffic from remote networks to be broadcast over LAN networks using L3 LAN interfaces, if explicitly enabled. This allows for a unicast packet to be converted to a broadcast packet when passing from the WAN to a LAN interface.

Users can enable or disable the Application Probe feature from the Basic Info or Interface Config screens of the user interface when configuring an ION device. You can configure a LAN port to be the application probe source interface. The controller port is used as the default source interface. The ION 1000 does not have a controller port, therefore you need to configure the port for the application probe.

The MSS adjustment is automatically performed for overlay paths such as Service links and CG-VPNs. Prior to the 5.4.1 device image, the MSS was statically set to 1300. This behavior works in most cases, but in cases when MTU is lowered, this setting may not be sufficient. Thus, for accommodating these cases, the TCP MSS is automatically adjusted down based on the MTU configured.