New Features - SD-WAN - 3.4
Capacity Settings
Panorama now enables more flexible and efficient SD-WAN deployments by allowing you to customize firewall capacity settings. By adjusting the balance between SD-WAN rules, interfaces, and members, you can scale your network to support up to 16 members per virtual interface (VIF) while maintaining optimal system performance.
Use these settings when you need to scale high-density environments or optimize resource allocation for specific virtual interfaces.
Benefits of Customizable Capacity
- Enhanced Scalability: Support up to 16 members per VIF to accommodate growing network demands.
- Resource Optimization: Balance system resources between rules and interfaces based on your specific deployment needs.
- Improved Performance: Maintain system stability while pushing the boundaries of standard configuration limits.
Dedicated Tunnels for Panorama Connectivity
When you have Panorama deployed without a public IP address, your SD-WAN devices rely solely on the SD-WAN overlay network for connectivity to Panorama. This creates a single point of failure that can result in significant outages when SD-WAN overlay issues occur. The Dedicated Tunnel to Panorama feature addresses this vulnerability by establishing persistent, dedicated IPSec tunnels from your branch devices to Panorama through designated termination devices using direct internet access (DIA) interfaces.
This feature is valuable in environments where Panorama can’t be exposed over the internet using a public IP address. With dedicated tunnels in place, even if your primary SD-WAN overlay network becomes unavailable, your devices can still reach Panorama to receive configuration updates and troubleshooting commands. This eliminates the need for manual recovery, significantly reducing downtime and operational costs.
You can configure primary and secondary termination devices with preferred and secondary DIA interfaces, ensuring redundant connectivity paths to Panorama. The solution uses a separate VPN address pool for tunnel IP address assignments that must not overlap with existing SD-WAN overlay configurations.
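The non-overlap requirement for the dedicated-tunnel VPN address pool can be checked before the configuration is committed. The following Python code is an added example, not code from the SD-WAN plugin or its vendor; the pool names and CIDR ranges are constructed sample values, and `find_pool_conflicts` and `suggest_free_pool` are hypothetical helpers. It goes slightly beyond the text by also proposing a free subnet from a parent block.

```python
import ipaddress

# Constructed sample data: existing SD-WAN overlay VPN address pools.
OVERLAY_POOLS = {
    "overlay-hub-pool": "10.200.0.0/16",
    "overlay-branch-pool": "172.16.32.0/20",
}

def find_pool_conflicts(tunnel_pool, overlay_pools):
    """Return (name, cidr) for every overlay pool that overlaps tunnel_pool."""
    # strict=True rejects CIDRs with host bits set, e.g. 10.1.1.5/24.
    candidate = ipaddress.ip_network(tunnel_pool, strict=True)
    conflicts = []
    for name, cidr in overlay_pools.items():
        existing = ipaddress.ip_network(cidr, strict=True)
        # overlaps() is true when either network contains the other or they are equal.
        if candidate.version == existing.version and candidate.overlaps(existing):
            conflicts.append((name, str(existing)))
    return conflicts

def suggest_free_pool(parent_block, prefixlen, overlay_pools):
    """Return the first subnet of parent_block that overlaps no overlay pool, or None."""
    parent = ipaddress.ip_network(parent_block, strict=True)
    for subnet in parent.subnets(new_prefix=prefixlen):
        if not find_pool_conflicts(str(subnet), overlay_pools):
            return str(subnet)
    return None

if __name__ == "__main__":
    for pool in ("10.200.128.0/24", "192.168.250.0/24"):
        hits = find_pool_conflicts(pool, OVERLAY_POOLS)
        print(pool, "conflicts with", hits if hits else "nothing")
    print("first free /24:", suggest_free_pool("10.200.0.0/15", 24, OVERLAY_POOLS))
```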
Simplified HA Device Configuration in SD-WAN
When adding a device in high availability (HA) to SD-WAN Devices, you now have the option to add its HA peer simultaneously. This feature streamlines configuration by enabling you to configure both devices from a single configuration page, ensuring configuration consistency between the active and passive devices. When selected, the system identifies the HA peer and displays the device name, prompting you to specify a site name for the peer. Both devices are then created with matching configurations, which is critical since SD-WAN configurations between HA pairs should be identical except for site names.
Prior to this enhancement, you needed to add each device in an HA pair separately to SD-WAN Devices, which could lead to configuration mismatches. The system would display warnings when such mismatches were detected, but the manual correction process was error-prone.
With this feature, any configuration changes made to one device automatically propagate to its peer, maintaining synchronization between the devices. This feature is useful when adding devices to VPN clusters, as SD-WAN requires both HA peers to have matching configurations for proper functioning during failover events.
If you attempt to configure HA devices separately, the SD-WAN plugin will prevent this operation and guide you to add HA pairs instead. This safeguard, along with visual indicators that alert you to any configuration mismatches between HA pairs, helps maintain the integrity of your SD-WAN deployment and ensures proper failover functionality in your high availability environment.