Next-Generation Firewall
SD-WAN Features
Table of Contents
SD-WAN Features
What new SD-WAN features are in PAN-OS 12.1?
The following section describes new SD-WAN features introduced in PAN-OS 12.1.
NGFW with Prisma SD-WAN Data Center Integration
|
August 2025
|
You can now integrate the Palo Alto Networks next-generation
firewalls with Prisma® SD-WAN at the data centers. This integration
enables Prisma SD-WAN devices at branch locations to connect to a unified data
center platform. It addresses challenges with traditional networks that rely on
separate appliances for security and SD-WAN, that often lead to complexity,
inconsistent policies, and limited adaptability to cloud demands, ultimately
impacting user experience and productivity.
With SD-WAN capabilities, data centers establish secure tunnels with branch Prisma
SD-WAN devices, enabling traffic steering based on SD-WAN policy rules while
delivering advanced security features.
This integrated data center solution provides the following benefits:
- Delivers advanced security and SD-WAN capabilities in a single streamlined offering.
- Combines the advanced networking capabilities of Prisma SD-WAN and the robust security features of PAN-OS®, delivering a comprehensive and secure SD-WAN solution.
- Ensures uninterrupted connectivity between branch locations and data centers. Traffic is intelligently routed across the WAN, optimizing performance based on application requirements, network conditions, and security policy rules.
- Simplifies operations and enhances overall efficiency through a unified platform, Strata Cloud Manager.
Overall, this integration addresses the challenges of network complexity, security
integration, performance optimization, and operational efficiency that many
enterprises face as they evolve their WANs.
You need the following licenses for integrating Palo Alto Networks NGFW with Prisma
SD-WAN data center:
- Advanced SD-WAN license for the next-generation firewalls
- Prisma SD-WAN branch subscriptions for the Prisma SD-WAN devices
We support this feature on PA-5440 firewall.
Simplified HA Device Configuration in SD-WAN
|
August 2025
|
When adding a device in high availability (HA) to SD-WAN Devices, you now have the
option to add its HA peer simultaneously. This feature streamlines configuration by
enabling you to configure both devices from a single
configuration page, ensuring configuration consistency between the active
and passive devices. When selected, the system identifies the HA peer and displays
the device name, prompting you to specify a site name for the peer. Both devices are
then created with matching configurations, which is critical since SD-WAN
configurations between HA pairs should be identical except for site names.
Prior to this enhancement, you needed to add each device in an HA pair separately to
SD-WAN Devices, which could lead to configuration mismatches. The system would
display warnings when such mismatches were detected, but the manual correction
process was error-prone.
With this feature, any configuration changes made to one device
automatically propagate to its peer, maintaining synchronization between the
devices. This feature is useful when adding devices to VPN clusters, as SD-WAN
requires both HA peers to have matching configurations for proper functioning during
failover events.
If you attempt to configure HA devices separately, the SD-WAN plugin will prevent
this operation and guide you to add HA pairs instead. This safeguard, along with
visual indicators that alert you to any configuration mismatches between HA pairs,
helps maintain the integrity of your SD-WAN deployment and ensures proper failover
functionality in your high availability environment.