As more internet services move to the cloud, PAN-OS Secure SD-WAN offers security in the cloud using Prisma Access, in addition to security on-premises using PAN-OS firewalls. The SD-WAN hub-and-spoke topology supports a Prisma Access hub. You can secure your internet traffic for specific applications either at the branch location or in the cloud with Prisma Access and have this traffic fail over to any other VPN tunnel if necessary.

In addition to the hub-spoke topology, SD-WAN now supports a full mesh topology (with or without hubs) so that branches can communicate with each other directly. For branch or hub interfaces that receive their IP address from DHCP or PPPoE, a Dynamic DNS (DDNS) service detects the public-facing IP address of the firewall interface.

If you place your SD-WAN branch firewall behind a device performing NAT, you need a way to specify the IP address of the public-facing interface on that upstream device, which Auto VPN Configuration uses as the tunnel endpoint for the branch. When you add an SD-WAN branch to Panorama, you can now specify the IP address or FQDN of the upstream device performing NAT for the branch, or you can specify DDNS, which indicates that the IP address for the interface on the NAT device is obtained from the Palo Alto Networks DDNS service. Auto VPN uses the public IP address as the tunnel endpoint for the branch.

You can now configure an SD-WAN direct internet access (DIA) link to fail over to another link that has a direct or indirect path (through a hub or branch) to the internet, and thus ensure business continuity. The DIA failover is no longer restricted to another DIA link. DIA AnyPath use cases include transitioning from an expensive MPLS link to one or more public internet connections, possibly from different vendors. You can do split tunneling per application, where specific applications initially use a DIA link but fail over to a hub link, or vice versa.

When both endpoints of a VPN tunnel are PAN-OS firewalls that use forward error correction (FEC), the receiving tunnel endpoint can recover lost packets before the link needs to fail over to a better path. Thus, FEC at the network level allows you to maintain a high-quality application experience in your SD-WAN. FEC is especially helpful for applications that are sensitive to packet loss, such as voice and video streaming.

When both endpoints of a VPN tunnel are PAN-OS firewalls that use packet duplication, and two such tunnels to the same destination exist, the source firewall sends the same packets for an SD-WAN flow over both tunnel links. The destination tunnel endpoint receives the first packet successfully and discards the duplicate packet. Packet duplication allows the receiving firewall to mitigate poor network conditions before the link needs to fail over to a better path, although packet duplication uses twice the bandwidth for every flow because it duplicates all packets. Packet duplication allows you to maintain a high-quality application experience in your SD-WAN. Packet duplication is especially helpful for applications that are sensitive to packet loss, high latency, or jitter, such as voice and video streaming.

PAN-OS 10.0.2 now allows SD-WAN to accurately monitor and measure the health of SaaS and Cloud application path to ensure reliability and user experience. When you have an SD-WAN firewall with Direct Internet Access (DIA) link, SD-WAN fails over to a higher performance path based on accurate measurements of the path health quality.