SD-WAN Features
PAN-OS 9.1 supports SD-WAN with new features.
The PAN-OS software now includes a native SD-WAN subscription
to provide intelligent and dynamic path selection on top of the
industry-leading security that PAN-OS software already delivers. Secure SD-WAN provides
the optimal end-user experience by leveraging multiple ISP links
to ensure application performance and scale capacity.
The following models support the SD-WAN software capabilities:
- PA-220
- PA-220R
- PA-820
- PA-850
- PA-3200 Series
- PA-5200 Series
- VM-300
- VM-500
- VM-700
Each firewall can be used as a branch or hub location and requires
an SD-WAN subscription. Each Panorama requires the SD-WAN plugin.
Some features of SD-WAN require the Panorama management server.
Key features of the SD-WAN implementation include:
New SD-WAN Feature | Description |
---|---|
Centralized Configuration Management | Leverage Panorama to manage your SD-WAN configuration for hub and branch locations, enabling you to reuse configurations across locations, reducing management requirements and operational overhead for your deployment. |
Automatic VPN Topology Creation | VPN clusters simplify the creation of complex VPN topologies using logical groupings of branches and hubs to accelerate the configuration and deployment of secure communications between all locations. |
Traffic Distribution | Take advantage of multiple ISP links to scale capacity and reduce costs. Path selection and brownout and blackout detection are per application to ensure the best performance and user experience for critical business applications. By default, you can achieve subsecond failover between paths, ensuring the best possible performance of applications. |
Monitoring and Troubleshooting | Panorama provides complete operational awareness into your SD-WAN environment, including application performance, link performance, and path health using historical trend analysis tools. |
Branch Prefix Redistribution | (PAN-OS 9.1.2 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) Prior to PAN-OS 9.1.2, branch firewalls automatically redistributed all non-public, connected routes to the hub. Beginning with PAN-OS 9.1.2, you can also redistribute any additional prefixes to the hub. |
Automatic Security Policy Rule Allowing BGP | (PAN-OS 9.1.2 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) For ease of use, you can have Panorama automatically create a Security policy rule to allow BGP between branches and hubs. |
IKE Preshared Key Refresh | (PAN-OS 9.1.2 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) Refresh the IKE preshared key that VPN cluster members use. This action is especially helpful if you have a mandate to refresh preshared keys periodically. |
VPN Tunnel IP Address Ranges | (PAN-OS 9.1.2 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) Specify IP address ranges for Auto VPN configuration to assign to VPN tunnel endpoints to ensure that Auto VPN does not randomly select IP addresses that overlap with those your network uses. |
PPPoE Authentication for SD-WAN Links | (PAN-OS 9.1.2-h1 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) SD-WAN links can enable Point-to-Point Protocol over Ethernet (PPPoE) authentication for DSL links. |
Panorama Job Descriptions | (PAN-OS 9.1.2-h1 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) Panorama now displays additional information in the commit job description to identify the SD-WAN related jobs. |
VPN Data Tunnel Support | (PAN-OS 9.1.2-h1 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) You can now control access to the SD-WAN VPN data tunnel to specify how branch to hub traffic is sent (inside or outside the VPN tunnel). Enable or disable this feature from the SD-WAN Interface Profile. |
DIA to MPLS Failover | (PAN-OS 9.1.2-h1 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) Direct Internet Access (DIA) traffic can fail over to the hub through the MPLS link to take an alternate route to the internet. |
Auto-VPN Configuration for Hub Behind NAT | (PAN-OS 9.1.3 and later 9.1 releases, and SD-WAN Plugin 1.0.3 and later 1.0 releases) If you place your SD-WAN hub firewall behind a device performing NAT, you need a way to specify the IP address of that upstream device, which Auto VPN Configuration uses as the tunnel endpoint on the hub. When you add an SD-WAN hub to Panorama, you can now specify the IP address or FQDN of the upstream device performing NAT for the hub; Auto VPN uses the address as the tunnel endpoint for the hub. |
Auto VPN Configuration of Hub Priority for BGP Local Preference | (PAN-OS 9.1.4 and later 9.1 releases, and SD-WAN Plugin 1.0.4 and later 1.0 releases) In an SD-WAN VPN cluster that has more than one hub, you must assign a priority value to each hub, which determines the primary hub to which branches direct traffic and the subsequent hub failover order. Panorama uses the hub priority to calculate a BGP local preference and pushes the local preference to the branches in the cluster. The branches use the local preference to select a route from multiple routes to the same destination. |