SD-WAN Features

PAN-OS 9.1 supports SD-WAN with new features.
The PAN-OS software now includes a native SD-WAN subscription to provide intelligent and dynamic path selection on top of the industry-leading security that PAN-OS software already delivers. Secure SD-WAN provides the optimal end user experience by leveraging multiple ISP links to ensure application performance and scale capacity.
The following models support the SD-WAN software capabilities:
  • PA-220
  • PA-220R
  • PA-820
  • PA-850
  • PA-3200 Series
  • PA-5200 Series
  • VM-300
  • VM-500
  • VM-700
Each firewall can be used as a branch or hub location and requires an SD-WAN subscription. Each Panorama requires the SD-WAN plugin.
Some features of SD-WAN require the Panorama management server.
Key features of the SD-WAN implementation include:
New SD-WAN Feature
Description
Centralized Configuration Management
Leverage Panorama to manage your SD-WAN configuration for hub and branch locations, enabling you to reuse configurations across locations, reducing management requirements and operational overhead for your deployment.
Automatic VPN Topology Creation
VPN clusters simplify the creation of complex VPN topologies using logical groupings of branches and hubs to accelerate the configuration and deployment of secure communications between all locations.
Traffic Distribution
Take advantage of multiple ISP links to scale capacity and reduce costs. Path selection and brownout and blackout detection are per application to ensure the best performance and user experience for critical business applications. By default, you can achieve subsecond failover between paths, ensuring the best possible performance of applications.
Monitoring and Troubleshooting
Panorama provides complete operational awareness into your SD-WAN environment, including application performance, link performance, and path health using historical trend analysis tools.
Branch Prefix Redistribution
(
PAN-OS 9.1.2 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases
) Prior to PAN-OS 9.1.2, branch firewalls automatically redistributed all non-public, connected routes to the hub. Beginning with PAN-OS 9.1.2, you can also redistribute any additional prefixes to the hub.
Automatic Security Policy Rule Allowing BGP
(
PAN-OS 9.1.2 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases
) For ease of use, you can have Panorama automatically create a Security policy rule to allow BGP between branches and hubs.
IKE Preshared Key Refresh
(
PAN-OS 9.1.2 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases
) Refresh the IKE preshared key that VPN cluster members use. This action is especially helpful if you have a mandate to refresh preshared keys periodically.
VPN Tunnel IP Address Ranges
(
PAN-OS 9.1.2 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases
) Specify IP address ranges for Auto VPN configuration to assign to VPN tunnel endpoints to ensure that Auto VPN does not randomly select IP addresses that overlap with those your network uses.
PPPoE Authentication for SD-WAN Links
(
PAN-OS 9.1.2-h1 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases
) SD-WAN links can enable Point-to-Point Protocol over Ethernet (PPPoE) authentication for DSL links.
Panorama Job Descriptions
(
PAN-OS 9.1.2-h1 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases
) Panorama now displays additional information in the commit job description to identify the SD-WAN related jobs.
VPN Data Tunnel Support
(
PAN-OS 9.1.2-h1 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases
) You can now control access to the SD-WAN VPN data tunnel to specify how branch to hub traffic is sent (inside or outside the VPN tunnel). Enable or disable this feature from the
SD-WAN Interface Profile
.
DIA to MPLS Failover
(
PAN-OS 9.1.2-h1 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases
) Direct Internet Access (DIA) traffic can failover to the hub through the MPLS link to take an alternate route to the internet.

Recommended For You