Limitations related to the SD-WAN plugin.
The following limitations are associated with the SD-WAN plugin:
Introduced in SD-WAN Plugin 2.0
Installation of SD-WAN Plugin 2.0 requires Panorama to be running PAN-OS 10.0.2 or a later 10.0 release and should fail on a Panorama running PAN-OS 9.1.x. The issue is that installation of SD-WAN Plugin 2.0 is currently being allowed on a Panorama running PAN-OS 9.1.4.
If you configure a PA-220 firewall as an SD-WAN branch or hub with an Error Correction Profile for FEC or packet duplication, the branch or hub achieves little or no performance gain due to the CPU limitations on a PA-220 firewall.
Adaptive SaaS monitoring using a SaaS Quality profile (SD-WAN Link Management > SaaS Quality Profile) is supported only for TCP SaaS applications. Adaptive SaaS monitoring is not supported for any SSL-proxied traffic.
Introduced in SD-WAN Plugin 1.0
(SD-WAN Failover from a DIA Link to an MPLS Link) Direct Internet Access (DIA) failover to MPLS is for traffic with new sessions, not for existing sessions.
(SD-WAN Failover from a DIA Link to an MPLS Link) All firewalls in a VPN cluster must have one or more routes to reach the MPLS interface IP addresses on a peer firewall.
(SD-WAN Failover from a DIA Link to an MPLS Link) The first SYN packet for FTP data over MPLS is always dropped in FTP active mode only.
(SD-WAN Failover from a DIA Link to an MPLS Link) The VPN Data Tunnel Support setting in an SD-WAN interface profile must be the same on all devices in a cluster: disabled or enabled. Otherwise, hub-initiated traffic will not work, nor will traffic going from a branch to another branch through the hub.
(SD-WAN Failover from a DIA Link to an MPLS Link) When VPN Data Tunnel Support is disabled, branch-to-branch traffic doesn’t work if BranchA-to-Hub selects a tunnel over DIA link and Hub-to-BranchB selects the MPLS link.
Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Devices already added are not removed when importing a new CSV device list. If needed, delete devices manually in the web interface or CLI.
(SD-WAN Failover from a DIA Link to an MPLS Link) A predict session cannot be matched for traffic through a tunnel: FTP data sometimes fails on firewalls with multiple data planes. This limitation exists for traffic between a branch and hubs, including DIA traffic that fails over to an MPLS tunnel.