New Features - Prisma SD-WAN - April 2024
App SLA Assurance Enhancements
Measuring application performance and delivering App SLAs is a core component of Prisma SD-WAN. Performance Policy builds on the existing App SLA configuration to deliver a policy framework for measuring and enforcing application SLAs and for alerting on SLA violations.
Performance Policy Enhancements
- Packet Duplication
In addition to Forward Error Correction, Prisma SD-WAN now supports replicating an application session across up to three VPN paths simultaneously, so that critical applications keep a consistent, optimized experience for end users even when every underlay path is degraded beyond the application SLA. Packet Duplication is an additional action in the performance policy, selectable per application and/or per path. Using it requires explicitly selecting the primary path from which packets are duplicated and every secondary/alternate path onto which they are duplicated. Because a duplicated session consumes bandwidth on each selected path, reserve it for the applications that justify the extra load.
- Service Health Probes
Prisma SD-WAN now supports always-on probing that measures key metrics such as round-trip latency, packet loss, and jitter to any ICMP/DNS/HTTP/HTTPS service across any transport (Direct, Fabric, Standard VPN). The results are visible to the user and can also drive path selection decisions with precise control through performance policy. The same service health probes can also be used by the system to determine Layer 3 reachability.
- Incidents for System & Site Health Metrics
In addition to Incidents for link and application health metrics, Prisma SD-WAN now supports the ability to generate incidents for critical system metrics such as CPU Utilization, Memory Utilization, Disk Utilization, and Concurrent Flow table usage as well as Circuit Utilization.
Branch Gateway
Geographically distributed organizations often have smaller regional data centers colocated with users, manufacturing, and other business operations, which presents both configuration and operational challenges. The single-click capability to create Regional Branch Gateways simplifies this use case by automatically creating the VPN topologies and instantiating Hub services (Policy Transit, LQM Server, etc.) and Branch services (app visibility, path selection, etc.) to simplify Day 1 and Day 2 operations for all traffic types and vectors.
Prisma SD-WAN offers two types of site configurations — branch sites and data center sites. There may be situations where the services provided by a given location do not fit cleanly into either of these configurations. To maximize the flexibility of the system, Prisma SD-WAN offers a new hybrid site type — Branch Gateway.
The Branch Gateway provides the policy transit and LQM server capabilities of a data center site along with the visibility and path selection of a branch site. You can enable Branch Gateway functionality on an existing branch site in Control mode using a site-level configuration setting. Once Branch Gateway mode is enabled, VPN tunnels form automatically to each branch site in the domain.
Enhanced Incident Management
Prisma SD-WAN generates alerts and incidents when the system reaches a system-defined or customer-defined threshold or when there is a fault in the system. Use incidents and alerts to troubleshoot the system. An alert is raised when a threshold is crossed and may or may not indicate a fault in the network.
Impacted objects in an incident are now clickable, so you can navigate directly to the related incident, which makes incidents easier to debug. Filter and sort alerts and incidents based on the following criteria. You can now select more than one incident for bulk acknowledgement or unacknowledgement.
You can acknowledge only unresolved incidents. Acknowledging an incident lets you display and focus on the incidents that still require attention. You can select one or more incidents to acknowledge in bulk.
You can unacknowledge only acknowledged incidents. You can select one or more incidents to unacknowledge in bulk.
Prisma SD-WAN OSPF
Prisma SD-WAN supports using Open Shortest Path First (OSPF; available in software version 6.4 and later) to manage network routes dynamically. OSPF is an interior gateway protocol (IGP) that simplifies routing for large enterprise networks at branch sites, the aggregation layer on campus, and data center sites. The protocol determines routes dynamically by obtaining information from other routers and advertising it through Link State Advertisements (LSAs). Routers use the information collected from the LSAs to build and share a network topology map across the network, from which each router computes the entries that populate its IP routing table.
OSPF simplifies network management and helps ensure high availability by dynamically adjusting routes to network changes.
To configure OSPF, you must enable L3 Direct Private WAN Forwarding, which allows your ION device to peer with an OSPF router over a private WAN interface. To use dynamic LAN routing, you must enable both L3 Direct Private WAN Forwarding and L3 LAN Forwarding.
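To make the LSA-to-routing-table step above concrete, here is an added example (not Prisma SD-WAN code, and not how the ION implements OSPF internally) that runs the shortest-path-first computation over a small constructed link-state database. Router names, link costs, and prefixes are invented for the example, and the LSA format is deliberately simplified to the fields the computation needs. It also shows the route changing when a link is withdrawn, which is the "dynamically adjusting routes to network changes" behavior the text describes.

```python
import heapq
from typing import Dict, Optional, Tuple

# Constructed link-state database in a simplified form (assumption: real router
# LSAs carry more fields). Each advertising router lists the (neighbor, cost)
# links it sees and the prefixes it originates.
LSDB: Dict[str, dict] = {
    "ION-branch": {"links": [("R-core1", 10), ("R-core2", 10)], "prefixes": ["10.10.0.0/24"]},
    "R-core1":    {"links": [("ION-branch", 10), ("R-core2", 1), ("R-dc", 20)], "prefixes": []},
    "R-core2":    {"links": [("ION-branch", 10), ("R-core1", 1), ("R-dc", 5)], "prefixes": []},
    "R-dc":       {"links": [("R-core1", 20), ("R-core2", 5)], "prefixes": ["10.200.0.0/16", "10.201.0.0/16"]},
}


def _advertises(lsdb, router: str, neighbor: str) -> bool:
    """True if `router`'s LSA lists `neighbor` as a link."""
    return any(n == neighbor for n, _ in lsdb.get(router, {"links": []})["links"])


def spf(lsdb, root: str) -> Tuple[Dict[str, int], Dict[str, Optional[str]]]:
    """Dijkstra over the LSDB from `root`. Returns (cost, next_hop) per router.
    As in OSPF, a link is used only if both ends advertise it, and the cost is
    the one advertised by the router on the near side of the link."""
    cost: Dict[str, int] = {root: 0}
    next_hop: Dict[str, Optional[str]] = {}
    heap = [(0, root, None)]
    while heap:
        c, node, nh = heapq.heappop(heap)
        if node in next_hop:          # already settled at a lower or equal cost
            continue
        next_hop[node] = nh
        for nbr, link_cost in lsdb[node]["links"]:
            if not _advertises(lsdb, nbr, node):
                continue              # one-way adjacency: ignore the link
            new_cost = c + link_cost
            if new_cost < cost.get(nbr, float("inf")):
                cost[nbr] = new_cost
                # next hop is the first router after the root on this path
                heapq.heappush(heap, (new_cost, nbr, nbr if node == root else nh))
    return cost, next_hop


def routing_table(lsdb, root: str) -> Dict[str, Tuple[str, int]]:
    """prefix -> (next-hop router, total cost): what the SPF result installs in the RIB."""
    cost, next_hop = spf(lsdb, root)
    table: Dict[str, Tuple[str, int]] = {}
    for router, lsa in lsdb.items():
        if router == root or router not in next_hop:
            continue
        for prefix in lsa["prefixes"]:
            table[prefix] = (next_hop[router], cost[router])
    return table


def withdraw_link(lsdb, a: str, b: str):
    """New LSDB with the a<->b link removed from both LSAs, as after a link-down re-advertisement."""
    new = {}
    for router, lsa in lsdb.items():
        drop = {b} if router == a else {a} if router == b else set()
        new[router] = {"links": [(n, c) for n, c in lsa["links"] if n not in drop],
                       "prefixes": list(lsa["prefixes"])}
    return new


if __name__ == "__main__":
    print("steady state:", routing_table(LSDB, "ION-branch"))
    failed = withdraw_link(LSDB, "R-core2", "R-dc")
    print("after R-core2/R-dc link failure:", routing_table(failed, "ION-branch"))
```

In the steady state the data center prefixes are reached via R-core2 at cost 15; once the R-core2/R-dc link is withdrawn from both LSAs, the same prefixes move to R-core1 at cost 30 without any static configuration change, which is the operational benefit of running OSPF on the ION rather than static routes.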
SDDC — Megaport (VFF)
Prisma® SD-WAN now supports Single Root I/O Virtualization (SR-IOV) for the Intel XL710 Ethernet Network Adapter. This support is available on all hypervisors when using a Virtual ION (vION).
SR-IOV is a hardware specification and technology that enables a single Peripheral Component Interconnect Express (PCIe) Network Interface Card (NIC) to share its resources directly among multiple Virtual Machines (VMs).
Implementing SR-IOV reduces the overhead associated with I/O virtualization and provides the following key benefits for your deployment:
- Improved Performance: Achieve higher throughput and lower latency because data bypasses the host CPU's virtualization layer.
- Reduced CPU Utilization: Offload I/O processing from the host CPU, freeing up resources for other critical tasks.
- Enhanced Security: Each VM is attached to its own Virtual Function (VF) of the NIC, so multiple VMs share one physical device without sharing each other's traffic. Note that this isolation depends on the host IOMMU (for example, Intel VT-d) being enabled, which is also what allows the VF to be passed through to the VM; verify it on the hypervisor before relying on the boundary.
- Efficient Resource Utilization: Use resources more efficiently, leading to significant cost savings.
Site Template JINJA Conditional Statements Support
Configuring a large-scale network deployment often requires creating complex, repetitive, and slightly varied site configurations. To help you manage this complexity, Prisma SD-WAN Site Templates now support JINJA conditional statements, which let a template take different actions based on specific site data. These conditional statements, including IF statements and comparison functions, let you create a single adaptable template that covers many deployment variances.
Prisma SD-WAN supports creating bulk site configurations that allow you to create tailored site templates that cater to your deployment requirements, allowing you to efficiently deploy branches and data centers at scale. A site template is a predefined blueprint containing a list of variables that encompasses all the necessary configurations for creating fully operational sites and devices.
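As an added example of conditional site templating (this is not a Prisma SD-WAN site template or Prisma SD-WAN code; the site-data field names, the rendered output layout, and the policy names are assumptions for the illustration), the following Python renders one template for several sites using the jinja2 package, which implements the same Jinja syntax (IF/ELIF/ELSE blocks and comparison operators). It also adds the check a practitioner wants before a bulk deployment: rendering with StrictUndefined so that a site record missing a variable fails loudly instead of silently rendering an empty value or evaluating as false.

```python
from jinja2 import Environment, StrictUndefined, UndefinedError  # assumes the jinja2 package is installed

# Hypothetical site template: field names (site.name, site.region, site.has_lte,
# site.internet_mbps) and the output layout are assumptions for this example.
SITE_TEMPLATE = """\
site_name: {{ site.name }}
circuits:
  - name: primary-internet
    bandwidth_mbps: {{ site.internet_mbps }}
{% if site.has_lte %}
  - name: lte-backup
    bandwidth_mbps: 50
{% endif %}
{% if site.internet_mbps >= 500 %}
performance_policy: high-bandwidth
{% elif site.region == "EMEA" %}
performance_policy: emea-standard
{% else %}
performance_policy: standard
{% endif %}
"""

# StrictUndefined turns a missing site variable into an error instead of
# silently rendering an empty string or treating it as false in an IF block.
_env = Environment(undefined=StrictUndefined, trim_blocks=True, lstrip_blocks=True)
_template = _env.from_string(SITE_TEMPLATE)


def render_site(site: dict) -> str:
    """Render the template for one site's data record."""
    return _template.render(site=site)


def render_sites(sites):
    """Render many sites; return (rendered_by_name, errors_by_name) so one bad
    site record is reported rather than aborting the whole bulk deployment."""
    rendered, errors = {}, {}
    for site in sites:
        try:
            rendered[site["name"]] = render_site(site)
        except UndefinedError as exc:
            errors[site["name"]] = str(exc)
    return rendered, errors


# Constructed sample site data (the third record deliberately omits has_lte).
SITES = [
    {"name": "br-lon-01", "region": "EMEA", "internet_mbps": 200, "has_lte": True},
    {"name": "br-nyc-01", "region": "AMER", "internet_mbps": 1000, "has_lte": False},
    {"name": "br-syd-01", "region": "APAC", "internet_mbps": 100},
]

if __name__ == "__main__":
    ok, bad = render_sites(SITES)
    for name, text in ok.items():
        print(f"--- {name}\n{text}")
    for name, err in bad.items():
        print(f"--- {name}: TEMPLATE ERROR: {err}")
```

The London site gets the LTE backup circuit and the EMEA policy, the New York site gets the high-bandwidth policy and no LTE circuit, and the Sydney record is reported as an error because the template references a variable the record does not define.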
Standard VPN Enhancements for DC to DC
Prisma® SD-WAN supports standard VPN for connections between two data center ION devices. If both DC ION devices try to initiate the tunnel, the tunnel will not be established. To overcome this, Prisma SD-WAN now supports a responder-only mode for DC ION devices, in which the ION device only responds to the IKE connection and never initiates it. This standard VPN tunnel configuration option, which controls IKE initiator and responder behavior, is useful in many scenarios, including establishing DC-to-DC ION tunnels when one or both sides are behind a NAT device. Note that the responder-only side must be reachable from the initiator on the IKE ports (UDP 500, and UDP 4500 for NAT traversal), through port forwarding if it is itself behind a NAT.
Prisma® SD-WAN currently supports this feature only for IPsec VPNs, not for GRE VPNs. Both IKEv1 and IKEv2 are supported.
Subscription Usage Visibility for Prisma SD-WAN
The enhancements to Prisma SD-WAN Subscription Usage give administrators comprehensive visibility into both site and tenant bandwidth consumption. Administrators can monitor bandwidth usage and track and trend monthly bandwidth utilization across all branch sites to ensure compliance with licensing agreements.
Support for Additional System Applications
Applications are at the core of the Prisma SD-WAN solution. ION devices deployed in the network actively analyze each application flow to ensure that policies for performance, compliance, and security are maintained, and optimum network connections are used for each flow. Prisma SD-WAN identifies each flow using various techniques such as prefix, port, signature, and SaaS. It leverages this information to build a dynamic application map cache, ensuring an optimal first packet match experience.
Prisma SD-WAN now supports over 4,000 system applications.
Support for Configurable Layer 3 Reachability Probes
Relying solely on predefined probes to verify the Layer 3 service status of circuits can limit the flexibility and accuracy of path selection. To provide more granular control and leverage existing performance monitoring, Prisma SD-WAN now supports configurable service health probes to determine the Layer 3 service status of a circuit. This feature allows you to optionally use application and link performance probes to verify the Layer 3 service status of a circuit, providing a unified and consistent approach to path health verification.
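The Service Health Probes feature above and this Layer 3 reachability feature both reduce a series of probe results to per-path metrics and then to a decision. The following added example (not Prisma SD-WAN code; the ION's actual probe scheduling, jitter formula, reachability window, and tie-breaking are not documented on this page and are assumptions here) shows that pipeline end to end on constructed probe data: it computes latency, loss, and jitter from one probe series per path, derives a Layer 3 reachable/unreachable verdict from the most recent probes, and then selects a path against an application SLA, falling back to the least-degraded reachable path when no path meets the SLA.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Sla:
    """Per-application SLA thresholds (values chosen for this example)."""
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float


@dataclass(frozen=True)
class PathHealth:
    latency_ms: Optional[float]   # mean RTT of answered probes; None if none answered
    loss_pct: float               # share of probes with no reply
    jitter_ms: Optional[float]    # mean |RTT(n) - RTT(n-1)| over answered probes (assumed formula)
    reachable: bool               # Layer 3 status derived from the same probes


def summarize(samples: Sequence[Optional[float]], reachability_window: int = 3) -> PathHealth:
    """Reduce one probe series (RTT in ms per probe, None = no reply) to health metrics.
    The path is declared Layer 3 unreachable when the last `reachability_window`
    probes all went unanswered (the window size is an assumption of this example)."""
    answered = [s for s in samples if s is not None]
    loss_pct = 100.0 * (len(samples) - len(answered)) / len(samples)
    latency = mean(answered) if answered else None
    if len(answered) > 1:
        jitter = mean(abs(a - b) for a, b in zip(answered, answered[1:]))
    else:
        jitter = 0.0 if answered else None
    reachable = any(s is not None for s in samples[-reachability_window:])
    return PathHealth(latency, loss_pct, jitter, reachable)


def meets_sla(h: PathHealth, sla: Sla) -> bool:
    """An unreachable path never meets the SLA, whatever its historical averages say."""
    return (h.reachable and h.latency_ms is not None and h.jitter_ms is not None
            and h.latency_ms <= sla.max_latency_ms
            and h.loss_pct <= sla.max_loss_pct
            and h.jitter_ms <= sla.max_jitter_ms)


def select_path(probes: Dict[str, Sequence[Optional[float]]], sla: Sla,
                preferred_order: List[str]) -> Tuple[Optional[str], Dict[str, PathHealth]]:
    """Pick a path: the first in preferred_order that meets the SLA; otherwise the
    reachable path with the lowest loss, then lowest latency (degraded but usable);
    None when no path is Layer 3 reachable."""
    health = {name: summarize(series) for name, series in probes.items()}
    for name in preferred_order:
        if name in health and meets_sla(health[name], sla):
            return name, health
    fallback = [(h.loss_pct, h.latency_ms, name) for name, h in health.items() if h.reachable]
    if not fallback:
        return None, health
    return min(fallback)[2], health


# Constructed probe series (RTT in ms; None = probe unanswered), oldest first.
PROBES: Dict[str, Sequence[Optional[float]]] = {
    "inet-1": [25, 60, 20, 90, 25, None, 30, 70, 25, 80],             # reachable, lossy and jittery
    "mpls":   [12, 13, 12, 14, 12, 13, 12, 13, 12, 12],               # healthy
    "inet-2": [40, 41, None, None, None, None, None, None, None, None],  # went dark: Layer 3 down
}
APP_SLA = Sla(max_latency_ms=50, max_loss_pct=2.0, max_jitter_ms=10)

if __name__ == "__main__":
    chosen, health = select_path(PROBES, APP_SLA, ["inet-1", "mpls", "inet-2"])
    for name, h in health.items():
        print(f"{name}: {h}  meets SLA: {meets_sla(h, APP_SLA)}")
    print("selected path:", chosen)
```

With these samples the cheaper direct internet path is preferred in policy but fails the SLA on loss and jitter, so the MPLS path is selected; inet-2 still has a respectable average latency from its two early replies, which is exactly why the reachability verdict must be based on recent probes rather than on averages.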
Switch Virtual Interfaces Operational Enhancements
Prisma SD-WAN introduces an SVI (Switch Virtual Interface) state setting called Auto Operational State. It can be configured either to keep the SVI up when all VLAN member ports are down or to bring the SVI down when all member ports are down. This lets you control the SVI's operational status based on the link status of its member ports, so that the SVI's state accurately reflects the connectivity of the underlying VLAN member ports.
By default, Auto Operational State is enabled and the SVI is up only when it is configured Admin Up and at least one L2 switch port (access or trunk) that is a member of the SVI has its link up. When Auto Operational State is disabled, an SVI configured Admin Up remains up regardless of member port state.
When configuring an SVI for HA, if Auto Operational State is enabled and all VLAN member ports go down, the device will enter the backup High Availability (HA) mode. This is recommended for HA deployments. You can configure the SVI Auto Operational State when adding or modifying a VLAN/SVI on your ION devices.