New Features - Prisma SD-WAN - February 2025
Device TACACS+
Managing access to network devices and controller nodes can be complex and hard to audit. To provide centralized control, strengthen security, and simplify compliance, Prisma SD-WAN now supports the TACACS+ (Terminal Access Controller Access Control System Plus) authentication protocol, which controls network device access and SSH login to controller nodes in your network infrastructure. TACACS+ server profiles log user activity, including when a user starts or stops using a service and how long the session lasted. These records of service initiation, termination, and any services still in progress during the user's session provide a valuable audit trail for compliance.
A device TACACS+ profile consists of multiple configured TACACS+ servers; you can add a maximum of four. The system attempts to connect to the servers sequentially, based on their reachability. If the user exists on the TACACS+ server and enters the correct credentials, the login succeeds. If a device is not online but the AAA server is reachable and the user is in the TACACS+ database, the user can still log in over an SSH/remote connection.
After you create a TACACS+ profile, you must associate it with a device to enable authentication.
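The following is an added illustration, not Prisma SD-WAN code, of the two behaviours the note describes: a profile capped at four servers that are tried in order with unreachable ones skipped, and the start/stop accounting records with session duration that make TACACS+ useful for audit. Server hostnames, the `netops` user and its password are constructed; the in-memory user map stands in for the real server's credential store; and the rule that a reachable server's rejection is final (failover only on reachability) is an assumption the release note does not state.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Server is one entry of a device TACACS+ profile. Reachable stands in for the
// reachability check the device performs, and Users is a constructed stand-in for
// the credential store that lives on the real TACACS+ server.
type Server struct {
	Host      string
	Reachable bool
	Users     map[string]string
}

// Profile is the device TACACS+ profile: an ordered list of at most four servers.
type Profile struct{ Servers []Server }

const MaxServers = 4

var (
	ErrTooManyServers    = errors.New("a device TACACS+ profile accepts at most four servers")
	ErrNoServerReachable = errors.New("no TACACS+ server in the profile is reachable")
	ErrAuthFailed        = errors.New("TACACS+ server rejected the credentials")
)

func NewProfile(servers ...Server) (*Profile, error) {
	if len(servers) > MaxServers {
		return nil, ErrTooManyServers
	}
	return &Profile{Servers: servers}, nil
}

// Authenticate tries the servers in profile order and skips the unreachable ones.
// Assumption (not stated by the release note): the first reachable server's verdict
// is final, so a credential rejection is not retried on the next server; failover
// is for reachability only. The returned host is the server that answered.
func (p *Profile) Authenticate(user, password string) (string, error) {
	for _, s := range p.Servers {
		if !s.Reachable {
			continue
		}
		stored, known := s.Users[user]
		if known && subtle.ConstantTimeCompare([]byte(stored), []byte(password)) == 1 {
			return s.Host, nil
		}
		return s.Host, ErrAuthFailed
	}
	return "", ErrNoServerReachable
}

// AccountingRecord is the per-service start/stop record TACACS+ accounting keeps.
type AccountingRecord struct {
	User     string
	Service  string // e.g. "ssh-shell"
	Event    string // "start" or "stop"
	At       time.Time
	Duration time.Duration // set on the stop record: how long the service was in use
}

// Session is one service use between its start and stop records.
type Session struct {
	User, Service string
	StartedAt     time.Time
}

// StartSession emits the start record and the session handle used to close it.
func StartSession(user, service string, at time.Time) (Session, AccountingRecord) {
	return Session{User: user, Service: service, StartedAt: at},
		AccountingRecord{User: user, Service: service, Event: "start", At: at}
}

// StopSession emits the stop record carrying the session duration the audit trail needs.
func StopSession(s Session, at time.Time) AccountingRecord {
	return AccountingRecord{User: s.User, Service: s.Service, Event: "stop", At: at, Duration: at.Sub(s.StartedAt)}
}

func main() {
	users := map[string]string{"netops": "s3cret"} // constructed directory for the demo
	profile, err := NewProfile(
		Server{Host: "tacacs-1.example.net", Reachable: false, Users: users}, // down: skipped
		Server{Host: "tacacs-2.example.net", Reachable: true, Users: users},
	)
	if err != nil {
		panic(err)
	}
	host, err := profile.Authenticate("netops", "s3cret")
	fmt.Printf("answered by %s, err=%v\n", host, err)

	t0 := time.Date(2025, 2, 1, 9, 0, 0, 0, time.UTC)
	sess, start := StartSession("netops", "ssh-shell", t0)
	stop := StopSession(sess, t0.Add(90*time.Second))
	fmt.Printf("%+v\n%+v\n", start, stop)
}
```

The point to take from the model is the order of checks: reachability decides which server gets asked, and the server that is asked decides the verdict, so a misconfigured first server that is reachable but missing the user will lock the user out rather than fall through.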
Move Flows
The Move Flows action now offers greater flexibility for managing traffic, maintaining performance, and enforcing SLA requirements. With the addition of the App/Network SLA Rule Type, Move Flows provides better traffic control.
Previously, the action only excluded SLA-violating paths for new flows, leaving existing flows unchanged, and relied on Link Quality and Application Metrics unless the field was empty. Now you can choose between Move Flows Graceful and Move Flows Forced for more control:
- Move Flows Graceful moves existing flows and excludes paths for new flows that violate SLAs, considering Link Quality and Probe Metrics.
- Move Flows Forced actively shifts flows from non-performing paths to better ones, even across NAT boundaries, using Link Quality and Application/Probe Metrics. It is triggered by events such as WAN interface changes, link degradation, app unreachability, probe failures, or path revalidation.
The action supports a wide range of path types, including Private L2, Direct (Public/Private), SD-WAN VPNs (Public/Private), and Third-Party VPNs (Public/Private). It works across combinations of active and backup paths like Direct Internet, Direct Private, Public/Private VPN, Standard VPN, and enterprise VPN configurations.
Port Channel Interface
Link Aggregation Group (LAG) and the associated Link Aggregation Control Protocol (LACP), commonly called port-channel, combine multiple physical interfaces into a single logical interface. This capability enhances throughput and link redundancy between your device and an adjacent switch. Use LAG and LACP when configuring Layer 3 ports on the LAN side to ensure your mission-critical applications have consistent, high-availability network connections.
LAG and LACP support aligns with industry standards to allow seamless integration with your existing network equipment. Leverage this capability to enhance network performance, simplify management, and improve overall user experience across your distributed enterprise environments. Link Aggregation Groups combine one or two network connections in scenarios where higher throughput or fail-over capabilities are essential.
LACP is a protocol that manages the bundling of these physical links, ensuring proper load balancing and link status monitoring. You can now use LAG and LACP with Prisma® SD-WAN (available in software version 6.5 and later).
Secure Fabric Tunnels for DC to DC
Prisma® SD-WAN Secure Fabric Tunnels enables seamless and secure communication between data centers, including on-premises and cloud environments. You use Secure Fabric Tunnels to establish inter-DC connectivity, eliminating the need for third-party solutions or complex MPLS configurations.
This feature allows you to efficiently connect multiple data centers across diverse environments:
- Cloud providers such as AWS, Azure, Equinix, and GCP.
- Physical on-premises locations.
Secure Fabric Tunnels provides a flexible and manageable inter-DC solution by supporting:
- High availability configurations.
- Multi-pathing.
- Load sharing across multiple links.
To provision and manage these connections, use the Prisma SD-WAN controller UI or APIs, similar to how you set up branch-to-branch tunnels. You can view LQM and statistics available for data center sites on the Site Summary page.
Secure Group Tag (SGT) Propagation
Secure Group Tag (SGT) propagation enables identity-based security and policy enforcement across networks by preserving SGT information end to end, so that access can be controlled over public and private VPN overlays. SGT propagation can be customized per site, including Branch, Data Center, and Branch Gateway locations. When enabled at the site level, the ION device parses Cisco Metadata headers, extracts the Security Group Information (SGI) values, and preserves and applies them across Prisma SD-WAN. The feature also introduces LAN-to-LAN propagation and static SGT configuration for ION-initiated traffic.
Static tag values can be configured for ION-initiated traffic (e.g., NTP, DHCP, App Probes) and SGT settings can be enabled or disabled at the interface level. Static SGT tagging ensures effective routing and consistent propagation across the network, regardless of topology.
SGT information can be accessed through the Flow Browser and Device Toolkit commands, allowing for enhanced troubleshooting and monitoring capabilities.
Support for GCM Encryption
Traditional encryption modes like Cipher Block Chaining (CBC) can introduce performance overhead and lack the combined authentication and encryption needed for modern network security. To address these limitations, Prisma SD-WAN introduces Galois/Counter Mode (GCM) support for fabric tunnels and standard VPN connections. This feature introduces AES-GCM-128 and AES-GCM-256 algorithms, providing Authenticated Encryption with Associated Data (AEAD) capabilities. By implementing GCM, you gain improved performance and stronger security compared to traditional CBC modes.
GCM encryption provides compatibility with both static and dynamic IPsec setups across specific tunnels. This feature is particularly beneficial when connecting to third-party services or when you require heightened security measures for sensitive data transmission. The implementation supports IKEv2 authentication protocols and integrates seamlessly with existing key management processes.
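To make the AEAD point concrete, here is an added Go example that is not Prisma SD-WAN code and says nothing about how the product's IPsec stack is built. It seals a message with AES-GCM (a 32-byte key gives AES-GCM-256, a 16-byte key AES-GCM-128), binds cleartext header fields as associated data, and shows that any change to the ciphertext, the tag or the associated data is rejected before a single byte of plaintext is returned. Beside it, AES-CBC without a MAC decrypts a bit-flipped message without complaint, which is the integrity gap the note refers to. The key, the `tunnel-id` associated data and the message are constructed for the demo; padding is left out of the CBC contrast, so its plaintext must be block-aligned.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-GCM AEAD: a 16-byte key gives AES-GCM-128, a 32-byte key AES-GCM-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealGCM encrypts plaintext and binds aad (fields sent in the clear, such as a tunnel
// header) into the authentication tag. Output layout: nonce || ciphertext || tag.
func SealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per message: reusing a nonce under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenGCM verifies the tag over ciphertext and aad; on failure it returns no plaintext at all.
func OpenGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// EncryptCBC is the contrast case: AES-CBC with no MAC. Output layout: iv || ciphertext.
// Padding is left out to keep the contrast short, so plaintext must be block-aligned.
func EncryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext must be a multiple of 16 bytes")
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return append(iv, out...), nil
}

// DecryptCBC has no way to tell a modified ciphertext from a genuine one.
func DecryptCBC(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	out := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(out, data[aes.BlockSize:])
	return out, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)               // constructed demo key (AES-GCM-256), not a real one
	aad := []byte("tunnel-id=dc1-dc2")                  // constructed associated data, sent in the clear
	msg := []byte("keepalive seq=0001 branch-to-dc1")   // 32 bytes, so the CBC contrast needs no padding

	sealed, _ := SealGCM(key, msg, aad)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	_, err := OpenGCM(key, sealed, aad)
	fmt.Println("GCM on tampered message:", err)

	cbc, _ := EncryptCBC(key, msg)
	cbc[0] ^= 0x01 // flip one IV bit: plaintext byte 0 changes and nothing notices
	pt, err := DecryptCBC(key, cbc)
	fmt.Printf("CBC on tampered message: err=%v plaintext=%q\n", err, pt)
}
```

The design choice worth noting is that GCM's tag covers the associated data as well as the ciphertext, so a tunnel header that a peer relies on for routing or policy is protected even though it travels unencrypted; CBC on its own covers neither.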
Support for Prisma SD-WAN Copilot
Copilot is your new virtual assistant in Prisma SD-WAN. Powered by Palo Alto Networks Precision AI™, Copilot gives you real-time, actionable insights on the health and security of your network, no matter where you are in Prisma SD-WAN. Copilot harnesses the data from your Prisma SD-WAN and combines it with Palo Alto Networks best practice guidance to give you clear, actionable answers based on your input, and it can open a support case for you when needed. With increasing usage, Copilot learns from your interactions to improve and refine its responses.
Copilot provides real-time, actionable insights, helping you to:
- Find, understand, and resolve threats before they turn into problems.
- Identify the cause of degraded network and app experience.
- Open support cases when you want help to fix an issue quickly.
The data and insights that Copilot shares with you depend on your onboarded products and licenses.