Prisma SD-WAN
Features Introduced in February 2025
Table of Contents
Expand All
|
Collapse All
Prisma SD-WAN Docs
-
-
-
- CloudBlade Integrations
- CloudBlades Integration with Prisma Access
-
-
-
-
- 6.5
- 6.4
- 6.3
- 6.2
- 6.1
- 5.6
- New Features Guide
- On-Premises Controller
- Prisma SD-WAN CloudBlades
- Prisma Access CloudBlade Cloud Managed
- Prisma Access CloudBlade Panorama Managed
Features Introduced in February 2025
Here's a preview of what’s new in Prisma SD-WAN in February
2025.
Here's a preview of the new features introduced in Prisma SD-WAN in
February 2025.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
Flow Visualization Enhancements
Flows give insights into various network flows, such as branch-to-branch,
branch-to-data center, and branch-to-third-party VPN connections. This view helps
identify network issues, understand traffic routing, and assess how network policies
impact specific flows.
Flow details improve visibility into
network traffic by offering end-to-end session details. They allow you to visualize
a flow’s path across multiple sites and network segments, enhancing troubleshooting,
traffic analysis, and network optimization.
Secure Group Tag (SGT) Propagation
Secure Group Tag (SGT) enables
identity-based security and enforces policies across networks. It preserves SGT
information end-to-end, controlling access over public and private VPN overlays. You
can customize SGT propagation per site, including Branch, Data Center, and Branch
Gateway locations. When enabled at the site level, SGT allows the ION device to
parse Cisco Metadata headers, extract Security Group Information (SGI) values, and
preserve them across the Prisma SD-WAN. The system parses Cisco Metadata headers to
extract and apply SGT values across the network. It also introduces LAN to LAN
propagation and static SGT configuration for ION initiated traffic.
You can configure Static Tag values for ION-initiated traffic (e.g., NTP,
DHCP, App Probes) and enable or disable SGT settings at the interface level. Static
SGT tagging ensures effective routing and consistent propagation across the network,
regardless of topology.
SGT information can be accessed through the Flow Browser and
Device Toolkit commands, allowing for enhanced troubleshooting and
monitoring capabilities.
Support for GCM Encryption
The Galois/Counter Mode (GCM) support in
Prisma SD-WAN enhances your network security by offering advanced encryption for
both fabric tunnels and standard VPN connections. This feature introduces
AES-GCM-128 and AES-GCM-256 algorithms, providing Authenticated Encryption with
Associated Data (AEAD) capabilities. By implementing GCM, you gain improved
performance and stronger security compared to traditional CBC modes.
You can now configure GCM encryption for specific tunnels, ensuring
compatibility with both static and dynamic IPsec setups. This feature is
particularly beneficial when connecting to third-party services or when you require
heightened security measures for sensitive data transmission. The implementation
supports IKEv2 authentication protocols and integrates seamlessly with existing key
management processes.
Support for Prisma SD-WAN Copilot
Copilot harnesses the data from your
Prisma SD-WAN and combines it with Palo Alto Networks best practice guidance, to
give you clear, actionable answers based on your input and can open a support case
for you when needed. With increasing usage, Copilot will learn from your
interactions to improve and refine its responses.
Chat with Copilot to get real-time, actionable insights on the health and security of
your network:
- Find, understand, and resolve threats before they turn into problems.
- Identify the cause of degraded network and app experience.
- Open support cases when you want help to fix an issue quickly.
The data and insights that Copilot shares with you depends on your
onboarded products and licenses.
Port Channel Interface
The LAG (Link Aggregation Group) and LACP (Link Aggregation Control Protocol),
commonly called port-channel, on Layer 3 ports on the LAN
side. LAG and LACP support enhances your network infrastructure by allowing you to
combine multiple physical interfaces into a single logical interface.
LAG and LACP support aligns with industry standards, allowing seamless integration
with your existing network equipment. By leveraging this capability, you can enhance
your network performance, simplify management, and improve overall user experience
across your distributed enterprise environments. Link Aggregation Groups enable
combining one or two network connections in scenarios where higher throughput or
fail-over capabilities are essential.
LACP, on the other hand, is a protocol that manages the bundling of these physical
links, ensuring proper load balancing and link status monitoring. This includes
details on creating and modifying LACP on supported interfaces.
Support for Easy Onboarding of Panorama Managed Prisma Access
Effortlessly integrate Prisma SD-WAN with Prisma Access through a native onboarding process. Prisma SD-WAN
supports this integration for both Cloud Managed and Panorama Managed Prisma
Access.
Earlier, you needed the Prisma Access for Networks (Cloud Managed)
CloudBlade and Prisma Access for Networks (Panorama Managed) CloudBlade to connect
Prisma Access to Prisma SD-WAN. With the native SASE Integration with Prisma SD-WAN
feature, you can directly onboard Prisma SD-WAN sites to Prisma Access, bypassing
the need of a CloudBlade.
In case you have previously set up a CloudBlade to establish the connection
between Prisma SD-WAN and Prisma Access, you must first deactivate the CloudBlade
and contact Palo Alto Networks Customer Support before using this workflow.
Cellular Carrier Certification Enhancements
New modem firmware is introduced for ION 1200-C5G-WW and ION
1200-S-C5G-WW. If an ION device is running on old firmware, a notification
is displayed on the Strata Cloud Manager web interface informing the user to upgrade
the software. The firmware applies to ION software version 5.6.1 and higher,
however, Palo Alto Networks recommends moving to software version 6.1.6 or above
before upgrading to recommended modem firmware.
Device TACACS+
Prisma SD-WAN supports TACACS+ (Terminal Access Controller Access Control
System+)
authentication protocol that controls network device access, and SSH login
for controller nodes in a network infrastructure. TACACS+ uses a TACACS+ server
profile to record user behavior, such as when a user started using a specific
service, the duration, and when they stopped using it. This helps to create logs and
records of the initiation and termination of services and any services in progress
during the user’s session, which you can use for auditing purposes.
A device TACACS+ profile consists of multiple configured TACACS+ servers.
You can add a maximum of four servers, depending on servers reachability, the system
tries to sequentially connect to the available servers in the profile. If a user is
present in the TACACS+ server and enters the correct credentials, the user logs in
successfully.
Enhanced DC Routing Capabilities
Enhanced DC routing capabilities address critical challenges and adapt to your
network's evolving needs, ensuring it remains efficient and effective.
- Optimized Data Center (DC) Prefix Advertising: DC Site or ION devices now support advertising specific DC prefixes or learned prefixes to the overlay Fabric. Your branch locations can now prioritize traffic through their preferred data center, ensuring faster and more reliable connections tailored to your organizational needs.
- Enhanced Prefix Management: DC ION devices can now advertise summary prefixes to the Core network, effectively addressing scale limitations. Our solution simplifies and scales your network's ability to handle large numbers of prefixes effortlessly.
- Automated Asymmetry Correction: Network asymmetry can pose a risk in scenarios where branch traffic routes through Prisma Access or other cloud security platforms. Our new functionality automatically detects and corrects asymmetry, ensuring smoother, more balanced traffic flows and compliance with security protocols.
- Intelligent Traffic Rerouting: DC ION devices can detect core network connectivity failures. When such issues arise, traffic is seamlessly redirected to alternative overlay paths within the same data center, maintaining uninterrupted service and enhancing network resilience.
Secure Fabric Prisma SD-WAN Tunnels for DC to DC and Multicloud Connectivity Visibility Enhancements
Prisma SD-WAN's Secure Fabric Tunnels between data centers
enables seamless and secure communication between data centers, including
on-premises and cloud environments. This capability allows you to establish Secure
Fabric tunnels between data center sites, eliminating the need for third-party
solutions or complex MPLS configurations.
With this feature, you can efficiently connect multiple data centers
across different cloud providers such as AWS, Azure, Equinix, and GCP, as well as
physical locations. The solution supports high availability configurations,
multi-pathing, and load sharing across multiple links. You can easily provision and
manage these inter-DC connections through the Prisma SD-WAN controller UI or via
APIs, similar to how you set up branch-to-branch tunnels. This feature addresses the
growing need for flexible, cost-effective, and manageable inter-DC connectivity in
today's distributed and multicloud environments.
You can now view LQM and statistics for data center sites on the
Site Summary page.
Performance Policy Enhancements
The Move Flows action in performance policy rules now offers
greater flexibility for managing traffic, maintaining performance, and enforcing SLA
requirements. With the addition of the App/Network SLA Rule Type, you can use
Move Flows to better control traffic.
Previously, the action only excluded SLA-violating paths for new flows,
leaving existing flows unchanged and relying on Link Quality and Application Metrics
unless the field was empty. Now, you can choose between Move Flows
Graceful and Move Flows Forced for more
control:
- Move Flows Graceful moves existing flows and excludes paths for new flows that violate SLAs, considering Link Quality and Probe Metrics.
- Move Flows Forced actively shifts flows from non-performing paths to better ones, even across NAT boundaries, using Link Quality and Application/Probe Metrics.
Move Flows Forced triggers on events such as WAN
interface changes, link degradation, app unreachability, probe failures, or path
revalidation. It supports various path types, including private/public VPNs, Direct
Internet, and enterprise VPNs, across active and backup configurations.