>
    Strata Copilot
    Features Introduced in February 2025
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Prisma SD-WAN New Features
    4. Prisma SD-WAN Release Information
    5. Prisma SD-WAN Features Introduced in 2025
    6. Features Introduced in February 2025
    Download PDF
    Prisma SD-WAN

    Features Introduced in February 2025

    Table of Contents

    Features Introduced in February 2025

    Here's a preview of what’s new in Prisma SD-WAN in February 2025.
    Here's a preview of the new features introduced in Prisma SD-WAN in February 2025.
    Where Can I Use This?What Do I Need?
    • Prisma SD-WAN
    • Prisma SD-WAN license

    Flow Visualization Enhancements

    Flows give insights into various network flows, such as branch-to-branch, branch-to-data center, and branch-to-third-party VPN connections. This view helps identify network issues, understand traffic routing, and assess how network policies impact specific flows.
    Flow details improve visibility into network traffic by offering end-to-end session details. They allow you to visualize a flow’s path across multiple sites and network segments, enhancing troubleshooting, traffic analysis, and network optimization.

    Secure Group Tag (SGT) Propagation

    Secure Group Tag (SGT) enables identity-based security and enforces policies across networks. It preserves SGT information end-to-end, controlling access over public and private VPN overlays. You can customize SGT propagation per site, including Branch, Data Center, and Branch Gateway locations. When enabled at the site level, SGT allows the ION device to parse Cisco Metadata headers, extract Security Group Information (SGI) values, and preserve them across the Prisma SD-WAN. The system parses Cisco Metadata headers to extract and apply SGT values across the network. It also introduces LAN to LAN propagation and static SGT configuration for ION initiated traffic.
    You can configure Static Tag values for ION-initiated traffic (e.g., NTP, DHCP, App Probes) and enable or disable SGT settings at the interface level. Static SGT tagging ensures effective routing and consistent propagation across the network, regardless of topology.
    SGT information can be accessed through the Flow Browser and Device Toolkit commands, allowing for enhanced troubleshooting and monitoring capabilities.

    Support for GCM Encryption

    The Galois/Counter Mode (GCM) support in Prisma SD-WAN enhances your network security by offering advanced encryption for both fabric tunnels and standard VPN connections. This feature introduces AES-GCM-128 and AES-GCM-256 algorithms, providing Authenticated Encryption with Associated Data (AEAD) capabilities. By implementing GCM, you gain improved performance and stronger security compared to traditional CBC modes.
    You can now configure GCM encryption for specific tunnels, ensuring compatibility with both static and dynamic IPsec setups. This feature is particularly beneficial when connecting to third-party services or when you require heightened security measures for sensitive data transmission. The implementation supports IKEv2 authentication protocols and integrates seamlessly with existing key management processes.

    Support for Prisma SD-WAN Copilot

    Copilot harnesses the data from your Prisma SD-WAN and combines it with Palo Alto Networks best practice guidance, to give you clear, actionable answers based on your input and can open a support case for you when needed. With increasing usage, Copilot will learn from your interactions to improve and refine its responses.
    Chat with Copilot to get real-time, actionable insights on the health and security of your network:
    • Find, understand, and resolve threats before they turn into problems.
    • Identify the cause of degraded network and app experience.
    • Open support cases when you want help to fix an issue quickly.
    The data and insights that Copilot shares with you depends on your onboarded products and licenses.

    Port Channel Interface

    The LAG (Link Aggregation Group) and LACP (Link Aggregation Control Protocol), commonly called port-channel, on Layer 3 ports on the LAN side. LAG and LACP support enhances your network infrastructure by allowing you to combine multiple physical interfaces into a single logical interface.
    LAG and LACP support aligns with industry standards, allowing seamless integration with your existing network equipment. By leveraging this capability, you can enhance your network performance, simplify management, and improve overall user experience across your distributed enterprise environments. Link Aggregation Groups enable combining one or two network connections in scenarios where higher throughput or fail-over capabilities are essential.
    LACP, on the other hand, is a protocol that manages the bundling of these physical links, ensuring proper load balancing and link status monitoring. This includes details on creating and modifying LACP on supported interfaces.

    Support for Easy Onboarding of Panorama Managed Prisma Access

    Effortlessly integrate Prisma SD-WAN with Prisma Access through a native onboarding process. Prisma SD-WAN supports this integration for both Cloud Managed and Panorama Managed Prisma Access.
    Earlier, you needed the Prisma Access for Networks (Cloud Managed) CloudBlade and Prisma Access for Networks (Panorama Managed) CloudBlade to connect Prisma Access to Prisma SD-WAN. With the native SASE Integration with Prisma SD-WAN feature, you can directly onboard Prisma SD-WAN sites to Prisma Access, bypassing the need of a CloudBlade.
    In case you have previously set up a CloudBlade to establish the connection between Prisma SD-WAN and Prisma Access, you must first deactivate the CloudBlade and contact Palo Alto Networks Customer Support before using this workflow.

    Cellular Carrier Certification Enhancements

    New modem firmware is introduced for ION 1200-C5G-WW and ION 1200-S-C5G-WW. If an ION device is running on old firmware, a notification is displayed on the Strata Cloud Manager web interface informing the user to upgrade the software. The firmware applies to ION software version 5.6.1 and higher, however, Palo Alto Networks recommends moving to software version 6.1.6 or above before upgrading to recommended modem firmware.

    Device TACACS+

    Prisma SD-WAN supports TACACS+ (Terminal Access Controller Access Control System+)
    authentication protocol that controls network device access, and SSH login for controller nodes in a network infrastructure. TACACS+ uses a TACACS+ server profile to record user behavior, such as when a user started using a specific service, the duration, and when they stopped using it. This helps to create logs and records of the initiation and termination of services and any services in progress during the user’s session, which you can use for auditing purposes.
    A device TACACS+ profile consists of multiple configured TACACS+ servers. You can add a maximum of four servers, depending on servers reachability, the system tries to sequentially connect to the available servers in the profile. If a user is present in the TACACS+ server and enters the correct credentials, the user logs in successfully.

    Enhanced DC Routing Capabilities

    Enhanced DC routing capabilities address critical challenges and adapt to your network's evolving needs, ensuring it remains efficient and effective.
    1. Optimized Data Center (DC) Prefix Advertising: DC Site or ION devices now support advertising specific DC prefixes or learned prefixes to the overlay Fabric. Your branch locations can now prioritize traffic through their preferred data center, ensuring faster and more reliable connections tailored to your organizational needs.
    2. Enhanced Prefix Management: DC ION devices can now advertise summary prefixes to the Core network, effectively addressing scale limitations. Our solution simplifies and scales your network's ability to handle large numbers of prefixes effortlessly.
    3. Automated Asymmetry Correction: Network asymmetry can pose a risk in scenarios where branch traffic routes through Prisma Access or other cloud security platforms. Our new functionality automatically detects and corrects asymmetry, ensuring smoother, more balanced traffic flows and compliance with security protocols.
    4. Intelligent Traffic Rerouting: DC ION devices can detect core network connectivity failures. When such issues arise, traffic is seamlessly redirected to alternative overlay paths within the same data center, maintaining uninterrupted service and enhancing network resilience.

    Secure Fabric Prisma SD-WAN Tunnels for DC to DC and Multicloud Connectivity Visibility Enhancements

    Prisma SD-WAN's Secure Fabric Tunnels between data centers enables seamless and secure communication between data centers, including on-premises and cloud environments. This capability allows you to establish Secure Fabric tunnels between data center sites, eliminating the need for third-party solutions or complex MPLS configurations.
    With this feature, you can efficiently connect multiple data centers across different cloud providers such as AWS, Azure, Equinix, and GCP, as well as physical locations. The solution supports high availability configurations, multi-pathing, and load sharing across multiple links. You can easily provision and manage these inter-DC connections through the Prisma SD-WAN controller UI or via APIs, similar to how you set up branch-to-branch tunnels. This feature addresses the growing need for flexible, cost-effective, and manageable inter-DC connectivity in today's distributed and multicloud environments.
    You can now view LQM and statistics for data center sites on the Site Summary page.

    Performance Policy Enhancements

    The Move Flows action in performance policy rules now offers greater flexibility for managing traffic, maintaining performance, and enforcing SLA requirements. With the addition of the App/Network SLA Rule Type, you can use Move Flows to better control traffic.
    Previously, the action only excluded SLA-violating paths for new flows, leaving existing flows unchanged and relying on Link Quality and Application Metrics unless the field was empty. Now, you can choose between Move Flows Graceful and Move Flows Forced for more control:
    • Move Flows Graceful moves existing flows and excludes paths for new flows that violate SLAs, considering Link Quality and Probe Metrics.
    • Move Flows Forced actively shifts flows from non-performing paths to better ones, even across NAT boundaries, using Link Quality and Application/Probe Metrics.
    Move Flows Forced triggers on events such as WAN interface changes, link degradation, app unreachability, probe failures, or path revalidation. It supports various path types, including private/public VPNs, Direct Internet, and enterprise VPNs, across active and backup configurations.

    © 2025 Palo Alto Networks, Inc. All rights reserved.