New Features - Prisma SD-WAN - October 2025

Prisma SD-WAN is introducing CDSS (Cloud Delivered Security Services) Branch Security to extend on-box protection at the branch, complementing our SASE platform with capabilities such as intra-branch policy enforcement and local guest URL filtering.

Note: The branch security feature requires a subscription license and is supported starting with the release 6.5.3-I. Logging to SLS also requires a valid SLS license for your tenant/devices.

• Simplified Security Policy Enforcement : A Security Profile Group is a collection of security profiles (including Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, and DNS) that function as a single unit. This structure allows for the assignment of multiple profiles to a security policy rule in one step. Both Prisma Access and Prisma SD-WAN use these Security Profile Groups to maintain a consistent security posture across the network. By applying the same profile group, traffic from mobile users (cloud-connected) and branch offices (local-edge-connected) receives an identical set of threat prevention checks, which simplifies policy management.
• Integrated Threat Coverage : The feature provides integrated Threat Prevention, DNS Security, and URL Filtering services for your branch networks.
• Centralized Logging : Prisma SD-WAN now offers the option to log all traffic and security events directly to the Strata Logging Service (SLS), providing centralized visibility, scalable cloud-native storage, and enhanced forensic capabilities.

Shared configuration management eliminates the complexity of managing security policies across multiple Palo Alto Networks services by allowing other Palo Alto Networks services to subscribe to and receive configuration objects from Strata Cloud Manager. Shared configuration management allows you to independently implement features without introducing inconsistencies or delays by providing a unified way for subscribers like Prisma SD-WAN Controller or Branch Sites for Prisma SD-WAN Ion devices to access and use Strata Cloud Manager managed NGFW and Prisma Access configurations.

Palo Alto Networks services can access Strata Cloud Manager configuration objects on a read-only basis while maintaining proper synchronization and usage tracking. Shared configurations enable you to share Security Profiles such as Threat Prevention, Anti-Spyware, Vulnerability Protection, URL Filtering, and DNS Security with Prisma SD-WAN Controller instances. You can track which shared objects are actively referenced by external services, and Strata Cloud Manager automatically blocks deletion of configuration objects that are currently in use by external subscribers to prevent configuration conflicts.

When making pushes to other services, reverting those pushes should be avoided as it may cause issues with your configuration.