Prisma SD-WAN Features Introduced in July 2020
Focus
Focus

Prisma SD-WAN Features Introduced in July 2020

Table of Contents

Prisma SD-WAN Features Introduced in July 2020

Learn what’s new in Prisma SD-WAN in July 2020.
FeatureDescription
Prisma SD-WAN DNS Service
The Prisma SD-WAN DNS Service runs locally on branch ION devices and can act as a caching or authoritative server. Enabling the Prisma SD-WAN DNS Service serves to speed up domain name resolution time, increase overall resiliency in the domain name resolution system, and provide a local platform for enabling secure DNS. The Prisma SD-WAN DNS Service is enabled using global DNS Service Profiles, binding them to sites, and assigning the ION interfaces to DNS Service Roles. DNS Service Profiles are used to specify configuration parameters for the Prisma SD-WAN DNS Service. Once created, a DNS Service Profile is bound to a device.
Device Software Version Required: 5.4.1 and later
Event Correlation
Event Correlation enables the Prisma SD-WAN controller to identify events versus individual issues. This change reduces the overall number of alarms that an administrator receives and improves the operational efficiency of the App-Fabric. The Prisma SD-WAN controller analyzes incoming alarms from the ION devices to determine if they are related. If the controller detects the events are related, the alarms are aggregated into a single alarm. For example, if the controller receives multiple VPN down alarms, they are analyzed in real time, determined to be related, and a single Secure Fabric Link alarm is generated for the event, while suppressing the original list of alarms.
Enhanced VPN Keep-Alive Configuration
VPN keep-alive parameters for Prisma SD-WAN VPNs can now be specified at the Circuit Category, Circuit Label, or Secure Fabric Link. By adjusting the Keep-Alive Failure Count and Keep-Alive Interval values, you can specify VPN liveliness checks that fit the business requirements of the network. Higher timers use less bandwidth but detect an outage less quickly, while the inverse is true for lower timers.
Device Software Version Required: 5.4.1 and later
New and Enhanced AlarmsThe following lists the new and enhanced alarms for Release 5.4.1: NETWORK_SECUREFABRICLINK_DEGRADED: This alarm is triggered when a secure fabric link is degraded. This happens when at least one VPN link is UP and one or more VPN links are DOWN from the active device. NETWORK_SECUREFABRICLINK_DOWN: This alarm is triggered when a secure fabric link and all its VPN links are DOWN from the active device. SITE_NETWORK_SERVICE_ABSENT_FOR_POLICY: This alarm is triggered when a site belongs to a domain with a blank data center group used in a path policy rule.APPLICATION_PROBE_DISABLED: This alarm is triggered when the configured probe source interface is not operational. DEVICESW_DISCONNECTED_FROM_CONTROLLER: The hold time for this alarm is reduced to 10 minutes. Prior to the 5.4.1 controller release the hold time was 30 minutes. Alarms now have an optional description field when Acknowledged, to include Notes that will help in troubleshooting an issue.
Enhanced Site Summary and Overlay ConnectionsWhen a branch site or data center is selected from the Map screen, it provides the site summary and details of the overlay connections in a full screen experience. The Site Summary tab provides details on the selected site. For example, you can view the Connectivity, Mode, Domain, Attached Policies, Internet Circuits, Private WAN Circuits, Devices, and IP Prefixes associated with the site. The Advanced option allows you to bind Security Zones, manage HA Groups, and configure Ciphers for the branch site or data center. The Overlay Connections tab provides a graphical view of the overlay connectivity status for the site. It displays the status of the secure fabric links of each connected site with its corresponding data center. You can add a new secure fabric link from the same screen.
Enhanced Activity Screen with ION System InformationThe Activity screen now includes the System tab which displays the ION system related information like CPU Utilization, Free Memory, and Free Disk space for both branch and data center ION devices.
Enhanced BGP 32-bit AS SupportThe user interface now accepts and displays the converted values of the plain or dot format of an Autonomous System (AS) number. If the AS number is in an (A.B) format, the user interface displays the corresponding as plain (decimal) conversion below the entered value. If the AS number is in an as plain (decimal) format, the user interface displays the corresponding as a dot (A.B) format below the entered value.
Enhanced User Interface in Policies
The Prisma SD-WAN Policies user interface has the following improvements: In a QoS New Policy Rule, the DSCP Mark/Remark section is improved to simplify configured Hex Value selection. There are several user interface improvements to Stacked Policies administration, including the Bindings view, Sets view, Stacks view, and Rules view.The Bulk Edit for policy rules allows you to update information for multiple Path, QoS, and NAT policy rules at the same time.The default view for Zone-based Firewall policy rules has been changed to the table view. To access the spine view, hold Shift and click the Rules button.
Enhanced Interface Configuration for ION Device
The ION device interface configuration has the following improvements: The Description field in the Configure Interface screen of the Prisma SD-WAN is now increased to display 5 lines. The interface used as App Probe Source is now configurable. This is a required configuration for the ION 1000 and will default to the controller port for other ION models.
Device Software Version Required: 5.4.1 and later
IP Directed Broadcast
The IP directed broadcast for L3 interfaces enables traffic from remote networks to be broadcast over LAN networks using L3 LAN interfaces, if explicitly enabled. This allows for a unicast packet to be converted to a broadcast packet when passing from the WAN to a LAN interface.
Device Software Version Required: 5.4.1 and later
Configurable Application Reachability Probe
Users can enable or disable the Application Probe feature from the Basic Info or Interface Config screens of the user interface when configuring an ION device. You can configure a LAN port to be the application probe source interface. The controller port is used as the default source interface. The ION 1000 does not have a controller port, therefore you need to configure the port for the application probe.
Device Software Version Required: 5.4.1 and later
Automatic MSS Adjustment based on Configured MTU
The MSS adjustment is automatically performed for overlay paths such as Service links and CG-VPNs. Prior to the 5.4.1 device image, the MSS was statically set to 1300. This behavior works in most cases, but in cases when MTU is lowered, this setting may not be sufficient. Thus, for accommodating these cases, the TCP MSS is automatically adjusted down based on the MTU configured.
Device Software Version Required: 5.4.1 and later
New ION 1000 and ION 9000 Hardware
The new ION 1000 is our most lightweight branch appliance, ideally suited for retail locations, small branch offices, and home offices. The ION 1000 supports all the software features as the rest of the product line, which enables the deployment of a cost-effective, cloud-delivered branch.
The new ION 9000 is our high-end platform designed for large branch, campus, and data center locations. It is designed to install seamlessly in the data center by peering with adjacent data center devices using standard routing protocols.