New Features - Prisma SD-WAN - February 2024
Disable Tunnel Reoptimization
Prisma SD-WAN's tunnel reoptimization feature helps you maintain optimal network performance by automatically switching to the best available network path. By default, this feature is enabled, but you can choose to disable it based on your network needs. This feature is available with ION Device software version 6.3.2 or later.
A service endpoint is a label representing a specific location or network service. It can be a Prisma SD-WAN data center used for transit services or a third-party data center.
Prisma SD-WAN will periodically check the latency by default when multiple IP addresses or hosts are provided as part of the standard VPN endpoint. If a destination has better latency, it forces a tunnel change (config_change) to reoptimize the connection. As part of ION Device Release 6.3.2, users now have the option to disable tunnel reoptimization. In this case, the tunnel destination will change only if there is a failure.
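The following model illustrates the difference between the two modes described above: with reoptimization enabled, a lower-latency destination triggers a config_change; with it disabled, the destination changes only when the current one fails. This is an added example, not Prisma SD-WAN or ION device code; the class and field names and the "latency None means unreachable" convention are assumptions.

```python
"""Model of tunnel-destination selection with reoptimization on or off.
Added illustration; not Prisma SD-WAN code. Names are assumptions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Endpoint:
    host: str
    # Latency from the periodic check; None means the check got no answer
    # (assumed convention for "the destination failed").
    latency_ms: Optional[float]


@dataclass
class Tunnel:
    current: str                # host the tunnel currently terminates on
    reoptimize: bool = True     # the per-endpoint setting this section is about
    events: list = field(default_factory=list)

    def evaluate(self, endpoints: list) -> str:
        """Run one periodic latency check and return the chosen destination."""
        by_host = {e.host: e for e in endpoints}
        reachable = [e for e in endpoints if e.latency_ms is not None]
        if not reachable:
            # Nothing to fail over to; keep the current destination and log it.
            self.events.append(("no_reachable_destination", self.current))
            return self.current

        best = min(reachable, key=lambda e: e.latency_ms)
        cur = by_host.get(self.current)
        current_failed = cur is None or cur.latency_ms is None

        if current_failed:
            # Both modes switch on failure.
            self._switch(best.host, "failure")
        elif self.reoptimize and best.host != self.current:
            # Only the reoptimizing mode switches for a better latency.
            self._switch(best.host, "reoptimization")
        return self.current

    def _switch(self, new_host: str, reason: str) -> None:
        self.events.append(("config_change", self.current, new_host, reason))
        self.current = new_host


def demo() -> dict:
    """Constructed scenario: two endpoints, dc-b is faster, then dc-a fails."""
    checks = [Endpoint("dc-a", 40.0), Endpoint("dc-b", 25.0)]
    on = Tunnel("dc-a", reoptimize=True)
    off = Tunnel("dc-a", reoptimize=False)
    result = {"on": on.evaluate(checks), "off": off.evaluate(checks)}
    # dc-a stops answering: the non-reoptimizing tunnel now moves as well.
    result["off_after_failure"] = off.evaluate(
        [Endpoint("dc-a", None), Endpoint("dc-b", 25.0)])
    result["off_events"] = off.events
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Disabling reoptimization trades path quality for stability: each config_change is a tunnel teardown and rebuild, so environments that want to keep tunnel churn (and the corresponding events in monitoring) to a minimum can accept a slower destination until it actually fails.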
DNS Reachability for UDP Applications
Prisma SD-WAN has supported dynamic probing for TCP applications when it detects 3-way handshake failures. The ION device generates these dynamic probes to verify whether a destination service is up or down on that path. If the service is verified as down, the ION device stops sending additional user requests for the service on that path, while continuing to generate synthetic probes to detect any change in service reachability.
Starting with Release 6.3.2, Prisma SD-WAN extends this functionality to UDP DNS traffic and adds DNS health visibility.
The application probe component handles DNS probe requests: on receiving one, it starts a DNS probe to the destination. If the DNS server responds to the request, irrespective of whether it returns the requested domain name, the ION device treats the probe as successful. If the DNS server does not respond, the application probe notifies the flow controller to change the path.
When the probe detects that the DNS server is unreachable, the ION device continues probing once every minute for the first three probes and then once every 5 minutes. If the probe is successful again, the probe notifies the flow controller to use the path again.
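The probe behaviour described in this section, modelled as an added example (not ION device code): any answer from the DNS server counts as success, a timeout marks the path unusable, retries run at one-minute spacing for the first three and five-minute spacing afterwards, and a later success hands the path back to the flow controller. The class, function and notification names are assumptions; the timing and success rules come from the text above.

```python
"""Model of the UDP DNS reachability probe schedule. Added illustration;
not ION device code. Names and the notification shape are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

FIRST_INTERVAL_S = 60    # once a minute for the first three probes
LATER_INTERVAL_S = 300   # then once every five minutes
FAST_PROBES = 3


def next_probe_delay(consecutive_failures: int) -> int:
    """Seconds until the next probe after this many unanswered probes in a row."""
    return FIRST_INTERVAL_S if consecutive_failures <= FAST_PROBES else LATER_INTERVAL_S


def probe_succeeded(response: Optional[dict]) -> bool:
    """Any response at all (NXDOMAIN, SERVFAIL, ...) means the server is reachable;
    only silence (None, i.e. a timeout) is a failure."""
    return response is not None


@dataclass
class DnsPathProbe:
    server: str
    path: str
    failures: int = 0
    path_usable: bool = True
    notifications: list = field(default_factory=list)   # what the flow controller is told

    def record(self, now_s: int, response: Optional[dict]) -> Optional[int]:
        """Consume one probe result. Returns the time of the next probe, or None
        when the server answered and no further probing is scheduled."""
        if probe_succeeded(response):
            if not self.path_usable:
                self.path_usable = True
                self.notifications.append((now_s, "use_path", self.path))
            self.failures = 0
            return None
        self.failures += 1
        if self.path_usable:
            self.path_usable = False
            self.notifications.append((now_s, "change_path", self.path))
        return now_s + next_probe_delay(self.failures)


def run_schedule(probe: DnsPathProbe, results: list) -> list:
    """Drive the probe with a constructed sequence of results starting at t=0.
    Returns the times at which probes were sent."""
    t, sent = 0, []
    for r in results:
        sent.append(t)
        nxt = probe.record(t, r)
        if nxt is None:
            break
        t = nxt
    return sent


if __name__ == "__main__":
    # Constructed scenario: five timeouts, then the server answers NXDOMAIN.
    p = DnsPathProbe(server="10.0.0.53", path="wan-1")
    print(run_schedule(p, [None] * 5 + [{"rcode": "NXDOMAIN"}]))
    print(p.notifications)
```

Two points worth keeping in mind when reading the resulting DNS health data: a path is withdrawn for DNS only after a timeout, so a resolver that answers every query with SERVFAIL still looks healthy to this probe; and once the slow five-minute cadence is reached, recovery of the path is detected with up to five minutes of delay.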
Native SASE Integration with Prisma SD-WAN
The native SASE integration features an onboarding process that effortlessly integrates Prisma SD-WAN with Prisma Access. With previous Prisma Access versions, you needed to configure the additional component — Prisma Access for Networks (Cloud Managed) CloudBlade to onboard Prisma SD-WAN sites to Prisma Access. The native SASE integration between Prisma SD-WAN and Prisma Access further simplifies onboarding by eliminating the need to set up the CloudBlade. Prisma Access currently supports this integration only for new Prisma SASE (Strata Cloud Manager) deployments. For Panorama Managed Prisma Access deployments, continue using CloudBlades for integration with Prisma SD-WAN. Prisma SASE Easy Onboarding works seamlessly with both Prisma Access Cloud Managed and Panorama Managed deployments.
Site Template Configuration for Large Scale Deployments
Manually configuring network sites one by one is a time-consuming and error-prone process, especially for large-scale deployments. To streamline this process and ensure consistency, the Prisma SD-WAN configuration tool offers a new Site templates feature for deploying sites at scale. With Site templates, you can create templates, deploy sites, and provision them at scale through the Prisma SD-WAN user interface, simplifying and optimizing your network management process.
A site template is a predefined blueprint containing a list of variables that encompasses all the configurations needed to create fully operational sites and devices. Using one template, you can deploy multiple sites. You can use an existing template as is, edit an existing template, or create a new one to deploy sites.
You can pre-provision sites before an ION device is available to accelerate the deployment. The device shell allows you to create elements, visualize the network, and perform simple configurations. If you don't have a physical device at the time of deployment, a virtual configuration, called a device shell, is created that associates a device with a site; the device shell can later be assigned to a physical device.