Prisma SD-WAN Features Introduced in February 2020

Learn what’s new in Prisma SD-WAN in February 2020.
NAT Policy Configuration
Prisma SD-WAN introduces NAT policy configuration through the portal, enabling translation of public and private IP addresses to ensure privacy of internal networks connected to public or private networks, including reuse of the same IP address or mapping of multiple IP addresses to a single IP address. By default, Prisma SD-WAN provides an out-of-the-box configuration that automatically performs Source NAT for traffic that is destined directly to public internet interfaces. In scenarios where more specific configuration is required, Prisma SD-WAN enables granular NAT control for a variety of use cases. NAT policies apply only to branch ION devices. They are configured through NAT policy sets that are attached to sites and contain NAT policy rules and actions. Prior to configuring NAT, review the migration considerations included in the NAT Policy Guide.
Device Software Version Required: 5.2.1 and later
Virtual Interface for Enhanced Redundancy
Prisma SD-WAN enables the creation of a virtual interface by combining two controller ports or two non-controller ports for port-level and cable-level redundancy. If a port malfunctions, the interface remains accessible through the redundant port. Note that a virtual interface cannot be created by combining a controller port and a non-controller port. A virtual interface cannot be created on an interface that is a sub-interface, is already part of a virtual interface such as a bypass pair, carries PPPoE or static or dynamic IP configuration, or has the option Use this Port For set to internet, private WAN, or LAN. Both the Use this Port For and Circuit Label fields must be left empty for the interface to be eligible for configuration as a virtual member interface.
Device Software Version Required: 5.2.1 and later
VPN-to-VPN Traffic
Prisma SD-WAN enables the forcing of VPN-to-VPN traffic to the local next hop in the Data Center. When configuring a data center device, toggle the option Force VPN-to-VPN Traffic to Local Next Hop to Yes to force traffic from one branch site to another to the local next hop within a data center site. By default, the option Force VPN-to-VPN Traffic to Local Next Hop is toggled to No.
Device Software Version Required: 5.2.1 and later
Branch-Site LAN BGP Routing
LAN-side BGP routing can now be enabled on a branch site. The branch ION device, in conjunction with the L3 device, participates in routing as follows:
  • Learns the prefixes behind the L3 device and forwards traffic to those prefixes.
  • Advertises BGP-learned prefixes from the WAN-side (e.g. MPLS PE) or a default route to the LAN L3 device.
  • Advertises prefixes learned from the L3 device to other branches and data centers.
Device Software Version Required: 5.2.1 and later
Enhanced Filtering in Activity Charts
Prisma SD-WAN provides improved capability to search application definitions by name or domain, port number, L3 or L4 protocol, prefix filter, or transfer type. With the improved search capability, it is now possible to find applications of interest with ease; for example, filter all applications that match port 80. This helps with locating and managing applications. In addition, it can be used to confirm whether any application definitions are referenced explicitly in a policy set and whether those policy sets are used at a site.
DHCP Option 60
Prisma SD-WAN supports the Vendor Class Identifier (VCI), DHCP option 60, on the DHCP server. A DHCP client sends option code 60 (VCI) in its communication with the DHCP server. On receiving option 60, the DHCP server matches the received VCI against the VCIs in its own table and returns the value corresponding to that VCI to the DHCP client. Option 60 can be configured by selecting Vendor Class ID under Custom Options. For Vendor Class ID, enter a VCI value, then enter the definition and its corresponding value in the Definition and Value fields. The table shows the data types supported for definitions and values.
Device Software Version Required: 5.2.1 and later
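The option 60 exchange described above, as an added example that is not Prisma SD-WAN code: a server-side parser for the DHCP option area that extracts the client's VCI and looks it up in a table. The VCI table, the reply values and the sample packet bytes are constructed for illustration.

```python
"""Added example, not Prisma SD-WAN code: how a DHCP server uses the
Vendor Class Identifier (option 60) to select a vendor-specific reply."""

# Assumed server-side VCI table: vendor class -> (definition, value).
# Entries are made up for illustration.
VCI_TABLE = {
    b"PXEClient": ("tftp-server", "192.0.2.10"),
    b"MSFT 5.0": ("proxy-url", "http://proxy.example.test:8080"),
}

OPTION_PAD = 0
OPTION_VCI = 60
OPTION_END = 255


def parse_dhcp_options(options: bytes) -> dict:
    """Parse the DHCP option area: one code byte, one length byte,
    then that many value bytes (pad = 0, end = 255)."""
    parsed = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        parsed[code] = value
        i += 2 + length
    return parsed


def match_vci(options: bytes):
    """Return the (definition, value) pair the server hands back for
    the client's VCI, or None when option 60 is absent or unknown."""
    vci = parse_dhcp_options(options).get(OPTION_VCI)
    if vci is None:
        return None
    return VCI_TABLE.get(vci)


# Constructed DHCPDISCOVER option area: option 53 = 1, then option 60.
SAMPLE_OPTIONS = bytes([53, 1, 1, 60, 9]) + b"PXEClient" + bytes([255])
```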
Path of Last Resort Option per Path Policy Rule
If all active and backup paths are down, the L3 failure path, if configured, will be used as a path of last resort.
  • L3 Failure paths can include any path type.
  • The L3 Failure Path will not be considered if at least one active or one backup path is available.
  • A backup path is not required to be configured in order to use an L3 Failure Path.
L3 Failure Path is only available in Stacked Policies.
Device Software Version Required: 5.2.1 and later
Custom Application Definition Options
Prisma SD-WAN introduces additional Custom Application definition options that include the ability to configure source-based prefix filters for TCP applications and the ability to flag an application as a network scan application.
  • Prefix Filters for TCP Applications – A custom application requires prefix filters with their respective ports: include a mandatory server port number, an optional DSCP value between 0 and 63, and an optional server prefix filter.
  • Network Scan App – Network Scan App is a categorization or attribute for applications used for purposes of tracking and eliminating flows from a path to make room for new incoming flows, if and when concurrent flow thresholds are reached. This attribute, when flagged for an existing custom application, will be applicable only for new flows coming in and hitting the application definition after the configuration. Existing flows hitting the custom application definition will not inherit the configuration.
Device Software Version Required: 5.2.1 and later
Device Toolkit Access through the Portal
Prisma SD-WAN now enables remote access to the device toolkit from the Prisma SD-WAN portal. Note that the ION device must be claimed and online in order to access the device toolkit. In addition, only users with Root, Administrator, Super, Network Administrator, Security Administrator, or View Only permissions can access the Device Toolkit. Through Claimed Devices, navigate to the device configuration screen to select remote access to the Device Toolkit.
Enhancements in Application Definitions
  • Administrators now have the ability to optionally disable Unreachability Detection per application. Prior to Release 5.2.1, all TCP applications used application Unreachability Detection.
    Flows for all TCP applications, except HTTP, SSL, Prisma SD-WAN-Control, Prisma SD-WAN-LQM, Prisma SD-WAN-PCM, Prisma SD-WAN-Probe, are eligible for application Unreachability Detection. Application Unreachability Detection can be turned On or Off for applications on the Prisma SD-WAN portal.
    Application reachability is used to determine if a given application is reachable on a given path. This information is useful when making path selection decisions. If an application is deemed to be unreachable on a given path, then that path will not be used. If all paths are marked unreachable, then the primary path will always be selected.
  • Prisma SD-WAN introduces the ‘Use Parent App Network Policy’ option specifically for the Google suite of applications. Child Google applications can be configured to use the parent application's network policy. This behavior is off by default but can be enabled by adding an Application Override.
Device Software Version Required: 5.2.1 and later
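The path-selection rules from the Path of Last Resort section and the application reachability rules above, modelled together as an added example that is not Prisma SD-WAN code. Path names, roles, states and the ordering among paths of the same role (plain list order) are assumptions.

```python
"""Added example, not Prisma SD-WAN code: a simplified model of the
path-selection rules, combining the L3 Failure Path (path of last
resort) with per-application Unreachability Detection."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Path:
    name: str
    role: str                # "active", "backup" or "l3_failure"
    up: bool                 # link is currently usable
    reachable: bool = True   # Unreachability Detection verdict for this app


def select_path(paths: List[Path], primary: str) -> Optional[str]:
    """Pick the path name for a new flow of one application.

    Rules modelled from the feature descriptions (ordering among paths
    of the same role is simply list order, an assumption):
      * a path the app is unreachable on is never used; if every path is
        unreachable, the primary path is selected regardless;
      * active paths are preferred, then backup paths;
      * the L3 Failure Path is used only when no active or backup path
        is available, and it does not require a backup to be configured.
    Returns None when nothing is usable and no L3 Failure Path exists.
    """
    if paths and not any(p.reachable for p in paths):
        return primary
    usable = [p for p in paths if p.up and p.reachable]
    for role in ("active", "backup", "l3_failure"):
        for p in usable:
            if p.role == role:
                return p.name
    return None
```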