Prisma SD-WAN Features Introduced in July 2020
Learn what’s new in Prisma SD-WAN in July 2020.
Feature | Description |
---|---|
Prisma SD-WAN DNS Service | The Prisma SD-WAN DNS Service runs locally on branch ION devices and can act as a caching or authoritative server. Enabling the Prisma SD-WAN DNS Service speeds up domain name resolution, increases overall resiliency in the domain name resolution system, and provides a local platform for enabling secure DNS. The Prisma SD-WAN DNS Service is enabled by creating global DNS Service Profiles, binding them to sites, and assigning the ION interfaces to DNS Service Roles. DNS Service Profiles are used to specify configuration parameters for the Prisma SD-WAN DNS Service. Once created, a DNS Service Profile is bound to a device. Device Software Version Required: 5.4.1 and later |
Event Correlation | Event Correlation enables the Prisma SD-WAN controller to identify events versus individual issues. This change reduces the overall number of alarms that an administrator receives and improves the operational efficiency of the App-Fabric. The Prisma SD-WAN controller analyzes incoming alarms from the ION devices to determine if they are related. If the controller detects the events are related, the alarms are aggregated into a single alarm. For example, if the controller receives multiple VPN down alarms, they are analyzed in real time, determined to be related, and a single Secure Fabric Link alarm is generated for the event, while suppressing the original list of alarms. |
Enhanced VPN Keep-Alive Configuration | VPN keep-alive parameters for Prisma SD-WAN VPNs can now be specified at the Circuit Category, Circuit Label, or Secure Fabric Link. By adjusting the Keep-Alive Failure Count and Keep-Alive Interval values, you can specify VPN liveness checks that fit the business requirements of the network. Higher timers use less bandwidth but detect an outage less quickly, while the inverse is true for lower timers. Device Software Version Required: 5.4.1 and later |
New and Enhanced Alarms | The following lists the new and enhanced alarms for Release 5.4.1: NETWORK_SECUREFABRICLINK_DEGRADED: This alarm is triggered when a secure fabric link is degraded. This happens when at least one VPN link is UP and one or more VPN links are DOWN from the active device. NETWORK_SECUREFABRICLINK_DOWN: This alarm is triggered when a secure fabric link and all its VPN links are DOWN from the active device. SITE_NETWORK_SERVICE_ABSENT_FOR_POLICY: This alarm is triggered when a site belongs to a domain with a blank data center group used in a path policy rule. APPLICATION_PROBE_DISABLED: This alarm is triggered when the configured probe source interface is not operational. DEVICESW_DISCONNECTED_FROM_CONTROLLER: The hold time for this alarm is reduced to 10 minutes. Prior to the 5.4.1 controller release, the hold time was 30 minutes. Alarms now have an optional description field when Acknowledged, to include Notes that will help in troubleshooting an issue. |
Enhanced Site Summary and Overlay Connections | When a branch site or data center is selected from the Map screen, it provides the site summary and details of the overlay connections in a full screen experience. The Site Summary tab provides details on the selected site. For example, you can view the Connectivity, Mode, Domain, Attached Policies, Internet Circuits, Private WAN Circuits, Devices, and IP Prefixes associated with the site. The Advanced option allows you to bind Security Zones, manage HA Groups, and configure Ciphers for the branch site or data center. The Overlay Connections tab provides a graphical view of the overlay connectivity status for the site. It displays the status of the secure fabric links of each connected site with its corresponding data center. You can add a new secure fabric link from the same screen. |
Enhanced Activity Screen with ION System Information | The Activity screen now includes the System tab, which displays ION system-related information such as CPU Utilization, Free Memory, and Free Disk space for both branch and data center ION devices. |
Enhanced BGP 32-bit AS Support | The user interface now accepts an Autonomous System (AS) number in either asplain or asdot format and displays the converted value. If the AS number is entered in asdot (A.B) format, the user interface displays the corresponding asplain (decimal) conversion below the entered value. If the AS number is entered in asplain (decimal) format, the user interface displays the corresponding asdot (A.B) format below the entered value. |
Enhanced User Interface in Policies | The Prisma SD-WAN Policies user interface has the following improvements: In a QoS New Policy Rule, the DSCP Mark/Remark section is improved to simplify configured Hex Value selection. There are several user interface improvements to Stacked Policies administration, including the Bindings view, Sets view, Stacks view, and Rules view. The Bulk Edit for policy rules allows you to update information for multiple Path, QoS, and NAT policy rules at the same time. The default view for Zone-based Firewall policy rules has been changed to the table view. To access the spine view, hold Shift and click the Rules button. |
Enhanced Interface Configuration for ION Device | The ION device interface configuration has the following improvements: The Description field in the Configure Interface screen of Prisma SD-WAN is now increased to display 5 lines. The interface used as App Probe Source is now configurable. This is a required configuration for the ION 1000 and will default to the controller port for other ION models. Device Software Version Required: 5.4.1 and later |
IP Directed Broadcast | The IP directed broadcast for L3 interfaces enables traffic from remote networks to be broadcast over LAN networks using L3 LAN interfaces, if explicitly enabled. This allows for a unicast packet to be converted to a broadcast packet when passing from the WAN to a LAN interface. Device Software Version Required: 5.4.1 and later |
Configurable Application Reachability Probe | Users can enable or disable the Application Probe feature from the Basic Info or Interface Config screens of the user interface when configuring an ION device. You can configure a LAN port to be the application probe source interface. The controller port is used as the default source interface. The ION 1000 does not have a controller port; therefore, you need to configure the port for the application probe. Device Software Version Required: 5.4.1 and later |
Automatic MSS Adjustment based on Configured MTU | The MSS adjustment is automatically performed for overlay paths such as Service links and CG-VPNs. Prior to the 5.4.1 device image, the MSS was statically set to 1300. This value works in most cases, but when the MTU is lowered, it may not be sufficient. To accommodate these cases, the TCP MSS is automatically adjusted down based on the MTU configured. Device Software Version Required: 5.4.1 and later |
New ION 1000 and ION 9000 Hardware | The new ION 1000 is our most lightweight branch appliance, ideally suited for retail locations, small branch offices, and home offices. The ION 1000 supports the same software features as the rest of the product line, which enables the deployment of a cost-effective, cloud-delivered branch. The new ION 9000 is our high-end platform designed for large branch, campus, and data center locations. It is designed to install seamlessly in the data center by peering with adjacent data center devices using standard routing protocols. |
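
The aggregation described in the Event Correlation and New and Enhanced Alarms rows can be modelled as follows. This is an added example, not Prisma SD-WAN controller code; the input tuple format, the function name, and the link and VPN names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (secure fabric link, VPN link, state) reports as seen
# from the active device. All names are made up for this example.
SAMPLE_VPN_STATUS = [
    ("branch1<->dc1", "vpn-a", "down"),
    ("branch1<->dc1", "vpn-b", "down"),
    ("branch2<->dc1", "vpn-a", "down"),
    ("branch2<->dc1", "vpn-b", "up"),
    ("branch3<->dc1", "vpn-a", "down"),
    ("branch3<->dc1", "vpn-a", "up"),    # later report: link recovered
    ("branch3<->dc1", "vpn-b", "up"),
]


def correlate(vpn_status):
    """Collapse per-VPN reports into at most one alarm per secure fabric link.

    Uses the two conditions the table gives for Release 5.4.1:
      DOWN     -> every VPN link of the secure fabric link is down
      DEGRADED -> at least one VPN link is up and one or more are down
    The individual VPN reports are listed as suppressed, not raised.
    """
    by_link = defaultdict(dict)
    for link, vpn, state in vpn_status:
        if state not in ("up", "down"):
            raise ValueError(f"unknown state {state!r} for {link}/{vpn}")
        by_link[link][vpn] = state        # the latest report for a VPN wins

    alarms = []
    for link in sorted(by_link):
        vpns = by_link[link]
        down = sorted(v for v, s in vpns.items() if s == "down")
        if not down:
            continue                      # healthy link, nothing to raise
        if len(down) == len(vpns):
            code = "NETWORK_SECUREFABRICLINK_DOWN"
        else:
            code = "NETWORK_SECUREFABRICLINK_DEGRADED"
        alarms.append({"code": code, "link": link, "suppressed": down})
    return alarms


if __name__ == "__main__":
    for alarm in correlate(SAMPLE_VPN_STATUS):
        print(alarm)
```

Four "down" reports in the constructed sample become two alarms, one per affected secure fabric link, which is the reduction in alarm volume the feature describes.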