(PAN-OS 10.0.3 and later PAN-OS 10.0 releases, and SD-WAN Plugin 2.0.1 and later 2.0 releases) In addition to the hub-spoke topology, SD-WAN now supports a full mesh topology (with or without hubs) so that branches can communicate with each other directly. For branch or hub interfaces that receive their IP address from DHCP or PPPoE, a Dynamic DNS (DDNS) service detects the public-facing IP address of the firewall interface.

(PAN-OS 10.0.3 and later PAN-OS 10.0 releases, and SD-WAN Plugin 2.0.1 and later 2.0 releases) If you place your SD-WAN branch firewall behind a device performing NAT, you need a way to specify the IP address of the public-facing interface on that upstream device, which Auto VPN Configuration uses as the tunnel endpoint for the branch. When you add an SD-WAN branch to Panorama, you can now specify the IP address or FQDN of the upstream device performing NAT for the branch, or you can specify DDNS, which indicates that the IP address for the interface on the NAT device is obtained from the Palo Alto Networks DDNS service. Auto VPN uses the public IP address as the tunnel endpoint for the branch.

When the encoder endpoint of a VPN tunnel is a PAN-OS firewall that uses forward error correction (FEC), the receiving tunnel endpoint can recover lost packets before the link needs to fail over to a better path. Thus, FEC at the network level allows you to maintain a high-quality application experience in your SD-WAN. FEC is especially helpful for applications that are sensitive to packet loss, such as voice and video streaming.

When the encoder endpoint of a VPN tunnel is a PAN-OS firewall that uses packet duplication, and two such tunnels to the same destination exist, the source firewall sends the same packets for an SD-WAN flow over both tunnel links. The destination tunnel endpoint receives the first packet successfully and discards the duplicate packet. Packet duplication allows the receiving firewall to mitigate poor network conditions before the link needs to fail over to a better path, although packet duplication uses twice the bandwidth for every flow because it duplicates all packets. Packet duplication allows you to maintain a high-quality application experience in your SD-WAN. Packet duplication is especially helpful for applications that are sensitive to packet loss, high latency, or jitter, such as voice and video streaming.

SD-WAN plugin 2.0.0 now allows SD-WAN to accurately measure the health of SaaS and Cloud application paths to ensure reliability and user experience. When you have an SD-WAN firewall with a Direct Internet Access (DIA) link, SD-WAN can now fail over to a higher performance path based on accurate measurements of the path health quality.