SD-WAN
Features Introduced in SD-WAN Plugin 3.3
New features for SD-WAN 3.3.
The SD-WAN Administrator’s Guide 3.2 & Later provides information about how to use the SD-WAN plugin features in this release.
- What’s New in SD-WAN Plugin 3.3.3
- What’s New in SD-WAN Plugin 3.3.2
- What’s New in SD-WAN Plugin 3.3.1
- What’s New in SD-WAN Plugin 3.3.0
What’s New in SD-WAN Plugin 3.3.3
Key features introduced with the SD-WAN plugin 3.3.3 release:
| New SD-WAN Feature | Description |
|---|---|
| Post-quantum IKEv2 VPNs | To protect your SD-WAN overlay against potential quantum computing attacks, Palo Alto Networks introduces post-quantum VPN support for Advanced next-generation firewall SD-WAN. This feature enables you to configure your SD-WAN overlay using post-quantum pre-shared keys (PQ PPK), safeguarding your network from ‘harvest now, decrypt later’ attacks. By implementing these quantum-safe encryption methods, you can ensure that your site-to-site VPNs remain secure even in the face of future quantum computing threats.<br><br>The SD-WAN plugin now offers an option to enable post-quantum VPN under the VPN cluster configuration. When activated, all IPSec tunnels autogenerated by the plugin for the SD-WAN overlay will use PQ PPK, with the ability to automatically create and manage 10 strong PQ PPKs. The post-quantum pre-shared keys work with the existing IKEv2 and IPSec functionality, ensuring compatibility and ease of implementation.<br><br>By adopting post-quantum VPN support, you position your organization at the forefront of cybersecurity, ready to face the challenges posed by emerging quantum computing technologies. This approach not only protects your current data transmissions but also safeguards against future threats, giving you a competitive edge in data security and compliance. |
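
The following added example (not Palo Alto Networks code) sketches why a post-quantum pre-shared key defeats ‘harvest now, decrypt later’ for the IPSec tunnels, assuming the PPK mixing defined in RFC 8784, which this page does not name. HMAC-SHA256 as the PRF, the uniform 32-byte key length, and all sample values are constructed assumptions.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    """Assumed negotiated PRF: HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 prf+: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")

def ike_sa_keys(ni, nr, spi_i, spi_r, dh_secret, ppk=None, klen=32):
    """Derive IKE SA keys; mix in the PPK as in RFC 8784 when one is given."""
    skeyseed = prf(ni + nr, dh_secret)
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, klen * len(NAMES))
    keys = {n: stream[i * klen:(i + 1) * klen] for i, n in enumerate(NAMES)}
    if ppk is not None:
        # Only SK_d, SK_pi and SK_pr are re-keyed with the PPK.
        for n in ("SK_d", "SK_pi", "SK_pr"):
            keys[n] = prf_plus(ppk, keys[n], klen)
    return keys

def child_keymat(sk_d, ni, nr, length=64):
    """IPSec (Child SA) keying material: prf+(SK_d, Ni | Nr)."""
    return prf_plus(sk_d, ni + nr, length)

# Constructed sample values, not taken from any real exchange.
NI, NR = b"\x11" * 32, b"\x22" * 32
SPI_I, SPI_R = b"\xa1" * 8, b"\xb2" * 8
DH_SECRET = b"\x33" * 32  # what a future quantum attacker could recover
PPK = b"\x44" * 32        # out-of-band secret the attacker does not hold

def harvest_scenario():
    """Compare what recorded traffic yields with and without a PPK."""
    attacker = ike_sa_keys(NI, NR, SPI_I, SPI_R, DH_SECRET)  # no PPK known
    classic = ike_sa_keys(NI, NR, SPI_I, SPI_R, DH_SECRET)
    pq = ike_sa_keys(NI, NR, SPI_I, SPI_R, DH_SECRET, ppk=PPK)
    guess = child_keymat(attacker["SK_d"], NI, NR)
    return {
        "classic_tunnel_recovered": guess == child_keymat(classic["SK_d"], NI, NR),
        "pq_tunnel_recovered": guess == child_keymat(pq["SK_d"], NI, NR),
        "ike_sa_enc_key_unchanged": classic["SK_ei"] == pq["SK_ei"],
    }
```

The last field shows the caveat in RFC 8784: the PPK protects the IPSec (Child SA) keys and peer authentication, while the initial IKE SA's own encryption keys are still derived from the key exchange alone.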
What’s New in SD-WAN Plugin 3.3.2
Key features introduced with the SD-WAN plugin 3.3.2 release:
| New SD-WAN Feature | Description |
|---|---|
| Prisma Access Hub Support for SD-WAN enabled Cellular Interfaces (4G/5G) | SD-WAN plugin 3.3.2 and later 3.3 releases provide Prisma Access hub support, in which 4G/5G capable PAN-OS firewalls connecting to Prisma Access compute nodes (CNs) achieve cloud-based security in an SD-WAN hub-and-spoke topology. In this topology, the SD-WAN hubs are Prisma Access CNs (IPSec Termination Nodes) and the SD-WAN branches are 4G/5G capable PAN-OS firewalls. A maximum of four hubs (any combination of PAN-OS hubs participating in DIA AnyPath and Prisma Access hubs) are supported. SD-WAN automatically creates IKE and IPSec tunnels that connect the branch to the hub. Review the system requirements for SD-WAN and Prisma Access. |
| SD-WAN Plugin Improvements | Before SD-WAN plugin 3.3.2, the SD-WAN generated configurations (such as the IKE ID and tunnel names) used the active firewall's serial number. Therefore, whenever an HA failover occurred, the SD-WAN generated configurations were reset with the active firewall's serial number, which resulted in temporary tunnel flaps.<br><br>SD-WAN plugin 3.3.2 improves this by using the lower serial number among the HA devices to generate the SD-WAN configurations, which removes the tunnel flaps. This improvement also introduces the following SD-WAN configuration changes:<br><br>After upgrading the firewall to SD-WAN plugin 3.3.2 version, you must push the configuration followed by Commit from Panorama to all the managed firewalls in the VPN cluster. Commit and push ensures a full and consistent synchronization, preventing configuration mismatches. |
| MongoDB HA Synchronization CLI Commands | We have introduced the following MongoDB-related HA peer synchronization commands that must be executed only on the active HA peer: |
| Monitor Remote Site Experience on NGFWs with ADEM | Autonomous Digital Experience Management (ADEM) for SD-WAN addresses the challenge of maintaining visibility and control over application performance across distributed branch networks and provides comprehensive, end-to-end monitoring capabilities. ADEM functionality in your SD-WAN deployment enables you to proactively measure and optimize application experience from branch locations to data centers, cloud services, and SaaS applications.<br><br>Leverage ADEM in your SD-WAN branch sites to gain insights into both underlay and overlay network performance, ensuring that your SD-WAN paths are operating efficiently. With ADEM integration, run synthetic tests across all available WAN links to make data-driven decisions about path selection and application routing.<br><br>By implementing ADEM for SD-WAN, you can quickly identify performance bottlenecks, validate SLA compliance, and troubleshoot issues across your entire SD-WAN fabric. With ADEM for SD-WAN, you can ensure optimal application delivery, streamline branch connectivity, and maintain consistent performance across your distributed enterprise network.<br><br>You need PAN-OS 11.1.9 and PAN-OS 11.2.6 versions with ADEM 1.0.1 for monitoring remote site experience on next-generation firewalls. ADEM is supported only on the IPv4-enabled SD-WAN devices.<br><br>Prerequisites<br><br>Additionally, you can also use the ADEM-related CLI commands to monitor the remote site experience. |
What’s New in SD-WAN Plugin 3.3.1
Key features introduced with the SD-WAN plugin 3.3.1 release:
| New SD-WAN Feature | Description |
|---|---|
| Add SD-WAN Capability to your Cellular Interfaces (4G/5G) | You can enable 5G capability on the 4G/5G capable firewalls through the interface called ‘cellular interface’. We have now introduced SD-WAN capability to the 5G cellular interface. The SD-WAN enabled 5G cellular interface supports automatic traffic steering based on the metrics collected within the qualified paths and links, including cellular and wireless WAN connections. With wireless WAN 5G connectivity, you can achieve a reliable connection in the 4G/5G capable firewalls. |
| Multiple Virtual Routers Support on SD-WAN Branches | We have introduced support for multiple virtual routers on the SD-WAN branches so that you can have overlapping IP subnet addresses on both hub and branch devices. With this feature, you can have multiple logical routing domains with overlapping subnets.<br><br>You can now enable Multi-VR Support on the SD-WAN branch device to keep the traffic of different entities separate. You can configure up to 20 virtual routers on the SD-WAN branch. However, the number of virtual routers supported on the PAN-OS SD-WAN branch varies by platform. |
What’s New in SD-WAN Plugin 3.3.0
Key features introduced with the SD-WAN plugin 3.3.0 release:
| New SD-WAN Feature | Description |
|---|---|
| Additional SD-WAN Hubs in VPN Cluster | The number of hubs to configure in a VPN cluster has been increased from 4 to 16. Only four of the 16 hubs can have the same hub priority within a VPN cluster due to ECMP. |
| Additional Private Link Types for SD-WAN Interface Profile | The number of private link types to configure in an SD-WAN Interface Profile has been increased from 3 to 7.<br><br>With PAN-OS 11.2.0, SD-WAN plugin 3.3.0 and later releases support the following private link types in addition to the existing private link types (MPLS, Satellite, Microwave/Radio):<br><br>We don't support plain text traffic from the SD-WAN branch firewall to the SD-WAN hub firewall for these new private link types. When you configure any of the new private link types, ensure that you have an SD-WAN policy rule on the hub that is configured only with the public link type. This is because internet-bound traffic that backhauls or fails over to the hub from the branch must match this SD-WAN policy rule. Otherwise, the traffic gets dropped, as these private links (Private Link1, Private Link2, Private Link3, and Private Link4) are part of the direct internet access (DIA) SD-WAN interface. |
| Monitor Bandwidth on SD-WAN Devices | For a VPN cluster, you can now view the bandwidth of a tunnel and a physical interface (in addition to the existing jitter, latency, and packet loss performance measures) for a selected site by default. No configuration is required from the user to view the bandwidth of a tunnel. |
| Multiple Virtual Routers Support on SD-WAN Hubs | Supports multiple virtual routers on the SD-WAN hubs that enable you to have overlapping IP subnet addresses on branch devices connecting to the same SD-WAN hub. Multiple virtual routers can run multiple instances of routing protocols with a neighboring router with overlapping address spaces configured on different virtual router instances. Multiple virtual router deployments provide the flexibility to maintain multiple virtual routers, which are segregated for each virtual router instance. |
