SD-WAN Features
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
SD-WAN Features
What new SD-WAN features are in PAN-OS 11.2?
Add SD-WAN Capability to your Cellular Interfaces (4G/5G)
September 2024
|
As 5G becomes increasingly prominent, more organizations use or are
considering wireless WAN links as the primary or secondary WAN transport to share
the load. With wireless WAN 5G connectivity, you can achieve a reliable connection
on 5G-capable firewalls.
On the cellular interface, you can enable SD-WAN support on your 5G-capable
firewalls. When you enable SD-WAN on the 5G cellular interface, you are adding
support for automatic traffic steering based on the collected metrics within
qualified paths and links (which includes cellular and wireless WAN connections).
When you enable SD-WAN on a 5G cellular interface, you gain support for:
- IPv4 SD-WAN cellular traffic
- SD-WAN interface profile and upstream NAT
Multiple Virtual Routers Support on SD-WAN Branches
September 2024
|
Certain deployments require the routing infrastructure to be separated over their
SD-WAN overlays. For this kind of deployments, we have introduced the support for
multiple virtual routers on the SD-WAN branches that enable you to have overlapping
IP subnet addresses on both the hub and branch devices. This feature adds to the
SD-WAN capability to logically separate the routing infrastructure over SD-WAN and
provides the ability to use overlapping IP subnets.
Multiple virtual routers can run multiple instances of routing protocols with a
neighboring router with overlapping address spaces configured on different virtual
router instances. Multiple virtual router deployments provide the flexibility to
maintain multiple virtual routers, which are segregated for each virtual router
instance.
You can now enable Multi-VR Support on the SD-WAN branch
device to keep the traffic of different entities separate. A maximum of 20 virtual
routers can be configured on the SD-WAN branch. However, the number of virtual
routers supported on the PAN-OS SD-WAN branch varies by platform.
The following figure illustrates three SD-WAN branches with each configured with two
virtual routers. By enabling multiple virtual routers support on the SD-WAN
branches, the three branches connecting to the same SD-WAN hub can have overlapping
IP subnets or belong to different entities and function independently because their
traffic goes to different virtual routers. To enable multiple virtual routers on the
SD-WAN branch, the SD-WAN hub connecting to the branches must be
also be configured with multiple virtual routers.
Monitor Bandwidth on SD-WAN Devices
May 2024
|
Currently it's difficult for the network administrators to quickly identify
the cause for an application’s poor performance in an SD-WAN device. It's because
there isn't enough information available to identify the issue and the available
limited information (such as VPN statistics, Panorama's device health statistics,
and link health statistics) are located between Panorama and firewalls. It becomes a
time consuming activity for the administrators to correlate this information and
locate the performance issues on an SD-WAN device.
We’ve introduced bandwidth which is a primary
measure of a link performance in addition to existing
jitter, latency, and
packet loss performance measures. For a VPN cluster, you
will now be able to view the bandwidth of a tunnel and a physical interface for a
selected site by default. There is no configuration required from the user to view
the bandwidth of a tunnel.
Multiple Virtual Routers Support on SD-WAN Hubs
February 2024
May 2024
|
With earlier SD-WAN plugin versions, you can't have SD-WAN configurations on multiple
virtual routers. By default, a sdwan-default virtual router is created and it
enables Panorama to automatically push the router configurations. Due to this
restriction, customers faces difficulty and spends additional effort in some of the
SD-WAN deployments:
User Scenario (in SD-WAN Deployments) | Single Virtual Router Configuration on SD-WAN Hub | Multiple Virtual Routers Configuration on SD-WAN Hub |
---|---|---|
Overlapping IP addresses from different branches connecting to the same hub | Customers may need to reconfigure the overlapping subnets to unique address spaces. |
Enable Multi-VR Support on the
SD-WAN hub device.
The traffic from different branches is directed to
different virtual routers on a single hub to keep the traffic
separate.
|
Government regulations that disallow different entities to function on the same virtual router | Customers won’t be able to separate routing of different entities with a single virtual router. | Enable Multi-VR Support on the SD-WAN hub
device to keep the traffic of different entities separate.
Multiple virtual routers on the SD-WAN hub maps the branches
to different virtual routers on the hub that provides logical
separation between the branches. |
SD-WAN plugin now supports multiple virtual routers on the SD-WAN
hubs that enable you to have overlapping IP subnet addresses on branch
devices connecting to the same SD-WAN hub. Multiple virtual routers can run multiple
instances of routing protocols with a neighboring router with overlapping address
spaces configured on different virtual router instances. Multiple virtual router
deployments provide the flexibility to maintain multiple virtual routers, which are
segregated for each virtual router instance.
However, the number of virtual routers supported on the PAN-OS SD-WAN hub
varies by platform.
Benefits:
- A hub with multiple virtual router configuration logically separates the routing for each branch office that it is connected with.
- Branches sharing the same SD-WAN hub can reuse the same IP subnet address.
The following figure illustrates an SD-WAN hub with two virtual routers. By enabling
multiple virtual routers support on the SD-WAN hub, the four branches
connecting to the same SD-WAN hub (but different virtual routers) can have
overlapping IP subnets or belong to different entities and function independently
because their traffic goes to different virtual routers.
Additional Private Link Types Support on SD-WAN Device
April 2024
May 2024
|
You can now configure additional point-to-point private link
types, Private Link1, Private
Link2, Private Link3, and Private
Link4 along with the existing private link types
(MPLS, Satellite,
Microwave/Radio) for one to one connectivity while
configuring the SD-WAN Interface Profile.
These private link types enable you to avail reliable providers for your remote
regions to establish one to one connection with the overlay network and avoid
provider outages.
Additional SD-WAN Hubs in VPN Cluster
April 2024
May 2024
|
The number of hubs to configure in a VPN cluster has been
increased from 4 to 16. Only four of the 16 hubs can have the same hub priority
within a VPN cluster due to ECMP.