SD-WAN Features

PAN-OS 9.1 supports SD-WAN with new features.
The PAN-OS software now includes a native SD-WAN subscription to provide intelligent and dynamic path selection on top of the industry-leading security that PAN-OS software already delivers. Secure SD-WAN provides the optimal end user experience by leveraging multiple ISP links to ensure application performance and scale capacity.
The following models support the SD-WAN software capabilities:
  • PA-220
  • PA-220R
  • PA-820
  • PA-850
  • PA-3200 Series
  • PA-5200 Series
  • VM-300
  • VM-500
  • VM-700
Each firewall can be used as a branch or hub location and requires an SD-WAN subscription. Each Panorama requires the SD-WAN plugin.
Some features of SD-WAN require the Panorama management server.
Key features of the SD-WAN implementation include:
New SD-WAN Feature
Description
Centralized Configuration Management
Leverage Panorama to manage your SD-WAN configuration for hub and branch locations, enabling you to reuse configurations across locations, reducing management requirements and operational overhead for your deployment.
Automatic VPN Topology Creation
VPN clusters simplify the creation of complex VPN topologies using logical groupings of branches and hubs to accelerate the configuration and deployment of secure communications between all locations.
Traffic Distribution
Take advantage of multiple ISP links to scale capacity and reduce costs. Path selection and brownout and blackout detection are per application to ensure the best performance and user experience for critical business applications. By default, you can achieve subsecond failover between paths, ensuring the best possible performance of applications.
Monitoring and Troubleshooting
Panorama provides complete operational awareness into your SD-WAN environment, including application performance, link performance, and path health using historical trend analysis tools.
Branch Prefix Redistribution
(PAN-OS 9.1.2 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) Prior to PAN-OS 9.1.2, branch firewalls automatically redistributed all non-public, connected routes to the hub. Beginning with PAN-OS 9.1.2, you can also redistribute any additional prefixes to the hub.
Automatic Security Policy Rule Allowing BGP
(PAN-OS 9.1.2 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) For ease of use, you can have Panorama automatically create a Security policy rule to allow BGP between branches and hubs.
IKE Preshared Key Refresh
(PAN-OS 9.1.2 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) Refresh the IKE preshared key that VPN cluster members use. This action is especially helpful if you have a mandate to refresh preshared keys periodically.
VPN Tunnel IP Address Ranges
(PAN-OS 9.1.2 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) Specify IP address ranges for Auto VPN configuration to assign to VPN tunnel endpoints to ensure that Auto VPN does not randomly select IP addresses that overlap with those your network uses.
PPPoE Authentication for SD-WAN Links
(PAN-OS 9.1.2-h1 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) SD-WAN links can enable Point-to-Point Protocol over Ethernet (PPPoE) authentication for DSL links.
Panorama Job Descriptions
(PAN-OS 9.1.2-h1 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) Panorama now displays additional information in the commit job description to identify the SD-WAN related jobs.
VPN Data Tunnel Support
(PAN-OS 9.1.2-h1 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) You can now control access to the SD-WAN VPN data tunnel to specify how branch-to-hub traffic is sent (inside or outside the VPN tunnel). Enable or disable this feature from the SD-WAN Interface Profile.
DIA to MPLS Failover
(PAN-OS 9.1.2-h1 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) Direct Internet Access (DIA) traffic can fail over to the hub through the MPLS link to take an alternate route to the internet.
Auto-VPN Configuration for Hub Behind NAT
(PAN-OS 9.1.3 and later 9.1 releases, and SD-WAN Plugin 1.0.3 and later 1.0 releases) If you place your SD-WAN hub firewall behind a device performing NAT, you need a way to specify the IP address of that upstream device, which Auto VPN Configuration uses as the tunnel endpoint on the hub. When you add an SD-WAN hub to Panorama, you can now specify the IP address or FQDN of the upstream device performing NAT for the hub; Auto VPN uses the address as the tunnel endpoint for the hub.
Auto VPN Configuration of Hub Priority for BGP Local Preference
(PAN-OS 9.1.4 and later 9.1 releases, and SD-WAN Plugin 1.0.4 and later 1.0 releases) In an SD-WAN VPN cluster that has more than one hub, you must assign a priority value to each hub, which determines the primary hub to which branches direct traffic and the subsequent hub failover order. Panorama uses the hub priority to calculate a BGP local preference and pushes the local preference to the branches in the cluster. The branches use the local preference to select a route from multiple routes to the same destination.
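The VPN Tunnel IP Address Ranges entry above depends on choosing ranges that do not overlap with addresses your network already uses. The following is an added example, not Palo Alto Networks code or tooling: a standalone pre-check that compares candidate tunnel ranges against prefixes in use. The function names and all addresses are constructed for illustration.

```python
import ipaddress

def parse_range(text):
    """Accept 'a.b.c.d/nn' or 'start-end' and return a list of networks."""
    text = text.strip()
    if "-" in text:
        start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if start.version != end.version or int(start) > int(end):
            raise ValueError(f"invalid range: {text}")
        # A start-end range need not fall on a CIDR boundary, so expand it
        # into the minimal set of networks that covers it exactly.
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(text, strict=False)]

def find_overlaps(candidate_ranges, networks_in_use):
    """Return (candidate, in_use) pairs whose address space intersects."""
    used = [(u, net) for u in networks_in_use for net in parse_range(u)]
    hits = []
    for cand in candidate_ranges:
        for cnet in parse_range(cand):
            for utext, unet in used:
                same_family = cnet.version == unet.version
                if same_family and cnet.overlaps(unet) and (cand, utext) not in hits:
                    hits.append((cand, utext))
    return hits

def usable_ranges(candidate_ranges, networks_in_use):
    """Candidates that intersect nothing in use, in their original order."""
    bad = {cand for cand, _ in find_overlaps(candidate_ranges, networks_in_use)}
    return [c for c in candidate_ranges if c not in bad]

# Constructed sample data: prefixes already routed in a hypothetical network
# and the ranges an administrator is considering for tunnel endpoints.
IN_USE = ["10.0.0.0/8", "172.16.20.0/24", "192.168.1.0/24"]
CANDIDATES = [
    "192.168.1.128-192.168.1.255",  # inside a branch LAN
    "172.16.21.0/24",
    "100.64.0.0/24",
    "10.255.0.0-10.255.0.63",       # inside the 10/8 aggregate
]

if __name__ == "__main__":
    for cand, used in find_overlaps(CANDIDATES, IN_USE):
        print(f"REJECT {cand}: overlaps {used}")
    for cand in usable_ranges(CANDIDATES, IN_USE):
        print(f"OK     {cand}")
```

Feed the in-use list from your routing tables and address plan, including prefixes that branches redistribute to the hub, so the check reflects what the hub and branches will actually see.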