SD-WAN for NGFW
SD-WAN Subscription for NGFWs
SD-WAN for NGFW allows you to easily adopt an end-to-end SD-WAN architecture with natively integrated,
world-class security and connectivity.
The effects of the cloud on network and security transformation are undeniable. As the number of devices
at branch locations grows and applications become more bandwidth-intensive, businesses are forced to
spend more to accommodate demand. As a result, traditional wide area network (WAN) architectures with
multiprotocol label switching (MPLS), which tend to eat up bandwidth as they backhaul traffic from
branches to the cloud, render legacy approaches ineffective.
Benefits
• Deliver consistent, integrated security across branch, data center, and cloud by leveraging the
  industry’s leading ML-powered NGFW to protect applications, users, and devices against all threats.
• Optimize your performance by gaining the flexibility to leverage Prisma Access hubs, data center
  hubs, or branches for application access.
• Simplify branch onboarding using Prisma Access hubs and data centers as the global backbone while
  centrally managing security and networking policies.
Strata by Palo Alto Networks | SD-WAN for NGFW | Datasheet                                            1
Software-defined wide area networking (SD-WAN), an approach that uses commodity links and allows
you to intelligently manage as well as control connectivity between branches and cloud instances, is
now a necessity for distributed enterprises. According to Gartner, by 2023, more than 90% of WAN edge
infrastructure refreshes will be based on vCPE platforms or SD-WAN vs. traditional routers.[1] However,
with its benefits, SD-WAN also brings many challenges, such as a lack of security, unreliable
performance, and complexity.
When security is an afterthought, it tends to be either subpar or bolted on, introducing management
complexity. Moreover, network performance becomes less reliable because enterprises use the congested
internet as the WAN middle mile—and when they try to address this by building their own SD-WAN
hub infrastructures, they run into complexity. Ultimately, enterprises turn to multiple vendors
or service providers to solve performance issues, which increases costs while decreasing control and
visibility.
SD-WAN for NGFW by Palo Alto Networks
SD-WAN for NGFW from Palo Alto Networks lets you easily adopt an end-to-end SD-WAN architecture
with natively integrated, world-class security and connectivity. Using hub-and-spoke and/or
full-mesh branch-to-branch topologies, you can optimize the performance of your entire network.
This minimizes latency and ensures reliability, resulting in an exceptional user experience at the
branches. Each site automatically creates a meshed VPN connection to all other sites to load balance
sessions, fail over to a better-performing link, and take advantage of all available bandwidth to maximize
throughput capacity. Regardless of your deployment model, our tight integration will allow you to
manage security and SD-WAN on a single, intuitive interface.
Optimized Connectivity for Improved User Experience
PAN-OS SD-WAN lets you measure and monitor specific paths as well as dynamically move sessions to
the optimal path, guaranteeing the best branch user experience. You can simply enable the subscription
on your next-generation firewalls and begin intelligently and securely routing branch traffic to your
cloud applications and between other sites. Through a concept called “link bundling,” the firewall will
automatically combine all service provider links labeled with the same link tag to aggregate bandwidth
and distribute traffic between them, maximizing all available capacity.
Complete Application Control
SD-WAN for NGFW gives you full control of when to select a better path for your applications. Using
profiles for path health quality, software-as-a-service (SaaS) application path monitoring, error
correction (forward error correction and packet duplication), and traffic distribution, each application
can have its own set of thresholds and path forwarding rules. With DIA AnyPath, you can tailor exactly
how an internet application fails over—either to another DIA internet path at the same site or through a
private VPN path to another location to get better internet service. This ensures that all mission-critical
applications are performing at their best to provide the highest level of usability.
1. Gartner® Magic Quadrant™ for WAN Edge Infrastructure, Gartner, October 18, 2018, https://www.gartner.com/en/documents/3891709.
Figure 1: SD-WAN for NGFW for Global Interconnect
Diagram labels: Centrally Managed by Panorama; Branch (PAN-OS SD-WAN); Global Backbone
Benefits
• Expedite cloud on-ramp
• Best security with zero upgrades
• Faster middle-mile cloud connections
Figure 2: SD-WAN for NGFW mesh approach
Benefits
• Direct connectivity between branches
• No hub required
• Ideal for small-scale, regional deployments
Figure 3: SD-WAN for NGFW hub-and-spoke approach
Benefits
• Branches connect to nearest hubs
• Build and maintain hubs and interconnect: DIY
• Simple to manage
• Ideal for large-scale, global deployments who prefer DIY
Central Management for Security and Connectivity
Eliminate the need to manage multiple disparate consoles from different vendors by using Panorama
network security management for both security and connectivity. Integrated SD-WAN configuration
and monitoring allow you to leverage the familiar Panorama user and application workflow, cutting the
time you need to spend reconfiguring policies and visualizations. Additionally, you get granular SD-WAN
monitoring data and a dedicated configuration tree, giving you greater visibility into your network.
Simplified Branch Onboarding
Provisioning a new branch requires IT staff to configure and deploy appliances. Doing this on a large
scale and at distributed locations makes branch onboarding costly and slow. With Zero Touch Provisioning
(ZTP), you can automate tedious onboarding processes. Appliances can be drop shipped to your
branch locations, where they are powered up and connected to the internet. To complete onboarding,
administrators simply need to register on a web portal. Then, they can immediately start managing
deployment and configuration from a single location through Panorama.
Flexible Deployment Options
Palo Alto Networks supports multiple SD-WAN deployment options, including mesh, hub-and-spoke,
and cloud-based deployments. SD-WAN for NGFW is supported on all PA-Series (hardware) and
VM-Series (virtual) NGFW platforms.
SD-WAN Software Licenses
(Required) SD-WAN for NGFW subscription on all PA-Series and VM-Series firewalls (VM-50 and
above). This license requires PAN-OS 9.1 and above.
Table 1: Palo Alto Networks SD-WAN-Supported Features and Capabilities
Category                      Features
AAA/Authentication            RADIUS, local authentication and authorization, multitenant three-tier RBAC architecture,
                              auditing, roles, and privileges
Availability                  Hardware high availability in active/passive mode
SD-WAN Features               • Link metric collection, jitter, drop, delay
                              • Intelligent path selection based on metric; dynamic application steering
                              • Application and network condition-aware sub-second steering
                              • Session-based link aggregation
                              • Scalable bidirectional path health measurements, QoS, traffic shaping
                              • Predefined application thresholds for common application categories
                              • Forward error correction (FEC)
                              • Packet duplication
                              • SaaS application path monitoring: end-to-end application monitoring from the branch to the
                                SaaS app server
                              • DIA AnyPath: failover DIA internet applications to any other link (DIA, VPN, or MPLS)
                              • Single and double NAT support
                              • DDNS support
                              • Priority-based hub failover
                              • Per-application split tunneling
Network Services              IPv4, DNS, DHCP client, DHCP server, DHCP relay, NAT
Dynamic QoS/Traffic Shaping   • QoS shaping, policing, and rate limiting with per-flow queueing and separate cleartext and
                                tunnel treatment
                              • Support for eight queues, type of service (ToS), and DSCP code points with patented
                                bidirectional session-based DSCP tagging
Routing                       • Static routes
                              • OSPF
                              • BGP
                                » Local route ID and local AS, path selection, BGP confederations, route flap dampening,
                                  graceful restart, IGP-BGP route injection
                                » Route import, export, and advertisement; prefix-based filtering; address aggregation
                              • Multiple virtual routers
                              • Authentication by MD5
SD-WAN High Availability      Active/Passive HA; dual power supply
Connectivity Architecture     • Hub-and-spoke IPsec tunnels with automatic configuration
                              • Full mesh
                              • Prisma Access Hub support
Management                    • Single pane of glass for security and SD-WAN management
                              • Panorama-managed, API, syslog, SNMP
                              • RBAC
                              • Scale up to 5,000 devices per Panorama
                              • Zero Touch Provisioning (ZTP)
                              • Monitoring and visualization
                              • Dashboard views of SD-WAN-impacted applications and links with drill down
                              • SD-WAN link down alerts to detect blackout situations
                              • SD-WAN reporting
                              • Link jitter, delay, and drop trend charts
Deployment Flexibility        • Physical and Virtual Next-Generation Firewalls for both branch and hub
                              • Hub and spoke
                              • Full mesh
                              • Cloud-delivered with Prisma Access hubs
Table 2: SD-WAN Device Specifications (Hardware)*†
                                             PA-400 Series       PA-800 Series  PA-1400 Series  PA-3200 Series   PA-3400 Series        PA-5200 Series  PA-5400 Series    PA-5450           PA-7000 Series
Branch Office Bandwidth (recommended range)  200 Mbps–1.25 Gbps  50–700 Mbps    2.5–4 Gbps      800 Mbps–3 Gbps  5–10 Gbps             —               21–58 Gbps        —                 —
Max. Overlay IPsec Tunnels                   1K–2.8K             1K             2.8K            2K–3K            5K–8K                 3K–5K           24K               24K               8–12K
IPsec Overlay Performance with App-ID        900 Mbps–1.5 Gbps   1 Gbps         4–6.5 Gbps      2–3.5 Gbps       6.5–14 Gbps           7–22.5 Gbps     20–80 Gbps        TBD               22–300 Gbps
Max. Concurrent Sessions                     64K–400K            128K–196K      945K–1.4M       1M–3M            1.4M–3M               4M–64M          3.2M–100M         3.2M–200M         19.2M–80M
Max. Number of Routes                        2.5K–10K            5K–10K         10K             16K–44K          10K–24K               100K            228K              228K              32K–64K
Connectivity Options
LAN/WAN 1G RJ-45                             7–8                 4              8               —                12                    —               Depends on cards  Depends on cards  Depends on cards
LAN/WAN 1G SFP                               —                   8              6               —                —                     —               Depends on cards  Depends on cards  Depends on cards
LAN/WAN 1G/10G SFP                           —                   4              4               8                10                    16              Depends on cards  Depends on cards  Depends on cards
LAN/WAN 40G QSFP                             —                   —              —               0–4              2 (PA-3430, PA-3440)  4               Depends on cards  Depends on cards  Depends on cards
HA—Dual Power Input                          Optional            Yes (PA-850)   Optional        Optional         Yes                   Yes             Yes               Yes               Yes
* Any appliance can be used as a hub or branch.
† Ranges shown represent the span of appliance SKUs in a given series.
Table 3: SD-WAN Device Specifications (Virtual Machines)*
                                             VM-50         VM-100          VM-300             VM-500      VM-700
Branch Office Bandwidth (recommended range)  1–250 Mbps    200–450 Mbps    400 Mbps–1 Gbps    —           —
IPsec Overlay Performance with App-ID        945 Mbps      967 Mbps        1.6 Gbps           3.5 Gbps    6.9 Gbps
Max. Overlay IPsec Tunnels                   250           1K              2K                 4K          8K
Max. Concurrent Sessions                     64K           256K            819K               2M          10M
Max. Number of Routes                        2.5K          5K              10K                32K         100K
* Any appliance can be used as a hub or branch.
To compare performance and specifications for all our firewall offerings, visit
paloaltonetworks.com/products/product-selection.
3000 Tannery Way, Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com
© 2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks, Inc.
A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All
other marks mentioned herein may be trademarks of their respective companies.
strata_ds_sd-wan-for-ngfw_031423