Comprehensive Guide to Palo Alto SD-WAN: Architecture, Implementation, and Advanced Features

Software-Defined Wide Area Networks (SD-WAN) have dramatically transformed enterprise networking by providing intelligent, application-aware routing across multiple connection types. Palo Alto Networks, a leader in network security, has integrated robust SD-WAN capabilities into their platform, combining industry-leading security with advanced WAN optimization. This comprehensive guide examines Palo Alto’s SD-WAN solution, diving deep into its architecture, implementation considerations, configuration details, and real-world applications.

Understanding SD-WAN: Foundation and Evolution

Traditional WAN architectures rely heavily on private MPLS circuits that backhaul traffic through centralized data centers. While reliable, these architectures introduce limitations in an increasingly cloud-centric world: they’re expensive, inflexible, and often create performance bottlenecks for cloud applications. SD-WAN addresses these constraints by abstracting the networking hardware from its control mechanism, creating programmable networks that can dynamically route traffic based on application requirements, network conditions, and business policies.

Palo Alto Networks’ approach to SD-WAN stands out by integrating advanced SD-WAN capabilities directly into their Security Operating Platform, delivering what they call a “Next-Generation SD-WAN” that fuses security and networking functions. Unlike bolt-on security for traditional SD-WAN solutions, Palo Alto’s implementation builds SD-WAN on a security foundation.

The core SD-WAN technology enables enterprises to utilize multiple internet and private services to create dynamic routing paths, continuously monitoring connection quality and shifting traffic in real-time. This is achieved through several key technologies:

• Path Monitoring and Selection: Continuous assessment of path quality metrics such as latency, jitter, and packet loss
• Application-Based Forwarding: Intelligent traffic steering based on application identification
• Dynamic Path Selection: Real-time traffic shifting based on network conditions
• Centralized Policy Management: Consistent policy configuration across distributed locations
• Transport Independence: Abstraction that supports MPLS, broadband, LTE, and other connection types

The Palo Alto SD-WAN Architecture

Palo Alto’s SD-WAN implementation consists of several interconnected components forming a cohesive architecture:

Core Architectural Components

The Palo Alto SD-WAN architecture integrates seamlessly with their existing security infrastructure, with the following primary components:

• Next-Generation Firewalls (NGFW): Physical or virtual firewalls deployed at branch locations that serve as SD-WAN edges
• Panorama: Centralized management system that functions as the SD-WAN controller, providing orchestration, visibility, and policy management
• SD-WAN Subscriptions: License-based functionality that activates advanced SD-WAN features
• Link Tags: Identifiers that categorize WAN connections for policy enforcement
• SD-WAN Interface Profiles: Templates that define performance metrics and thresholds
• SD-WAN Path Quality Profiles: Configurations that define performance requirements for applications

This architecture leverages Palo Alto’s existing security capabilities, including application identification, threat prevention, URL filtering, and endpoint protection. The SD-WAN functionality isn’t a separate solution but an integrated part of the PAN-OS operating system.

Data Flow and Traffic Management

When a packet enters a Palo Alto NGFW configured for SD-WAN, it undergoes several processing stages:

1. Traffic is first classified using App-ID technology, which identifies applications regardless of port, protocol, or encryption
2. The firewall applies security policies to permit, deny, or inspect the traffic
3. For permitted traffic, SD-WAN policies determine the optimal egress path based on:
   • Application requirements defined in path quality profiles
   • Real-time measurements of available paths
   • Configured link priorities and costs
4. Traffic is forwarded along the selected path, which may be direct internet breakout or via a VPN tunnel to another location
5. Continuous monitoring adjusts paths if quality degrades

This process happens in real-time with minimal latency impact, ensuring that traffic always follows the best available path while remaining fully secured.

SD-WAN Controller and Orchestration

Panorama serves as the SD-WAN controller in Palo Alto’s architecture. It provides several essential functions:

• Zero-touch provisioning for rapid deployment of new sites
• Centralized policy management and distribution
• Real-time monitoring of path quality across the network
• Historical analytics for network planning and optimization
• Automated VPN mesh configuration for site-to-site connectivity
• Template-based configuration to ensure consistency

Panorama can be deployed on-premises or in the cloud, offering flexibility for different operational models. Its centralized approach eliminates the need to configure individual devices, dramatically reducing management overhead and ensuring consistent policy enforcement.

Implementation and Configuration: Step-by-Step Guide

Implementing Palo Alto’s SD-WAN solution involves several key steps, from licensing to advanced configuration. Let’s explore each in detail:

Licensing and Prerequisites

Before configuring SD-WAN on Palo Alto devices, you need to ensure you have the proper licensing and prerequisites:

1. Valid SD-WAN subscription for each NGFW device
2. PAN-OS 9.1 or later (though 10.0+ is recommended for full feature availability)
3. Panorama for centralized management (strongly recommended)
4. Multiple WAN connections at each location for path diversity
5. Basic network connectivity between locations

You can verify your SD-WAN license status through the device web interface under Device > Licenses, or via CLI with the command:

> request license info

SD-WAN Configuration Workflow

Configuring SD-WAN on Palo Alto Networks devices follows this logical workflow:

Step 1: Create Link Tags

Link tags categorize your WAN connections by type (e.g., MPLS, broadband, LTE) and are used in policy definitions. To create link tags:

1. Navigate to Network > SD-WAN > Link Tags
2. Click Add and define meaningful tags like “mpls,” “internet,” or “lte”

Example CLI configuration:

set network virtual-router default sd-wan link-tag mpls
set network virtual-router default sd-wan link-tag internet
set network virtual-router default sd-wan link-tag lte

Step 2: Configure SD-WAN Interface Profiles

Interface profiles define performance monitoring parameters and thresholds:

1. Navigate to Network > SD-WAN > Interface Profiles
2. Create a profile with appropriate monitoring settings:
   • Probe interval: How frequently to test path quality (e.g., 200ms)
   • Exponential moving average samples: Number of samples to consider (e.g., 10)
   • Jitter threshold: Maximum acceptable jitter (e.g., 5ms)
   • Latency threshold: Maximum acceptable latency (e.g., 100ms)
   • Path down threshold: Packet loss percentage to consider path down (e.g., 5%)

Example CLI configuration:

set network virtual-router default sd-wan interface-profile default-profile probe-interval 200
set network virtual-router default sd-wan interface-profile default-profile exponential-avg-sample 10
set network virtual-router default sd-wan interface-profile default-profile jitter-threshold 5
set network virtual-router default sd-wan interface-profile default-profile latency-threshold 100
set network virtual-router default sd-wan interface-profile default-profile path-down-threshold 5

Step 3: Configure SD-WAN Physical Interfaces

Next, apply SD-WAN configuration to your physical WAN interfaces:

1. Navigate to Network > Interfaces
2. Select a WAN interface and configure:
   • Virtual Router assignment
   • IP address configuration
   • SD-WAN tab: Enable SD-WAN, select Interface Profile, assign Link Tag
3. Repeat for all WAN interfaces

Example CLI configuration:

set network interface ethernet1/1 layer3 sd-wan enable yes
set network interface ethernet1/1 layer3 sd-wan interface-profile default-profile
set network interface ethernet1/1 layer3 sd-wan link-tag internet

Step 4: Configure SD-WAN Path Quality Profiles

Path quality profiles define performance requirements for different applications or traffic classes:

1. Navigate to Network > SD-WAN > Path Quality Profiles
2. Add profiles with specific requirements:
   • Voice profile: Low latency (50ms), minimal jitter (10ms), near-zero packet loss (0.5%)
   • Video profile: Moderate latency (100ms), low jitter (20ms), low packet loss (1%)
   • Data profile: Higher latency tolerance (200ms), higher packet loss tolerance (2%)

Example CLI configuration:

set network virtual-router default sd-wan path-quality-profile voice jitter-threshold 10
set network virtual-router default sd-wan path-quality-profile voice latency-threshold 50
set network virtual-router default sd-wan path-quality-profile voice packet-loss-threshold 0.5

Step 5: Define SD-WAN Policy Rules

SD-WAN policy rules determine how traffic is routed based on application, source, destination, and path quality:

1. Navigate to Policies > SD-WAN
2. Create rules that match traffic and specify path selection criteria:
   • Match criteria: Applications, sources, destinations, users
   • Path selection: Primary path, backup paths, path quality profile

Example CLI configuration for a VoIP traffic policy:

set network virtual-router default sd-wan policy rules voip-traffic applications voip-apps
set network virtual-router default sd-wan policy rules voip-traffic path-quality-profile voice
set network virtual-router default sd-wan policy rules voip-traffic primary-path mpls
set network virtual-router default sd-wan policy rules voip-traffic secondary-path internet backup

VPN Tunnel Configuration for SD-WAN

One of the key benefits of Palo Alto’s SD-WAN is its ability to automatically establish and manage IPsec VPN tunnels between locations. This creates a secure, encrypted overlay network across diverse transport links:

Automatic VPN Mesh Configuration

For multi-site deployments, Palo Alto simplifies VPN configuration through automation:

1. Configure each site as an SD-WAN branch using identical configuration templates
2. Define tunnel interfaces and IPsec crypto profiles
3. Enable “Auto-Discovery” through Panorama
4. The system automatically establishes VPN tunnels between all locations

Example tunnel interface configuration:

set network interface tunnel units tunnel.1 comment "SD-WAN VPN Tunnel"
set network interface tunnel units tunnel.1 ip enable-sdwan yes
set network profiles ipsec-crypto SD-WAN-Crypto esp authentication sha256
set network profiles ipsec-crypto SD-WAN-Crypto esp encryption aes-256-cbc

BGP for SD-WAN Routing

To handle dynamic routing across the SD-WAN overlay, Palo Alto leverages BGP:

1. Configure BGP within the virtual router on each firewall
2. Define BGP peer relationships between locations
3. Use BGP to advertise local networks to remote sites
4. Enable BGP route selection based on SD-WAN metrics

Example BGP configuration:

set network virtual-router default protocol bgp enable yes
set network virtual-router default protocol bgp router-id 10.1.1.1
set network virtual-router default protocol bgp local-as 65001
set network virtual-router default protocol bgp peer-group SD-WAN-Peers type ibgp
set network virtual-router default protocol bgp peer-group SD-WAN-Peers export-nexthop resolve
set network virtual-router default protocol bgp peer-group SD-WAN-Peers peer 10.2.2.1 connect-via tunnel.1
set network virtual-router default protocol bgp peer-group SD-WAN-Peers peer 10.2.2.1 enable yes
set network virtual-router default protocol bgp peer-group SD-WAN-Peers peer 10.2.2.1 peer-as 65001

Advanced SD-WAN Features and Capabilities

Palo Alto’s SD-WAN solution includes several advanced features that distinguish it from traditional offerings. Let’s explore these capabilities in depth:

Application-Based Forwarding and QoS

One of the most powerful features of Palo Alto’s SD-WAN is its deep application awareness through App-ID technology, enabling truly intelligent application-based forwarding decisions:

App-ID Integration

Unlike SD-WAN solutions that rely on port numbers or simple DPI, Palo Alto’s App-ID uses multiple identification techniques:

• Application protocol detection independent of port
• SSL/TLS decryption capabilities for encrypted traffic (when configured)
• Application signatures and heuristics
• Behavioral analysis

This means the SD-WAN can make routing decisions based on the actual application, not just transport characteristics. For example, you can create policies that route:

• Microsoft Teams voice traffic over MPLS primary, Internet backup
• Office 365 email over Internet primary, LTE backup
• Salesforce.com traffic direct to Internet
• ERP traffic through headquarters

Quality of Service Integration

Palo Alto integrates QoS with SD-WAN for comprehensive traffic management:

1. Define QoS profiles with bandwidth allocation and priority queues
2. Apply QoS marking based on application identification
3. Ensure critical applications receive appropriate treatment even during congestion

Example QoS configuration that works alongside SD-WAN:

set qos profile QoS-Policy-1 class voice priority real-time
set qos profile QoS-Policy-1 class video priority high
set qos profile QoS-Policy-1 class web-browsing priority medium
set qos profile QoS-Policy-1 default priority low

Security Integration and Zero Trust

A key differentiator for Palo Alto’s SD-WAN is its security-first approach, integrating comprehensive security capabilities:

Integrated Threat Prevention

Unlike solutions that require separate security products, Palo Alto’s SD-WAN includes:

• Advanced threat prevention with intrusion prevention
• Antivirus/anti-spyware capabilities
• DNS security
• URL filtering
• File blocking and WildFire integration for unknown threat analysis

All traffic, regardless of which path it takes through the SD-WAN, receives consistent security inspection:

set security rules protect-all-traffic application any
set security rules protect-all-traffic service application-default
set security rules protect-all-traffic action allow
set security rules protect-all-traffic profile-setting group security-profiles
set security rules protect-all-traffic profile-setting virus default
set security rules protect-all-traffic profile-setting spyware default
set security rules protect-all-traffic profile-setting vulnerability default

Zero Trust Implementation

Palo Alto’s SD-WAN supports Zero Trust Network Access (ZTNA) principles:

• User-ID technology identifies and authenticates users regardless of location
• Continuous monitoring of user behavior and traffic patterns
• Least-privilege access to applications and resources
• Integration with Prisma Access for consistent cloud-delivered security

This enables secure remote access without traditional VPN clients, using capabilities like:

set user-id-collector setting enable yes
set user-id-collector setting user-mapping-timeout 60
set user-id-collector setting group-mapping-timeout 60
set user-id-collector setting captive-portal roles all

Cloud Integration and SaaS Optimization

Modern enterprises require optimal access to cloud services, which Palo Alto’s SD-WAN facilitates through several mechanisms:

Direct Internet Access and Local Breakout

Rather than backhauling all traffic to a central location, Palo Alto’s SD-WAN enables secure local internet breakout:

1. Identify cloud-bound traffic using App-ID
2. Apply security policies locally
3. Route traffic directly to the internet
4. Monitor performance and adjust routing as needed

Example policy for Office 365 local breakout:

set network virtual-router default sd-wan policy rules o365-direct applications ms-office-365
set network virtual-router default sd-wan policy rules o365-direct path-quality-profile cloud-apps
set network virtual-router default sd-wan policy rules o365-direct primary-path internet
set network virtual-router default sd-wan policy rules o365-direct backend-path all

SaaS Application Optimization

For critical SaaS applications, Palo Alto integrates special optimizations:

• Cloud intelligence that maps optimal paths to popular SaaS providers
• Dynamic path selection based on real-time performance to specific SaaS destinations
• Application-specific monitoring for common SaaS platforms

The system can automatically discover the optimal entry points into cloud provider networks and adapt as conditions change.

Analytics, Monitoring, and Troubleshooting

Effective SD-WAN management requires comprehensive visibility, which Palo Alto provides through:

SD-WAN Dashboard

Panorama includes a dedicated SD-WAN dashboard providing:

• Real-time path quality metrics across all connections
• Application performance data
• Path utilization statistics
• Alert visualization for threshold violations
• Historical trend analysis

This dashboard helps identify problems before they impact users and provides data for capacity planning and optimization.

Advanced Troubleshooting Tools

For in-depth troubleshooting, Palo Alto provides several specialized tools:

• Path quality monitoring with detailed metrics for each link
• Packet capture capabilities integrated with SD-WAN awareness
• Policy trace to verify rule matches and path selection
• Log filtering specific to SD-WAN events

Example CLI commands for troubleshooting:

> show sd-wan path-quality
> show sd-wan path-selection application ms-teams
> show sd-wan policy-log
> test sd-wan policy source 10.1.1.10 destination 8.8.8.8 application web-browsing

Real-World Deployment Scenarios and Case Studies

Understanding how Palo Alto’s SD-WAN solution performs in real-world scenarios provides valuable insights for planning and implementation:

Branch Office Connectivity Case Study

A multinational manufacturing company with 50 branch locations was struggling with expensive MPLS connections and poor cloud application performance. They implemented Palo Alto’s SD-WAN solution with the following architecture:

• Each branch: PA-3220 with dual internet connections (fiber and LTE backup)
• Regional hubs: PA-5260 with MPLS and multiple internet connections
• Headquarters: PA-7080 cluster with diverse carrier connections
• Panorama management servers in HA configuration

The implementation resulted in:

• 60% reduction in WAN costs by reducing MPLS dependence
• 75% improvement in SaaS application performance
• 99.99% uptime through connection diversity
• Consistent security enforcement across all locations
• Deployment time reduced from weeks to days per site

Key configuration aspects included:

# Hub configuration excerpt
set network virtual-router default sd-wan enable yes
set network virtual-router default sd-wan hub-mode yes
set network profiles ipsec-crypto HQ-Crypto esp authentication sha384
set network profiles ipsec-crypto HQ-Crypto esp encryption aes-256-gcm

# Branch configuration excerpt
set network virtual-router default sd-wan enable yes
set network virtual-router default sd-wan spoke-mode yes
set network virtual-router default sd-wan hub-priority 1 address 198.51.100.1
set network virtual-router default sd-wan hub-priority 2 address 203.0.113.1

Retail SD-WAN Implementation

A large retail chain with 500+ stores implemented Palo Alto’s SD-WAN to address PCI compliance concerns and improve reliability. Their configuration included:

• Each store: PA-220 with broadband primary, LTE backup
• Distribution centers: PA-3260 with redundant connections
• Corporate offices: PA-5280 clusters
• Cloud-hosted Panorama for management

The implementation enabled:

• PCI-compliant segment isolation
• Point-of-sale transaction prioritization
• Secure guest WiFi with local breakout
• Inventory system traffic routed via distribution centers
• Corporate applications through secured paths

Their policy configuration prioritized payment traffic:

set network virtual-router default sd-wan policy rules pos-traffic applications pos-system
set network virtual-router default sd-wan policy rules pos-traffic path-quality-profile high-priority
set network virtual-router default sd-wan policy rules pos-traffic primary-path mpls
set network virtual-router default sd-wan policy rules pos-traffic secondary-path internet backup

Healthcare Network Transformation

A healthcare provider with hospitals and clinics implemented Palo Alto’s SD-WAN to improve reliability for critical systems and maintain HIPAA compliance. Their implementation included:

• Hospitals: PA-5260 with diverse carrier connections
• Clinics: PA-850 with broadband and LTE
• Data centers: PA-7080 clusters

The deployment featured:

• Strict application segmentation for EMR systems
• Prioritization of telemedicine traffic
• Automatic failover for critical applications
• Comprehensive security across all sites
• Consistent patient experience regardless of location

Special considerations included:

# High-priority medical devices
set network virtual-router default sd-wan policy rules medical-devices source medical-device-subnet
set network virtual-router default sd-wan policy rules medical-devices path-quality-profile critical
set network virtual-router default sd-wan policy rules medical-devices qos-class voice
set network virtual-router default sd-wan policy rules medical-devices primary-path mpls

Scaling and Optimizing Palo Alto SD-WAN

As organizations grow their SD-WAN deployments, several scaling and optimization considerations become important:

Performance Tuning and Optimization

To ensure optimal SD-WAN performance, consider these tuning parameters:

Probe Settings Optimization

Default probe settings may not be optimal for all environments. Consider adjusting:

• Probe interval: Lower values (e.g., 100ms) provide more responsive failover but increase overhead
• Exponential average samples: Higher values (e.g., 15-20) smooth out temporary fluctuations
• Thresholds: Adjust based on application requirements and typical network behavior

Example optimized settings for sensitive environments:

set network virtual-router default sd-wan interface-profile voip-profile probe-interval 100
set network virtual-router default sd-wan interface-profile voip-profile exponential-avg-sample 15
set network virtual-router default sd-wan interface-profile voip-profile jitter-threshold 3
set network virtual-router default sd-wan interface-profile voip-profile latency-threshold 80
set network virtual-router default sd-wan interface-profile voip-profile path-down-threshold 3

Traffic Engineering Techniques

Beyond basic path selection, advanced traffic engineering can improve performance:

• Link aggregation for increased bandwidth
• Path affinity to maintain consistent paths for sensitive sessions
• Symmetric routing for applications requiring it
• Time-based policies for predictable bandwidth requirements

Example load sharing configuration:

set network virtual-router default sd-wan policy rules load-share applications [ web-browsing salesforce-base ]
set network virtual-router default sd-wan policy rules load-share path-quality-profile standard
set network virtual-router default sd-wan policy rules load-share primary-path internet
set network virtual-router default sd-wan policy rules load-share secondary-path internet2 equal

Large-Scale Deployment Considerations

For enterprises deploying SD-WAN across hundreds or thousands of sites, special considerations apply:

Hierarchical Management Structure

Implement a hierarchical management approach:

• Multiple Panorama instances for different regions or business units
• Template stacking for configuration inheritance
• Device groups for policy management
• Log collectors for distributed log management

This structure enables delegation of administration while maintaining consistent security policies.

Automation and Orchestration

Leverage automation for large-scale deployments:

• API-driven configuration using Palo Alto’s XML API or REST API
• Terraform providers for infrastructure-as-code deployments
• Ansible modules for configuration management
• Custom scripts for repetitive tasks

Example Python script for checking SD-WAN status across multiple devices:

import requests
import xml.etree.ElementTree as ET
import json

# Disable warnings for self-signed certs
requests.packages.urllib3.disable_warnings()

def check_sdwan_status(firewall, api_key):
    url = f"https://{firewall}/api/?type=op&cmd=<show><sd-wan><path-quality></path-quality></sd-wan></show>&key={api_key}"
    response = requests.get(url, verify=False)
    
    if response.status_code == 200:
        root = ET.fromstring(response.text)
        status_data = []
        
        for entry in root.findall('.//entry'):
            source = entry.find('source').text
            destination = entry.find('destination').text
            latency = entry.find('latency').text
            jitter = entry.find('jitter').text
            packet_loss = entry.find('packet-loss').text
            
            status_data.append({
                'source': source,
                'destination': destination,
                'latency': latency,
                'jitter': jitter,
                'packet_loss': packet_loss
            })
        
        return status_data
    else:
        return f"Error: {response.status_code} - {response.text}"

# Example usage
firewalls = ["192.168.1.1", "192.168.1.2", "192.168.1.3"]
api_key = "YOUR_API_KEY"

results = {}
for fw in firewalls:
    results[fw] = check_sdwan_status(fw, api_key)

print(json.dumps(results, indent=2))

Future Directions: SD-WAN and SASE

The SD-WAN market continues to evolve toward complete Secure Access Service Edge (SASE) solutions. Palo Alto Networks is positioning its SD-WAN technology as a component of their broader SASE framework, Prisma Access.

Integration with Prisma Access

Prisma Access represents Palo Alto’s cloud-delivered security platform that incorporates SD-WAN as part of a comprehensive SASE solution:

• Cloud-native security services delivered from a distributed cloud platform
• Consistent security for all users, regardless of location
• Integration between on-premises SD-WAN and cloud-delivered security
• Single management interface for network and security functions

This integration enables hybrid deployments where some locations use physical SD-WAN appliances while others leverage cloud-delivered services, all with consistent policy enforcement.

Emerging Trends and Technologies

Several emerging trends will impact SD-WAN evolution:

• 5G Integration: Incorporating 5G as a high-performance transport option
• AI-Driven Operations: Using machine learning for predictive path selection and automated troubleshooting
• IoT Security: Extending SD-WAN capabilities to protect distributed IoT deployments
• Multi-Cloud Networking: Optimizing connectivity across multiple cloud providers
• Zero Trust Network Access: Deeper integration of zero trust principles into SD-WAN architecture

Palo Alto continues to invest in these areas, with regular feature updates through their PAN-OS releases.

Conclusion: Evaluating Palo Alto’s SD-WAN Solution

Palo Alto Networks’ approach to SD-WAN represents a security-first strategy that differentiates it from traditional networking-focused solutions. By integrating SD-WAN capabilities directly into their Next-Generation Firewall platform, they provide a unified approach to secure networking that addresses many of the challenges organizations face as they migrate to cloud services.

The key strengths of Palo Alto’s solution include:

• Comprehensive security integration without performance compromises
• Sophisticated application identification and intelligent routing
• Centralized management and visibility through Panorama
• Flexible deployment options supporting physical, virtual, and cloud implementations
• Seamless integration with broader SASE frameworks

While not the least expensive option in the market, the total cost of ownership benefits can be significant when considering the elimination of separate security appliances and simplified management. Organizations evaluating SD-WAN solutions should carefully consider their security requirements alongside networking needs and assess whether Palo Alto’s integrated approach aligns with their architectural vision and operational capabilities.

For existing Palo Alto customers, leveraging the built-in SD-WAN capabilities offers a logical expansion path that maximizes the value of current investments while enabling network transformation. For organizations new to Palo Alto, the SD-WAN capabilities provide a compelling entry point into their broader security ecosystem.

As enterprises continue their digital transformation journeys, solutions like Palo Alto’s SD-WAN that bridge the gap between networking and security will play an increasingly important role in enabling secure, flexible, and high-performance connectivity across distributed environments.

Frequently Asked Questions About Palo Alto SD-WAN