>
    Integrate Prisma Access with Citrix SD-WAN
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Integrate Third-Party SD-WANs with Prisma Access
    4. Citrix SD-WAN Solution Guide
    5. Integrate Prisma Access with Citrix SD-WAN
    Download PDF
    Prisma Access

    Integrate Prisma Access with Citrix SD-WAN

    Table of Contents

    Integrate Prisma Access with Citrix SD-WAN

    The following sections describe how you use the Citrix SD-WAN with Prisma Access to provide next-generation security on internet-bound traffic.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    Citrix supports the following deployment architectures for use with Prisma Access. A dash (—) indicates that the deployment isn't supported.
    Use CaseArchitectureSupported?
    Securing traffic from each branch site with 1 WAN link (Type 1)
    		Yes
    Securing branch and HQ sites with active/backup SD-WAN connections
    Securing Traffic from Branch to internet was supported through secure web gateway (SWG).
    A pair of Citrix SD-WAN appliances secure traffic from branch to branch; SWGs are not in this traffic path.
    		Yes
    Securing branch and HQ sites with active/active SD-WAN connections
    You can configure Citrix tunnels in an active/active configuration if the traffic that each tunnel carries is distinctive (for example, if you specify traffic in one subnet to use one tunnel and traffic in another subnet to use another tunnel).
    		Yes
    Securing branch and HQ sites with SD-WAN edge devices in HA mode
    		Yes
    Securing SD-WAN deployments with Regional Hub/POP architecture (Type 2)
    		Yes

    Integrate Prisma Access with Citrix SD-WAN (Strata Cloud Manager)

    To configure the Citrix SD-WAN remote network tunnel in Prisma Access and in Citrix, use the following workflow.
    1. Follow the steps to Connect a remote network to Prisma Access.
      • Choose a Prisma Access Location that is close to the remote network location that you want to onboard.
      • When creating the IPSec tunnel, use a Branch Device Type of Citrix.
      • Specify an IKE Peer Identification of IP Address and enter the Citrix SD-WAN Public IP address.
    2. Add a Proxy ID for the Citrix peer to allow traffic from the Citrix SD-WAN through the tunnel. For the Local entry, use the Destination IP/Prefix that you configure on the Citrix side in a later task (in this case, 0.0.0.0). For the Remote entry, use the Source IP/Prefix that you configure on the Citrix side in a later task.
      The Local route of 0.0.0.0/0 means that all traffic (including internet traffic) from the Citrix SD-WAN that matches the remote subnet address (172.16.4.0/24 in this example) is protected by Prisma Access.
    3. Select IPSec Advanced Options and select an IPSec Crypto profile of Citrix-IPSec-Crypto-Default.
    4. Select IKE Advanced Options and select an IKEv1 crypto profile of Citrix-IKE-Crypto-Default.
    5. Set up routing for the remote network.
      Set Up Routing and Add the IP subnets for Static Routing.
      Add a Branch IP Subnet.
      Choose Static Routing and Add a subnet you have reserved for this remote network connection.
    6. Push your configuration changes.
      1. Return to ManageService SetupRemote Networks and select Push ConfigPush.
      2. Select Remote Networks.
      3. Push your changes.
    7. Make a note of the Service IP of the Prisma Access side of the tunnel. To find this address in Prisma Access (Managed by Strata Cloud Manager), select ManageService SetupRemote Networks, click the Remote Networks. Look for the Service IP field corresponding to the remote network configuration you created.
    8. Log in to the Citrix SD-WAN web interface, select ConnectionSiteIPsec Tunnels.
    9. Choose a Service Type (LAN or Intranet).
    10. Enter a Name for the service type.
    11. Select the available Local IP address.
      If you specified a service type of Intranet, the configured Intranet server determines which Local IP addresses are available.
    12. In the Peer IP field, specify the Service IP that you noted when you configured the remote network in Prisma Access.
    13. Specify the IKE and IPSec parameters, matching the parameters you specified in Prisma Access.
      Note the Source IP/Prefix and Destination IP/Prefix values; those values should match the Remote and Local values, respectively, that you configured for the Proxy ID in Prisma Access.
    14. Click Apply.

    Troubleshoot the Citrix SD-WAN Remote Network

    To monitor and troubleshoot IPSec tunnels on the Citrix side of the tunnel, open the Citrix SD-WAN web interface and select MonitoringStatistics and MonitoringIKE/IPSec.
    In addition, Prisma Access provides logs and widgets that provide you with the status of remote tunnels and the status of each tunnel.
    • Go to ManageService SetupRemote Networks and check the Status of the tunnel.
    • Go to ActivityLog Viewer and check the Common/System logs for IPSec- and IKE-related messages.
      To view VPN-relates messages, set the filter to sub_type.value = vpn.
      The message ignoring unauthenticated notify payload indicates that the route has not been added in the crypto map on the other side of the IPSec tunnel after the IPSec negotiation has already occurred.
    • Check the Firewall/Traffic logs and view the messages that are coming from the zone that has the same name as the remote network.
      In the logs, the remote network name is used as the source zone.

    Integrate Prisma Access with Citrix SD-WAN (Panorama)

    To configure the Citrix SD-WAN remote network tunnel, use the following workflow.
    Before you start this workflow, perform the following tasks:
    • Configure Prisma Access for remote networks for the tunnels you create in this section, and make a note of the IKE and IPSec Crypto profiles you used for the remote network tunnel. Match these profiles when you configure the IPSec tunnel in the Citrix SD-WAN.
    • When you configure the IKE gateway, use the following configuration parameters:
      • Specify the Citrix SD-WAN Public IP address as the Peer Address.
      • Enable NAT Traversal in the Advanced Options tab.
    • When you configure the IPSec Gateway, specify the following configuration parameters:
      • Specify the IKE Gateway and IPSec Crypto Profile that you created in Panorama for this remote network tunnel. These profiles include all the required IKE and IPSec crypto settings. Leave Enable Replay Protection selected to detect and neutralize against replay attacks.
      • Add a Proxy ID for the Citrix peer to allow traffic from the Citrix SD-WAN through the tunnel. For the Local entry, use the Destination IP/Prefix that you configure on the Citrix side in a later task (in this case, 0.0.0.0). For the Remote entry, use the Source IP/Prefix that you configure on the Citrix side in a later task.
        The Local route of 0.0.0.0/0 means that all traffic (including internet traffic) from the Citrix SD-WAN that matches the remote subnet address (172.16.4.0/24 in this example) is protected by Prisma Access.
        For more information, refer to the Citrix document Palo Alto Integration by Using IPsec Tunnels.
    • Make a note of the Service IP address of the Prisma Access side of the tunnel after you create the remote network tunnel. To find this address in Panorama, select PanoramaCloud ServicesStatusNetwork Details, click the Remote Networks radio button, and find the address in the Service IP Address field.
    After you configure the remote network tunnel in Panorama, configure the IPSec tunnel in the Citrix SD-WAN by completing the following task.
    1. Log in to the Citrix SD-WAN web interface, select ConnectionSiteIPsec Tunnels.
    2. Choose a Service Type (LAN or Intranet).
    3. Enter a Name for the service type.
    4. Select the available Local IP address.
      If you specified a service type of Intranet, the configured Intranet server determines which Local IP addresses are available.
    5. In the Peer IP field, specify the Service IP Address that you noted when you configured the remote network in Prisma Access.
    6. Specify the IKE and IPSec parameters, matching the parameters you specified in Prisma Access.
      Note the Source IP/Prefix and Destination IP/Prefix values; those values should match the Remote and Local values, respectively, that you configured for the Proxy ID in Prisma Access.
    7. Click Apply.

    Troubleshoot the Citrix SD-WAN Remote Network

    To monitor and troubleshoot IPSec tunnels on the Citrix side of the tunnel, open the Citrix SD-WAN UI and select MonitoringStatistics and MonitoringIKE/IPSec.
    For more troubleshooting information, see the following Citrix documents:
    In addition, Prisma Access provides logs that provide you with the status of remote tunnels and the status of each tunnel. To view these logs in Panorama, select MonitorLogsSystem.
    To debug tunnel issues, you can filter for tunnel-specific logs by using the object identifier corresponding to that tunnel. The following figures show errors related to tunnel misconfiguration and negotiation issues.

    © 2024 Palo Alto Networks, Inc. All rights reserved.