Prisma Access
Cloud Management
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Cloud Management
Cloud Management
To configure the Citrix SD-WAN remote network tunnel in Prisma Access and in Citrix,
use the following workflow.
- Follow the steps to Connect a remote network to Prisma Access.
- Choose aPrisma Access Locationthat is close to the remote network location that you want to onboard.
- When creating the IPSec tunnel, use aBranch Device TypeofCitrix.
- Specify anIKE Peer IdentificationofIP Addressand enter the Citrix SD-WAN Public IP address.
- AddaProxy IDfor the Citrix peer to allow traffic from the Citrix SD-WAN through the tunnel. For theLocalentry, use theDestination IP/Prefixthat you configure on the Citrix side in a later task (in this case, 0.0.0.0). For theRemoteentry, use theSource IP/Prefixthat you configure on the Citrix side in a later task.TheLocalroute of 0.0.0.0/0 means that all traffic (including internet traffic) from the Citrix SD-WAN that matches the remote subnet address (172.16.4.0/24 in this example) is protected by Prisma Access.
- SelectIPSec Advanced Optionsand select an IPSec Crypto profile ofCitrix-IPSec-Crypto-Default.
- SelectIKE Advanced Optionsand select an IKEv1 crypto profile ofCitrix-IKE-Crypto-Default.
- Set up routing for the remote network.Set UpRouting andAddthe IP subnets for Static Routing.AddaBranch IP Subnet.Choose Static Routing andAdda subnet you have reserved for this remote network connection.
- Push your configuration changes.
- Return toand selectManageService SetupRemote Networks.Push ConfigPush
- SelectRemote Networks.
- Pushyour changes.
- Make a note of theService IPof the Prisma Access side of the tunnel. To find this address inPrisma Access (Cloud Management), select, click theManageService SetupRemote NetworksRemote Networks. Look for theService IPfield corresponding to the remote network configuration you created.
- Log in to the Citrix SD-WAN web interface, select.ConnectionSiteIPsec Tunnels
- Choose aService Type(LAN or Intranet).
- Enter aNamefor the service type.
- Select the availableLocal IPaddress.If you specified a service type ofIntranet, the configured Intranet server determines which Local IP addresses are available.
- In thePeer IPfield, specify theService IPthat you noted when you configured the remote network in Prisma Access.
- Specify the IKE and IPSec parameters, matching the parameters you specified in Prisma Access.Note theSource IP/PrefixandDestination IP/Prefixvalues; those values should match theRemoteandLocalvalues, respectively, that you configured for theProxy IDin Prisma Access.
- ClickApply.
Troubleshoot the Citrix SD-WAN Remote Network
To monitor and troubleshoot IPSec tunnels on the Citrix side of the tunnel, open
the Citrix SD-WAN web interface and select and .
Monitoring
Statistics
Monitoring
IKE/IPSec
In addition, Prisma Access provides logs and widgets that provide you with the
status of remote tunnels and the status of each tunnel.
- Go toand check theManageService SetupRemote NetworksStatusof the tunnel.
- Go toand check theActivityLog ViewerCommon/Systemlogs for IPSec- and IKE-related messages.To view VPN-relates messages, set the filter tosub_type.value = vpn.The messageignoring unauthenticated notify payloadindicates that the route has not been added in the crypto map on the other side of the IPSec tunnel after the IPSec negotiation has already occurred.
- Check theFirewall/Trafficlogs and view the messages that are coming from the zone that has the same name as the remote network.In the logs, the remote network name is used as the source zone.