Prisma Access
Integrate Prisma Access with Citrix SD-WAN (Panorama)
Table of Contents
Integrate Prisma Access with Citrix SD-WAN (Panorama)
To configure the Citrix SD-WAN remote network tunnel, use the following workflow.
Before you start this workflow, perform the following tasks:
- Configure Prisma Access for remote networks for the tunnels you create in this section, and make a note of the IKE and IPSec Crypto profiles you used for the remote network tunnel. Match these profiles when you configure the IPSec tunnel in the Citrix SD-WAN.
- When you configure the IKE gateway, use the following configuration parameters:
- Specify the Citrix SD-WAN Public IP address as the Peer Address.
- Enable NAT Traversal in the Advanced Options tab.
- When you configure the IPSec Gateway, specify the following configuration parameters:
- Specify the IKE Gateway and IPSec Crypto Profile that you created in Panorama for this remote network tunnel. These profiles include all the required IKE and IPSec crypto settings. Leave Enable Replay Protection selected to detect and neutralize against replay attacks.
- Add a Proxy ID for the Citrix peer to allow traffic from the Citrix SD-WAN through the tunnel. For the Local entry, use the Destination IP/Prefix that you configure on the Citrix side in a later task (in this case, 0.0.0.0). For the Remote entry, use the Source IP/Prefix that you configure on the Citrix side in a later task.The Local route of 0.0.0.0/0 means that all traffic (including internet traffic) from the Citrix SD-WAN that matches the remote subnet address (172.16.4.0/24 in this example) is protected by Prisma Access.
For more information, refer to the Citrix document Palo Alto Integration by Using IPsec Tunnels.
- Make a note of the Service IP address of the Prisma Access side of the tunnel after you create the remote network tunnel. To find this address in Panorama, select , click the Remote Networks radio button, and find the address in the Service IP Address field.
After you configure the remote network tunnel in Panorama, configure the IPSec tunnel
in the Citrix SD-WAN by completing the following task.
- Log in to the Citrix SD-WAN web interface, select .
- Choose a Service Type (LAN or Intranet).
- Enter a Name for the service type.
- Select the available Local IP address.If you specified a service type of Intranet, the configured Intranet server determines which Local IP addresses are available.
- In the Peer IP field, specify the Service IP Address that you noted when you configured the remote network in Prisma Access.
- Specify the IKE and IPSec parameters, matching the parameters you specified in Prisma Access.Note the Source IP/Prefix and Destination IP/Prefix values; those values should match the Remote and Local values, respectively, that you configured for the Proxy ID in Prisma Access.
- Click Apply.
Troubleshoot the Citrix SD-WAN Remote Network
To monitor and troubleshoot IPSec tunnels on the Citrix side of the tunnel, open
the Citrix SD-WAN UI and select and .
For more troubleshooting information, see the following Citrix documents:
In addition, Prisma Access provides logs that provide you with the status of
remote tunnels and the status of each tunnel. To view these logs in Panorama,
select .
To debug tunnel issues, you can filter for tunnel-specific logs by using the
object identifier corresponding to that tunnel. The following figures show
errors related to tunnel misconfiguration and negotiation issues.
