Prisma Access
Panorama
Table of Contents
Panorama
Panorama
To configure the Citrix SD-WAN remote network tunnel, use the following workflow.
Before you start this workflow, perform the following tasks:
- Configure Prisma Access for remote networks for the tunnels you create in this section, and make a note of the IKE and IPSec Crypto profiles you used for the remote network tunnel. Match these profiles when you configure the IPSec tunnel in the Citrix SD-WAN.
- When you configure theIKE gateway, use the following configuration parameters:
- Specify the Citrix SD-WAN Public IP address as thePeer Address.
- EnableNAT Traversalin theAdvanced Optionstab.
- When you configure theIPSec Gateway, specify the following configuration parameters:
- Specify theIKE GatewayandIPSec Crypto Profilethat you created in Panorama for this remote network tunnel. These profiles include all the required IKE and IPSec crypto settings. LeaveEnable Replay Protectionselected to detect and neutralize against replay attacks.
- Add aProxy IDfor the Citrix peer to allow traffic from the Citrix SD-WAN through the tunnel. For theLocalentry, use theDestination IP/Prefixthat you configure on the Citrix side in a later task (in this case, 0.0.0.0). For theRemoteentry, use theSource IP/Prefixthat you configure on the Citrix side in a later task.TheLocalroute of 0.0.0.0/0 means that all traffic (including internet traffic) from the Citrix SD-WAN that matches the remote subnet address (172.16.4.0/24 in this example) is protected by Prisma Access.
For more information, refer to the Citrix document Palo Alto Integration by Using IPsec Tunnels.
- Make a note of the Service IP address of the Prisma Access side of the tunnel after you create the remote network tunnel. To find this address in Panorama, select , click theRemote Networksradio button, and find the address in theService IP Addressfield.
After you configure the remote network tunnel in Panorama, configure the IPSec tunnel
in the Citrix SD-WAN by completing the following task.
- Log in to the Citrix SD-WAN web interface, select .
- Choose aService Type(LAN or Intranet).
- Enter aNamefor the service type.
- Select the availableLocal IPaddress.If you specified a service type ofIntranet, the configured Intranet server determines which Local IP addresses are available.
- In thePeer IPfield, specify theService IP Addressthat you noted when you configured the remote network in Prisma Access.
- Specify the IKE and IPSec parameters, matching the parameters you specified in Prisma Access.Note theSource IP/PrefixandDestination IP/Prefixvalues; those values should match theRemoteandLocalvalues, respectively, that you configured for theProxy IDin Prisma Access.
- ClickApply.
Troubleshoot the Citrix SD-WAN Remote Network
To monitor and troubleshoot IPSec tunnels on the Citrix side of the tunnel, open
the Citrix SD-WAN UI and select and .
For more troubleshooting information, see the following Citrix documents:
In addition, Prisma Access provides logs that provide you with the status of
remote tunnels and the status of each tunnel. To view these logs in Panorama,
select .
To debug tunnel issues, you can filter for tunnel-specific logs by using the
object identifier corresponding to that tunnel. The following figures show
errors related to tunnel misconfiguration and negotiation issues.
