Integrate Prisma Access with Citrix SD-WAN
The following sections describe how to use Citrix SD-WAN with Prisma Access to provide next-generation security for internet-bound traffic from your branch sites.
Where Can I Use This?
What Do I Need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
Citrix supports the following deployment architectures for use with Prisma Access. A dash (—) indicates that the deployment isn't supported.

Use Case | Architecture | Supported?
Securing traffic from each branch site with 1 WAN link (Type 1) | | Yes
Securing branch and HQ sites with active/backup SD-WAN connections | Traffic from the branch to the internet is secured through a secure web gateway (SWG). A pair of Citrix SD-WAN appliances secures branch-to-branch traffic; the SWG is not in that traffic path. | Yes
Securing branch and HQ sites with active/active SD-WAN connections | You can configure Citrix tunnels in an active/active configuration if the traffic that each tunnel carries is distinct (for example, traffic from one subnet uses one tunnel and traffic from another subnet uses the other tunnel). | Yes
Securing branch and HQ sites with SD-WAN edge devices in HA mode | | Yes
Securing SD-WAN deployments with Regional Hub/POP architecture (Type 2) | | Yes

Cloud Management

To configure the Citrix SD-WAN remote network tunnel in Prisma Access and in Citrix, use the following workflow.
    • Choose a Prisma Access Location that is close to the remote network location that you want to onboard.
    • When creating the IPSec tunnel, use a Branch Device Type of Citrix.
    • Specify an IKE Peer Identification of IP Address and enter the Citrix SD-WAN public IP address.
  1. Add a Proxy ID for the Citrix peer to allow traffic from the Citrix SD-WAN through the tunnel. For the Local entry, use the Destination IP/Prefix that you configure on the Citrix side in a later task (0.0.0.0/0 in this example). For the Remote entry, use the Source IP/Prefix that you configure on the Citrix side in a later task (the branch subnet, 172.16.4.0/24 in this example).
     A Local entry of 0.0.0.0/0 means that all traffic (including internet traffic) from the Citrix SD-WAN that is sourced from the remote subnet (172.16.4.0/24 in this example) is sent through the tunnel and protected by Prisma Access. The Proxy ID on the Prisma Access side and the traffic selectors on the Citrix side must mirror each other exactly; otherwise IKE phase 2 negotiation fails and no traffic is carried.
  2. Select IPSec Advanced Options and select an IPSec Crypto profile of Citrix-IPSec-Crypto-Default.
  3. Select IKE Advanced Options and select an IKEv1 crypto profile of Citrix-IKE-Crypto-Default.
  4. Set up routing for the remote network. Under Routing, choose Static Routing and Add a Branch IP Subnet that you have reserved for this remote network connection (172.16.4.0/24 in this example). Prisma Access routes return traffic for these subnets into the tunnel, so each subnet must fall within the Remote entry of the Proxy ID; a subnet outside the Proxy ID is routed to the tunnel but not covered by any IPSec security association.
  5. Push your configuration changes: return to Manage > Service Setup > Remote Networks, select Push Config > Push, select Remote Networks, and Push your changes.
  6. Make a note of the Service IP of the Prisma Access side of the tunnel. To find this address in Prisma Access (Cloud Management), select Manage > Service Setup > Remote Networks, click Remote Networks, and look for the Service IP field corresponding to the remote network configuration you created.
  7. Log in to the Citrix SD-WAN web interface and select Connection > Site > IPsec Tunnels.
  8. Choose a Service Type (LAN or Intranet).
  9. Enter a Name for the service type.
  10. Select the available Local IP address. If you specified a service type of Intranet, the configured Intranet server determines which Local IP addresses are available.
  11. In the Peer IP field, specify the Service IP that you noted when you configured the remote network in Prisma Access.
  12. Specify the IKE and IPSec parameters (IKE version, pre-shared key, and crypto algorithms), matching the parameters you specified in Prisma Access. Note the Source IP/Prefix and Destination IP/Prefix values; they must match the Remote and Local values, respectively, that you configured for the Proxy ID in Prisma Access (Source 172.16.4.0/24 and Destination 0.0.0.0/0 in this example).
  13. Click Apply.

Troubleshoot the Citrix SD-WAN Remote Network

To monitor and troubleshoot IPSec tunnels on the Citrix side of the tunnel, open the Citrix SD-WAN web interface and select Monitoring > Statistics and Monitoring > IKE/IPSec.
In addition, Prisma Access provides logs and widgets that show the status of each remote network tunnel.
  • Go to Manage > Service Setup > Remote Networks and check the Status of the tunnel.
  • Go to Activity > Log Viewer and check the Common/System logs for IPSec- and IKE-related messages. To view VPN-related messages, set the filter to sub_type.value = vpn. The message ignoring unauthenticated notify payload indicates that the route has not been added in the crypto map on the other side of the IPSec tunnel after the IPSec negotiation has already completed.
  • Check the Firewall/Traffic logs and view the messages that come from the zone that has the same name as the remote network; in these logs, the remote network name is used as the source zone.

Panorama

To configure the Citrix SD-WAN remote network tunnel, use the following workflow.
Before you start this workflow, perform the following tasks:
  • Configure Prisma Access for remote networks for the tunnels you create in this section, and make a note of the IKE and IPSec Crypto profiles you used for the remote network tunnel. Match these profiles when you configure the IPSec tunnel in the Citrix SD-WAN.
  • When you configure the IKE gateway, use the following configuration parameters:
    • Specify the Citrix SD-WAN public IP address as the Peer Address.
    • Enable NAT Traversal in the Advanced Options tab.
  • When you configure the IPSec Gateway, specify the following configuration parameters:
    • Specify the IKE Gateway and IPSec Crypto Profile that you created in Panorama for this remote network tunnel. These profiles include all the required IKE and IPSec crypto settings. Leave Enable Replay Protection selected so that replayed IPSec packets are detected and dropped.
    • Add a Proxy ID for the Citrix peer to allow traffic from the Citrix SD-WAN through the tunnel. For the Local entry, use the Destination IP/Prefix that you configure on the Citrix side in a later task (0.0.0.0/0 in this example). For the Remote entry, use the Source IP/Prefix that you configure on the Citrix side in a later task (the branch subnet, 172.16.4.0/24 in this example).
      A Local entry of 0.0.0.0/0 means that all traffic (including internet traffic) from the Citrix SD-WAN that is sourced from the remote subnet (172.16.4.0/24 in this example) is sent through the tunnel and protected by Prisma Access. The Proxy ID and the Citrix traffic selectors must mirror each other exactly, or IKE phase 2 negotiation fails.
      For more information, refer to the Citrix document Palo Alto Integration by Using IPsec Tunnels.
  • Make a note of the Service IP address of the Prisma Access side of the tunnel after you create the remote network tunnel. To find this address in Panorama, select Panorama > Cloud Services > Status > Network Details, click the Remote Networks radio button, and find the address in the Service IP Address field.
After you configure the remote network tunnel in Panorama, configure the IPSec tunnel in the Citrix SD-WAN by completing the following task.
  1. Log in to the Citrix SD-WAN web interface and select Connection > Site > IPsec Tunnels.
  2. Choose a Service Type (LAN or Intranet).
  3. Enter a Name for the service type.
  4. Select the available Local IP address. If you specified a service type of Intranet, the configured Intranet server determines which Local IP addresses are available.
  5. In the Peer IP field, specify the Service IP Address that you noted when you configured the remote network in Prisma Access.
  6. Specify the IKE and IPSec parameters (IKE version, pre-shared key, and crypto algorithms), matching the parameters you specified in Prisma Access. Note the Source IP/Prefix and Destination IP/Prefix values; they must match the Remote and Local values, respectively, that you configured for the Proxy ID in Prisma Access (Source 172.16.4.0/24 and Destination 0.0.0.0/0 in this example).
  7. Click Apply.

Troubleshoot the Citrix SD-WAN Remote Network

To monitor and troubleshoot IPSec tunnels on the Citrix side of the tunnel, open the Citrix SD-WAN UI and select Monitoring > Statistics and Monitoring > IKE/IPSec.
For more troubleshooting information, see the following Citrix documents:
In addition, Prisma Access provides logs that show the status of each remote network tunnel. To view these logs in Panorama, select Monitor > Logs > System.
To debug tunnel issues, you can filter for tunnel-specific logs by using the object identifier corresponding to that tunnel. The following figures show errors related to tunnel misconfiguration and negotiation issues.
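Both troubleshooting sections come down to the same routine: keep the VPN-subtype system log records, narrow them to one tunnel's object identifier, and recognise the handful of IKE/IPSec messages that point at a specific misconfiguration. The following script is an added example, not Palo Alto Networks or Citrix code; it does not read logs from Prisma Access or Panorama but works on records you have already exported. The records are constructed samples with a simplified field set (sub_type, object, description; the real system log has more columns). The first description is the message quoted on this page; the others paraphrase typical PAN-OS IKE wording and are not verbatim log lines. The tunnel names and the addresses 203.0.113.10 (Prisma Access Service IP) and 198.51.100.7 (Citrix public IP) are placeholders.

```python
"""Triage IKE/IPSec system log records for a Prisma Access remote network tunnel:
keep sub_type vpn (optionally one tunnel object) and map known messages to a
diagnosis, the way a person reads Log Viewer or Monitor > Logs > System.
Added example, not vendor code."""
import re
from collections import defaultdict

# Constructed sample records with a simplified field set. The first description is the
# message quoted on this page; the others paraphrase typical PAN-OS IKE wording and are
# not verbatim log lines. All names and addresses are placeholders.
SAMPLE_LOGS = [
    {"sub_type": "vpn", "object": "citrix-branch-1",
     "description": "ignoring unauthenticated notify payload"},
    {"sub_type": "vpn", "object": "citrix-branch-1",
     "description": "IKE phase-2 negotiation failed when processing proxy ID. "
                    "cannot find matching phase-2 tunnel for received proxy ID"},
    {"sub_type": "general", "object": "",
     "description": "Commit job succeeded"},
    {"sub_type": "vpn", "object": "citrix-branch-2",
     "description": "IKE phase-1 negotiation is failed as initiator, main mode. "
                    "Failed SA: 203.0.113.10[500]-198.51.100.7[500]"},
    {"sub_type": "vpn", "object": "citrix-branch-2",
     "description": "IPSec key installed. Installed SA: 203.0.113.10[500]-198.51.100.7[500]"},
]

# Ordered signatures: (label, regex over the description, what to check next).
# The first rule is the message explained on this page; order matters because the
# proxy-ID rule is broader than the notify-payload rule.
RULES = [
    ("route-missing-in-peer-crypto-map", re.compile(r"ignoring unauthenticated notify payload", re.I),
     "negotiation completed but the peer has no crypto-map entry for the route; "
     "add the route on the other side of the tunnel"),
    ("proxy-id-mismatch", re.compile(r"proxy[- ]?id", re.I),
     "Citrix Source/Destination IP/Prefix do not mirror the Prisma Access Remote/Local Proxy ID"),
    ("phase1-failed", re.compile(r"phase-1 negotiation", re.I),
     "peer address, IKE peer identification, pre-shared key, IKE version or IKE crypto "
     "profile differs between the two sides"),
    ("sa-installed", re.compile(r"key installed", re.I),
     "tunnel is up; continue in the Firewall/Traffic logs with the remote network name as source zone"),
]


def vpn_logs(records, tunnel=None):
    """The sub_type.value = vpn filter, optionally narrowed to one tunnel's object identifier."""
    return [r for r in records
            if r["sub_type"] == "vpn" and (tunnel is None or r["object"] == tunnel)]


def diagnose(description):
    """Map one description to (label, next check); unknown text is left for a human."""
    for label, pattern, hint in RULES:
        if pattern.search(description):
            return label, hint
    return "unclassified", "no known IKE/IPSec signature; read the full description"


def triage(records, tunnel=None):
    """Per-tunnel list of labels in log order; non-VPN subtypes are dropped."""
    by_tunnel = defaultdict(list)
    for r in vpn_logs(records, tunnel):
        by_tunnel[r["object"]].append(diagnose(r["description"])[0])
    return dict(by_tunnel)


if __name__ == "__main__":
    for r in vpn_logs(SAMPLE_LOGS):
        label, hint = diagnose(r["description"])
        print(f"{r['object']:16} {label:34} {hint}")
```

Extend RULES with the exact description strings you see in your own tenant; a signature that matches too broadly (for example, matching on "failed" alone) would hide the distinction between a phase 1 and a phase 2 problem, which is precisely what decides whether you look at the IKE crypto profile or at the Proxy ID.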
