Prisma Access
Citrix SD-WAN Solution Guide
Citrix SD-WAN Solution Guide
The following sections describe how you use the Citrix SD-WAN with Prisma Access to
provide next-generation security on internet-bound traffic.
To use this Solution Guide, you need a working knowledge of SD-WAN routing principles.
You onboard your SD-WAN edge devices using a remote network connection between the edge
device at the branch site, HQ, or hub and Prisma Access. To do this, you Onboard a Remote Network, making sure that you
use the supported IKE and IPSec cryptographic settings detailed here.
The following table documents the IKE/IPSec crypto settings that are supported with
Prisma Access and the Citrix SD-WAN.
A check mark indicates that the profile or architecture type is supported; a dash (—)
indicates that it's not supported. Default and Recommended settings are noted in the
table.
| Crypto Profiles | Setting | Prisma Access | Citrix SD-WAN |
|---|---|---|---|
| Tunnel Type | IPSec Tunnel | √ | √ |
| | GRE Tunnel | — | √ |
| Routing | Static Routes | √ | √ |
| | Dynamic Routing (BGP) | √ | √ |
| | Dynamic Routing (OSPF) | — | √ |
| IKE Versions | IKE v1 | √ | √ |
| | IKE v2 | √ | √ |
| IPSec Phase 1 DH-Group | Group 1 | √ | √ |
| | Group 2 | √ | √ |
| | Group 5 | √ | √ |
| | Group 14 | √ | √ |
| | Group 19 | √ | √ |
| | Group 20 | √ | √ |
| IPSec Phase 1 Auth (see note below) | MD5 | √ | √ |
| | SHA1 | √ | √ |
| | SHA256 | √ | √ |
| | SHA384 | √ | — |
| | SHA512 | √ | — |
| IPSec Phase 1 Encryption | DES | √ | — |
| | 3DES | √ | — |
| | AES-128-CBC | √ | √ |
| | AES-192-CBC | √ | √ |
| | AES-256-CBC | √ | √ |
| IPSec Phase 1 Key Lifetime | Default | √ | √ |
| IPSec Phase 1 Peer Authentication | Pre-Shared Key | √ | √ |
| | Certificate | √ | √ |
| IKE Peer Identification | FQDN | √ | — |
| | IP Address | √ | √ |
| | User FQDN | √ | — |
| IKE Peer | As Static Peer | √ | √ |
| | As Dynamic Peer | √ | √ |
| Options | NAT Traversal | √ | √ |
| | Passive Mode | √ | √ |
| Ability to Negotiate Tunnel | Per Subnet Pair | √ | √ |
| | Per Pair of Hosts | √ | √ |
| | Per Gateway Pair | √ | √ |
| IPSec Phase 2 DH-Group | Group 1 | √ | √ |
| | Group 2 | √ | √ |
| | Group 5 | √ | √ |
| | Group 14 | √ | √ |
| | Group 19 | √ | √ |
| | Group 20 | √ | √ |
| | No PFS | √ | √ |
| IPSec Phase 2 Auth | MD5 | √ | √ |
| | SHA1 | √ | √ |
| | SHA256 | √ | √ |
| | SHA384 | √ | — |
| | SHA512 | √ | — |
| | None | √ | √ |
| IPSec Phase 2 Encryption | DES | √ | — |
| | 3DES | √ | — |
| | AES-128-CBC | √ | √ |
| | AES-192-CBC | √ | √ |
| | AES-256-CBC | √ | √ |
| | AES-128-CCM | √ | — |
| | AES-128-GCM | √ | √ |
| | AES-256-GCM | √ | √ |
| | NULL | √ | √ |
| IPSec Protocol | ESP | √ | √ |
| | AH | √ | √ |
| IPSec Phase 2 Key Lifetime | Default | √ | √ |
| Tunnel Monitoring Fallback | Dead Peer Detection (DPD) | √ | √ |
| | ICMP | — | — |
| | Bidirectional Forwarding Detection (BFD) | — | — |
| SD-WAN Architecture Type | With Regional Hub/Gateway/Data Center | N/A | √ |
| | No Regional Hub/Gateway/Data Center | N/A | √ |

Note on IPSec Phase 1 Auth: if you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE Crypto profiles (Phase 1).
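As an added example (not Palo Alto Networks' or Citrix's code), the following Python checks a proposed tunnel profile against the matrix above: every value must be listed as supported in both columns, and the Phase 1 note about IKEv2 with certificate-based authentication is enforced. The profile keys, the value spellings and the legacy-setting warning list are the editor's own assumptions, not part of the table.

```python
# Compatibility matrix transcribed from the table above: every listed value is
# supported by Prisma Access; CITRIX_UNSUPPORTED holds the dash rows for Citrix.
SETTINGS = {
    "ike_version": ["ikev1", "ikev2"],
    "p1_dh_group": ["group1", "group2", "group5", "group14", "group19", "group20"],
    "p1_auth": ["md5", "sha1", "sha256", "sha384", "sha512"],
    "p1_encryption": ["des", "3des", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc"],
    "peer_auth": ["psk", "certificate"],
    "peer_id": ["fqdn", "ip", "ufqdn"],
    "p2_dh_group": ["group1", "group2", "group5", "group14", "group19", "group20", "no-pfs"],
    "p2_auth": ["md5", "sha1", "sha256", "sha384", "sha512", "none"],
    "p2_encryption": ["des", "3des", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc",
                      "aes-128-ccm", "aes-128-gcm", "aes-256-gcm", "null"],
    "protocol": ["esp", "ah"],
}
CITRIX_UNSUPPORTED = {
    "p1_auth": {"sha384", "sha512"}, "p1_encryption": {"des", "3des"},
    "peer_id": {"fqdn", "ufqdn"}, "p2_auth": {"sha384", "sha512"},
    "p2_encryption": {"des", "3des", "aes-128-ccm"},
}
# Editor's advisory (assumption, not stated by the table): mutually supported
# but legacy choices that a new tunnel should avoid.
LEGACY = {"md5", "des", "3des", "group1", "group2", "group5", "null", "none", "no-pfs"}

def check_profile(profile):
    errors, warnings = [], []  # errors break interoperability; warnings are advisory
    for key, value in profile.items():
        if value not in SETTINGS.get(key, []):
            errors.append(f"{key}={value}: not in the compatibility matrix")
            continue
        if value in CITRIX_UNSUPPORTED.get(key, set()):
            errors.append(f"{key}={value}: supported by Prisma Access only")
        if value in LEGACY:
            warnings.append(f"{key}={value}: legacy setting, prefer a stronger option")
    # Table note: IKEv2 with certificate-based peer auth needs SHA1 in Phase 1.
    if (profile.get("ike_version") == "ikev2"
            and profile.get("peer_auth") == "certificate"
            and profile.get("p1_auth") != "sha1"):
        errors.append("ikev2 with certificate peer auth: Phase 1 auth must be sha1")
    return errors, warnings

# Constructed sample profile: interoperable except for Phase 1 SHA-384.
SAMPLE = {"ike_version": "ikev2", "p1_dh_group": "group14", "p1_auth": "sha384",
          "p1_encryption": "aes-256-cbc", "peer_auth": "psk", "peer_id": "ip",
          "p2_dh_group": "group14", "p2_auth": "sha256",
          "p2_encryption": "aes-256-gcm", "protocol": "esp"}
if __name__ == "__main__":
    errs, warns = check_profile(SAMPLE)
    print("\n".join(["ERROR " + e for e in errs] + ["WARN " + w for w in warns]))
```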