Citrix SD-WAN Solution Guide
Focus
Focus
Prisma Access

Citrix SD-WAN Solution Guide

Table of Contents

Citrix SD-WAN Solution Guide

The following sections describe how you use the Citrix SD-WAN with Prisma Access to provide next-generation security on internet-bound traffic.
Where Can I Use This?
What Do I Need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
To use this Solution Guide, you need a knowledge of SD-WAN routing principles.
You onboard your SD-WAN edge devices using a remote network connection between the edge device at the branch site, HQ, or hub to Prisma Access. To do this you Onboard a Remote Network, ensuring that you use supported IKE and IPSec cryptographic settings detailed here.
The following table documents the IKE/IPSec crypto settings that are supported with Prisma Access and the Citrix SD-WAN.
A check mark indicates that the profile or architecture type is supported; a dash (—) indicates that it's not supported. Default and Recommended settings are noted in the table.
Crypto Profiles
Prisma Access
Citrix SD-WAN
Tunnel Type
IPSec Tunnel
GRE Tunnel
Routing
Static Routes
Dynamic Routing (BGP)
Dynamic Routing (OSPF)
IKE Versions
IKE v1
IKE v2
IPSec Phase 1 DH-Group
Group 1
Group 2
(Default)
Group 5
Group 14
Group 19
Group 20
(Recommended)
IPSec Phase 1 Auth
If you use IKEv2 with certificate-based authentication, onlySHA1 is supported IKE Crypto profiles (Phase 1).
MD5
SHA1
(Default)
SHA256
SHA384
SHA512
(Recommended)
IPSec Phase 1 Encryption
DES
3DES
(Default)
AES-128-CBC
(Default)
AES-192-CBC
AES-256-CBC
(Recommended)
IPSec Phase 1 Key Lifetime Default
(8 Hours)
(1 day)
IPSec Phase 1 Peer Authentication
Pre-Shared Key
Certificate
IKE Peer Identification
FQDN
IP Address
User FQDN
IKE Peer
As Static Peer
As Dynamic Peer
Options
NAT Traversal
Passive Mode
Ability to Negotiate Tunnel
Per Subnet Pair
Per Pair of Hosts
Per Gateway Pair
IPSec Phase 2 DH-Group
Group 1
Group 2
(Default)
Group 5
Group 14
Group 19
Group 20
(Recommended)
No PFS
(Default)
IPSec Phase 2 Auth
MD5
SHA1
(Default)
SHA256
SHA384
SHA512
(Recommended)
None
IPSec Phase 2 Encryption
DES
3DES
(Default)
AES-128-CBC
(Default)
AES-192-CBC
AES-256-CBC
AES-128-CCM
AES-128-GCM
AES-256-GCM
(Recommended)
NULL
IPSec Protocol
ESP
AH
IPSec Phase 2 Key Lifetime Default
(1 Hour)
(1 Day Max)
Tunnel Monitoring Fallback
Dead Peer Detection (DPD)
ICMP
Bidirectional Forwarding Detection (BFD)
SD-WAN Architecture Type
With Regional Hub/Gateway/Data Center
N/A
No Regional Hub/Gateway/Data Center
NA

Recommended For You