Citrix SD-WAN Solution Guide
The following sections describe how to use Citrix SD-WAN with Prisma Access to provide next-generation security for internet-bound traffic.
If you have any issues after you complete these tasks, see Troubleshoot the Citrix SD-WAN Remote Network.
Supported Software Versions and Requirements
The Citrix SD-WAN-Prisma Access solution is
qualified with the following Citrix SD-WAN software versions:
- 10.1
To use this Solution Guide, you need knowledge of SD-WAN routing principles.
Supported IKE and IPSec Cryptographic Profiles
You onboard your SD-WAN edge devices by using a remote network connection between the edge device at the branch site, HQ, or hub and Prisma Access. To do this, Onboard a Remote Network (Cloud Management), making sure that you use the supported IKE and IPSec cryptographic settings detailed here.
The following table documents the IKE/IPSec crypto settings that are supported with Prisma Access and Citrix SD-WAN.
A check mark (✓) indicates that the profile or architecture type is supported; a dash (—) indicates that it is not supported. Default and Recommended settings are noted in the table.
Crypto Profiles | Setting | Prisma Access | Citrix SD-WAN
---|---|---|---
Tunnel Type | IPSec Tunnel | ✓ | ✓
Tunnel Type | GRE Tunnel | — | ✓
Routing | Static Routes | ✓ | ✓
Routing | Dynamic Routing (BGP) | ✓ | ✓
Routing | Dynamic Routing (OSPF) | — | ✓
IKE Versions | IKE v1 | ✓ | ✓
IKE Versions | IKE v2 | ✓ | ✓
IPSec Phase 1 DH-Group | Group 1 | ✓ | ✓
IPSec Phase 1 DH-Group | Group 2 | ✓ | ✓
IPSec Phase 1 DH-Group | Group 5 | ✓ | ✓
IPSec Phase 1 DH-Group | Group 14 | ✓ | ✓
IPSec Phase 1 DH-Group | Group 19 | ✓ | ✓
IPSec Phase 1 DH-Group | Group 20 | ✓ | ✓
IPSec Phase 1 Auth (see note) | MD5 | ✓ | ✓
IPSec Phase 1 Auth (see note) | SHA1 | ✓ | ✓
IPSec Phase 1 Auth (see note) | SHA256 | ✓ | ✓
IPSec Phase 1 Auth (see note) | SHA384 | ✓ | —
IPSec Phase 1 Auth (see note) | SHA512 | ✓ | —
IPSec Phase 1 Encryption | DES | ✓ | —
IPSec Phase 1 Encryption | 3DES | ✓ | —
IPSec Phase 1 Encryption | AES-128-CBC | ✓ | ✓
IPSec Phase 1 Encryption | AES-192-CBC | ✓ | ✓
IPSec Phase 1 Encryption | AES-256-CBC | ✓ | ✓
IPSec Phase 1 Key Lifetime | Default | ✓ | ✓
IPSec Phase 1 Peer Authentication | Pre-Shared Key | ✓ | ✓
IPSec Phase 1 Peer Authentication | Certificate | ✓ | ✓
IKE Peer Identification | FQDN | ✓ | —
IKE Peer Identification | IP Address | ✓ | ✓
IKE Peer Identification | User FQDN | ✓ | —
IKE Peer | As Static Peer | ✓ | ✓
IKE Peer | As Dynamic Peer | ✓ | ✓
Options | NAT Traversal | ✓ | ✓
Options | Passive Mode | ✓ | ✓
Ability to Negotiate Tunnel | Per Subnet Pair | ✓ | ✓
Ability to Negotiate Tunnel | Per Pair of Hosts | ✓ | ✓
Ability to Negotiate Tunnel | Per Gateway Pair | ✓ | ✓
IPSec Phase 2 DH-Group | Group 1 | ✓ | ✓
IPSec Phase 2 DH-Group | Group 2 | ✓ | ✓
IPSec Phase 2 DH-Group | Group 5 | ✓ | ✓
IPSec Phase 2 DH-Group | Group 14 | ✓ | ✓
IPSec Phase 2 DH-Group | Group 19 | ✓ | ✓
IPSec Phase 2 DH-Group | Group 20 | ✓ | ✓
IPSec Phase 2 DH-Group | No PFS | ✓ | ✓
IPSec Phase 2 Auth | MD5 | ✓ | ✓
IPSec Phase 2 Auth | SHA1 | ✓ | ✓
IPSec Phase 2 Auth | SHA256 | ✓ | ✓
IPSec Phase 2 Auth | SHA384 | ✓ | —
IPSec Phase 2 Auth | SHA512 | ✓ | —
IPSec Phase 2 Auth | None | ✓ | ✓
IPSec Phase 2 Encryption | DES | ✓ | —
IPSec Phase 2 Encryption | 3DES | ✓ | —
IPSec Phase 2 Encryption | AES-128-CBC | ✓ | ✓
IPSec Phase 2 Encryption | AES-192-CBC | ✓ | ✓
IPSec Phase 2 Encryption | AES-256-CBC | ✓ | ✓
IPSec Phase 2 Encryption | AES-128-CCM | ✓ | —
IPSec Phase 2 Encryption | AES-128-GCM | ✓ | ✓
IPSec Phase 2 Encryption | AES-256-GCM | ✓ | ✓
IPSec Phase 2 Encryption | NULL | ✓ | ✓
IPSec Protocol | ESP | ✓ | ✓
IPSec Protocol | AH | ✓ | ✓
IPSec Phase 2 Key Lifetime | Default | ✓ | ✓
Tunnel Monitoring Fallback | Dead Peer Detection (DPD) | ✓ | ✓
Tunnel Monitoring Fallback | ICMP | — | —
Tunnel Monitoring Fallback | Bidirectional Forwarding Detection (BFD) | — | —
SD-WAN Architecture Type | With Regional Hub/Gateway/Data Center | N/A | ✓
SD-WAN Architecture Type | No Regional Hub/Gateway/Data Center | N/A | ✓

Note on IPSec Phase 1 Auth: If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).
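As an added example (not code from the guide or from either vendor), the following Python checks a proposed IKE/IPsec profile against the settings the table above marks as supported on both the Prisma Access and the Citrix SD-WAN side, applies the IKEv2 certificate-authentication caveat, and separately flags choices that are mutually supported but cryptographically weak. The profile key names and the sample profile are assumptions constructed for this example, not Prisma Access or Citrix field names.

```python
# Settings the matrix above marks as supported by BOTH peers. The key
# names are assumptions for this example, not vendor field names.
MUTUAL = {
    "ike_version": {"ikev1", "ikev2"},
    "p1_dh_group": {1, 2, 5, 14, 19, 20},
    "p1_auth": {"md5", "sha1", "sha256"},
    "p1_encryption": {"aes-128-cbc", "aes-192-cbc", "aes-256-cbc"},
    "peer_auth": {"psk", "certificate"},
    "peer_id": {"ip-address"},  # FQDN and User FQDN are Prisma-only
    "p2_dh_group": {1, 2, 5, 14, 19, 20, None},  # None = no PFS
    "p2_auth": {"md5", "sha1", "sha256", None},
    "p2_encryption": {"aes-128-cbc", "aes-192-cbc", "aes-256-cbc",
                      "aes-128-gcm", "aes-256-gcm", "null"},
    "protocol": {"esp", "ah"},
}
# Supported by both peers but weak; flagged so a reviewer sees them.
WEAK = {"p1_dh_group": {1, 2, 5}, "p2_dh_group": {1, 2, 5, None},
        "p1_auth": {"md5", "sha1"}, "p2_auth": {"md5", "sha1", None},
        "p2_encryption": {"null"}}
AEAD = {"aes-128-gcm", "aes-256-gcm"}  # carry their own integrity check

def check_profile(profile):
    """Return (errors, warnings): errors are settings the matrix does not
    support on both peers; warnings are supported-but-weak choices."""
    errors, warnings = [], []
    for key, allowed in MUTUAL.items():
        value = profile.get(key)
        if value not in allowed:
            errors.append(f"{key}={value!r} is not supported by both peers")
        elif value in WEAK.get(key, set()):
            # No separate Phase 2 auth is expected with an AEAD cipher.
            if key == "p2_auth" and value is None \
                    and profile.get("p2_encryption") in AEAD:
                continue
            warnings.append(f"{key}={value!r} is supported but weak")
    # Caveat from the table: IKEv2 + certificate auth -> Phase 1 SHA1 only.
    if (profile.get("ike_version") == "ikev2"
            and profile.get("peer_auth") == "certificate"
            and profile.get("p1_auth") != "sha1"):
        errors.append("IKEv2 with certificate auth requires p1_auth='sha1'")
    return errors, warnings

# Constructed sample profile: one the matrix accepts without warnings.
GOOD = {"ike_version": "ikev2", "p1_dh_group": 14, "p1_auth": "sha256",
        "p1_encryption": "aes-256-cbc", "peer_auth": "psk",
        "peer_id": "ip-address", "p2_dh_group": 14, "p2_auth": None,
        "p2_encryption": "aes-256-gcm", "protocol": "esp"}

if __name__ == "__main__":
    print(check_profile(GOOD))  # ([], [])
```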
SD-WAN Deployment Architectures Supported by Citrix
Citrix supports the following deployment architectures for use with Prisma Access. A dash (—) indicates that the deployment is not supported.
Use Case | Notes | Supported?
---|---|---
Securing traffic from each branch site with 1 WAN link (Type 1) | | Yes
Securing branch and HQ sites with active/backup SD-WAN connections | Securing traffic from branch to internet is supported through Secure Web Gateway (SWG). A pair of Citrix SD-WAN appliances secures traffic from branch to branch; SWGs are not in this traffic path. | Yes
Securing branch and HQ sites with active/active SD-WAN connections | You can configure Citrix tunnels in an active/active configuration if the traffic that each tunnel carries is distinct (for example, if you specify traffic in one subnet to use one tunnel and traffic in another subnet to use another tunnel). | Yes
Securing branch and HQ sites with SD-WAN edge devices in HA mode | | Yes
Securing SD-WAN deployments with Regional Hub/POP architecture (Type 2) | | Yes