Citrix SD-WAN Solution Guide
The following sections describe how you use Citrix SD-WAN with Prisma Access to provide next-generation security for internet-bound traffic.

If you have any issues after you complete these tasks, see Troubleshoot the Citrix SD-WAN Remote Network.
Supported Software Versions and Requirements
The Citrix SD-WAN and Prisma Access solution is qualified with the following Citrix SD-WAN software versions:
- 10.1

To use this Solution Guide, you need knowledge of SD-WAN routing principles.
Supported IKE and IPSec Cryptographic Profiles
You onboard your SD-WAN edge devices using a remote network connection between the edge device at the branch site, HQ, or hub and Prisma Access. Use Panorama to create the remote network connection and the IKE and IPSec crypto profiles; then set up an IPSec tunnel between the SD-WAN edge device and Prisma Access using the same crypto profiles you configured in Panorama. The proposals must match on both ends, so configure only settings that both Prisma Access and the Citrix SD-WAN edge support.

The following table documents the IKE/IPSec crypto settings that are supported with Prisma Access and Citrix SD-WAN. A check mark (✓) indicates that the profile or architecture type is supported; a dash (—) indicates that it is not supported. Default and Recommended settings are noted in the table.
Crypto Profiles | Option | Prisma Access | Citrix SD-WAN
---|---|---|---
Tunnel Type | IPSec Tunnel | ✓ | ✓
Tunnel Type | GRE Tunnel | — | ✓
Routing | Static Routes | ✓ | ✓
Routing | Dynamic Routing (BGP) | ✓ | ✓
Routing | Dynamic Routing (OSPF) | — | ✓
IKE Versions | IKE v1 | ✓ | ✓
IKE Versions | IKE v2 | ✓ | ✓
IPSec Phase 1 DH-Group | Group 1 | ✓ | ✓
IPSec Phase 1 DH-Group | Group 2 | ✓ | ✓
IPSec Phase 1 DH-Group | Group 5 | ✓ | ✓
IPSec Phase 1 DH-Group | Group 14 | ✓ | ✓
IPSec Phase 1 DH-Group | Group 19 | ✓ | ✓
IPSec Phase 1 DH-Group | Group 20 | ✓ | ✓
IPSec Phase 1 Auth (see note below) | MD5 | ✓ | ✓
IPSec Phase 1 Auth (see note below) | SHA1 | ✓ | ✓
IPSec Phase 1 Auth (see note below) | SHA256 | ✓ | ✓
IPSec Phase 1 Auth (see note below) | SHA384 | ✓ | —
IPSec Phase 1 Auth (see note below) | SHA512 | ✓ | —
IPSec Phase 1 Encryption | DES | ✓ | —
IPSec Phase 1 Encryption | 3DES | ✓ | —
IPSec Phase 1 Encryption | AES-128-CBC | ✓ | ✓
IPSec Phase 1 Encryption | AES-192-CBC | ✓ | ✓
IPSec Phase 1 Encryption | AES-256-CBC | ✓ | ✓
IPSec Phase 1 Key Lifetime | Default | ✓ | ✓
IPSec Phase 1 Peer Authentication | Pre-Shared Key | ✓ | ✓
IPSec Phase 1 Peer Authentication | Certificate | ✓ | ✓
IKE Peer Identification | FQDN | ✓ | —
IKE Peer Identification | IP Address | ✓ | ✓
IKE Peer Identification | User FQDN | ✓ | —
IKE Peer | As Static Peer | ✓ | ✓
IKE Peer | As Dynamic Peer | ✓ | ✓
Options | NAT Traversal | ✓ | ✓
Options | Passive Mode | ✓ | ✓
Ability to Negotiate Tunnel | Per Subnet Pair | ✓ | ✓
Ability to Negotiate Tunnel | Per Pair of Hosts | ✓ | ✓
Ability to Negotiate Tunnel | Per Gateway Pair | ✓ | ✓
IPSec Phase 2 DH-Group | Group 1 | ✓ | ✓
IPSec Phase 2 DH-Group | Group 2 | ✓ | ✓
IPSec Phase 2 DH-Group | Group 5 | ✓ | ✓
IPSec Phase 2 DH-Group | Group 14 | ✓ | ✓
IPSec Phase 2 DH-Group | Group 19 | ✓ | ✓
IPSec Phase 2 DH-Group | Group 20 | ✓ | ✓
IPSec Phase 2 DH-Group | No PFS | ✓ | ✓
IPSec Phase 2 Auth | MD5 | ✓ | ✓
IPSec Phase 2 Auth | SHA1 | ✓ | ✓
IPSec Phase 2 Auth | SHA256 | ✓ | ✓
IPSec Phase 2 Auth | SHA384 | ✓ | —
IPSec Phase 2 Auth | SHA512 | ✓ | —
IPSec Phase 2 Auth | None | ✓ | ✓
IPSec Phase 2 Encryption | DES | ✓ | —
IPSec Phase 2 Encryption | 3DES | ✓ | —
IPSec Phase 2 Encryption | AES-128-CBC | ✓ | ✓
IPSec Phase 2 Encryption | AES-192-CBC | ✓ | ✓
IPSec Phase 2 Encryption | AES-256-CBC | ✓ | ✓
IPSec Phase 2 Encryption | AES-128-CCM | ✓ | —
IPSec Phase 2 Encryption | AES-128-GCM | ✓ | ✓
IPSec Phase 2 Encryption | AES-256-GCM | ✓ | ✓
IPSec Phase 2 Encryption | NULL | ✓ | ✓
IPSec Protocol | ESP | ✓ | ✓
IPSec Protocol | AH | ✓ | ✓
IPSec Phase 2 Key Lifetime | Default | ✓ | ✓
Tunnel Monitoring Fallback | Dead Peer Detection (DPD) | ✓ | ✓
Tunnel Monitoring Fallback | ICMP | — | —
Tunnel Monitoring Fallback | Bidirectional Forwarding Detection (BFD) | — | —
SD-WAN Architecture Type | With Regional Hub/Gateway/Data Center | N/A | ✓
SD-WAN Architecture Type | No Regional Hub/Gateway/Data Center | N/A | ✓

Note on IPSec Phase 1 Auth: If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).
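Because an IKE or IPSec proposal only negotiates when both peers offer the same settings, the practical question this table answers is which settings are mutually supported, and which of those you should actually pick. The following Python script is an added example, not code from Citrix or Palo Alto Networks: it transcribes the support matrix above, computes the mutually supported set for each attribute, picks the strongest proposal under a weak-algorithm policy that is this example's own (the guide itself does not rank algorithms), honours the IKEv2-with-certificate note by restricting Phase 1 authentication to SHA1, and lists the settings only Prisma Access supports, which are the ones that cause a mismatch if configured on the Prisma Access side alone. The option names, the strength ranking and the AEAD handling are assumptions of the example.

```python
"""Find the strongest IKE/IPSec crypto settings that both Prisma Access and a
Citrix SD-WAN edge support, based on the compatibility table in this guide.

Added example. The support flags are transcribed from the table; the strength
ranking, the weak-algorithm policy and the AEAD rule are this example's own."""

# (prisma_access, citrix_sdwan) support flags, transcribed from the table above.
PHASE1 = {
    "dh_group": {
        "group1": (True, True), "group2": (True, True), "group5": (True, True),
        "group14": (True, True), "group19": (True, True), "group20": (True, True),
    },
    "auth": {
        "md5": (True, True), "sha1": (True, True), "sha256": (True, True),
        "sha384": (True, False), "sha512": (True, False),
    },
    "encryption": {
        "des": (True, False), "3des": (True, False), "aes-128-cbc": (True, True),
        "aes-192-cbc": (True, True), "aes-256-cbc": (True, True),
    },
}
PHASE2 = {
    "dh_group": {**PHASE1["dh_group"], "no-pfs": (True, True)},
    "auth": {**PHASE1["auth"], "none": (True, True)},
    "encryption": {
        **PHASE1["encryption"],
        "aes-128-ccm": (True, False), "aes-128-gcm": (True, True),
        "aes-256-gcm": (True, True), "null": (True, True),
    },
}

# Strongest first. This ordering is the example's own choice, not the guide's.
RANK = {
    "dh_group": ["group20", "group19", "group14", "group5", "group2", "group1", "no-pfs"],
    "auth": ["sha512", "sha384", "sha256", "sha1", "md5", "none"],
    "encryption": ["aes-256-gcm", "aes-256-cbc", "aes-192-cbc", "aes-128-gcm",
                   "aes-128-ccm", "aes-128-cbc", "3des", "des", "null"],
}
# Settings this example refuses to select even though both sides support them.
WEAK = {"group1", "group2", "group5", "no-pfs", "md5", "sha1", "none", "3des", "des", "null"}
# AEAD ciphers carry their own integrity check, so ESP auth is set to 'none' with them.
AEAD = {"aes-128-gcm", "aes-256-gcm", "aes-128-ccm"}


def mutually_supported(matrix, attribute):
    """Values of one attribute that both Prisma Access and Citrix SD-WAN accept."""
    return [v for v, (pa, cx) in matrix[attribute].items() if pa and cx]


def prisma_only(matrix):
    """Values only Prisma Access supports. Configuring one of these on the
    Prisma Access side gives a proposal the Citrix peer can never match."""
    return sorted((attr, v) for attr, vals in matrix.items()
                  for v, (pa, cx) in vals.items() if pa and not cx)


def strongest(matrix, attribute, allowed=None, permit_weak=False):
    """First value in RANK order that both sides support and policy permits.
    `allowed` narrows the candidates (used for the IKEv2 + certificate note)."""
    candidates = set(mutually_supported(matrix, attribute))
    if allowed is not None:
        candidates &= set(allowed)
    for value in RANK[attribute]:
        if value in candidates and (permit_weak or value not in WEAK):
            return value
    raise ValueError(f"no acceptable {attribute} shared by both sides")


def ike_profile(ikev2_certificate=False):
    """Phase 1 (IKE) proposal. Per the guide, IKEv2 with certificate-based
    authentication restricts Phase 1 auth to SHA1, so that case overrides the
    weak-algorithm policy instead of failing."""
    if ikev2_certificate:
        auth = strongest(PHASE1, "auth", allowed={"sha1"}, permit_weak=True)
    else:
        auth = strongest(PHASE1, "auth")
    return {"dh_group": strongest(PHASE1, "dh_group"), "auth": auth,
            "encryption": strongest(PHASE1, "encryption")}


def ipsec_profile():
    """Phase 2 (ESP) proposal: strongest mutually supported cipher and DH group;
    auth 'none' when the cipher is AEAD, otherwise the strongest shared HMAC."""
    enc = strongest(PHASE2, "encryption")
    auth = "none" if enc in AEAD else strongest(PHASE2, "auth")
    return {"dh_group": strongest(PHASE2, "dh_group"), "auth": auth, "encryption": enc}


if __name__ == "__main__":
    print("IKE (PSK or IKEv1):        ", ike_profile())
    print("IKE (IKEv2 + certificate): ", ike_profile(ikev2_certificate=True))
    print("IPSec:                     ", ipsec_profile())
    print("Prisma Access only, Phase 2:", prisma_only(PHASE2))
```

The script is a planning aid: enter the selected values by name in the Panorama crypto profiles and in the Citrix SD-WAN tunnel configuration so both sides offer identical proposals. Note that the IKEv2-with-certificate path returns SHA1 only because the guide states that restriction; everywhere else the policy keeps SHA1, MD5, DES, 3DES, the small DH groups, NULL encryption and No PFS out of the selection even though both products accept them.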
SD-WAN Deployment Architectures Supported by Citrix
Citrix supports the following deployment architectures for use with Prisma Access. A dash (—) in the Supported? column indicates that the deployment is not supported.
Use Case | Architecture | Supported?
---|---|---
Securing traffic from each branch site with 1 WAN link (Type 1) | (diagram) | Yes
Securing branch and HQ sites with active/backup SD-WAN connections. Securing traffic from branch to internet is supported through Secure Web Gateway (SWG). A pair of Citrix SD-WAN appliances secure traffic from branch to branch; SWGs are not in this traffic path. | (diagram) | Yes
Securing branch and HQ sites with active/active SD-WAN connections. You can configure Citrix tunnels in an active/active configuration if the traffic that each tunnel carries is distinct (for example, if you specify that traffic in one subnet uses one tunnel and traffic in another subnet uses another tunnel). | (diagram) | Yes
Securing branch and HQ sites with SD-WAN edge devices in HA mode | (diagram) | Yes
Securing SD-WAN deployments with Regional Hub/POP architecture (Type 2) | (diagram) | Yes