Focus

Prisma Access

Citrix SD-WAN Solution Guide

Table of Contents

Filter

Expand All | Collapse All

Prisma Access Docs

Release Notes
Select a Document
- 6.1 Preferred and Innovation
- 6.0 Preferred and Innovation
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
Activation & Onboarding
Administration
Select a Document
- 4.0 & Later
- Prisma Access China
Integrations
Incidents & Alerts

Integrate Prisma Access with Arista VeloCloud SD-WAN

Integrate Prisma Access with Citrix SD-WAN

Citrix SD-WAN Solution Guide

The following sections describe how you use the Citrix SD-WAN with Prisma Access to provide next-generation security on internet-bound traffic.

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama)	Prisma Access license Citrix SD-WAN software version: 10.1

To use this Solution Guide, you need a knowledge of SD-WAN routing principles.

You onboard your SD-WAN edge devices using a remote network connection between the edge device at the branch site, HQ, or hub to Prisma Access. To do this you Onboard a Remote Network, ensuring that you use supported IKE and IPSec cryptographic settings detailed here.

The following table documents the IKE/IPSec crypto settings that are supported with Prisma Access and the Citrix SD-WAN.

A check mark indicates that the profile or architecture type is supported; a dash (—) indicates that it's not supported. Default and Recommended settings are noted in the table.

Crypto Profiles		Prisma Access	Citrix SD-WAN
Tunnel Type	IPSec Tunnel	√	√
Tunnel Type	GRE Tunnel	—	√
Routing	Static Routes	√	√
	Dynamic Routing (BGP)	√	√
	Dynamic Routing (OSPF)	—	√
IKE Versions	IKE v1	√	√
IKE Versions	IKE v2	√	√
IPSec Phase 1 DH-Group	Group 1	√	√
	Group 2	√ (Default)	√
	Group 5	√	√
	Group 14	√	√
	Group 19	√	√
	Group 20	√ (Recommended)	√
IPSec Phase 1 Auth If you use IKEv2 with certificate-based authentication, onlySHA1 is supported IKE Crypto profiles (Phase 1).	MD5	√	√
	SHA1	√ (Default)	√
	SHA256	√	√
	SHA384	√	—
	SHA512	√ (Recommended)	—
IPSec Phase 1 Encryption	DES	√	—
	3DES	√ (Default)	—
	AES-128-CBC	√ (Default)	√
	AES-192-CBC	√	√
	AES-256-CBC	√ (Recommended)	√
IPSec Phase 1 Key Lifetime Default		√ (8 Hours)	√ (1 day)
IPSec Phase 1 Peer Authentication	Pre-Shared Key	√	√
IPSec Phase 1 Peer Authentication	Certificate	√	√
IKE Peer Identification	FQDN	√	—
	IP Address	√	√
	User FQDN	√	—
IKE Peer	As Static Peer	√	√
IKE Peer	As Dynamic Peer	√	√
Options	NAT Traversal	√	√
Options	Passive Mode	√	√
Ability to Negotiate Tunnel	Per Subnet Pair	√	√
	Per Pair of Hosts	√	√
	Per Gateway Pair	√	√
IPSec Phase 2 DH-Group	Group 1	√	√
	Group 2	√ (Default)	√
	Group 5	√	√
	Group 14	√	√
	Group 19	√	√
	Group 20	√ (Recommended)	√
	No PFS	√	√ (Default)
IPSec Phase 2 Auth	MD5	√	√
	SHA1	√ (Default)	√
	SHA256	√	√
	SHA384	√	—
	SHA512	√ (Recommended)	—
	None	√	√
IPSec Phase 2 Encryption	DES	√	—
	3DES	√ (Default)	—
	AES-128-CBC	√ (Default)	√
	AES-192-CBC	√	√
	AES-256-CBC	√	√
	AES-128-CCM	√	—
	AES-128-GCM	√	√
	AES-256-GCM	√ (Recommended)	√
	NULL	√	√
IPSec Protocol	ESP	√	√
IPSec Protocol	AH	√	√
IPSec Phase 2 Key Lifetime Default		√ (1 Hour)	√ (1 Day Max)
Tunnel Monitoring Fallback	Dead Peer Detection (DPD)	√	√
	ICMP	—	—
	Bidirectional Forwarding Detection (BFD)	—	—
SD-WAN Architecture Type	With Regional Hub/Gateway/Data Center	N/A	√
SD-WAN Architecture Type	No Regional Hub/Gateway/Data Center	NA	√

Integrate Prisma Access with Arista VeloCloud SD-WAN

Integrate Prisma Access with Citrix SD-WAN

Prisma Access Docs

Citrix SD-WAN Solution Guide

Prisma Access Docs

Citrix SD-WAN Solution Guide

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner