Configure the Citrix Remote Network

To configure the Citrix SD-WAN remote network tunnel, use the following workflow.
Before you start this workflow, perform the following tasks:
  • Configure Prisma Access for remote networks for the tunnels you create in this section, and make a note of the IKE and IPSec crypto profiles you used for the remote network tunnel. You must match these profiles when you configure the IPSec tunnel in the Citrix SD-WAN.
  • When you configure the IKE gateway, use the following configuration parameters:
    • Specify the Citrix SD-WAN Public IP address as the Peer Address.
    • Enable NAT Traversal in the Advanced Options.
  • When you configure the IPSec Gateway, specify the following configuration parameters:
    • Specify the IKE Gateway and IPSec Crypto Profile that you created in Panorama for this remote network tunnel. These profiles include all the required IKE and IPSec crypto settings. Leave Enable Replay Protection selected to detect and neutralize replay attacks.
    • Add a Proxy ID for the Citrix peer to allow traffic from the Citrix SD-WAN through the tunnel. For the entry, use the Destination IP/Prefix that you configure on the Citrix side in a later task (in this case, For the entry, use the Source IP/Prefix that you configure on the Citrix side in a later task. route of means that all traffic (including internet traffic) from the Citrix SD-WAN that matches the remote subnet address ( in this example) is protected by Prisma Access.
      For more information, refer to the Citrix document Palo Alto Integration by Using IPsec Tunnels.
  • Make a note of the Service IP address of the Prisma Access side of the tunnel after you create the remote network tunnel. To find this address in Panorama, select Cloud Services Network Details, click the Remote Networks radio button, and find the address in the Service IP Address
After you configure the remote network tunnel in Panorama, configure the IPSec tunnel in the Citrix SD-WAN by completing the following task.
  1. Log in to the Citrix SD-WAN UI, select IPsec Tunnels
  2. Choose a Service Type (LAN or Intranet).
  3. Enter a for the service type.
  4. Select the available Local IP
    If you specified a service type of , the configured Intranet server determines which Local IP addresses are available.
  5. In the Peer IP field, specify the Service IP Address that you noted when you configured the remote network in Prisma Access.
  6. Specify the IKE and IPSec parameters, matching the parameters you specified in Prisma Access.
    Note the Source IP/Prefix and Destination IP/Prefix values; those values should match the values, respectively, that you configured for the Proxy ID in Prisma Access.
  7. Click
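
A pre-flight comparison of the settings on both sides of the tunnel, as an added example that is not Palo Alto Networks or Citrix code. All dictionary keys, addresses and crypto values are constructed for illustration, and the mapping of the Proxy ID local/remote entries to the Citrix Destination/Source prefixes is an assumption based on how IPsec traffic selectors mirror each other.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values (documentation address ranges); every key name is hypothetical.
PRISMA = {
    "peer_address": "203.0.113.10", "service_ip": "198.51.100.20",
    "nat_traversal": True, "replay_protection": True,
    "ike": {"encryption": "aes-256-cbc", "hash": "sha256", "dh_group": 14},
    "ipsec": {"encryption": "aes-256-cbc", "hash": "sha256", "dh_group": 14},
    "proxy_id": {"local": "0.0.0.0/0", "remote": "192.168.10.0/24"},
}
CITRIX = {
    "public_ip": "203.0.113.10", "peer_ip": "198.51.100.20",
    "ike": {"encryption": "AES-256-CBC", "hash": "SHA256", "dh_group": 14},
    "ipsec": {"encryption": "AES-256-CBC", "hash": "SHA256", "dh_group": 14},
    "source": "192.168.10.0/24", "destination": "0.0.0.0/0",
}

def check_tunnel(prisma, citrix):
    """Return a list of mismatches; an empty list means the two sides agree."""
    problems = []
    # Each side must point at the other's public endpoint.
    if ip_address(prisma["peer_address"]) != ip_address(citrix["public_ip"]):
        problems.append("Peer Address is not the Citrix SD-WAN public IP")
    if ip_address(citrix["peer_ip"]) != ip_address(prisma["service_ip"]):
        problems.append("Citrix Peer IP is not the Prisma Access Service IP Address")
    if not prisma["nat_traversal"]:
        problems.append("NAT Traversal is not enabled on the IKE gateway")
    if not prisma["replay_protection"]:
        problems.append("Enable Replay Protection is not selected")
    # IKE and IPSec crypto settings must match key for key (case-insensitive).
    for phase in ("ike", "ipsec"):
        for key in sorted(set(prisma[phase]) | set(citrix[phase])):
            a = str(prisma[phase].get(key)).lower()
            b = str(citrix[phase].get(key)).lower()
            if a != b:
                problems.append(f"{phase} {key} differs: Prisma={a}, Citrix={b}")
    # Assumption: Proxy ID local/remote mirror the Citrix destination/source prefixes.
    for p_key, c_key in (("local", "destination"), ("remote", "source")):
        if ip_network(prisma["proxy_id"][p_key]) != ip_network(citrix[c_key]):
            problems.append(f"Proxy ID {p_key} does not match Citrix {c_key} prefix")
    return problems

if __name__ == "__main__":
    for line in check_tunnel(PRISMA, CITRIX) or ["no mismatches found"]:
        print(line)
```

Fill the two dictionaries from the values noted during the Panorama and Citrix SD-WAN steps before committing either side; any returned line names the setting to correct.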
