1. Home
    2. Prisma
    3. Prisma Access
    4. Prisma Access Integration Guide (Panorama Managed)
    5. Integrate Third-Party SD-WANs with Prisma Access
    6. Citrix SD-WAN Solution Guide
    7. Configure the Citrix Remote Network

    Configure the Citrix Remote Network

    To configure the Citrix SD-WAN remote network tunnel, use the following workflow.
    Before you start this workflow, perform the following tasks:
    • Configure Prisma Access for remote networks for the tunnels you create in this section, and make a note of the IKE and IPSec crypto profiles you used for the remote network tunnel. You must match these profiles when you configure the IPSec tunnel in the Citrix SD-WAN.
    • When you configure the
      IKE gateway
      , use the following configuration parameters:
      • Specify the Citrix SD-WAN Public IP address as the
        Peer Address
        .
      • Enable
        NAT Traversal
         in the
        Advanced Options
         tab.
    • When you configure the
      IPSec Gateway
      , specify the following configuration parameters:
      • Specify the
        IKE Gateway
         and
        IPSec Crypto Profile
         that you created in Panorama for this remote network tunnel. These profiles include all the required IKE and IPSec crypto settings. Leave
        Enable Replay Protection
         selected to detect and neutralize against replay attacks.
      • Add a
        Proxy ID
         for the Citrix peer to allow traffic from the Citrix SD-WAN through the tunnel. For the
        Local
         entry, use the
        Destination IP/Prefix
         that you configure on the Citrix side in a later task (in this case, 0.0.0.0). For the
        Remote
         entry, use the
        Source IP/Prefix
         that you configure on the Citrix side in a later task.
        The
        Local
         route of 0.0.0.0/0 means that all traffic (including internet traffic) from the Citrix SD-WAN that matches the remote subnet address (172.16.4.0/24 in this example) is protected by Prisma Access.
        For more information, refer to the Citrix document Palo Alto Integration by Using IPsec Tunnels.
    • Make a note of the Service IP address of the Prisma Access side of the tunnel after you create the remote network tunnel. To find this address in Panorama, select
      Panorama
      Cloud Services
      Status
      Network Details
      , click the
      Remote Networks
       radio button, and find the address in the
      Service IP Address
       field.
    After you configure the remote network tunnel in Panorama, configure the IPSec tunnel in the Citrix SD-WAN by completing the following task.
    1. Log in to the Citrix SD-WAN UI, select
      Connection
      Site
      IPsec Tunnels
      .
    2. Choose a
      Service Type
       (LAN or Intranet).
    3. Enter a
      Name
       for the service type.
    4. Select the available
      Local IP
       address.
      If you specified a service type of
      Intranet
      , the configured Intranet server determines which Local IP addresses are available.
    5. In the
      Peer IP
       field, specify the
      Service IP Address
       that you noted when you configured the remote network in Prisma Access.
    6. Specify the IKE and IPSec parameters, matching the parameters you specified in Prisma Access.
      Note the
      Source IP/Prefix
       and
      Destination IP/Prefix
       values; those values should match the
      Remote
       and
      Local
       values, respectively, that you configured for the
      Proxy ID
       in Prisma Access.
    7. Click
      Apply
      .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo