Prisma Access
Integrate Prisma Access with Citrix SD-WAN
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Integrate Prisma Access with Citrix SD-WAN
The following sections describe how you use the Citrix SD-WAN with Prisma Access to
provide next-generation security on internet-bound traffic.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
Citrix supports the following deployment architectures for use with Prisma Access. A dash
(—) indicates that the deployment isn't supported.
Use Case | Architecture | Supported? |
---|---|---|
Securing traffic from each branch site with 1 WAN link
(Type 1) | Yes | |
Securing branch and HQ sites with active/backup SD-WAN
connections Securing Traffic from Branch to internet was supported
through secure web gateway (SWG). A pair of Citrix SD-WAN
appliances secure traffic from branch to branch; SWGs are not in
this traffic path. | Yes | |
Securing branch and HQ sites with active/active SD-WAN
connections You can configure Citrix tunnels in an active/active
configuration if the traffic that each tunnel carries is distinctive
(for example, if you specify traffic in one subnet to use one tunnel
and traffic in another subnet to use another tunnel). | Yes | |
Securing branch and HQ sites with SD-WAN edge devices in
HA mode | Yes | |
Securing SD-WAN deployments with Regional Hub/POP
architecture (Type 2) | Yes |
Cloud Management
Cloud Management
To configure the Citrix SD-WAN remote network tunnel in Prisma Access and in Citrix,
use the following workflow.
- Follow the steps to Connect a remote network to Prisma Access.
- Choose aPrisma Access Locationthat is close to the remote network location that you want to onboard.
- When creating the IPSec tunnel, use aBranch Device TypeofCitrix.
- Specify anIKE Peer IdentificationofIP Addressand enter the Citrix SD-WAN Public IP address.
- AddaProxy IDfor the Citrix peer to allow traffic from the Citrix SD-WAN through the tunnel. For theLocalentry, use theDestination IP/Prefixthat you configure on the Citrix side in a later task (in this case, 0.0.0.0). For theRemoteentry, use theSource IP/Prefixthat you configure on the Citrix side in a later task.TheLocalroute of 0.0.0.0/0 means that all traffic (including internet traffic) from the Citrix SD-WAN that matches the remote subnet address (172.16.4.0/24 in this example) is protected by Prisma Access.
- SelectIPSec Advanced Optionsand select an IPSec Crypto profile ofCitrix-IPSec-Crypto-Default.
- SelectIKE Advanced Optionsand select an IKEv1 crypto profile ofCitrix-IKE-Crypto-Default.
- Set up routing for the remote network.Set UpRouting andAddthe IP subnets for Static Routing.AddaBranch IP Subnet.Choose Static Routing andAdda subnet you have reserved for this remote network connection.
- Push your configuration changes.
- Return toand selectManageService SetupRemote Networks.Push ConfigPush
- SelectRemote Networks.
- Pushyour changes.
- Make a note of theService IPof the Prisma Access side of the tunnel. To find this address inPrisma Access (Cloud Management), select, click theManageService SetupRemote NetworksRemote Networks. Look for theService IPfield corresponding to the remote network configuration you created.
- Log in to the Citrix SD-WAN web interface, select.ConnectionSiteIPsec Tunnels
- Choose aService Type(LAN or Intranet).
- Enter aNamefor the service type.
- Select the availableLocal IPaddress.If you specified a service type ofIntranet, the configured Intranet server determines which Local IP addresses are available.
- In thePeer IPfield, specify theService IPthat you noted when you configured the remote network in Prisma Access.
- Specify the IKE and IPSec parameters, matching the parameters you specified in Prisma Access.Note theSource IP/PrefixandDestination IP/Prefixvalues; those values should match theRemoteandLocalvalues, respectively, that you configured for theProxy IDin Prisma Access.
- ClickApply.
Troubleshoot the Citrix SD-WAN Remote Network
To monitor and troubleshoot IPSec tunnels on the Citrix side of the tunnel, open
the Citrix SD-WAN web interface and select and .
Monitoring
Statistics
Monitoring
IKE/IPSec
In addition, Prisma Access provides logs and widgets that provide you with the
status of remote tunnels and the status of each tunnel.
- Go toand check theManageService SetupRemote NetworksStatusof the tunnel.
- Go toand check theActivityLog ViewerCommon/Systemlogs for IPSec- and IKE-related messages.To view VPN-relates messages, set the filter tosub_type.value = vpn.The messageignoring unauthenticated notify payloadindicates that the route has not been added in the crypto map on the other side of the IPSec tunnel after the IPSec negotiation has already occurred.
- Check theFirewall/Trafficlogs and view the messages that are coming from the zone that has the same name as the remote network.In the logs, the remote network name is used as the source zone.
Panorama
Panorama
To configure the Citrix SD-WAN remote network tunnel, use the following workflow.
Before you start this workflow, perform the following tasks:
- Configure Prisma Access for remote networks for the tunnels you create in this section, and make a note of the IKE and IPSec Crypto profiles you used for the remote network tunnel. Match these profiles when you configure the IPSec tunnel in the Citrix SD-WAN.
- When you configure theIKE gateway, use the following configuration parameters:
- Specify the Citrix SD-WAN Public IP address as thePeer Address.
- EnableNAT Traversalin theAdvanced Optionstab.
- When you configure theIPSec Gateway, specify the following configuration parameters:
- Specify theIKE GatewayandIPSec Crypto Profilethat you created in Panorama for this remote network tunnel. These profiles include all the required IKE and IPSec crypto settings. LeaveEnable Replay Protectionselected to detect and neutralize against replay attacks.
- Add aProxy IDfor the Citrix peer to allow traffic from the Citrix SD-WAN through the tunnel. For theLocalentry, use theDestination IP/Prefixthat you configure on the Citrix side in a later task (in this case, 0.0.0.0). For theRemoteentry, use theSource IP/Prefixthat you configure on the Citrix side in a later task.TheLocalroute of 0.0.0.0/0 means that all traffic (including internet traffic) from the Citrix SD-WAN that matches the remote subnet address (172.16.4.0/24 in this example) is protected by Prisma Access.For more information, refer to the Citrix document Palo Alto Integration by Using IPsec Tunnels.
- Make a note of the Service IP address of the Prisma Access side of the tunnel after you create the remote network tunnel. To find this address in Panorama, select, click thePanoramaCloud ServicesStatusNetwork DetailsRemote Networksradio button, and find the address in theService IP Addressfield.
After you configure the remote network tunnel in Panorama, configure the IPSec tunnel
in the Citrix SD-WAN by completing the following task.
- Log in to the Citrix SD-WAN web interface, select.ConnectionSiteIPsec Tunnels
- Choose aService Type(LAN or Intranet).
- Enter aNamefor the service type.
- Select the availableLocal IPaddress.If you specified a service type ofIntranet, the configured Intranet server determines which Local IP addresses are available.
- In thePeer IPfield, specify theService IP Addressthat you noted when you configured the remote network in Prisma Access.
- Specify the IKE and IPSec parameters, matching the parameters you specified in Prisma Access.Note theSource IP/PrefixandDestination IP/Prefixvalues; those values should match theRemoteandLocalvalues, respectively, that you configured for theProxy IDin Prisma Access.
- ClickApply.
Troubleshoot the Citrix SD-WAN Remote Network
To monitor and troubleshoot IPSec tunnels on the Citrix side of the tunnel, open
the Citrix SD-WAN UI and select and .
Monitoring
Statistics
Monitoring
IKE/IPSec
For more troubleshooting information, see the following Citrix documents:
In addition, Prisma Access provides logs that provide you with the status of
remote tunnels and the status of each tunnel. To view these logs in Panorama,
select .
Monitor
Logs
System
To debug tunnel issues, you can filter for tunnel-specific logs by using the
object identifier corresponding to that tunnel. The following figures show
errors related to tunnel misconfiguration and negotiation issues.