Application and DNS settings

This section enables users to custom define applications, group applications for use in policies, QoS Profiles, and also DNS settings.

You can define an Application Group for both predefined and custom applications. An Application Group contains applications that need similar treatment when defining a security policy.

You can reuse the Application Groups frequently when defining policies such as application steering or firewall rules. It eliminates the need to create multiple entries for each individual application. Similarly, while using any application services, Application Groups supports common applications with a unique name for simplified and consistent reuse.

To view Apps and DNS settings, navigate to Configuration > Application & DNS Settings.

Application settings

The Citrix SD-WAN appliances perform Deep Packet Inspection (DPI) to identify and classify applications. The DPI library recognizes thousands of commercial applications. It enables real-time discovery and classification of applications. Using the DPI technology, the SD-WAN appliance analyses the incoming packets and classifies the traffic as belonging to a particular application or application family.

DPI is enabled globally, by default, for all the sites in your network. Disabling DPI stops DPI classification capability on the appliance. You can no longer use DPI classified application / application categories to configure firewall, QoS, and routing policies. You will also not be able to view the top applications and application categories report.

To disable global DPI, at the Network level, navigate to Configuration > App & DNS Settings > Application Settings and uncheck Enable Global DPI option.

Application settings

You can also choose to disable DPI for certain sites only by overriding the global DPI settings. To disable DPI for selected sites, add the sites to the Site Overrides list.

Custom application

The Custom Applications are used to create internal applications or IP-port combinations which are not available in the list of published applications. The administrator needs to define a custom application that can be used in multiple policies as needed, without referring the IP address and port number details each time.

The administrator can define a custom application based on the IP protocol or Domain name.

To create a custom application using an IP protocol, click + Custom Application and provide a name for the custom app. Specify the match criteria such as IP protocol, network IP address, port number, and, DSCP tag. The data flow matching this criteria is grouped as the custom application.

Application DNS

Once saved, the custom applications show up in a list and can be edited or deleted, as required.

You can also group several domain names as an application. To create custom applications based on domain name, select Domain Name Based. Enter the application name and the required domain names or patterns. You can either enter the full domain name or use wild cards at the beginning. For example - *


All the domain name based custom applications are visible in Application Routing, Application Rule, and Firewall Profiles.


To use a custom name based application, the match criteria must be listed as Application while creating the Application Route and firewall policy.

Once you have created the custom application, to perform the application routing, navigate to Routing > Routing Policies > + Application Route, select the custom application under the Application drop-down list.

Application routing custom application

You can also select the DNS based custom application under the match criteria of an IP Protocol custom application.

IP protocol custom application

Similarly, to view the custom application under the Firewall Profiles, navigate to Security > Firewall Profiles. The application can be used for any type of profile (Global override/Site Specific/Global Profiles). Click Create New Rule under Firewall Rules > Match Criteria > select the custom application from the Application drop-down list.

Firewall profile custom application

You can view the DNS based custom applications both under Global or Site/Group Specific Rule. To view the custom application under the Application Rule, navigate to QoS > QoS Policies > Global Rules > Application Rule > under Application Match Criteria, select the custom application from the Application drop-down list.

Application rule custom application

Click Verify Config to validate any audit error.

Application groups

An Application Group helps administrators group similar applications together for use in common policies, without necessarily having to create a policy for each individual application.

Apps Group

You can create an Application Group by using the Add Application Groups option. You can refer the same Application Group while creating a policy as per the application role. The policy that is defined for the particular group is applied to each application that matches to the specific category.

For example, you can create an Application Group as Social Networking and add social networks such as Facebook, LinkedIn, and Twitter to the group to define certain policies for social networking applications.

To create an Application Group, specify a group name, search, and add apps from the Applications list. You can always go back and edit your settings or delete Application Group as needed.

Application Group

Click Verify Config to validate any audit error.

Application quality profiles

This section enables you to view and create application quality profiles.

App quality profile

Application QoE is a measure of Quality of Experience of applications in the SD-WAN network. It measures the quality of applications that flow through the virtual paths between two SD-WAN appliances.

The Application QoE score is a value between 0 and 10. The score range that it falls in determines the quality of an application.

Quality Range
Good 8–10
Fair 4–8
Poor 0–4

Application QoE score can be used to measure quality of applications and identify problematic trends.

Profile configuration

Click + QoE Profile to create a QoE profile, specify a profile name, and select a traffic type from the drop-down list.

QoE profile

Real-time configuration

You can define the quality thresholds for real-time and interactive appliances using QoE profiles, and map these profiles to applications or applications objects.

The Application QoE calculation for real-time applications uses a Citrix innovative technique, which is derived from the MOS score.

The default threshold values are:

  • Latency threshold (ms): 160
  • Jitter Threshold (ms): 30
  • Packet loss threshold (%): 2

A flow of a real-time application that meets the thresholds for latency, loss, and jitter is considered to be of good quality.

QoE for Real-time applications is determined from the percentage of flows that meet the threshold divided by the total number of flow samples.

QoE for Real-time = (No of flow samples that meet the threshold / Total no of flow samples) * 100

It is represented as QoE score ranging from 0 to 10.

Interactive configuration

The Application QoE for interactive applications uses a Citrix innovative technique based on packet loss and burst rate thresholds.

Interactive applications are sensitive to packet loss and throughput. Therefore, we measure the packet loss percentage, and the burst rate of ingress and egress traffic in a flow.

The configurable thresholds are:

  • Packet loss percentage.
  • Percentage of expected egress burst rate in comparison to the ingress burst rate.

The default threshold values are:

  • Packet loss threshold: 1%
  • Burst rate: 60%

A flow is of good quality if the following conditions are met:

  • The percentage loss for a flow is less that the configured threshold.

  • The egress burst rate is at least the configured percentage of ingress burst rate.

Application quality configuration

Map application or application objects to default or custom QoE profiles. You can create custom QoE profiles for real-time and interactive traffic.

Click +QoE Configuration to create custom QoE profiles:

  • Type: Select the DPI application or an application object (Application, Application Apps, and Application Groups).
  • Application: Search and select an application or application object based on the selected Type.
  • QoE Profile: Select a QoE profile to map to the application or application object.

App quality config

Click Done.

Click Verify Config to validate any audit error.

DNS servers

You can configure specific DNS servers to which the DNS requests are routed.

Enter a name for the DNS server and specify the Primary and Secondary DNS server IP addresses. You can create internal, ISP, google or any other open source DNS service.

DNS server

Click Verify Config to validate any audit error.

Proxy Auto Config

With the increase in enterprise adoption of mission-critical SaaS applications and distributed workforce, it becomes highly critical to reduce latency and congestion. Latency and congestion are inherent in traditional methods of backhauling traffic through the Data Center. Citrix SD-WAN allows direct internet break out of SaaS applications such as Office 365. For more information, see Office 365 Optimization.

If there are explicit web proxies configured on the enterprise deployment all traffic are steered to the web proxy making it difficult for classification and direct internet breakout. The solution is to exclude SaaS application traffic from getting proxied by customizing the enterprise PAC (Proxy Auto-Config) file.

Citrix SD-WAN 11.0 allows proxy bypass and local Internet breakout for Office 365 application traffic by dynamically generating and serving a custom PAC file. PAC file is a JavaScript function that defines whether web browser requests go directly to the destination or to a web proxy server.

How PAC file customization works

Ideally, the enterprise network host PAC file on the internal web server, these proxy settings are distributed via group policy. The Client browser requests for PAC files from the enterprise web server. The Citrix SD-WAN appliance serves the customized PAC files for sites where Office 365 breakout is enabled.

PAC file customization

  1. Citrix SD-WAN periodically requests and retrieves the latest copy of the enterprise PAC file from the enterprise web server. The Citrix SD-WAN appliance patches office 365 URLs to the enterprise PAC file. The enterprise PAC file is expected to have a placeholder (SD-WAN specific tag) where the Office 365 URLs are seamlessly patched.

  2. The Client browser raises a DNS request for the enterprise PAC file host. Citrix SD-WAN intercepts the request for the proxy configuration file FQDN and responds with the Citrix SD-WAN VIP.

  3. The Client browser requests for the PAC file. Citrix SD-WAN appliance serves the patched PAC file locally. The PAC file includes enterprise proxy configuration and Office 365 URL exclusion policies.

  4. On receiving a request for the Office 365 application, the Citrix SD-WAN appliance performs a direct internet breakout.


  1. The enterprises must have a PAC file hosted.

  2. The PAC file must have a placeholder SDWAN_TAG or one occurrence of findproxyforurl function for patching Office 365 URLs.

  3. The PAC file URL must be domain based and not IP based.

  4. The PAC file is served only over the trusted identity VIPs.

  5. Citrix SD-WAN appliance must be able to download the enterprise PAC file over its management interface.

Configure Proxy Auto Config

In the SD-WAN Orchestartor UI, at the network level, navigate to Configuration > App and DNS Settings > Proxy Auto Config and click + PAC file profile.

Proxy auto configuration

Enter a name for the PAC file profile, provide the URL of the enterprise PAC file server. The Office 365 breakout rules are dynamically patched to the enterprise PAC file.

Select the sites to which the PAC file profile is applied. If there are different URLs for each site, create a different profile per site.


  • HTTPS PAC file server requests are not supported.

  • Multiple PAC files in a network are not supported, including PAC files for routing domains or security zones.

  • Generating a PAC file on Citrix SD-WAN from scratch is not supported.

  • WPAD through DHCP is not supported.

Application and DNS settings