What’s New

Citrix SD-WAN Orchestrator introduces the following new features and enhancements:

October 21, 2020

Citrix SD-WAN 11.2.2 Release: Citrix SD-WAN 11.2.2 release is now supported in SD-WAN Orchestrator.

October 15, 2020

MPLS queues real-time statistics

You can view the MPLS Queues real-time statics on the Citrix SD-WAN Orchestrator. You can also view the direction, no of packets, delta packets, and mismatched DSCP packets for Intranet and Virtual path services.

For MPLS queues, you can view the access interface, IP address, proxy address, interface MAC address, and ARP details associated with the MPLS queue.

October 1, 2020

Domain name based custom applications

Domain name based custom applications are supported in Application Routing, Application Rule, and Firewall Profiles. To use a custom name based application, the match criteria must be listed as Application while creating Application Route and Firewall Policy.

HDX report

Citrix SD-WAN Orchestrator allows you to view the detailed HDX reports grouped by site, user, and session, and categorized based on Quality of Experience (QoE). The metrics that impact the QoE calculation are also available for monitoring.

Zscaler service

You can now add sites for the Zscaler service. When a site is added, an IPsec tunnel is established between the SD-WAN site and Zscaler Enforcement Nodes (ZENs) in Zscaler’s cloud network. ZENs inspect the traffic bi-directionally and enforce security and compliance policies. While adding a site you can either automatically pick the ZENs based on the geo-location lookup of IP addresses of WAN links or manually select the ZENs. One ZEN is configured as the Primary and the other as the secondary. If the link to the primary ZEN goes down, the secondary ZEN takes over and provides high availability.

DNS settings

SD-WAN Orchestrator supports the following types of DNS services:

  • Static: Intercepts the DNS requests destined to the SD-WAN IP address and forwards it to the specified DNS servers. You can create internal, ISP, google or any other open source DNS service.
  • Dynamic: Intercepts the DNS requests destined to the SD-WAN IP address and redirects it to one of the DNS servers learned from the DHCP based WAN links. If the WAN link goes down, another DHCP based WAN links DNS server is chosen. This feature is useful in the deployment where ISPs allow DNS requests only to DNS servers hosted by them.

You can choose a DNS proxy service for in-band management. InBand Management DNS drop-down list is introduced under Basic Settings > Interfaces. The DNS proxy services added under Advanced Settings > DNS, get listed under the InBand Management DNS drop-down list.

In-band provisioning

Zero-touch deployment along with the in-band management feature enables provisioning and configuration management through designated data ports. Zero-touch deployment is now supported on the designated data ports and there is no need to use a separate management port for zero-touch deployment. Citrix SD-WAN Orchestrator also allows to fail over management traffic seamlessly to the management port when the data port goes down and conversely.

September 16, 2020

Show Tech Support bundle

The Show Tech Support (STS) Bundle contains important real-time system information such as access logs, diagnostics logs, firewall logs. The STS bundle is used to troubleshoot issues in the SD-WAN appliances. You can now create and download the STS bundles from the Citrix SD-WAN Orchestrator.

DSCP tag and Enable Encryption

The unique Differentiated Services Code Point (DSCP) tag field is added along with the Enable Encryption check box. Each WAN link requires a unique Virtual IP Address (VIP) to create the WAN link and a unique DSCP tag corresponding to the provider’s queuing scheme. The Enable Encryption check box helps to enable/disable the encryption for every custom MPLS, private Intranet, and public Internet Inter-Link Communication Group.

September 3, 2020

Role Based Access Control:

Role based access control (RBAC) regulates access to SD-WAN Orchestrator resources based on the roles assigned to individual users. RBAC allows users to access only the data that their role demands and restricts any other data.

Roles can be assigned at Provider and Customer level under Administration > User Settings. Users can be assigned with a role from the following list of predefined roles.

  • Provider-Master-Admin-All
  • Provider-Master-Admin-Tenant
  • Provider-Master-ReadOnly
  • Customer-Master-Admin
  • Customer-Master-ReadOnly-Admin
  • Provider-Support-ReadWrite
  • Provider-Support-ReadOnly
  • Customer-Support-ReadWrite
  • Customer-Support-ReadOnly

Advanced Edge Security support for Citrix SD-WAN 210 SE appliances (Tech Preview):

Citrix SD-WAN 210 SE and 210 SE LTE appliances now support Advanced Edge Security capabilities with Advanced Security add-on licenses. To enable advanced security capabilities on a Citrix SD-WAN 210 appliance, reimage the appliance software to Citrix SD-WAN and install the Advanced Security add-on license. For more details, see USB reimage Utility.


Activating the advanced security add-on license on the Citrix SD-WAN 210 appliance, for the first time, might take up to 20 minutes approximately.

Gateway Service optimization:

You can now enable the first packet detection, classification, and selective routing (direct internet breakout or over the virtual path) of the traffic destined for the Citrix Cloud and Citrix Gateway Service (control and data). This feature is only available via Orchestrator starting from SD-WAN version 11.2.1.

Real-time Reports:

Citrix SD-WAN Orchestrator allows you to view the real-time reports for the following security features:

  • Web Filtering: Provides the real-time report of the last 1000 web (HTTP, HTTPS) events from the total number of web requests.
  • Anti-Malware: Provides the real-time report of the last 1000 Anti-Malware events from the total number of the files scanned.
  • Intrusion Prevention: Provides the real-time report of the last 1000 logged and blocked intrusion prevention system events from the total number of intrusion events.

Application settings:

The Application Settings page provides an option to disable Global Deep Packet Inspection (DPI). DPI is enabled globally, by default, for all the sites in your network. Disabling DPI stops DPI classification capability on the appliance. You can also choose to disable DPI for certain sites only by overriding the global DPI settings.

WAN link services:

Under WAN link services, on the selection of Link Specific from the Service Bandwidth Settings drop-down list, you can see the following options are newly added:

  • LAN to WAN Tag
  • WAN to LAN Tag
  • WAN to LAN Match
  • LAN to WAN Delay
  • Tunnel Header Size
  • WAN to LAN Grooming

Virtual interface enhancement:

You can forward the directed broadcasts to Virtual IP subnets on the Virtual Interface with the Directed Broadcast check box.

August 12, 2020

Dynamic Virtual Path enhancements:

  • Dynamic virtual paths can now be enabled/disabled at the site level using the Enable Dynamic Virtual Paths check box. The ability to enable dynamic virtual paths across the network globally is retained.
  • You can configure IPsec tunnel settings for dynamic virtual paths at the network level.
  • The dynamic virtual path thresholds for LAN-to-WAN and WAN-to-LAN in terms of bytes per second and packets per second are introduced per WAN link.

Static Virtual Path enhancements: The Tunnel Header Sizes in Bytes and Active MTU Detect configuration options are introduced in the Virtual Path WAN link properties.

Auto-correction: In the SD-WAN Orchestrator, the auto-correction feature is implemented in the change management workflow. The auto-correction feature is applicable for staging failure on a branch node and activation failure on any node. The maintenance mode check box is added under the Change Management Settings to perform manual troubleshooting on an appliance. Once the maintenance mode check box is unchecked, the auto-correction mechanism brings the appliance in sync with the network software and configuration version.

July 15, 2020

Application Quality: Application QoE is a measure of Quality of Experience of applications in the SD-WAN network. The Application QoE score is a value between 0 and 10. The score range that it falls in determines the quality of an application. The Application QoE dashboard provides the overall Application QoE score of all the applications in your network. You can also view individual Application QoE reports.

Region configuration enhancements: You can now change the default region, provide a description for the region, and add new subnets. You can also allow non-private Virtual IP addresses within a region or from other regions to match the configured subnets.

Citrix SD-WAN releases: The following Citrix SD-WAN releases are now supported in the Citrix SD-WAN Orchestrator:

  • Citrix SD-WAN 10.2.7
  • Citrix SD-WAN 11.0.3d
  • Citrix SD-WAN 11.1.1a

July 6, 2020

Appliance settings: Citrix SD-WAN Orchestrator allows you to configure the appliance settings, at the site level, and push it to the remote appliances. You can configure user, network adapters, NetFlow, AppFlow, and SNMP settings.

Link Aggregation Groups: The Link Aggregation Groups (LAG) functionality allows you to group two or more ports on your SD-WAN appliance to work together as a single port. This ensures increased availability, link redundancy, and enhanced performance. Citrix SD-WAN Orchestrator supports simple Link Aggregation Group (ACTIVE-BACKUP).

Transit Nodes: Transit nodes reduce the cost of routing by configure sites to route data via a virtual overlay transit node. You can configure Internet or Intranet transit nodes to allow sites without internet or intranet service to route to the internet or intranet through the configured transit sites.

Firewall profile: Firewall profiles provide security by ensuring that network traffic is restricted only to a specific firewall rule depending on the match criteria and by applying specific actions. The Firewall Profile contains three sections.

  • Global Profiles – Global profile is an aggregation of a couple of firewall rules. The profile that you create under the Global Profiles section is applied across all the sites in the network.
  • Site Specific Profiles – You can apply the defined firewall rules on certain specific sites.
  • Global Override Profile – You can override both global and site-specific profiles using the Global Override Profiles.

June 11, 2020

Edge Security: The Citrix SD-WAN Edge Security capability enables advanced security on Citrix SD-WAN branch appliances. It simplifies information security management by providing a single management and reporting pane for Network Edge Security. It eliminates the need for multiple branch solutions by consolidating routing, SD-WAN, and security capabilities on a single appliance. This reduces network complexity, operational cost, and provides a more secure network edge. The Edge Security stack includes the following security functionality:

  • Web filtering
  • Anti-Malware
  • Intrusion Prevention


  • The Edge Security is only supported for Citrix SD-WAN deployments managed through the Citrix SD-WAN orchestrator.
  • External syslog server support is not available through Orchestrator for Citrix SD-WAN Edge Security.

Subnet support: From release 11.2 onwards, Citrix SD-WAN UI allows /31 subnets for configuring the network address.

Metered link enhancements: The following options are introduced under Advanced WAN link settings:

  • Approximate Data Already Used: The approximate data already used in MB for the metered link. This is applicable only for the first cycle. To track the proper metered link usage, specify the approximate metered link usage, if the link has already been used for few days in the current billing cycle.

  • Disable link if Data Cap Reached: If the data usage reaches the specified data cap, the metered link and all its related paths are disabled until the next billing cycle. If this option is not selected, the metered link remains in the current state, after the data cap is reached, until the next billing cycle.

Auto-learning of Public IP address on Intranet WAN link: You can now enable Auto learning of Public IP address on Intranet WAN links, under Basic settings > WAN Link Attributes, to support DHCP on Fail-to-Wire port.


Rollout of this release is in progress, the feature is available in respective POPs as the rollout completes.

June 1, 2020

LTE firmware upgrade: You can now upgrade the LTE firmware via the SD-WAN Orchestrator along with configuring and managing all the LTE sites in your network. While creating the site, you need to select LTE as a submodel for the SD-WAN 210 appliance/model. Currently, the LTE support is only applicable on 210 appliances. You need to set the scheduling window information to upgrade the LTE firmware corresponding to the latest selected software version.

Static inter-routing domain service: Citrix SD-WAN Orchestrator now supports Static Inter-routing Domain service, enabling routing between Routing Domains within a site or between different sites. This eliminates the need for an external edge router to handle routing between two routing domains. The inter-routing service can further be used to set up routes, firewall policies, and NAT rules.

Citrix SD-WAN 11.1.1 Release: Citrix SD-WAN 11.1.1 release is now supported in SD-WAN Orchestrator.

May 13, 2020

Y-cable: You can now enable Y-cable support for Citrix SD-WAN 1100 SE/PE appliances through the SD-WAN Orchestrator. The Small Form-factor Pluggable (SFP) ports can be used with a fiber optic Y-Cable to enable the high availability feature for Edge Mode deployment.

Wrap Alerts description: The alert message contents under the Reports > Alerts > Message column are now wrapped. Earlier, the alert messages were hidden when the length of the message was greater than the width of the allocated cell size.

DHCP Client: The Dynamic Host Configuration Protocol (DHCP) Client option is now available under the Site Profile template. Hence, the sites that are created through the Site Profile, also inherits the DHCP Client option.

Citrix SD-WAN 110 appliance support: The Citrix SD-WAN 110 hardware model appliance is now supported in the SD-WAN Orchestrator.

April 28, 2020

HA near-hitless software upgrade: The HA near-hitless software upgrade feature ensures that the network downtime, during the software upgrade (11.1.x and above) process for an HA pair, is not more than the HA switch over time.

Appliance reports (Tech Preview): Appliance report delivers Network traffic and System usage reports. Under Appliance Reports you can view Interfaces, Network, CPU Usage, Disk Usage, and Memory Usage reports in different tabs.

Change password: Citrix SD-WAN Orchestrator allows you to centrally change the password of all the SD-WAN appliances in your network from the Network Configuration > Home page.

Microsoft Office 365 beacon service: Citrix SD-WAN supports Microsoft Office 365 beacon probing capability to help determine the best link to be used for Office 365. The probes determine the latency (round-trip-time) involved in reaching Office 365 endpoints through each WAN link, enabling network administrators to identify the best link to be used for Office 365 traffic. The Office 365 beacon probing capability is available only via the Citrix SD-WAN Orchestrator.

What’s New