Citrix SD-WAN Orchestrator

What’s New

Citrix SD-WAN Orchestrator service introduces the following new features and enhancements:

July 15, 2021

Role settings

Users with the Provider-Master-Admin-All role can create and assign custom roles at the customer level. Customer administrators can assign these custom roles, created by the provider administrator, to their users.

[ SDW-18146 ]


While allocating licenses from the License View tab, under the All Unlicensed category, selecting multiple sites is disabled. You can select only one site at a time.

[ SDW-20325 ]

Route summarization

SD-WAN Orchestrator introduces an enhancement to the route summarization functionality. With this enhancement, you have an option to add summary routes without specifying the gateway IP address.

[ SDW-19404 ]

Site Reports: IPsec

The IPsec reports provide the real-time report of the IPsec tunnel configurations on your network.

[ SDW-12076 ]

Site Reports: Routing Protocols

The Routing Protocols report provides the details of the parameters associated with the routing protocols. You can choose the protocol from the View drop-down list and a routing domain from the Routing Domain drop-down list as needed. To view the current data, click Retrieve Latest Data.

[ SDW-12075 ]

Site selection component

The usability of the site selection component is improved in the following configurations:

  1. Partial site upgrade
  2. Network location service
  3. Routing policies
  4. QoS Policies
  5. Import route profile
  6. Export route profile
  7. Proxy Auto Config
  8. Intrusion prevention
  9. Firewall policies
  10. Application settings
  11. Zscaler service

[ SDW-16895 ]

July 01, 2021

ICMP probing

Citrix SD-WAN Orchestrator service now supports ICMP probing. It enables administrators to determine Internet reachability to/from the SD-WAN appliance and the destination host. The following ICMP services are introduced in the UI:

  • Determine Internet reachability from link using ICMP probes
  • IPv4 ICMP endpoint Address
  • Probe Interval (in seconds)
  • Retries

[ SDW-19292 ]

Override global transit node settings

You can now override the global transit node settings and choose to enable or disable spoke-to-spoke forwarding and route export only on selected control transit nodes.

[ SDW-19276 ]

June 17, 2021

Citrix SD-WAN 11.4.0a Release

Citrix SD-WAN 11.4.0a release is supported in Citrix SD-WAN Orchestrator service.

[ SDW-19785 ]

Citrix SD-WAN 11.3.2 Release

Citrix SD-WAN 11.3.2 release is supported in Citrix SD-WAN Orchestrator service.

[ SDW-19038 ]

Audit logs

The provider level and network level audit log pages have been enhanced with the following capabilities:

  • Search: Ability to search for an audit activity based on a keyword.
  • Filtering: Run an audit log search by filtering based on user, feature, and time range. For network level logs, you can also filter by the site.
  • Audit Info: Select the info icon on the Action column to navigate to the Audit info section. This section provides the following information:
    • Method: HTTP request method of the invoked API.
    • Status: Result of the API request. You see an error message when the API request fails.
    • Payload message: Body of the request message sent through API.
    • URL: HTTP URL of the invoked API.
  • Log payloads: By default, this option is disabled. When enabled, the request body of the API message is displayed in the Audit Info section.

[ SDW-18937 ]

Member path statistics API (Preview)

Member path statistics API is modified to allow the API client to specify the fields of interest. The specified fields are returned in the response payload.

[ SDW-18903 ]

May 13, 2021

ECMP load balancing

Equal Cost Multi-Path (ECMP) groups allow you to group multiple routes, with the same cost, destination, and service type. ECMP load balancing ensures:

  • Distribution of traffic over multiple equal-cost connections.
  • Optimal usage of available bandwidth.
  • Dynamic transfer of traffic to another ECMP member route, if a route becomes unreachable.
  • ECMP groups can be formed over Virtual Paths and Intranet services.

Appliance settings - IPv6 address support

The following configurations support IPv6 addresses:

Notification settings

You can now define a notification profile by enabling and configuring email alerts and HTTPS messages. The notification profiles are further used in configuring alerts. Alerts for different events are configured by defining the frequency, severity type, and trigger rules for the alerts.

Site Reports: PPPoE

The PPPoE report provides status information of the configured virtual interface with the PPPoE static or dynamic client mode. It allows you to manually start or stop the sessions for troubleshooting purposes.

April 29, 2021

Intelligent Path selection

Citrix SD-WAN Orchestrator allows you to choose the best WAN link based on the latency count, to manage Office 365 application traffic. As part of this enhancement, Citrix SD-WAN Orchestrator service introduces the Enable O365 Intelligent Path Selection option.

The O365 metrics report introduces the following columns:

  • Lowest Latency (ms): The lowest latency count of the WAN link for a selected time period.
  • WAN Link Selected: The number of times the WAN link was chosen for Office 365 optimization.
  • Total Decisions Taken: Total number of times a decision to choose a WAN link is taken, for the selected time interval.

Office 365 Categories

Citrix SD-WAN 11.4.0 provides a more granular classification of the Allow and Optimize Office 365 categories, enabling selective bookending to improve the performance of network-sensitive Office 365 traffic. Directing network-sensitive traffic to SD-WAN in the cloud (Cloud Direct or an SD-WAN VPX on Azure), or from an at-home SD-WAN device to an SD-WAN at a nearby location with more Internet connectivity, enables QoS and superior connection resilience compared to simply steering the traffic to the nearest Office 365 front door, at the cost of an increase in latency. A bookended SD-WAN solution with QoS reduces VoIP dropouts and disconnects, reduces jitter, and improves media-quality mean opinion scores for Microsoft Teams.

The Optimize category is classified into the following sub-categories:

  • Teams Realtime
  • Exchange Online
  • SharePoint Optimize

The Allow category is classified into the following sub-categories:

  • Teams TCP Fallback
  • Exchange Mail
  • SharePoint Allow
  • O365 Common

SIA Connector Internet Breakout

You can now use the Enable SIA Collector Internet Breakout option to avoid double redirection of traffic through the Cloud Connector proxy and SD-WAN tunnels. A custom application is created to filter any traffic destined for the CSIA gateway and reporter nodes, along with other known TCP ports expected to be used by the Cloud Connectors and bypass them from tunnel usage.

Network Admin and Security Admin roles (Preview)

Citrix SD-WAN Orchestrator service supports the following roles:

  • Provider-Network-Admin: An administrator who can only view and edit the network related information.
  • Provider-Security-Admin: An administrator who can only view and edit the security related information.
  • Customer-Network-Admin: A customer administrator who can only view and edit network related information.
  • Customer-Security-Admin: A customer administrator who can only view and edit security related information.

User settings

If a customer has a Citrix Secure Internet Access subscription along with a Citrix SD-WAN subscription, then the Administration > User Setting is common between Citrix Secure Internet Access and Citrix SD-WAN Orchestrator service. The Provider-Master-Admin-All or Customer-Master-Admin role defined for Citrix SD-WAN can assign a Citrix SD-WAN access level role (pre-defined or custom role) to other admin users. Similarly, the Customer-Master-Admin role defined for Citrix Secure Internet Access service can assign a Citrix SIA level role (pre-defined or custom role) to other admin users.

Route export through Transit Node

You can now enable or disable route exporting on all the paths of a Transit Node. Enabling control transit node settings (green button) enables virtual path-to-virtual path forwarding and route exporting (WAN-to-WAN forwarding) on all the site paths. Disabling the green button enables only virtual path-to-virtual path forwarding and disables route exporting on all the site paths.

CSIA connectivity through GRE tunnel

Citrix Secure Internet Access (CSIA) service is a Citrix owned service. CSIA provides a full cloud-delivered security stack to protect users, applications, and data against all threats without compromising the employee experience. Any Citrix SD-WAN appliances can tunnel the traffic to the CSIA service. You can now choose the tunnel type as GRE or IPsec.

Site Reports: VRRP

The VRRP report provides a real-time report of the configured VRRP groups.

HDX reports

Citrix SD-WAN Orchestrator allows you to view the detailed HDX reports grouped by site, user, and session, and categorized based on Quality of Experience (QoE). The metrics that impact the QoE calculation are also available for monitoring.

Citrix SD-WAN 11.4.0 Release

Citrix SD-WAN 11.4.0 release is now supported in Citrix SD-WAN Orchestrator service.

April 08, 2021

Dynamic Routing

From Citrix SD-WAN 11.3.1 release onwards, you can configure one router ID for the entire protocol and also one router ID per routing domain. With this enhancement, you can enable stable dynamic routing across multiple instances with different router IDs converging in a stable manner.

Custom roles (Preview)

Citrix SD-WAN Orchestrator service allows providers and customers to create custom roles and provide access to specific features. Only users with the Provider-Master-Admin-All or Customer-Master-Admin-All role can create custom roles under Administration > Role Settings.

Add-on License for Edge Security

Citrix SD-WAN 1100 SE, SD-WAN 210 SE, 210 SE LTE, and 410 SE appliances now support Advanced Edge Security capabilities with Advanced Security add-on licenses. The Advanced security add-on license is supported on 210 platforms from Citrix SD-WAN release onwards. The Advanced security throughput depends upon your advanced security add-on license. Advanced security throughput request beyond the throughput supported by your security add-on license is dropped.

Partial software upgrade

Citrix SD-WAN 11.3.1 partial software upgrade is supported in Citrix SD-WAN Orchestrator service.

Appliance Settings

You can now configure date and time, at the site level, through Citrix SD-WAN Orchestrator. You can either configure the date and time manually or through an NTP server and also set the time zone.

IPv6 support

Citrix SD-WAN Orchestrator service supports IPv6 addresses for the following configurations with software version 11.3.1 or above:

Management plane features

Data plane features

Notification settings

Alerts for different events are configured by defining the frequency, severity type, and trigger rules for the alerts. You can now define a notification profile by enabling and configuring email alerts. The notification profiles are further used in configuring alerts.

Site Reports: IGMP

The IGMP reports table provides a real-time report of the IGMP statistics and IGMP Proxy groups.

Site Reports: Metered WAN Links

The WAN Link Metering reports provide details about the metered WAN link usage. You can view the reports to get insights into the data consumption of the metered WAN links.

Zero Touch Deployment

SD-WAN Orchestrator supports zero-touch deployment and Inband management-enabled appliances with single stack or dual stack of both IPv4 and IPv6 addresses.

March 18, 2021

Retry staging

Retry staging option is now available to reinitiate staging at the sites where the staging process has failed.

Custom application

The Enable Reporting check box is newly added for the IP Protocol-based custom applications. Now you can also view the IP protocol and domain name-based custom application-defined traffic under the Reports > Usage page. The custom application option is also added as a type under the Application quality configuration page.

Add-on License for Edge Security: The add-on license enables Edge Security capabilities on Standard Edition appliances for existing and new customers. You can now get an add-on Edge Security license along with the base license. The procedure to add and allocate add-on licenses to a device is similar to the existing base license workflow. Ensure that the base license is available before adding an add-on license. The Add-on License for Edge Security feature is supported on the Citrix SD-WAN 1100 appliances.

AWS Gateway Service

AWS Gateway Service is now supported as a Delivery Service. AWS Transit Gateway allows you to create and manage a single gateway to connect your Amazon Virtual Private Cloud (Amazon VPC) deployments and on-premises networks. AWS Transit Gateway Connect integrates Citrix SD-WAN and AWS Transit Gateway and simplifies the ability to build and manage global private networks. With Transit Gateway Connect, you create a Connect attachment that establishes a Connect peer (GRE tunnel) between the Citrix SD-WAN appliance and AWS Transit Gateway. The Connect attachment supports the Generic Routing Encapsulation (GRE) tunnel protocol for high performance, and Border Gateway Protocol (BGP) for dynamic routing.


You can enable or disable a virtual interface using the Enable check box.

Site Reports: DHCP

The DHCP Server/Relay report provides the information on the interfaces that are configured as DHCP Server or Relay and its associated routing domain and status.

Site Reports: DNS

The DNS Statistics report provides the information on application name, DNS service name, DNS service status, and the number of hits to the DNS service.

Site Reports: NDP

The NDP reports provide the real-time report of the NDP configurations.

Fallback configuration

Fallback configuration ensures that the appliance remains connected to the zero-touch deployment service if there is a link failure, configuration mismatch, or software mismatch. Fallback configuration is enabled by default on the appliances that have a default configuration profile. If the fallback configuration is disabled at a site, you can enable it through the Citrix SD-WAN Orchestrator service.


You can now use the Appliance settings Flows section to perform the following actions:

  • Enable/disable Citrix Virtual WAN service
  • Restart dynamic routing
  • Enable/disable virtual paths
  • Enable/disable WAN links

March 04, 2021

Partial Site Upgrade Setting

The Partial Site Upgrade option is newly added to upgrade or downgrade the selected sites with a different software version. Partial Site Upgrade provides the ability to test a new version before deploying it to the entire network. With the Partial Site Upgrade feature, upgrades can be staggered, thereby reducing the impact of software upgrades during business hours.

Alert when site loses Orchestrator cloud connectivity: Currently, there is no record in Alerts when the site loses cloud connectivity with Citrix SD-WAN Orchestrator service. With this feature, event entries are available in Alerts whenever the site loses or regains cloud connectivity with Citrix SD-WAN Orchestrator service.

Citrix SD-WAN 11.3.1 Release: Citrix SD-WAN 11.3.1 release is now supported in Citrix SD-WAN Orchestrator service.

February 18, 2021

IP rules

You can enable internet traffic policy and configure internet traffic settings under Internet Traffic Policy section. The Internet Traffic Settings enables you to transmit and receive packets for flows that match the rule over the internet.

Deployment Tracker

  • When the newly introduced Ignore Incomplete check box is enabled, the Activate check box is enabled only after all the online control nodes (MCN, RCN, Geo MCN, Geo RCN) get staged. You can choose to activate even if some of the online branch appliances are not staged. The online branch appliances that fail to get staged are ignored.

  • During deployment, in the case of a configuration-only update, only the sites that have configuration changes are staged and activated. For the remaining sites, the timestamp is updated and processed. The Not Needed column lists the number of sites that do not have any configuration change.

    If the software version is being changed, both configuration and software package are staged and activated on all the sites in the network.

Citrix SD-WAN VPX instance on Azure through SD-WAN Orchestrator service

Citrix SD-WAN Orchestrator service allows easy and quick deployment of a Citrix SD-WAN instance in Azure. It automates the process of provisioning an SD-WAN VPX instance in Azure while defining a cloud site. You can define the resource group, VNets/subnets, and other parameters for the template used for provisioning the SD-WAN VPX instance in Azure. The interfaces and WAN link configurations are auto populated for the Orchestrator configuration based on the resources created in Azure. You can then stage and activate the configuration on the VPX instance through Citrix SD-WAN Orchestrator service.

Site Details

The Site Details tab is added under the Deployment Tracker UI. The deployment site shows the site-specific details like SD-WAN Orchestrator Connectivity, High Availability (HA), and Software Version it is running on.

Support time range for API queries: From Citrix SD-WAN 11.3.1 release onwards, time range support is available for API queries (for Events).

January 28, 2021

Orchestrator traffic classification and Internet breakout

Citrix SD-WAN Orchestrator traffic optimization is introduced from Citrix SD-WAN software version 11.2.3 or higher. The goal is to provide a more granular classification, and thus, separately identify Citrix SD-WAN Orchestrator service traffic and other dependent services’ traffic from Citrix Cloud, and provide an Internet breakout option. As a result, customers can now choose to optimize only the Citrix SD-WAN Orchestrator service traffic.

Firewall policies

Firewall Profiles is renamed to Firewall Policies and the Verify Config option is removed from the UI. The following accordions which were under Firewall Profiles are now displayed as tabs and the labels are changed as follows:

  • Global Override Profile is renamed to Global Override
  • Site Specific Profile is renamed to Site Specific
  • Global Profile is renamed to Global Default

January 13, 2021

Network Location Service

Network Location Service (NLS) is a Citrix Cloud service that determines if the user connecting to Citrix Virtual Apps and Desktops is from the internal network. You can configure NLS for all sites within the network or specific sites through Citrix SD-WAN Orchestrator service. Using NLS, you can avoid manually configuring IP addresses of Citrix SD-WAN deployed locations.

You can enable NLS at the network level under Configuration > Delivery Services > Network Location Service.

Citrix SD-WAN Orchestrator service UI update

The look and feel of the Citrix SD-WAN Orchestrator service UI is changed to reflect the new color and font as per Citrix rebranding.


The screenshots in the Citrix SD-WAN Orchestrator service documentation might still reflect an earlier UI and will be updated in the upcoming releases.

December 17, 2020

Support for Hosted Firewall

Citrix SD-WAN Orchestrator service supports the Palo Alto Networks and Check Point hosted firewall integration on SD-WAN 1100 platform.

Site Configuration menu restructure

At site level configuration, the following UI changes are made:

  • Basic Settings is renamed to Site Configuration.

  • The Gateway ARP Timer (ms) and Host ARP Timer (ms) fields under Basic Settings > Site Details are now grouped under Advanced Settings > ARP.

  • The tabs under Advanced Settings are now listed as submenu options. The accordions under individual Advanced Settings tabs are now displayed as tabs under the respective submenu options. All the submenu options now display secondary breadcrumbs.

  • The Virtual Paths tab under Advanced Settings is renamed to Delivery Services and moved as a submenu option under Advanced Settings.

  • The Routing tab under Advanced Settings is renamed to Dynamic Routing.

Citrix SD-WAN 11.3 Release: Citrix SD-WAN 11.3 release is now supported in Citrix SD-WAN Orchestrator service.

Wi-Fi Access point

You can configure a Citrix SD-WAN appliance that supports Wi-Fi as a Wi-Fi Access Point, eliminating the need to maintain an extra access point appliance to create a WLAN. The devices on your LAN can connect to Citrix SD-WAN appliance through Wi-Fi.

The following two variants of Citrix SD-WAN 110 platform support Wi-Fi and can be configured as an access point:

  • Citrix SD-WAN 110-WiFi-SE
  • Citrix SD-WAN 110-LTE-WiFi

You can configure and manage Citrix SD-WAN appliances that are configured as Access Points through the Citrix SD-WAN Orchestrator service. Citrix SD-WAN Orchestrator service also allows you to view Wi-Fi related reports such as connected devices, data utilized, usage, and authentication failure logs at both network level and individual site level.

There are 2 geography SKUs to support 110 Wi-Fi SE and 110 LTE Wi-Fi SE, one for US or Canada and the other for Rest of World (ROW).

Advanced Edge security support for Citrix SD-WAN 410 SE appliance

Citrix SD-WAN 410 SE appliances now support Advanced Edge Security capabilities with Advanced Security add-on licenses.

Firewall defaults

The Action When Security Profiles Cannot be Inspected drop-down list is introduced to define an action for the packets that match a firewall rule and engage a security profile but temporarily cannot be inspected by the Edge Security subsystem. If you select Ignore, then the relevant firewall rule is treated as not matched and the next firewall rule in order is evaluated. If you select Drop, the packets matching the relevant firewall rule are dropped.
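The Ignore and Drop behaviours described above, modelled as an added example (not Citrix code and not the Orchestrator API). The rule fields, packet dictionaries, and the action taken when no rule matches are assumptions made for illustration; the helper lists flows that are inspected when Edge Security is healthy but pass uninspected during an outage.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Rule:
    """Hypothetical firewall rule; field names are illustrative only."""
    name: str
    matches: Callable[[dict], bool]          # predicate over a packet dict
    action: str                              # "allow" or "drop"
    security_profile: Optional[str] = None   # set when the rule engages inspection


def evaluate(rules, packet, inspection_available, uninspectable_action,
             default_action="drop"):
    """Return (verdict, rule_name, inspected) for one packet.

    uninspectable_action models the drop-down: "ignore" or "drop".
    default_action is an assumption for packets that match no rule.
    The verdict of the inspection itself is not modelled.
    """
    if uninspectable_action not in ("ignore", "drop"):
        raise ValueError("uninspectable_action must be 'ignore' or 'drop'")
    for rule in rules:
        if not rule.matches(packet):
            continue
        if rule.security_profile and not inspection_available:
            if uninspectable_action == "drop":
                # Fail closed: the matching packet is dropped.
                return ("drop", rule.name, False)
            # Ignore: the rule is treated as not matched, so evaluation
            # falls through to the next rule in order.
            continue
        return (rule.action, rule.name, rule.security_profile is not None)
    return (default_action, "no-rule-matched", False)


def uninspected_allows(rules, packets, uninspectable_action):
    """Flows inspected when healthy but allowed without inspection in an outage."""
    exposed = []
    for pkt in packets:
        healthy = evaluate(rules, pkt, True, uninspectable_action)
        outage = evaluate(rules, pkt, False, uninspectable_action)
        if healthy[2] and outage[0] == "allow" and not outage[2]:
            exposed.append((pkt["label"], outage[1]))
    return exposed


# Constructed sample policy and traffic (not taken from any real deployment).
RULES = [
    Rule("web-inspect", lambda p: p["dst_port"] in (80, 443), "allow", "web-filter"),
    Rule("lan-outbound", lambda p: p["zone"] == "lan", "allow"),
]
PACKETS = [
    {"label": "lan-https", "zone": "lan", "dst_port": 443},
    {"label": "guest-https", "zone": "guest", "dst_port": 443},
    {"label": "lan-ssh", "zone": "lan", "dst_port": 22},
]

if __name__ == "__main__":
    for mode in ("ignore", "drop"):
        print(mode, uninspected_allows(RULES, PACKETS, mode))
```

With Ignore, a broader allow rule placed after the inspecting rule decides the outcome during an outage, so rule order determines whether the setting fails open or closed for a given flow.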

IPS Profiles

IPS profiles allow you to enable a combination of IPS rules for a specific set of sites within the network. When an IPS profile is enabled, it inspects the network traffic only for the sites with which the IPS profile is associated and the IPS rules enabled within that profile. You can create IPS profiles on Citrix SD-WAN Orchestrator service at the network level under Configuration > Security > Intrusion Prevention.


You can add new File Types and MIME Types for Anti-Malware scanning. If Anti-Malware denies access to a website, you can set an external server location to redirect users. The users can be redirected to the default redirect page provided by Citrix SD-WAN Orchestrator service or you can create a custom redirect page.

Web filter option for advanced edition

For the Web filtering security functionality, the following safe browsing options are added under the Advanced Options:

  • Enforce safe search on popular search engines
  • Enforce restrict mode on YouTube
  • Force searches through kid-friendly search engine

SSL inspection

You can now configure Secure Sockets Layer (SSL) inspection for the traffic flowing to and from your organization. SSL inspection intercepts, decrypts, and scans the HTTPS and secure SMTP traffic for malicious content. You can create SSL rules as part of security profiles and define conditions for the traffic to undergo SSL inspection.

SSL inspection can be configured through Citrix SD-WAN Orchestrator. The SSL Inspection option is newly added under Configuration > Security and Configuration > Security Profile > New Security Profile.

December 03, 2020

Citrix SD-WAN Premium Edition (PE) Support

You can now configure and deploy Citrix SD-WAN PE appliances through Citrix SD-WAN Orchestrator service. As part of PE Phase-1 development, you can now configure WAN Optimization Configurations like Features, Tuning, Applications, and Rules through Citrix SD-WAN Orchestrator service. Deployment of SD-WAN PE appliances is also now possible through Citrix SD-WAN Orchestrator service.


  • The Citrix SD-WAN PE appliances are only supported on 1100, 2100, 5100, and 6100 platforms.
  • Citrix SD-WAN PE Support through Citrix SD-WAN Orchestrator service is currently only available for SD-WAN software version of

November 12, 2020

Site default routing domain and auto-bandwidth provisioning

Citrix SD-WAN Orchestrator service provides the ability to select the default routing domain for the site. Routing domain settings can either be global or site-specific. Also, you can enable/disable the virtual paths auto-bandwidth provisioning for all WAN links.

October 29, 2020

Site Routing Policies

Routing policies help to enable traffic steering. You can now configure Application Routes and IP Routes at the site level to steer traffic.

Hybrid billing model

For prepaid customers, the hybrid billing model is introduced. With the hybrid billing model, a customer’s network can support both perpetual and annual subscription licenses.

October 21, 2020

Citrix SD-WAN 11.2.2 Release: Citrix SD-WAN 11.2.2 release is now supported in Citrix SD-WAN Orchestrator service.

October 15, 2020

MPLS queues real-time statistics

You can view the MPLS Queues real-time statistics on the Citrix SD-WAN Orchestrator service. You can also view the direction, number of packets, delta packets, and mismatched DSCP packets for Intranet and Virtual path services.

For MPLS queues, you can view the access interface, IP address, proxy address, interface MAC address, and ARP details associated with the MPLS queue.

October 1, 2020

Domain name based custom applications

Domain name based custom applications are supported in Application Routing, Application Rule, and Firewall Profiles. To use a custom name based application, the match criteria must be listed as Application while creating Application Route and Firewall Policy.

HDX report

Citrix SD-WAN Orchestrator service allows you to view the detailed HDX reports grouped by site, user, and session, and categorized based on Quality of Experience (QoE). The metrics that impact the QoE calculation are also available for monitoring.

Zscaler service

You can now add sites for the Zscaler service. When a site is added, an IPsec tunnel is established between the SD-WAN site and Zscaler Enforcement Nodes (ZENs) in Zscaler’s cloud network. ZENs inspect the traffic bi-directionally and enforce security and compliance policies. While adding a site you can either automatically pick the ZENs based on the geo-location lookup of IP addresses of WAN links or manually select the ZENs. One ZEN is configured as the Primary and the other as the secondary. If the link to the primary ZEN goes down, the secondary ZEN takes over and provides high availability.

DNS settings

Citrix SD-WAN Orchestrator service supports the following types of DNS services:

  • Static: Intercepts the DNS requests destined to the SD-WAN IP address and forwards them to the specified DNS servers. You can create internal, ISP, Google or any other open source DNS service.
  • Dynamic: Intercepts the DNS requests destined to the SD-WAN IP address and redirects them to one of the DNS servers learned from the DHCP based WAN links. If the WAN link goes down, another DHCP based WAN link's DNS server is chosen. This feature is useful in deployments where ISPs allow DNS requests only to DNS servers hosted by them.

You can choose a DNS proxy service for in-band management. The InBand Management DNS drop-down list is introduced under Basic Settings > Interfaces. The DNS proxy services added under Advanced Settings > DNS are listed in the InBand Management DNS drop-down list.

In-band provisioning

Zero-touch deployment along with the in-band management feature enables provisioning and configuration management through designated data ports. Zero-touch deployment is now supported on the designated data ports and there is no need to use a separate management port for zero-touch deployment. Citrix SD-WAN Orchestrator service also allows management traffic to fail over seamlessly to the management port when the data port goes down, and conversely.

September 16, 2020

Show Tech Support bundle

The Show Tech Support (STS) Bundle contains important real-time system information such as access logs, diagnostics logs, and firewall logs. The STS bundle is used to troubleshoot issues in the SD-WAN appliances. You can now create and download the STS bundles from the Citrix SD-WAN Orchestrator service.

DSCP tag and Enable Encryption

The unique Differentiated Services Code Point (DSCP) tag field is added along with the Enable Encryption check box. Each WAN link requires a unique Virtual IP Address (VIP) to create the WAN link and a unique DSCP tag corresponding to the provider’s queuing scheme. The Enable Encryption check box helps to enable/disable the encryption for every custom MPLS, private Intranet, and public Internet Inter-Link Communication Group.

September 3, 2020

Role Based Access Control:

Role based access control (RBAC) regulates access to Citrix SD-WAN Orchestrator service resources based on the roles assigned to individual users. RBAC allows users to access only the data that their role demands and restricts any other data.

Roles can be assigned at Provider and Customer level under Administration > User Settings. Users can be assigned with a role from the following list of predefined roles.

  • Provider-Master-Admin-All
  • Provider-Master-Admin-Tenant
  • Provider-Master-ReadOnly
  • Customer-Master-Admin
  • Customer-Master-ReadOnly-Admin
  • Provider-Support-ReadWrite
  • Provider-Support-ReadOnly
  • Customer-Support-ReadWrite
  • Customer-Support-ReadOnly

Advanced Edge Security support for Citrix SD-WAN 210 SE appliances (Preview):

Citrix SD-WAN 210 SE and 210 SE LTE appliances now support Advanced Edge Security capabilities with Advanced Security add-on licenses. To enable advanced security capabilities on a Citrix SD-WAN 210 appliance, reimage the appliance software to Citrix SD-WAN and install the Advanced Security add-on license. For more details, see USB reimage Utility.


Activating the advanced security add-on license on the Citrix SD-WAN 210 appliance, for the first time, might take up to 20 minutes approximately.

Gateway Service optimization:

You can now enable the first packet detection, classification, and selective routing (direct internet breakout or over the virtual path) of the traffic destined for the Citrix Cloud and Citrix Gateway Service (control and data). This feature is only available via Citrix SD-WAN Orchestrator service starting from SD-WAN version 11.2.1.

Real-time Reports:

Citrix SD-WAN Orchestrator service allows you to view the real-time reports for the following security features:

  • Web Filtering: Provides the real-time report of the last 1000 web (HTTP, HTTPS) events from the total number of web requests.
  • Anti-Malware: Provides the real-time report of the last 1000 Anti-Malware events from the total number of the files scanned.
  • Intrusion Prevention: Provides the real-time report of the last 1000 logged and blocked intrusion prevention system events from the total number of intrusion events.

Application settings:

The Application Settings page provides an option to disable Global Deep Packet Inspection (DPI). DPI is enabled globally, by default, for all the sites in your network. Disabling DPI stops DPI classification capability on the appliance. You can also choose to disable DPI for certain sites only by overriding the global DPI settings.

WAN link services:

Under WAN link services, on the selection of Link Specific from the Service Bandwidth Settings drop-down list, you can see that the following options are newly added:

  • LAN to WAN Tag
  • WAN to LAN Tag
  • WAN to LAN Match
  • LAN to WAN Delay
  • Tunnel Header Size
  • WAN to LAN Grooming

Virtual interface enhancement:

You can forward directed broadcasts to Virtual IP subnets on the Virtual Interface by using the Directed Broadcast check box.

August 12, 2020

Dynamic Virtual Path enhancements:

  • Dynamic virtual paths can now be enabled/disabled at the site level using the Enable Dynamic Virtual Paths check box. The ability to enable dynamic virtual paths across the network globally is retained.
  • You can configure IPsec tunnel settings for dynamic virtual paths at the network level.
  • The dynamic virtual path thresholds for LAN-to-WAN and WAN-to-LAN in terms of bytes per second and packets per second are introduced per WAN link.

Static Virtual Path enhancements: The Tunnel Header Sizes in Bytes and Active MTU Detect configuration options are introduced in the Virtual Path WAN link properties.

Auto-correction: In the Citrix SD-WAN Orchestrator service, the auto-correction feature is implemented in the change management workflow. The auto-correction feature is applicable for staging failure on a branch node and activation failure on any node. The maintenance mode check box is added under the Change Management Settings to perform manual troubleshooting on an appliance. Once the maintenance mode check box is cleared, the auto-correction mechanism brings the appliance in sync with the network software and configuration version.

July 15, 2020

Application Quality: Application QoE is a measure of Quality of Experience of applications in the SD-WAN network. The Application QoE score is a value between 0 and 10. The score range that it falls in determines the quality of an application. The Application QoE dashboard provides the overall Application QoE score of all the applications in your network. You can also view individual Application QoE reports.

Region configuration enhancements: You can now change the default region, provide a description for the region, and add new subnets. You can also allow non-private Virtual IP addresses within a region or from other regions to match the configured subnets.

Citrix SD-WAN releases: The following Citrix SD-WAN releases are now supported in the Citrix SD-WAN Orchestrator service:

  • Citrix SD-WAN 10.2.7
  • Citrix SD-WAN 11.0.3d
  • Citrix SD-WAN 11.1.1a

July 6, 2020

Appliance settings: Citrix SD-WAN Orchestrator service allows you to configure the appliance settings at the site level and push them to the remote appliances. You can configure user, network adapters, NetFlow, AppFlow, and SNMP settings.

Link Aggregation Groups: The Link Aggregation Groups (LAG) functionality allows you to group two or more ports on your SD-WAN appliance to work together as a single port. This ensures increased availability, link redundancy, and enhanced performance. Citrix SD-WAN Orchestrator service supports simple Link Aggregation Group (ACTIVE-BACKUP).

Transit Nodes: Transit nodes reduce the cost of routing by configuring sites to route data via a virtual overlay transit node. You can configure Internet or Intranet transit nodes to allow sites without internet or intranet service to route to the internet or intranet through the configured transit sites.

Firewall profile: Firewall profiles provide security by ensuring that network traffic is restricted only to a specific firewall rule depending on the match criteria and by applying specific actions. The Firewall Profile contains three sections.

  • Global Profiles – Global profile is an aggregation of a couple of firewall rules. The profile that you create under the Global Profiles section is applied across all the sites in the network.
  • Site Specific Profiles – You can apply the defined firewall rules on certain specific sites.
  • Global Override Profile – You can override both global and site-specific profiles using the Global Override Profiles.

June 11, 2020

Edge Security: The Citrix SD-WAN Edge Security capability enables advanced security on Citrix SD-WAN branch appliances. It simplifies information security management by providing a single management and reporting pane for Network Edge Security. It eliminates the need for multiple branch solutions by consolidating routing, SD-WAN, and security capabilities on a single appliance. This reduces network complexity, operational cost, and provides a more secure network edge. The Edge Security stack includes the following security functionality:

  • Web filtering
  • Anti-Malware
  • Intrusion Prevention


  • The Edge Security is only supported for Citrix SD-WAN deployments managed through the Citrix SD-WAN Orchestrator service.
  • External syslog server support is not available through Citrix SD-WAN Orchestrator service for Citrix SD-WAN Edge Security.

Subnet support: From release 11.2 onwards, Citrix SD-WAN UI allows /31 subnets for configuring the network address.

Metered link enhancements: The following options are introduced under Advanced WAN link settings:

  • Approximate Data Already Used: The approximate data already used in MB for the metered link. This is applicable only for the first cycle. To track the metered link usage properly, specify the approximate metered link usage if the link has already been used for a few days in the current billing cycle.

  • Disable link if Data Cap Reached: If the data usage reaches the specified data cap, the metered link and all its related paths are disabled until the next billing cycle. If this option is not selected, the metered link remains in the current state, after the data cap is reached, until the next billing cycle.

Auto-learning of Public IP address on Intranet WAN link: You can now enable Auto learning of Public IP address on Intranet WAN links, under Basic settings > WAN Link Attributes, to support DHCP on Fail-to-Wire port.


Rollout of this release is in progress. The feature is available in respective POPs as the rollout completes.

June 1, 2020

LTE firmware upgrade: You can now upgrade the LTE firmware via the Citrix SD-WAN Orchestrator service along with configuring and managing all the LTE sites in your network. While creating the site, you need to select LTE as a submodel for the SD-WAN 210 appliance/model. Currently, the LTE support is only applicable on 210 appliances. You need to set the scheduling window information to upgrade the LTE firmware corresponding to the latest selected software version.

Static inter-routing domain service: Citrix SD-WAN Orchestrator service now supports Static Inter-routing Domain service, enabling routing between Routing Domains within a site or between different sites. This eliminates the need for an external edge router to handle routing between two routing domains. The inter-routing service can further be used to set up routes, firewall policies, and NAT rules.

Citrix SD-WAN 11.1.1 Release: Citrix SD-WAN 11.1.1 release is now supported in Citrix SD-WAN Orchestrator service.

May 13, 2020

Y-cable: You can now enable Y-cable support for Citrix SD-WAN 1100 SE/PE appliances through the Citrix SD-WAN Orchestrator service. The Small Form-factor Pluggable (SFP) ports can be used with a fiber optic Y-Cable to enable the high availability feature for Edge Mode deployment.

Wrap Alerts description: The alert message contents under the Reports > Alerts > Message column are now wrapped. Earlier, the alert messages were hidden when the length of the message was greater than the width of the allocated cell size.

DHCP Client: The Dynamic Host Configuration Protocol (DHCP) Client option is now available under the Site Profile template. Hence, sites that are created through the Site Profile also inherit the DHCP Client option.

Citrix SD-WAN 110 appliance support: The Citrix SD-WAN 110 hardware model appliance is now supported in the Citrix SD-WAN Orchestrator service.

April 28, 2020

HA near-hitless software upgrade: The HA near-hitless software upgrade feature ensures that the network downtime, during the software upgrade (11.1.x and above) process for an HA pair, is not more than the HA switch over time.

Appliance reports (Preview): Appliance report delivers Network traffic and System usage reports. Under Appliance Reports you can view Interfaces, Network, CPU Usage, Disk Usage, and Memory Usage reports in different tabs.

Change password: Citrix SD-WAN Orchestrator service allows you to centrally change the password of all the SD-WAN appliances in your network from the Network Configuration > Home page.

Microsoft Office 365 beacon service: Citrix SD-WAN supports Microsoft Office 365 beacon probing capability to help determine the best link to be used for Office 365. The probes determine the latency (round-trip-time) involved in reaching Office 365 endpoints through each WAN link, enabling network administrators to identify the best link to be used for Office 365 traffic. The Office 365 beacon probing capability is available only via the Citrix SD-WAN Orchestrator service.