Palo Alto Integration by Using IPsec Tunnels
Citrix SD-WAN appliances can connect to the Palo Alto cloud service (GlobalProtect Cloud Service) network through IPsec tunnels at the customer’s site. The key benefits include:
- Next-generation security delivered globally.
- Add and manage locations, users, and policy deployment centrally.
- Forward IPsec tunnel traffic to the Palo Alto network.
- Run the SD-WAN appliance in high availability mode: if one appliance fails, the IPsec tunnel is established through the other appliance.
- Virtual routing and forwarding deployments.
- One WAN link as part of internet services.
Configure the following in Citrix SD-WAN GUI:
- Configure IPsec Tunnel.
- Configure an IPsec protected network with the local LAN networks as the source subnet and 0.0.0.0/0 as the destination subnet (to send all internet traffic through the tunnel).
Configure the following in Palo Alto:
- Configure all necessary IP tunnel details.
- Configure the IPsec peer with the public source IP address of the SD-WAN IPsec tunnel.
Verify end-to-end traffic connection:
- From LAN subnet of branch, access internet resources.
- Verify that traffic goes through the Citrix SD-WAN IPsec tunnel to the Palo Alto GlobalProtect Cloud Service.
- Verify that the Palo Alto security policy is applied to the traffic.
- Verify that the response from the internet to the host in the branch comes through.
Use case 1: Branch-to-Internet
Establish an IPsec tunnel from each branch to the Palo Alto GlobalProtect Cloud Service (GPCS).
For branch-to-internet communication, configure protected networks with networks belonging to both branches.
For direct internet breakout through the GPCS, configure IPsec protected networks on SD-WAN with 0.0.0.0/0 as the destination subnet.
Use case 2: SD-WAN edge device in high availability mode:
Configure SD-WAN appliance in high availability mode.
Establish an IPsec tunnel from each branch to GPCS.
Traffic redirection from SD-WAN to GPCS always occurs through the active appliance.
Upon a high availability event, secondary SD-WAN appliance takes over and starts sending traffic towards GPCS.
To configure IPsec Tunnel:
- Navigate to Connection > Site > IPsec Tunnels.
- Configure the IKE and IPsec parameters.
For more information about configuring IPsec tunnels, see Configure IPsec tunnels between SD-WAN and third-party cloud services/devices.
You can specify which traffic is protected by IPsec using protected networks. You can configure a maximum of eight protected networks per tunnel.
Monitor IPsec Tunnels:
In the Citrix SD-WAN appliance GUI, go to Monitoring > Statistics. Select IPsec Tunnel from the Show drop-down list. Traffic sent over the tunnel can be monitored in the Sent and Received columns.
- Monitoring > IKE/IPsec - You can monitor all IKE SAs and the corresponding IPsec SAs.
Configure IPsec in Palo Alto Global Protect Cloud Service (GPCS):
- Log in to Palo Alto Panorama.
- Navigate to Network Profile > IKE Crypto and configure the IKE crypto suite.
Configure IKE gateway:
- Add IKE Gateway.
- Configure IKE Version.
- Choose the Peer IP Address Type as IP.
- Enter the IKE peer IP address. This is the Citrix SD-WAN public IP.
- Configure the authentication type (pre-shared key or certificate).
- Configure the pre-shared key that you are going to use.
- Click Enable NAT Traversal on the Advanced Options tab.
Create IPsec Tunnel:
Add an IPsec Tunnel with already created IKE Gateway and IPsec Crypto Profile. Provide the protected network to allow traffic from SD-WAN through the tunnel.
You can block certain applications by configuring a firewall rule that is bound to the tunnel you created.
Verify end-to-end traffic:
From the branch host, access the internet and check that the internet traffic appears under the IPsec tunnel statistics on the SD-WAN GUI monitoring page. Check for any blocked sites in Palo Alto GPCS and ensure that the blocked sites are inaccessible from the branch network.