Palo Alto Integration by Using IPsec Tunnels

Citrix SD-WAN appliances can connect to the Palo Alto cloud service (GlobalProtect Cloud Service) network through IPsec tunnels at the customer’s site. The key benefits include:

  • Next-generation security delivered globally.

  • Add and manage locations, users and policy deployment centrally.

  • Forward IPsec tunnel traffic to the Palo Alto network.

  • SD-WAN appliances configured in high availability mode: if the active appliance fails, the IPsec tunnel is established through the other appliance.

  • Virtual routing and forwarding deployments.

  • A WAN link used as part of the Internet service.


Configure the following in Citrix SD-WAN GUI:

  • Configure the IPsec tunnel.
  • Configure an IPsec protected network with the local LAN networks as the Source subnet and a Destination subnet that covers all Internet traffic, so that all Internet traffic is sent through the tunnel.

Configure the following in Palo Alto:

  • Configure all the required IPsec tunnel details.
  • Configure the IKE peer with the public source IP address of the SD-WAN IPsec tunnel.

Verify end-to-end traffic connection:

  • From the LAN subnet of the branch, access Internet resources.
  • Verify that the traffic goes through the Citrix SD-WAN IPsec tunnel to the Palo Alto GlobalProtect Cloud Service.
  • Verify that the Palo Alto security policy is applied to the traffic.
  • Verify that the response from the Internet reaches the host in the branch.


Use case 1: Branch-to-Internet

  • Establish an IPsec tunnel from each branch to the Palo Alto GlobalProtect Cloud Service (GPCS).

  • For branch-to-Internet communication, configure protected networks that include the networks belonging to both branches.

  • For direct Internet breakout through the GPCS, configure the IPsec protected networks on SD-WAN with a destination subnet that covers all Internet traffic.


Use case 2: SD-WAN edge device in high availability mode:

  • Configure the SD-WAN appliances in high availability mode.

  • Establish an IPsec tunnel from each branch to GPCS.

  • Traffic redirection from SD-WAN to GPCS always occurs through the active appliance.

  • Upon a high availability event, the secondary SD-WAN appliance takes over and starts sending traffic towards GPCS.


To configure IPsec Tunnel:

  1. Navigate to Connection > Site > IPsec Tunnels.
  2. Configure the IKE and IPsec parameters. The IKE version, encryption, authentication and DH group must match the values configured on the Palo Alto side, or the tunnel does not come up.

    For more information about configuring IPsec tunnels, see Configure IPsec tunnels between SD-WAN and third-party cloud services/devices.

    You specify which traffic is protected by IPsec using Protected Networks. You can configure a maximum of eight protected networks per tunnel.
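The following added example (not Citrix code) models how the Protected Networks of a tunnel select traffic, covering both the per-tunnel configuration above and the branch-to-Internet use case: a flow is carried in the tunnel when its source lies in a protected network's source subnet and its destination lies in that network's destination subnet, and a tunnel holds at most eight protected networks. Using 0.0.0.0/0 as the destination that sends all Internet traffic through the tunnel is an assumption of the example; the page does not spell out the value. The LAN subnets and host addresses are constructed sample data.

```python
"""Model of IPsec Protected Network selection on a Citrix SD-WAN tunnel.

Added example, not Citrix code. Assumes only the documented behaviour
(source/destination subnet match, at most eight protected networks).
The catch-all destination 0.0.0.0/0 is an assumption.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List

MAX_PROTECTED_NETWORKS = 8            # per-tunnel limit stated on the page
CATCH_ALL = IPv4Network("0.0.0.0/0")  # assumed catch-all destination


@dataclass(frozen=True)
class ProtectedNetwork:
    source: IPv4Network
    destination: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.source and dst in self.destination


def within_limit(networks: Iterable[ProtectedNetwork]) -> bool:
    """True if the configuration respects the eight-network limit."""
    return len(list(networks)) <= MAX_PROTECTED_NETWORKS


class IPsecTunnel:
    def __init__(self, name: str, networks: Iterable[ProtectedNetwork]):
        self.name = name
        self.networks: List[ProtectedNetwork] = list(networks)
        if not within_limit(self.networks):
            raise ValueError(
                f"{name}: {len(self.networks)} protected networks exceed "
                f"the limit of {MAX_PROTECTED_NETWORKS}")

    def selects(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return any(n.matches(src, dst) for n in self.networks)


def internet_breakout_tunnel(name: str, lan_subnets: Iterable[str]) -> IPsecTunnel:
    """Use case 1: each branch LAN subnet as source, catch-all destination."""
    return IPsecTunnel(
        name, [ProtectedNetwork(IPv4Network(s), CATCH_ALL) for s in lan_subnets])


def route_decision(tunnel: IPsecTunnel, src: str, dst: str) -> str:
    """Return 'tunnel' when the flow is protected, otherwise 'local'."""
    return "tunnel" if tunnel.selects(IPv4Address(src), IPv4Address(dst)) else "local"


if __name__ == "__main__":
    # Constructed sample: two branch LANs behind one appliance.
    gpcs = internet_breakout_tunnel("to-gpcs", ["10.1.0.0/24", "10.2.0.0/24"])
    print(route_decision(gpcs, "10.1.0.25", "93.184.216.34"))      # tunnel
    # A host outside the configured LAN subnets is not protected, so its
    # Internet traffic bypasses GPCS inspection: a misconfiguration to test for.
    print(route_decision(gpcs, "192.168.50.10", "93.184.216.34"))  # local
```

The second call is the check worth running during verification: any branch subnet missing from the source side of a protected network reaches the Internet without passing through the Palo Alto security policy.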


Monitor IPsec Tunnels:

In the Citrix SD-WAN appliance GUI, go to Monitoring > Statistics. Select IPsec Tunnel from the Show drop-down list. Traffic that is sent over the tunnel can be monitored in the Sent and Received columns.

  • Monitoring > IKE/IPsec - You can monitor all IKE SAs and their corresponding IPsec SAs.


Configure IPsec in Palo Alto Global Protect Cloud Service (GPCS):

  1. Log in to Palo Alto Panorama.
  2. Navigate to Network Profiles > IKE Crypto and configure the IKE crypto profile. Configure the IPsec Crypto profile in the same way; it is selected when the IPsec tunnel is created.


Configure IKE gateway:

  1. Add an IKE Gateway.
  2. Configure the IKE version.
  3. Choose the Peer IP Address Type as IP.
  4. Enter the IKE peer IP address. This is the Citrix SD-WAN public IP.
  5. Configure the Authentication type: Pre-Shared Key or Certificate.
  6. Configure the pre-shared key that you are going to use.


  7. Click Enable NAT Traversal in the Advanced Options tab. NAT traversal carries IKE and ESP over UDP port 4500, which is required when the SD-WAN appliance sits behind a NAT device and the peer address seen by GPCS is not the appliance's own interface address.
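Before any IPsec SA exists, the two IKE configurations above (SD-WAN tunnel parameters and the Panorama IKE crypto profile, gateway and pre-shared key) must agree twice: on a crypto proposal and on the pre-shared key. The following added example (not Citrix or Palo Alto code) models both checks so the two failure modes can be told apart. The proposal values and keys are constructed sample data; the AUTH computation follows RFC 7296 section 2.15 with HMAC-SHA256 as the PRF, and the "signed octets" are a constructed stand-in for the real IKE_SA_INIT message bytes.

```python
"""IKEv2 negotiation model: proposal agreement, then pre-shared-key authentication.

Added example, not vendor code. Profiles and keys are constructed; the PRF
choice (HMAC-SHA256) and the stand-in signed octets are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional

KEY_PAD = b"Key Pad for IKEv2"  # fixed string from RFC 7296 section 2.15


@dataclass(frozen=True)
class IkeProposal:
    version: int      # 1 or 2
    encryption: str   # e.g. "aes-256-cbc"
    integrity: str    # e.g. "sha256"
    dh_group: int     # e.g. 14 (2048-bit MODP)


def select_proposal(initiator: Iterable[IkeProposal],
                    responder: Iterable[IkeProposal]) -> Optional[IkeProposal]:
    """Responder accepts the first initiator proposal it also supports."""
    accepted = set(responder)
    for proposal in initiator:
        if proposal in accepted:
            return proposal
    return None


def ikev2_psk_auth(psk: bytes, signed_octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)."""
    padded_key = hmac.new(psk, KEY_PAD, hashlib.sha256).digest()
    return hmac.new(padded_key, signed_octets, hashlib.sha256).digest()


def negotiate(sdwan_proposals, sdwan_psk: bytes,
              gpcs_proposals, gpcs_psk: bytes, signed_octets: bytes) -> str:
    """Return the outcome a troubleshooter would look for in the IKE log."""
    chosen = select_proposal(sdwan_proposals, gpcs_proposals)
    if chosen is None:
        # Crypto profile mismatch: IKE version, cipher, hash or DH group differ.
        return "NO_PROPOSAL_CHOSEN"
    # SD-WAN builds AUTH with its key; GPCS recomputes with its own key and
    # compares in constant time. Both match only when the keys are identical.
    received = ikev2_psk_auth(sdwan_psk, signed_octets)
    expected = ikev2_psk_auth(gpcs_psk, signed_octets)
    if not hmac.compare_digest(received, expected):
        return "AUTHENTICATION_FAILED"
    return (f"IKE_SA_ESTABLISHED ikev{chosen.version} "
            f"{chosen.encryption}/{chosen.integrity}/group{chosen.dh_group}")


# Constructed sample configurations.
SDWAN_PROFILE = [IkeProposal(2, "aes-256-cbc", "sha256", 14)]
GPCS_PROFILE_OK = [IkeProposal(2, "aes-256-cbc", "sha256", 14),
                   IkeProposal(2, "aes-128-cbc", "sha1", 2)]
GPCS_PROFILE_DH_MISMATCH = [IkeProposal(2, "aes-256-cbc", "sha256", 19)]
SIGNED_OCTETS = b"constructed stand-in for IKE_SA_INIT bytes"

if __name__ == "__main__":
    print(negotiate(SDWAN_PROFILE, b"s3cret", GPCS_PROFILE_DH_MISMATCH, b"s3cret", SIGNED_OCTETS))
    print(negotiate(SDWAN_PROFILE, b"s3cret", GPCS_PROFILE_OK, b"other", SIGNED_OCTETS))
    print(negotiate(SDWAN_PROFILE, b"s3cret", GPCS_PROFILE_OK, b"s3cret", SIGNED_OCTETS))
```

When the tunnel stays down, the distinction matters: a proposal mismatch is fixed in the IKE crypto profiles on either side, while an authentication failure with matching proposals points at the pre-shared key or at the peer address GPCS is matching the gateway against.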


Create IPsec Tunnel:

Add an IPsec tunnel that uses the IKE gateway and IPsec crypto profile you created. Provide the protected network to allow traffic from SD-WAN through the tunnel.


Block applications:

You can block certain applications by configuring a security policy rule as follows. The rule is bound to the tunnel you created, so it applies only to traffic that arrives from SD-WAN through that tunnel.


Verify end-to-end traffic:

From a branch host, access the Internet and check that the traffic appears under the IPsec tunnel statistics on the SD-WAN GUI monitoring page. Check the blocked sites configured in Palo Alto GPCS and confirm that they are inaccessible from the branch network; a blocked site that still loads means the traffic is leaving the branch outside the tunnel.
