Last week, we covered two different Citrix SD-WAN security solution options. We started with more traditional perimeter security based on the distributed deployment of a Citrix SD-WAN integrated firewall to complement a centralized full-stack firewall at a data center or enterprise headquarters. Check out the first blog here.

We also covered a cloud-centric option for enterprises looking to shift to an OpEx-based consumption model. In this case, Citrix partners with leading security solutions such as Palo Alto Prisma Access (previously known as GlobalProtect Cloud Security) and Zscaler Secure Internet Gateway to provide branch offices with secure web gateway services.

This blog will touch on the third option that is well-suited for mid-to-large healthcare or financial enterprises with in-house IT resources and that operate under stringent compliance requirements such as HIPAA, PCI-DSS, and GDPR. This solution is also ideal for companies wanting to maintain separation between Security Operations (SecOps) and Networking operations (NetOps) teams. Your in-house IT teams will find this solution attractive because of its best-of-breed approach that combines Citrix’s industry-leading SD-WAN with the security solution of your choice.

Introducing the New Citrix SD-WAN 1100

Citrix’s new SD-WAN 1100 is a purpose-built, high-performance appliance rated for 1Gbps of throughput. Under the hood, it’s an SDN/NFV-ready platform powered by eight-core CPUs and designed to host various virtualized network functions (VNFs) from select partners. The first one is Palo Alto’s VM-50 or VM-100, which provides advanced, next-generation firewall capabilities.

Unlike the secure web gateway service, which provides effective, basic protection for small branch offices, the Palo Alto Networks VM-50 and VM-100 are full-featured, next-generation firewalls (NG-FWs). NG-FWs are known for their high-functional consolidation that shares the results of the latest contextual-based remedial actions between its security functions. If your company is looking to consolidate edge devices at the branch, the Citrix SD-WAN 1100 is for you.

Citrix SD-WAN 1100 with Palo Alto Next-Gen Firewall

The combination of SD-WAN 1100 and Palo Alto VM-Series represents an advanced SD-WAN and security solution because it has been optimized to deliver high performance and app-ID enabled firewall in a compact footprint.

Figure 1 – Palo Alto VM-Series inspects LAN-to-LAN, DIA, and LAN-to-WAN traffic for complete protection.

Now, let’s consider several traffic scenarios around how the Citrix-Palo Alto combination can provide complete protection, as shown by the figure above:

1) The Palo Alto NG-FW VM will inspect all LAN-to-LAN traffic before forwarding. When an infected user or device or application is detected, the infected host will be quarantined first until the threat source is neutralized.

2 and 3) Direct internet and LAN-to / from-WAN traffic are also scrubbed clean by the Palo Alto’s NG-FW advanced engine. Because the Palo Alto is locally hosted in the WAN edge, users will benefit from minimal latency, higher security efficacy, and enhanced quality of experience overall.

Management Integration with Palo Alto.

In terms of security management, an enterprise can continue to use Palo Alto Networks Panorama to define consistent policies across a global network of their physical and virtual appliances, including the VM-50/100 hosted on the Citrix SD-WAN 1100. To make it even better, Citrix has developed a solution integration that is one level deeper between our SD-WAN orchestration service and Palo Alto Networks Panorama.

An IT admin can define any Citrix SD-WAN appliance to be directly connected to the nearest Palo Alto Prisma Access (Global Protect) cloud or point of presence (PoP) by simply declaring its location and the desired backhaul capacity. With just a few clicks, the Citrix SD-WAN will configure fast and secure IPsec tunnels between branch sites and the Palo Alto Networks Prisma Access cloud security.

Lastly, it is worth noting that a Citrix SD-WAN 1100 does not have to connect to both Palo Alto Networks Prisma Access to simultaneously run a VM-50/100. And if you like the SD-WAN 1100 and Palo Alto Networks NGFW joint solution, which will be available soon, we invite you to join our upcoming webinar for further details.

If you already have Citrix SD-WAN and are interested in the cloud security solutions from our partners, check out the solutions briefs from Citrix and Palo Alto and Zscaler.

Learn More in Our Webinar

Register now for our webinar on June 18, where we will discuss the various aspects of our security solutions and Citrix SD-WAN.

Date: Tuesday, June 18
Time: 9 a.m. ET (EMEA) and 11 a.m. ET (Americas)
Register now