Citrix SD-WAN

Stateful Firewall and NAT Support

This feature provides a firewall built into the SD-WAN application. The firewall allows policies between services and zones, and supports Static NAT, Dynamic NAT (PAT), and Dynamic NAT with Port Forwarding. More firewall capabilities include:

  • Provide security for user traffic within SD-WAN network (Enterprise and Service Providers)
  • (Potential) Reduction of External Equipment (Enterprise and Service Providers)
  • Using the same IP address space for Multiple customers: NAT Capability (Service Providers)
  • Apply multiple firewalls from a global perspective (Service Providers)
  • Filtering traffic flows between Zones
  • Filtering traffic between services within a Zone
  • Filtering traffic between services that reside in different Zones
  • Filtering traffic between services at a site
  • Defining Filter Policies to Allow, Deny, or Reject flows
  • Tracking flow state for selected flows
  • Applying Global Policy Templates
  • Support for Port Address Translation for traffic to the Internet on an untrusted port, as well as port forwarding inbound and outbound
  • Provide Static Network Address Translation (Static NAT)
  • Provide Dynamic Network Address Translation (Dynamic NAT)
  • Port Address Translation (PAT)
  • Port-Forwarding

To simplify the configuration process, firewall Policies are created at the Global Configuration level. This Global configuration consists of Pre-Appliance and Post-Appliance site Policy Templates that can be applied to all sites within the SD-WAN network.

Note

It is not recommended to use firewall in Fail-to-Wire inline mode due to security reasons.

Global-policy templates

localized image

Pre-policy template

localized image

Post-policy template

localized image

Stateful Firewall and NAT Support