Citrix SD-WAN

Firewall Traffic Redirection Support by Using Forcepoint in Citrix SD-WAN

Forcepoint supports the following features, although SD-WAN supports only the firewall redirect feature:

  • IPsec with PKI
  • IPsec with PSK
  • Proxy chaining using PAC file configuration
  • Proxy chaining with standard headers
  • Proxy chaining with proprietary headers removing the need to configure the client's IP range - partnership/development
  • Firewall redirect (transparent proxy by Destination NAT)

The Destination NAT policy enables enterprises to route internet traffic through a cloud-hosted security service using Forcepoint.

Review the following use case to understand how to configure Destination NAT in SD-WAN appliances and redirect internet traffic through a secure cloud-based firewall service.


  1. Log in to the Forcepoint portal site. Create a policy by providing the Enterprise Public IP address through which internet traffic needs to be redirected to Forcepoint. Obtain the Primary and Secondary IP addresses to which the internet traffic should be redirected.

  2. In the SD-WAN GUI, on an SD-WAN appliance at the DC site, configure the Internet service associated with the WAN links.

  3. Destination NAT is performed using the destination IP address of the internet traffic. This destination address is changed to the Forcepoint public IP address.

  4. Configure the Destination NAT policy by providing the source IP address and the primary IP address. The source IP is the internet IP address of the SD-WAN appliance, with inside ports 80 (HTTP) and 443 (HTTPS). It is redirected/translated to the primary destination IP address of the cloud-based firewall gateway, with outside ports 8081 (HTTP) and 8443 (HTTPS) respectively.

  5. After configuring the DNAT policy, ensure that the Routes configured on the DC have the Internet service type selected for the SD-WAN network IP address.

For additional information about NAT support in Citrix SD-WAN, see the topic Configure NAT.
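
The port mapping in step 4, as an added example (not Citrix or Forcepoint code): a small Python model that applies the 80 to 8081 and 443 to 8443 translations to sample flows and lists the flows that no rule matches. The `DnatRule` fields and `FORCEPOINT_PRIMARY` are assumptions, and every address is a constructed placeholder from the documentation ranges.

```python
"""Model of the port-based Destination NAT redirect described in the use case.

Added illustration: the rule fields are a simplification, not the SD-WAN
configuration schema, and all addresses are constructed (RFC 5737 ranges).
"""
from dataclasses import dataclass
from typing import Tuple

# Placeholder for the primary IP address obtained from the Forcepoint portal.
FORCEPOINT_PRIMARY = "203.0.113.10"


@dataclass(frozen=True)
class DnatRule:
    inside_port: int    # original destination port to match
    outside_ip: str     # translated destination address
    outside_port: int   # translated destination port


# Port pairs from the use case: 80 -> 8081 (HTTP), 443 -> 8443 (HTTPS).
POLICY = [
    DnatRule(80, FORCEPOINT_PRIMARY, 8081),
    DnatRule(443, FORCEPOINT_PRIMARY, 8443),
]


def translate(dst_ip: str, dst_port: int, policy=POLICY) -> Tuple[str, int, bool]:
    """Return (new_dst_ip, new_dst_port, redirected) for one outbound flow."""
    for rule in policy:
        if rule.inside_port == dst_port:
            return rule.outside_ip, rule.outside_port, True
    return dst_ip, dst_port, False  # no rule matched: destination unchanged


def unredirected(flows, policy=POLICY):
    """List flows that no DNAT rule matches, i.e. traffic the policy leaves alone."""
    return [f for f in flows if not translate(f[0], f[1], policy)[2]]


if __name__ == "__main__":
    # Constructed sample flows: (destination IP, destination port).
    sample = [("198.51.100.7", 80), ("198.51.100.7", 443),
              ("198.51.100.7", 8080), ("192.0.2.53", 53)]
    for ip, port in sample:
        print((ip, port), "->", translate(ip, port))
    print("not redirected:", unredirected(sample))
```

Flows reported by `unredirected` are the ones to review when deciding whether further DNAT policies or firewall rules are needed, since a policy keyed on ports 80 and 443 does not touch web traffic on other ports.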


Configuring Destination NAT (DNAT)

Use the Citrix SD-WAN GUI to configure Destination NAT (DNAT). In the configuration, add one or more DNAT policies that redirect traffic matching a specific destination IP address and port.

To configure Destination NAT:

In the SD-WAN SE/VPX GUI, go to Configuration -> Virtual WAN -> Configuration Editor. Click Open to open an existing package. Select a saved configuration package. You can also create DNAT rules while building the network configuration.

  1. At the DC (MCN), configure Internet Service. Go to Connections -> Firewall.

  2. Click + Add to add a DNAT policy.

  3. In the Add Destination NAT Policy dialog box, provide the following information:

    • Priority
    • Direction
    • Service Type
    • Service Name
    • Inside IP Address
    • Inside Port
    • Outside IP Address
    • Outside Port


  4. Provision Destination NAT rules for Firewall traffic redirect, similar to static NAT.

  5. Enter the matching criteria and the Destination IP/port to be NATed.

  6. Perform connection matching of the DNAT rule with statistics.

  7. Remove or Update DNAT rules during configuration update.

Monitoring a Destination NAT Policy (Firewall)

You can also use the Citrix SD-WAN GUI to monitor the current DNAT policy configuration.

To monitor the current Destination NAT policy configuration:

  1. In the Citrix SD-WAN GUI, navigate to Monitoring > Firewall > NAT Policies.

  2. Select the tab that includes the statistics you want to monitor.

