Our in house SME Simon has been getting hands on with the new Citrix SD-WAN Advanced Edition which combines all of the Standard Edition features with a range of next generation security features, ideal for those looking for an integrated SD-WAN & edge security solution. Here’s how he got on but first a couple of relevant points before we start…

  • Citrix SD-WAN Advanced Edition combines all the capabilities of Citrix SD-WAN with a fully integrated edge security stack that enhances the built-in app firewall with intrusion prevention, web filtering, and virus protection capabilities.
  • Advanced Edition is currently only available with the Citrix SD-WAN 1100 device (The SD-WAN 210 is due Q4 2020)
  • Advanced Edition features can only be configured using Citrix SD-WAN Orchestrator.

The new Advanced Edition features (also referred to as “Edge Security”) are specifically listed as:

  • Web filtering
  • Anti-Malware
  • Intrusion Prevention

Configured using the new “Security Profiles” menu option in the Configuration menu in Orchestrator, Security Profiles are created and then bound to Firewall Policies. Firewall policies can then be bound globally or site specific giving you very granular control.

To access this, log into Orchestrator select configuration and “All Sites”, which is effectively “global settings” and you will see under the Security option in the left menu pane the new “Security Profile” option. Select this and you can then create a Security Profile with any combination of Web Filtering, Anti Malware and IPS settings.

Next we will take a quick look at each of these new features in turn.

Web Filtering

When Web Based filtering is enabled, the URL of the web site you are visiting is sent to the cloud database for categorisation. The URL can be “Flagged”, “Blocked” or “Allowed”, based on the acceptable policies defined, with any site access that is Flagged and/or  Blocked recorded as a violation in the Security Logs – viewed through the Reports menu.

Point of note: You have to configure valid DNS and enable HTTPS internet access through the SD-WAN Management Interface to allow access to the cloud-based database. The cloud based database has over 32 billion URL’s and 750 million domains with more being added every day. Categories include Social Media, Shareware and Freeware, Banking, Drugs, Dating etc. with 79 categories in total, plus you have the ability add your own web URL’s to block and flag access as required.

You can also allow specific URL’s from blocked groups, block specific URL’s from allowed groups or add rules that bypass web filtering totally for specific IP’s. (Allow IT special privileges 😊)

The Web Filter feature also enables HTTPS traffic to be processed by Server Name Indication (SNI) – this option is enabled by default and blocking options include, block UDP 443 (the web UX optimising QUIC protocol), close connection without redirection (a common trick to try and fool web filters) and redirect to a custom URL for blocked sites.


The Anti-Malware feature uses BitDefender’s engine to scan the downloaded files using a combination of signature database, heuristics for suspicious patterns and dynamic emulator analysis. It’s a simple way to  eradicate Viruses, Trojans and other malware with further options available to scan HTTP, FTP and SMTP traffic. In total, BitDefender provides support for up to 41 file types in HTTP traffic and 10 Mime Types.

Point of Note: With this feature there is a trade off between anti-malware scanning and wider system performance (including the SD-WAN overlay performance) and as such this needs to be reviewed on a regular basis and definitely at initial install, in order to strike the right balance between the two. You ultimately have a finite amount of computational resource, so use it wisely.

The Anti-Malware checks for updates every 15 minutes and the process of downloading and applying any new updates that are required is done automatically and in background. No special settings on management interface, as with Web Filtering or user interaction.

Intrusion Prevention System

Intrusion Prevention (IPS) includes a database of over 34,000 signatures, providing detecting and preventing malicious activity on the network, allowing you to monitor and block most suspicious requests. Checks for updates of this database are automatic and made daily with any updates installed in background

Points of note:

  • IPS is bound to the SD-WAN appliance via a Firewall Policy and as such will only detect malicious traffic that is captured by that specific firewall policy. With that in mind, you need to think about the possibility of creating multiple firewall policies to capture all traffic.
  • There is a trade-off between what you scan for and system performance (the more you look for, the heavier the load on the appliance) so just as with the Anti-Malware feature, it’s worth keeping an eye on what you set and how the appliance is performing.

The Intrusion Prevention System is configured from its own menu option in Orchestrator and is global to the SD-WAN configuration (all or nothing). There are four pre-set rules with the option to define your own in addition to those. Each rule can be enabled or disabled but remember, these are global and as such no options for variation across policies.

Finally, after configuring all this monitoring and processing we need to be able to see what is happening and report on it.


Reporting within Orchestrator now has a “Security” option in which you can view the logs of all three features – Web Filtering, Intrusion Prevention and Anti-Malware. Screen shots below show dashboards for these. Withthe ability to filter events from the last 5minutes to the last month.

  • Web Filtering shows number of web requests and the percentages allowed, flagged or blocked.
  • Anti-Malware shows total files scanned with Clean and Infected percentages highlighted.
  • Intrusion Protection shows number of events with percentage flagged and blocked.

All show the sites affected and the policies hit.

I said earlier some of these features consume lots of resources and so these reports would give you an idea of what is happening and help in understanding how an appliance might be performing and remember – “You can’t manage what you can’t see” so this is quite cool …

Web Filtering Distribution report – High level view, key facts presented with the ability to click to drill down for more detail.

Anti-Malware Reporting – A drill down view showing the top-10 visited websites / FTP sites / email from, clients & virus.

Intrusion Protection Reporting – The last 1000 logged events for a given timeline.


To find out more about Citrix SD-WAN and how it can help to address user and enterprise requirements call 0330 010 3443 or email hello@clouddnagroup.com