Citrix SD-WAN 11.3 release is here!

On Friday 18th December, Citrix released the Citrix SD-WAN 11.3 firmware, available initially via Citrix SD-WAN Orchestrator. Our in-house Citrix SD-WAN Subject Matter Expert Simon has been putting it through its paces and here’s what he found…

The Citrix SD-WAN documentation states “Citrix SD-WAN provides an unparalleled experience for mission- and business-critical applications delivered from any location with comprehensive security that protects users, applications, and data across the branch, network, and cloud”. As with everything, there are always improvements to be made and faults to be corrected.

The list of new features in v11.3 is not long, but there are some very interesting enhancements. Below is an extract of those I think are of note. (You can read the full list in the release notes; a link is at the bottom of this document.)

 

NOTE: The first thing I would say is that this v11.3 does take quite a while to install. I initially upgraded my VPX in Azure and VPX in home office and noticed not only did the download appear to be quite large (took a while to download), it took about 5 minutes to activate (no stopwatch but it was a long time). To test further I added my 210 to the configuration. The 210 was already running v11.2.2. The download wasn’t as slow as the VPX but it was noticeably slower, so this indicated to me it was big. Then activation must have been about 5 minutes. The 210 bleeped so there was a full restart of the system.

So be sure that when you plan the upgrade to v11.3 you do everything you should before an upgrade. Take a backup, make sure you have a recovery process and, as this takes a while, do it when the effects on the network will be minimal.

 

What’s new in Citrix SD-WAN 11.3 release

Update to Edge Security with the addition of SSL Inspection.

  • The Citrix SD-WAN Edge Security capability has had SSL Inspection added to its feature set.

You can now configure Secure Sockets Layer (SSL) inspection for the traffic flowing to and from your organisation, allowing you to “Intercept, Decrypt and Scan” HTTPS and Secure SMTP traffic for malicious content.

This is configured through the addition of a Security Profile in the Security option within the global settings.

You’ll need the appropriate certificates (Root and Server, depending on the traffic you are inspecting).

Advanced Edition Support on Citrix SD-WAN 410 SE appliances.

  • The release of v11.3 now supports the Advanced Edition (AE) feature set on the SD-WAN 410 SE appliance.

This means that the enhanced security features of AE are now supported on the SD-WAN 1100, 410 and 210 series hardware appliances, with the appropriate licences determining both overlay and security feature throughput. You can read more about Citrix SD-WAN Advanced Edition in our recent blog post https://clouddnagroup.com/2020/09/11/hands-on-with-the-new-citrix-sd-wan-advanced-edition/

Note: Citrix took the 410 off the pricelist in July 2019 but it doesn’t actually go end of life until July 2024, so this does give these old appliances some extra functionality, which is cool.

Wi-Fi Access Point

  • With the release of v11.3 firmware the new Citrix SD-WAN 110-SE-LTE device can now support WiFi access points.

Details are available within the online docs, but the headline news is it supports up to 4 SSIDs and they can be configured to be totally separate (Client Isolation), allowing you to have a Corporate and Guest WiFi and route accordingly. SSIDs can be broadcast if you want.

Security options are: Open, WPA2 Personal, WPA2 Enterprise, WPA3 Personal and WPA3 Transitional.

For WPA2 Enterprise you can configure 2 x RADIUS profiles to support the user authentication into that specific SSID.

From a configuration perspective, when you select the WiFi “Sub Model”, a new “Wi-Fi Details” tab appears, enabling you to configure the Wi-Fi SSIDs.

Within that tab you can configure the Wi-Fi Radio settings which can be country specific. Super simple.

Support for the Hosted Firewall in the Citrix SD-WAN 1100

Citrix SD-WAN Orchestrator now has a new option within the global settings called “Hosted Firewall”, providing the facility to import the Palo Alto or Checkpoint VM into the 1100 appliance.

Note: as can be seen in the screenshot below, this is still Tech Preview.

Menu Restructuring

There have been a lot of changes in the menu structure of the administration and reporting GUIs. I can’t find a detailed list but what I have noticed is that what used to be “Tabs” across the right-hand window of the browser are now listed as options in the left-hand menu of the configuration GUI.

Example: As you can see in the screenshot below, before this release these options, listed on the left, were tabs across the window on the right.

A couple of things not listed in the What’s New section of the release notes.

New Management GUI on all appliances

  • I upgraded my home office network this morning and then logged onto my VPX to test something completely different and look what I found. 😊

It would seem that the new management GUI that was introduced with the SD-WAN 110 appliance is now the default for all appliances running v11.3.

My lab VPX

My lab 210

For those who find the new GUI a little limiting ☹ and I certainly did when I was trying to monitor hits on my NAT rules within the firewall stats, there is relief. When you select the little chap top right of the GUI, one of the options is to “Open Legacy SD-WAN UI”. Nice 😊

IPv6

  • IPv6 is now all over the reporting windows within the Citrix SD-WAN GUIs (both Citrix SD-WAN Orchestrator and Local GUI).

Below is a screenshot from the real time display on my VPX. It would be good to be able to filter the display within Orchestrator, especially when working in an IPv4 only environment, but that is currently not possible (you can filter when reviewing the appliance in the legacy GUI 😊).

Remember, for a complete list of features and fixes in v11.3 you can read the release notes; just follow this link: What’s New (citrix.com)

FIND OUT MORE

If you would like to talk to us about any of the points raised above or you would like a demo, please call 0330 010 3443 or email hello@clouddnagroup.com.