Configure IPSec and GRE in Prisma SD-WAN

Configure IPSec and GRE in Prisma SD-WAN

1. In Strata Cloud Manager, go to MonitorPrisma SD-WANBranch Sites.
2. Switch to List View, search for the required branch site, and open the site details page.

   
3. Go to the Configurations tab and click Configure to initiate the Zscaler integration process.

   

   The Configure button remains disabled if no circuits are attached or the CloudBlade is not enabled.
4. On the Connect to Zscaler screen, select the tunnel type (IPSec or GRE) for configuration.

   To configure the GRE Tunnel, ensure that a Security Zone is associated with a Security Policy, and the Security Policy is bound to the site. Associating a Security Zone is mandatory for GRE tunnels. Go here to configure GRE endpoints for both primary and secondary tunnels.
5. Select the preconfigured Security Zone and specify the Custom Endpoint for both primary and secondary tunnels (version 2.0.0 onwards).

   

   When using custom endpoints for GRE tunnels, ensure the IP addresses are listed among the closest data centers and belong to data centers in different locations.
6. To configure the IPSec tunnel, set up a custom Standard VPN Endpoint if needed instead of the one managed by CloudBlade.
7. Configure the Gateway, Sub-Locations, and Endpoints options.

   • To configure the Gateway options at the parent location level, select the required settings to ensure all traffic from this location follows the configured options.

     

   • To configure different gateway option settings for different sources of traffic from this site, define sub-locations by entering the sub-location name and IP address under the Sub-Locations tab.

     

     You can enter multiple IP addresses for the sub-location. Each sub-location entry can be a single IP address, CIDR, or range.
     Adding the first sub-location automatically creates a new sub-location called Other. All existing policy rules that reference the parent location will now apply to the other location. You must manually configure rules for traffic from this sub-location.
     You can enable the following options in Gateways or Sub-Locations to customize configurations.

     

     Gateway Option	Description
     Enable XFF from Client Request	Use this option if the location employs proxy chaining to forward traffic to the service and you want Zscaler to utilize X-Forwarded-For (XFF) headers inserted by your on-premise proxy. When forwarding traffic to its destination, Zscaler removes the original XFF header and replaces it with the IP address of the client gateway (public IP) to prevent exposure of internal IP addresses.
     Enforce Firewall Control	Activates the firewall at the specified location.
     Enforce IPS Control	Enables user-to-device mapping when an internal IP can be differentiated from a public IP. This ensures user policies apply to cookie-incompatible traffic.
     Enforce Authentication	Requires identification of individual user traffic using the configured authentication mechanism.
     Enforce Caution	Enforces a caution policy action by displaying an end-user notification for unauthenticated traffic. If disabled, the action is treated as Allow.
     Enforce AUP(Acceptable Use Policy)	Displays an Acceptable Use Policy (AUP) for unauthenticated traffic and requires users to accept it.
     Enforce IP Surrogate	Enables user-to-device mapping for enforcing user policies when an internal IP can be distinguished from a public IP. This is essential for cookie-incompatible traffic.
     Idle Time to Disassociation	If IP Surrogate is enabled, specifies the duration after a completed transaction before the service removes the IP-to-user mapping.
     Enforce Surrogate IP for Known Browsers	If enabled, surrogate user identity is used for traffic from known browsers if an IP-user mapping exists. If disabled, traffic from known browsers will always be authenticated using the configured authentication mechanism.
     Surrogate Identity Refresh Interval	Defines how long a surrogate user identity can be used before requiring revalidation via authentication. The refresh interval must be shorter than the DHCP lease time to prevent incorrect user policies from being applied.
     Custom AUP Frequency	Specifies, in days, how often the Acceptable Use Policy is displayed to users.
     Block Internet Access	Disables all internet access, including non-HTTP traffic, until the user accepts the Acceptable Use Policy.

     By default, any changes to the IPSec and GRE configurations apply automatically to both the gateway and sub-locations.
   • Specify the Endpoints from the drop-down if you need to use Custom VPN Endpoints for IPSec tunnels and GRE tunnels (primary and secondary) instead of those managed by the CloudBlade.
     If using a custom endpoint, enter the preconfigured Standard VPN Endpoint name (case-sensitive) to be referenced when the CloudBlade configures the Standard VPN interfaces at this site. If no endpoint is specified, the CloudBlade will default to using the ZScaler Standard VPN endpoint, which includes a list of all ZEN node hostnames.

     

     If required, enable Interface level override for further customization.
8. Tag the circuit categories.

   

   Once the site is enabled for Zscaler, all Internet Circuits associated with this Branch Site can be used to form IPSec and/or GRE Tunnels. The IPSec and GRE configurations will be associated with the circuit categories to allow automatic tunnel formation.

   You can validate the tunnel configuration by navigating to the Branch Site and confirming if the tags are configured correctly.

   

   • Select Delete Configuration (if required), and select the tunnel type (IPSec or GRE) to remove the Zscaler configuration from the branch site.
   • Select Manage to edit any of the existing IPSec and GRE configurations.