Assign Tags to Objects in Prisma SD-WAN
Let's see how to assign tags to objects in the Prisma SD-WAN web interface. After the CloudBlade is configured, the next task is to tag Prisma SD-WAN sites and circuit categories to mark which sites and circuit types are candidates for automatic Standard VPN (IPsec) tunnel and GRE tunnel creation to Zscaler.
- From the Prisma SD-WAN web interface, select Manage > Setup > Sites.
- Click the site to open its details (search for the site you want to connect to Zscaler).
- Click the Edit icon at the top right of the site details screen.
- On the Edit Site screen, in the Tags field, type AUTO-zscaler for IPsec tunnel creation and AUTO-zscaler-GRE for GRE tunnel creation. Both tags are case sensitive. If you later remove one of the tags, the respective tunnel is deleted (all of its configuration is removed) while the other continues to operate.
- Select the gear icon to configure the gateway options as required by your security team.
- If you configure gateway options only at the parent location level, specify the options as needed. All traffic from this location will then be subject to the options configured here. The gateway options Enforce Zscaler App SSL Setting and Enable SSL Inspection shown in the image below are currently deprecated by Zscaler.
- If different sources of traffic from this site need different gateway option settings, define the appropriate sub-locations and their settings from the Sub Locations tab. In the Sub Locations tab, the options Enforce Zscaler App SSL Setting and Enable SSL Inspection are currently deprecated, and the option Use XFF from Client Request is disabled.
- If you create a sub-location, make sure to also specify the gateway options for the other location.
- Under the Advanced tab, specify the endpoint if you need to use a custom Standard VPN endpoint instead of the one the CloudBlade manages and maintains. The Standard VPN endpoint name is case sensitive and must already be configured under Stacked Policies > Service & DC Groups > Endpoints > Standard VPN.
- To configure the GRE tunnel options under the Advanced tab, select the preconfigured Security Zone from the drop-down and select the Custom Endpoint for both the primary and secondary tunnels (version 2.0.0 onwards). The GRE endpoint names for both tunnels are case sensitive and must be configured under Resources > Service & DC Groups > Endpoints > Standard VPN. When using custom endpoints for GRE tunnels, ensure that the IP addresses are in the list of the closest data centers and that the two addresses belong to data centers in different locations. The AUTO-zscaler and AUTO-zscaler-GRE tag values must be the same for both Gateway Options and Sub Locations.
- Click Done.
Tag the Circuit Categories
Now that the site is tagged as enabled for Zscaler, tag the circuit categories that can be used to establish a Standard VPN or GRE tunnel to Zscaler. This is useful if you want only specific types of circuits to be used for the Zscaler integration, or if you want to explicitly exclude certain circuit types. For example, a customer may not want a metered LTE circuit used for Standard VPN establishment.
- From the Prisma SD-WAN web interface, select Policies > Stacked Policies.
- Click Circuit Categories.
- Find the circuit categories associated with the sites from which you want the system to automatically build tunnels. Edit each circuit category and enter AUTO-zscaler (IPsec) and AUTO-zscaler-GRE (GRE), as required, in the Tags field. Both tags are case sensitive.
- Click Update. Once this configuration is complete, the Standard VPN IPsec and GRE tunnels between the Prisma SD-WAN ION device and Zscaler begin the creation or onboarding process in the next integration cycle. It may take several integration cycles for the tunnels to appear and become active on the Prisma SD-WAN portal.
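The tag rules above are simple but easy to get wrong across many sites: the tag strings are exact and case sensitive, and a tunnel type is only built when both the site and one of the circuit categories it uses carry the same tag. The following script is an added example, not CloudBlade or Prisma SD-WAN code. It audits constructed site and circuit-category records in a simplified dict shape (a name, a tags list, and an assumed circuit_categories list that joins a site to the categories it uses) and reports which tunnels would be built, which sites are tagged without a tagged circuit, and which tags are case mismatches. The record shape and field names are assumptions; real API objects carry more fields.

```python
"""Audit which Prisma SD-WAN sites and circuit categories are candidates for
automatic Zscaler tunnel creation, based on the tag rules in this section.

Added example, not CloudBlade code. Site and circuit-category records are
constructed dicts of the form {"name": ..., "tags": [...]}; the per-site
"circuit_categories" list is an assumed field used to join the two.
"""

# Exact tag strings the CloudBlade matches on. Matching is case sensitive,
# so "auto-zscaler" or "AUTO-Zscaler" silently does nothing.
IPSEC_TAG = "AUTO-zscaler"
GRE_TAG = "AUTO-zscaler-GRE"
ZSCALER_TAGS = (IPSEC_TAG, GRE_TAG)


def near_miss_tags(tags):
    """Return tags that differ from a Zscaler tag only by letter case.
    These are the typical typo behind 'the tunnel never appeared'."""
    wanted = {t.lower(): t for t in ZSCALER_TAGS}
    return [t for t in tags
            if t.lower() in wanted and t != wanted[t.lower()]]


def tunnel_candidates(site, categories):
    """Decide which tunnel types would be built for one site.

    site:       {"name": str, "tags": [str], "circuit_categories": [str]}
    categories: {category_name: {"tags": [str]}}

    A tunnel type is built only when the site carries the tag AND at least
    one circuit category used by the site carries the same tag; the circuit
    tag is what keeps e.g. a metered LTE circuit out of the tunnel.
    """
    result = {}
    site_tags = set(site.get("tags", []))
    for tag in ZSCALER_TAGS:
        circuits = [c for c in site.get("circuit_categories", [])
                    if tag in categories.get(c, {}).get("tags", [])]
        result[tag] = {
            "site_tagged": tag in site_tags,
            "circuits": circuits,
            "will_build": tag in site_tags and bool(circuits),
        }
    return result


def audit(sites, categories):
    """Return a list of human-readable findings for all sites and categories."""
    findings = []
    for site in sites:
        name = site["name"]
        for bad in near_miss_tags(site.get("tags", [])):
            findings.append(f"{name}: tag {bad!r} is a case mismatch; tags are case sensitive")
        for tag, info in tunnel_candidates(site, categories).items():
            kind = "IPsec" if tag == IPSEC_TAG else "GRE"
            if info["will_build"]:
                findings.append(f"{name}: {kind} tunnel will be built over {', '.join(info['circuits'])}")
            elif info["site_tagged"]:
                findings.append(f"{name}: site carries {tag} but no circuit category on the site does; no {kind} tunnel")
    for cat_name, cat in categories.items():
        for bad in near_miss_tags(cat.get("tags", [])):
            findings.append(f"circuit category {cat_name}: tag {bad!r} is a case mismatch")
    return findings


# Constructed sample data (not from a real tenant).
SAMPLE_CATEGORIES = {
    "Public-Broadband": {"tags": [IPSEC_TAG, GRE_TAG]},
    "LTE-Metered": {"tags": []},                 # deliberately left untagged
    "Private-MPLS": {"tags": ["auto-zscaler"]},  # wrong case, will never match
}

SAMPLE_SITES = [
    {"name": "Branch-A", "tags": [IPSEC_TAG, GRE_TAG],
     "circuit_categories": ["Public-Broadband", "LTE-Metered"]},
    {"name": "Branch-B", "tags": [IPSEC_TAG],
     "circuit_categories": ["LTE-Metered"]},
    {"name": "Branch-C", "tags": ["AUTO-Zscaler"],
     "circuit_categories": ["Public-Broadband"]},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_SITES, SAMPLE_CATEGORIES):
        print(line)
```

Running the script on the sample data reports that Branch-A gets both tunnels over Public-Broadband only (the untagged LTE circuit is skipped), that Branch-B is tagged but has no eligible circuit so nothing is built, and that Branch-C and Private-MPLS carry case-mismatched tags. To use it against a real tenant, replace the sample dicts with the tags from the site and circuit-category objects you pull from the Prisma SD-WAN API.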
Configure Parent Interface for Tunnels
- Once the circuit is tagged, add the circuit to the circuit label on the parent interface (Port 2 in this case).
- Additionally, from version 2.1.0 onwards, establishing GRE tunnels requires a usable public IP address.
- If the interface is connected directly to the internet and a public IP is available, provide the public IP as part of the DHCP or static IP address configuration. The public IP must not be blocked by any firewall.
- If the interface is behind a NAT, provide the public IP address in the External NAT Address section. If you change the static public address or the NAT address, the existing tunnels are deleted and new tunnels are established. Polling to detect these changes happens at 10-minute intervals.