Zscaler Internet Access CloudBlade Integration Guide
    : Assign Tags to Objects in Prisma SD-WAN
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma SD-WAN
    4. CloudBlades Integration and Deployment
    5. Zscaler Internet Access CloudBlade Integration Guide
    6. Configure and Install the Zscaler Integration CloudBlade
    7. Assign Tags to Objects in Prisma SD-WAN
    Download PDF

    Zscaler Internet Access CloudBlade Integration Guide

    Assign Tags to Objects in Prisma SD-WAN

    Table of Contents

    Assign Tags to Objects in Prisma SD-WAN

    Lets see how to Assign Tags to Objects in the Prisma SD-WAN web interface.
    After the CloudBlade is configured, the next task is to tag Prisma SD-WAN sites and circuit categories to denote which sites and circuit types are candidates for auto Standard VPN tunnel and GRE tunnel creation to Zscaler.
    1. From the Prisma SD-WAN web interface, click
      Manage
      Setup
      Sites
      .
    2. Click on the site to bring up the site details (search for a site to connect to Zscaler).
    3. Click the
      Edit
       icon (on the top right of the site details screen).
    4. On the
      Edit Site
       screen, in the
      TAGS
       field, type
      AUTO-zscaler
       (IPSec) and
      AUTO-zscaler-GRE
       (GRE) for tunnel creation (case sensitive).
      If you remove any one of the tags, this will delete the respective tunnel (all configurations are deleted) while the other continues to operate.
    5. Select the gear icon to configure the gateway options as required by your security team.
      1. If configuring gateway options only at the parent location level, specify the options as needed. This implies that all traffic from this location will be subject to the options configured here.
        The gateway options,
        Enforce Zscaler App SSL Setting
         and
        Enable SSL Inspection
         shown in the image below are currently deprecated by Zscaler.
      2. If you need to configure different gateway option settings for different sources of traffic from this site, then specify the appropriate sub-location definition and settings from the
        Sub Locations
         tab.
        In the
        Sub Locations
         tab, options
        Enforce Zscaler App SSL Setting
         and
        Enable SSL Inspection
        are currently deprecated and the option
        Use XFF from Client Request
         is disabled.
      3. If you create a sub location, make sure to specify the gateway options for the
        other
         location.
      4. Specify the endpoint under the
        Advanced
         tab if there's a requirement to use a custom Standard VPN endpoint instead of the one, which the CloudBlade manages and maintains.
        The Standard VPN endpoint name is case sensitive and must be previously configured under
        Stacked Policies > Service & DC Groups > Endpoints > Standard VPN
      5. To configure the GRE tunnel options under the
        Advanced
         tab, select the preconfigured Security Zone from the drop-down and select the
        Custom Endpoint
        for both primary and secondary tunnels (version 2.0.0 onwards).
        The GRE endpoint for both primary and secondary tunnels is case-sensitive and must be configured under
        Resources
        Service & DC Groups
        Endpoints
        Standard VPN
        .
        While using the custom endpoints for GRE tunnels, ensure that the IP addresses are available in the list of the closest data centers, and the IP addresses belong to data centers of different locations.
        AUTO-zscaler and AUTO-zscaler-GRE tag values must be the same for both
        Gateway Options
         and
        Sub Locations
        .
    6. Click
      Done
      .

    Tag the Circuit Categories

    Now that the site has been tagged as enabled for Zscaler, we need to tag the circuit categories that can be used to establish a Standard VPN or GRE tunnel to Zscaler.
    This capability is useful if you want only specific types of circuits to be used for Zscaler integration or explicitly exclude certain circuit types. For example, a customer may not want to use their metered LTE circuit for Standard VPN establishment.
    1. From the Prisma SD-WAN web interface, click
      Policies > Stacked Policies
      .
    2. Click
      Circuit Categories
      .
    3. Find the circuit categories that are associated with your sites from which you want the system to automatically build the tunnels. Edit the circuit category, and enter
      AUTO-zscaler
       and
      AUTO-zscaler-GRE
       (case sensitive) in the
      Tags
       field.
    4. Click
      Update
      .
      Once this configuration is completed, Standard VPN IPsec/GRE tunnels connecting the Prisma SD-WAN ION device and Zscaler will begin the creation or onboarding process in the next integration cycle. It may take several integration cycles for the tunnels to appear and be active on the Prisma SD-WAN portal.

    Configure Parent Interface for Tunnels

    1. Once the circuit is tagged, add the circuit as part of the circuit label on the parent interface (Port 2 in this case).
    2. Additionally, from version 2.1.0, establishing GRE tunnels requires a usable public IP.
      1. If the interface is connected directly to the internet and a public IP is available, provide the public IP as part of the DHCP or Static IP address. The Public IP must not be blocked by any firewall.
      2. If the interface is behind a NAT, provide the public IP address in the External NAT Address section.
        If you change an IP as part of the static public address or NAT address, the existing tunnels are deleted, and new tunnels established. The polling to identify these changes happens in 10-minute intervals.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.