Prisma SD-WAN
Assign Tags to Objects in Prisma SD-WAN
Table of Contents
Assign Tags to Objects in Prisma SD-WAN
Lets see how to Assign Tags to Objects in the Prisma SD-WAN web
interface.
| Where Can I Use This? | What Do I Need? |
|---|---|
After the CloudBlade is configured, the next task is to tag Prisma SD-WAN sites and circuit categories to denote which sites and
circuit types are candidates for auto Standard VPN tunnel and GRE tunnel creation to
Zscaler.
- In Strata Cloud Manager, go to .Select the site to bring up the site details (search for a site to connect to Zscaler).Click the Edit icon (on the top right of the site details screen).
![]()
On the Edit Site screen, in the TAGS field, type AUTO-zscaler (IPSec) and AUTO-zscaler-GRE (GRE) for tunnel creation (case sensitive).![]()
If you remove any one of the tags, this will delete the respective tunnel (all configurations are deleted) while the other continues to operate.Select the gear icon to configure the gateway options as required by your security team.- If configuring gateway options only at the parent location level, specify the options as needed. This implies that all traffic from this location will be subject to the options configured here.The gateway options, Enforce Zscaler App SSL Setting and Enable SSL Inspection shown in the image below are currently deprecated by Zscaler.If you need to configure different gateway option settings for different sources of traffic from this site, then specify the appropriate sub-location definition and settings from the Sub Locations tab.
![]()
In the Sub Locations tab, options Enforce Zscaler App SSL Setting and Enable SSL Inspection are currently deprecated and the option Use XFF from Client Request is disabled.If you create a sub location, make sure to specify the gateway options for the other location.Specify the endpoint under the Advanced tab if there's a requirement to use a custom Standard VPN endpoint instead of the one, which the CloudBlade manages and maintains.![]()
The Standard VPN endpoint name is case sensitive and must be previously configured under .To configure the GRE tunnel options under the Advanced tab, select the preconfigured Security Zone from the drop-down and select the Custom Endpoint for both primary and secondary tunnels (version 2.0.0 onwards).The GRE endpoint for both primary and secondary tunnels is case-sensitive and must be configured under .While using the custom endpoints for GRE tunnels, ensure that the IP addresses are available in the list of the closest data centers, and the IP addresses belong to data centers of different locations.AUTO-zscaler and AUTO-zscaler-GRE tag values must be the same for both Gateway Options and Sub Locations.![]()
Click Done.Tag the Circuit Categories
Now that the site has been tagged as enabled for Zscaler, we need to tag the circuit categories that can be used to establish a Standard VPN or GRE tunnel to Zscaler.This capability is useful if you want only specific types of circuits to be used for Zscaler integration or explicitly exclude certain circuit types. For example, a customer may not want to use their metered LTE circuit for Standard VPN establishment.- In Strata Cloud Manager, go to .Find the circuit categories that are associated with your sites from which you want the system to automatically build the tunnels. Edit the circuit category, and enter AUTO-zscaler and AUTO-zscaler-GRE (case sensitive) in the Tags field.
![]()
Select Update.Once this configuration is completed, Standard VPN IPsec/GRE tunnels connecting the Prisma SD-WAN ION device and Zscaler will begin the creation or onboarding process in the next integration cycle. It may take several integration cycles for the tunnels to appear and be active on the Prisma SD-WAN portal.
