Create Security Zone and Security Policy for GRE Tunnels Creation

Learn to configure and install the Zscaler Integration CloudBlade and perform the steps required for the integration.
Where Can I Use This?
  • Strata Cloud Manager
What Do I Need?
  • Prisma SD-WAN license
  • Zscaler Enforcement Nodes (ZEN) Integration CloudBlade
GRE tunnels created by the Zscaler CloudBlade require a security policy (v1) or security policy set (v2) to be applied to the site before the tunnels can be created. The security zone and security policy must be created and mapped to the site; the CloudBlade then automatically places the ServiceLink GRE tunnel into that security zone. The CloudBlade typically creates two GRE tunnels: a primary tunnel to data center one and a secondary tunnel to data center two.
If the policy or zone is removed later, the CloudBlade ignores all GRE operations on that site, including creating, updating, and re-querying tunnels.
  1. Add a security zone.
    1. In Strata Cloud Manager, go to Manage > Policies > Security.
    2. Select Security Zones and add a Security Zone.
    3. On the next screen, enter a name for the security zone and an optional description.
    4. Click Create.
  2. Add a security policy stack.
    1. Select Policies > Security and add a Stack.
    2. Enter a name for the security stack, select the security zone created previously, and save the changes.
  3. Bind the security policy to the site.
    1. Select the Security Stack.
    2. From the ellipsis menu for a security policy, select Attach to Sites.
    3. Select the site and click Edit Selected.
    4. Review or edit your security policies and select Save.
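The CloudBlade silently ignores GRE operations on a site whose zone or policy binding is missing, so it is worth checking the precondition before installation and re-checking it for drift afterwards. The following is an added example, not Prisma SD-WAN code or API: it encodes the page's rule over a simplified, constructed site model (the `Site` class, field names and sample values are assumptions) and reports every condition that would cause the CloudBlade to skip the site.

```python
"""Readiness and drift check for the Zscaler CloudBlade GRE precondition.

Added example: models the rule from this page over a constructed site
representation, not the real Prisma SD-WAN API.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Tags the CloudBlade uses to identify the tunnels it manages (version 2.0.0 onward).
IPSEC_TAG = "AUTO-zscaler"
GRE_TAG = "AUTO-zscaler-GRE"


@dataclass
class Site:
    """Assumed, simplified view of a site's security binding and tunnels."""
    name: str
    zones: set                                  # security zones mapped to the site
    policy_set_v2: Optional[str] = None         # attached security policy set (v2) ...
    policy_v1: Optional[str] = None             # ... or legacy security policy (v1)
    tunnels: list = field(default_factory=list)  # dicts: {"name", "tags", "zone"}


def audit_gre(site: Site, zone: str) -> list:
    """Return every condition that would make the CloudBlade ignore GRE operations."""
    problems = []
    if zone not in site.zones:
        problems.append(f"zone '{zone}' is not mapped to site {site.name}")
    if not (site.policy_set_v2 or site.policy_v1):
        problems.append(f"no security policy (v1) or policy set (v2) attached to {site.name}")
    gre = [t for t in site.tunnels if GRE_TAG in t["tags"]]
    # The CloudBlade normally creates a primary and a secondary GRE tunnel.
    if len(gre) != 2:
        problems.append(f"expected 2 CloudBlade GRE tunnels (primary/secondary), found {len(gre)}")
    problems += [f"tunnel '{t['name']}' is not in zone '{zone}'" for t in gre if t.get("zone") != zone]
    return problems


# Constructed sample sites (not real configuration).
SITE_OK = Site("branch-01", zones={"Zscaler-GRE"}, policy_set_v2="Zscaler-Stack",
               tunnels=[{"name": "zs-primary", "tags": [GRE_TAG], "zone": "Zscaler-GRE"},
                        {"name": "zs-secondary", "tags": [GRE_TAG], "zone": "Zscaler-GRE"}])
SITE_DRIFT = Site("branch-02", zones=set(),          # zone and policy removed after install
                  tunnels=[{"name": "zs-primary", "tags": [GRE_TAG], "zone": None}])

if __name__ == "__main__":
    for s in (SITE_OK, SITE_DRIFT):
        print(s.name, audit_gre(s, "Zscaler-GRE") or "ready")
```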

Configure and Install the Zscaler Integration

Configure the Prisma SD-WAN CloudBlade to prepare the Prisma SD-WAN controller for integration.
  1. In Strata Cloud Manager, go to Manage > Prisma SD-WAN > CloudBlades.
  2. Locate the Zscaler Enforcement Nodes (ZEN) Integration CloudBlade tile on the CloudBlades page and click Configure. If this CloudBlade does not appear, contact the Palo Alto support team.
  3. Enter the following information in the CloudBlade installation page.
    1. From the Version list, select the required version.
    2. For Admin State, retain Enabled, which is the default value.
    3. For API Key, provide the SD-WAN key generated in the previous section.
    4. For Partner Admin Username and Partner Admin Password, provide the partner administrator account details created in the previous section.
    5. For Zscaler cloud, select the Zscaler cloud to which your subscription is attached (zscalerthree in the example below).
       From version 2.1.0 onward, the CloudBlade supports govcloud, which supports only IPsec tunnels.
    6. Specify the IPsec Profile name (case sensitive). The default is ZSCALER_IKEV2, which should be pre-provisioned along with the CloudBlade allocation. From version 2.0.0 onward, the tunnels to be created are identified by their tags: AUTO-zscaler for IPsec and AUTO-zscaler-GRE for GRE.
    7. If you select Allow Interface Level Override for the IPsec profile, administrators can change the IPsec profile referenced at the Standard VPN tunnel level without the CloudBlade overriding that change. This is typically useful in troubleshooting scenarios.
    8. (Optional) Provide the base URL. If left blank, the base URL is derived from the admin username domain.
  4. After you configure the settings, click Install (or Save, if the CloudBlade was previously installed).