The Prisma SD-WAN and Zscaler Internet Access integration is built on IPsec
Standard VPN and GRE tunnels from remote ION device endpoints to Zscaler. The
Zscaler Integration CloudBlade automatically creates, manages, and maintains
these IPsec Standard VPN and GRE tunnels.
Starting with release version 2.0.0, the Zscaler CloudBlade supports both IPsec and
GRE tunnels. Zscaler Internet Access (ZIA) provides APIs that can be used to
build GRE tunnels to Zscaler nodes from branches that require high throughput. Each
GRE tunnel can carry up to 1 Gbps of bandwidth.
To create GRE tunnels, the AUTO-zscaler-GRE tag is added to both the site and the
circuit. The site tag can be extended with options such as sub-location and custom
endpoint, while the circuit tag is static and must be used exactly as written. A
single interface on the device supports both IPsec tunnels (AUTO-zscaler tag) and
GRE tunnels (AUTO-zscaler-GRE tag). If a circuit on an interface is tagged with both
AUTO-zscaler and AUTO-zscaler-GRE, both IPsec and GRE tunnels are established to
the specific ZEN nodes.
To enable this tag-based configuration, the Prisma SD-WAN interface must be
configured and linked to Zscaler through a partner administrator account and an
SD-WAN partner key.
Use the following steps to complete the integration:
1. In the Zscaler portal, create a partner administrator role, create a partner
   administrator account and assign the role to it, and generate an SD-WAN
   partner key.
2. Configure and install the Zscaler CloudBlade in the Prisma SD-WAN portal.
3. Configure Prisma SD-WAN sites, and tag the circuit categories to denote which
   sites and circuit types are candidates for automatic Standard VPN tunnel and GRE
   tunnel creation to Zscaler.
4. Edit application network policy rules to send traffic to Zscaler.
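The tag rules described above (site tag plus static circuit tag for GRE, AUTO-zscaler on the circuit for IPsec, both kinds allowed on one interface, 1 Gbps per GRE tunnel) are easy to get wrong when tagging many sites in step 3. The following script is an added example, not the CloudBlade's own code or the Prisma SD-WAN SDK: it models those rules over constructed site and circuit records so the tunnel outcome and common tagging mistakes can be previewed before tags are committed. The site and circuit records are sample data, the Site and Circuit classes are invented for the example, the exact syntax of extended site tags is assumed to be any suffix on AUTO-zscaler-GRE, and the assumption that IPsec is gated by an AUTO-zscaler site tag in the same way GRE is gated by its site tag is mine.

```python
"""Preview which Zscaler tunnels a tagged Prisma SD-WAN site would get.

Added example; the tag semantics are modelled from the integration text,
the data below is constructed, and the helper classes are not part of
any product SDK.
"""
from dataclasses import dataclass, field

IPSEC_TAG = "AUTO-zscaler"
GRE_TAG = "AUTO-zscaler-GRE"
GRE_MAX_MBPS = 1000  # each GRE tunnel carries up to 1 Gbps


@dataclass
class Circuit:
    name: str
    interface: str          # ION device interface the circuit terminates on
    bandwidth_mbps: int
    tags: list = field(default_factory=list)


@dataclass
class Site:
    name: str
    tags: list
    circuits: list


def site_wants(site, kind):
    """True if the site carries the site-level tag for the tunnel kind.

    The GRE site tag may be extended with options (sub-location, custom
    endpoint), so any suffix is accepted here (assumed syntax). The IPsec
    site tag is matched exactly so that AUTO-zscaler-GRE does not also
    count as AUTO-zscaler.
    """
    if kind == "ipsec":
        return IPSEC_TAG in site.tags
    return any(t.startswith(GRE_TAG) for t in site.tags)


def plan_tunnels(site):
    """Return ({interface: sorted tunnel kinds}, warnings) for one site.

    GRE needs the (possibly extended) site tag and the static circuit tag;
    IPsec needs AUTO-zscaler on the circuit (and, assumed, on the site).
    A circuit carrying both tags yields both tunnel kinds on its interface.
    """
    per_interface = {}
    warnings = []
    for c in site.circuits:
        kinds = set()
        if IPSEC_TAG in c.tags and site_wants(site, "ipsec"):
            kinds.add("ipsec")
        if GRE_TAG in c.tags and site_wants(site, "gre"):
            kinds.add("gre")
        # The circuit tag is static: an extended tag on a circuit is a mistake.
        for t in c.tags:
            if t.startswith(GRE_TAG) and t != GRE_TAG:
                warnings.append(f"{site.name}/{c.name}: circuit tag {t!r} is not "
                                f"the static {GRE_TAG}; no GRE tunnel will be built")
        if IPSEC_TAG in c.tags and "ipsec" not in kinds:
            warnings.append(f"{site.name}/{c.name}: circuit tagged {IPSEC_TAG} "
                            f"but the site lacks the matching site tag")
        if GRE_TAG in c.tags and "gre" not in kinds:
            warnings.append(f"{site.name}/{c.name}: circuit tagged {GRE_TAG} "
                            f"but the site lacks the matching site tag")
        if "gre" in kinds and c.bandwidth_mbps > GRE_MAX_MBPS:
            warnings.append(f"{site.name}/{c.name}: {c.bandwidth_mbps} Mbps circuit "
                            f"exceeds the {GRE_MAX_MBPS} Mbps a single GRE tunnel carries")
        per_interface.setdefault(c.interface, set()).update(kinds)
    return {i: sorted(k) for i, k in per_interface.items()}, warnings


# Constructed sample inventory (not real tenant objects).
SAMPLE_SITES = [
    Site("branch-a", [IPSEC_TAG, GRE_TAG], [
        Circuit("isp-1", "1", 500, [IPSEC_TAG, GRE_TAG]),   # both kinds on one interface
        Circuit("isp-2", "2", 2000, [GRE_TAG]),              # GRE only; above 1 Gbps
        Circuit("lte", "3", 100, []),                         # untagged, left alone
    ]),
    Site("branch-b", [IPSEC_TAG], [
        Circuit("isp-1", "1", 300, [GRE_TAG]),                    # site not GRE-tagged
        Circuit("isp-2", "2", 300, ["AUTO-zscaler-GRE-custom"]),  # extended circuit tag
    ]),
]


def main():
    for site in SAMPLE_SITES:
        plan, warns = plan_tunnels(site)
        print(site.name, plan)
        for w in warns:
            print("  warning:", w)


if __name__ == "__main__":
    main()
```

Running the script shows branch-a getting both tunnel kinds on interface 1, GRE only on interface 2 with a warning that the 2 Gbps circuit exceeds what one GRE tunnel carries, and nothing on the untagged LTE circuit; branch-b gets no tunnels because its site tag and circuit tags do not line up, and each mismatch is reported separately.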
Prior to configuring the Zscaler CloudBlade in the Prisma SD-WAN portal, make sure that the user account you
are logged in with has IP session lock disabled.