Prisma SD-WAN
Zscaler Internet Access CloudBlade Integration
Release notes for the Zscaler Internet Access CloudBlade integration, listing the updates in each CloudBlade version.
Prisma SD-WAN recommends upgrading to the latest release to take advantage of new
features, software enhancements, and bug fixes.
Zscaler Internet Access CloudBlade Version 2.1.0
This section includes new and updated features in CloudBlade version
2.1.0.
New/Updated Features
- When establishing GRE tunnels on an interface that is connected directly to the internet and has a usable public IP, provide that public IP as part of the DHCP or static IP address configuration. The public IP must not be blocked by any firewall. If the static public address or NAT address changes, the existing tunnels are deleted and new tunnels are established; the CloudBlade polls for these changes at 10-minute intervals.
- When selecting the Zscaler cloud to which your subscription is attached, the CloudBlade now supports govcloud, which supports only IPsec tunnels.
Zscaler Internet Access CloudBlade Version 2.0.0
This section includes new features, caveats/limitations, and downgrade
considerations.
New/Updated Features
Starting with release version 2.0.0, the Zscaler CloudBlade supports both IPsec and GRE tunnels. Zscaler Internet Access (ZIA) has launched APIs that can be used to build GRE tunnels to Zscaler nodes from branches that require high throughput. Each GRE tunnel can carry up to 1 Gbps of bandwidth.
The AUTO-zscaler-GRE tag is added to a site and to a circuit to create the GRE tunnels. The site tag is extended with sub-location, custom endpoint, and other options, while the circuit tag is a static tag. A single interface on the device supports both IPsec tunnels (AUTO-zscaler tag) and GRE tunnels (AUTO-zscaler-GRE tag). If a circuit is tagged with both AUTO-zscaler and AUTO-zscaler-GRE on an interface, both IPsec and GRE tunnels are established to the specific ZEN nodes.
Changes to Default Behavior
When you roll back the Zscaler Internet Access CloudBlade from version 2.0.0 to 1.4.1 or 1.3.1, remove the GRE tag at both the site and circuit levels and ensure the GRE ServiceLinks are deleted, because GRE is not supported in lower versions of the CloudBlade.
Caveats/Limitations
The following caveats are observed with the Zscaler Internet
Access CloudBlade:
- If one or more IPs used in Custom Endpoints are not part of the ranked list (closest data centers), the tunnels will not be established.
- The Zscaler-requery-GRE-IPs tag must be used on the site in order to update the GRE tunnels to the latest available closest data centers.
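As an added example (not CloudBlade or Prisma SD-WAN code), the following pre-flight check encodes the 2.x tagging rules from these notes: a tag must be present at both site and circuit to build that tunnel type, govcloud is IPsec-only, custom endpoint IPs outside the ranked list prevent tunnels from coming up, and GRE tags must be removed before a rollback to 1.4.1 or 1.3.1. The `Site`/`Circuit` structures, the `custom_endpoints` field and the ranked-IP set are assumptions standing in for the real configuration.

```python
from dataclasses import dataclass, field

IPSEC_TAG = "AUTO-zscaler"            # IPsec tunnels
GRE_TAG = "AUTO-zscaler-GRE"          # GRE tunnels (CloudBlade 2.0.0 and later)
GRE_UNSUPPORTED = {"1.4.1", "1.3.1"}  # CloudBlade versions without GRE support

@dataclass
class Circuit:               # assumed structure, stands in for the real circuit config
    name: str
    tags: set

@dataclass
class Site:                  # assumed structure; custom_endpoints holds ZEN IPs
    name: str
    tags: set
    circuits: list
    custom_endpoints: list = field(default_factory=list)

def tunnel_types(site, circuit):
    """Tunnel types built on a circuit: the tag must be present at both the
    site and the circuit; both tags on one circuit give both tunnel types."""
    types = set()
    if IPSEC_TAG in site.tags and IPSEC_TAG in circuit.tags:
        types.add("ipsec")
    if GRE_TAG in site.tags and GRE_TAG in circuit.tags:
        types.add("gre")
    return types

def preflight(site, zscaler_cloud, ranked_ips, target_version):
    """Return findings that stop tunnels from coming up or break a rollback."""
    findings = []
    for c in site.circuits:
        if "gre" in tunnel_types(site, c) and zscaler_cloud == "govcloud":
            findings.append(f"{c.name}: govcloud supports only IPsec; remove {GRE_TAG}")
    # Custom endpoint IPs outside the ranked (closest data center) list
    missing = [ip for ip in site.custom_endpoints if ip not in ranked_ips]
    if missing:
        findings.append(f"custom endpoints not in ranked list {missing}: tunnels will not be established")
    # Rollback: GRE tag must be removed (and GRE ServiceLinks deleted) first
    gre_tagged = GRE_TAG in site.tags or any(GRE_TAG in c.tags for c in site.circuits)
    if target_version in GRE_UNSUPPORTED and gre_tagged:
        findings.append(f"remove {GRE_TAG} and delete GRE ServiceLinks before rolling back to {target_version}")
    return findings

# Constructed sample input (documentation IP ranges, not real infrastructure)
SAMPLE_SITE = Site("branch-01", {IPSEC_TAG, GRE_TAG},
                   [Circuit("isp-a", {IPSEC_TAG, GRE_TAG}), Circuit("isp-b", {IPSEC_TAG})],
                   ["198.51.100.10", "203.0.113.7"])
SAMPLE_RANKED = {"198.51.100.10", "198.51.100.11"}
print(preflight(SAMPLE_SITE, "govcloud", SAMPLE_RANKED, "1.4.1"))
```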
Zscaler Internet Access CloudBlade Version 1.4.1
This is a maintenance release with fixes.
Zscaler Internet Access CloudBlade Version 1.3.1
Zscaler Internet Access requires ION devices to run software version
5.1.9-b10 or later. Versions prior to
5.1.9-b10 are not supported. This section includes new features,
caveats/limitations, and migration considerations.
New/Updated Features
- Automation of Zscaler sub-location gateway option settings per site.
- Optional custom Standard VPN endpoint specification per site for cases where the ZIA Service Edge hostname list needs to be manually managed.
- IPSec Profile interface level override.
Caveats/Limitations
The following are the caveats or limitations in this release:
- IPSec Profile Names specified in the CloudBlade configuration are case-sensitive.
- There is a known bug on the Zscaler API side, to be resolved by the end of July 2020: if the gateway option Surrogate IP Enforced For Known Browsers is specified, it does not show as configured on the Zscaler location or sub-location object. The workaround is to specify an additional gateway option or sub-location gateway option, whichever is applicable. This causes an update to the location (or sub-location) object and makes Surrogate IP Enforced For Known Browsers effective. You can then remove the additional configuration if it is not required.
Migration Considerations
A site previously tagged with AUTO-zscaler that had gateway configuration changes made directly in the Zscaler UI will not have any of its gateway options modified during migration. However, if the AUTO-zscaler tag is updated to specify gateway options, sub-locations, or a custom standard VPN endpoint, either through the UI workflow or through the API, the CloudBlade becomes the source of truth for all gateway options and sub-location configuration for that location.
When the AUTO-zscaler tag is removed from a site, all objects maintained by the CloudBlade are removed. This includes the standard VPN tunnel interfaces on the IONs, the location and sub-location object(s) on Zscaler, and the VPN credentials associated with the tunnels from that site.
Zscaler Location Gateway Options
The following are the gateway options supported in Zscaler
CloudBlade Version 1.3.1:
| Options | Corresponding Prisma Access for Networks Tag |
|---|---|
| Use XFF from Client Request | <True \| False> |
| Enforce Zscaler App SSL Setting | <True \| False> |
| Enable SSL Inspection | <True \| False> |
| Enforce Firewall Control | <True \| False> |
| Enforce Authentication | <True \| False> |
| Enable IP Surrogate | <True \| False>; Idle time: <val>; Idle time metric: <minutes \| hours \| days> |
| Enable Surrogate IP for Known Browsers | <True \| False>; Refresh time: <val>; Refresh time metric: <minutes \| hours \| days> |
| Enable Caution | <True \| False> |
| Enable AUP | <True \| False>; Frequency (days): <val>; Block Internet Access: <True \| False>; Force SSL Inspection: <True \| False> |