Assign Tags to Objects in Prisma SD-WAN

Let's see how to assign tags to objects in the Prisma SD-WAN web interface.
After the CloudBlade is configured, the next task is to tag Prisma SD-WAN sites and circuit categories to denote which sites and circuit types are candidates for automatic Standard VPN (IPsec) and GRE tunnel creation to Zscaler.
  1. From the Prisma SD-WAN web interface, click
  2. Click the site to bring up the site details (search for the site you want to connect to Zscaler).
  3. Click the icon on the top right of the site details screen to edit the site.
  4. On the Edit Site screen, in the tags field, type AUTO-zscaler (for the Standard VPN IPsec tunnel) and AUTO-zscaler-GRE (for the GRE tunnel). Both tag values are case sensitive.
    If you later remove either tag, the respective tunnel and all of its configuration are deleted, while the tunnel for the remaining tag continues to operate.
  5. Select the gear icon to configure the gateway options as required by your security team.
    1. If you configure gateway options only at the parent location level, specify the options as needed. All traffic from this location is then subject to the options configured here.
      The gateway options Enforce Zscaler App SSL Setting and Enable SSL Inspection, shown in the image below, are currently deprecated by Zscaler.
    2. If different sources of traffic from this site need different gateway option settings, specify the appropriate sub-location definitions and settings on the Sub Locations tab.
      On the Sub Locations tab, the options Enforce Zscaler App SSL Setting and Enable SSL Inspection are currently deprecated, and the option Use XFF from Client Request is disabled.
    3. If you create a sub location, make sure to specify the gateway options for the
    4. Specify the endpoint under the
      tab if you need to use a custom Standard VPN endpoint instead of the one the CloudBlade manages and maintains.
      The Standard VPN endpoint name is case sensitive and must already be configured under Stacked Policies > Service & DC Groups > Endpoints > Standard VPN.
    5. To configure the GRE tunnel options under the
      tab, select the preconfigured Security Zone from the drop-down and select the Custom Endpoint for both the primary and secondary tunnels (version 2.0.0 onwards).
      The GRE endpoint names for the primary and secondary tunnels are case sensitive and must be configured under Stacked Policies > Service & DC Groups > Endpoints > Standard VPN.
      When using custom endpoints for GRE tunnels, make sure the IP addresses appear in the list of the closest Zscaler data centers and that the two addresses belong to data centers in different locations, so that the primary and secondary tunnels actually provide redundancy.
      The AUTO-zscaler and AUTO-zscaler-GRE tag values must be the same for both Gateway Options and Sub Locations.
  6. Click
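
As an added example (not code from the Prisma SD-WAN documentation or from the CloudBlade itself), the following Python applies the tagging rules above to site records as a dry run before anything is changed in the UI: it flags tag values that differ from AUTO-zscaler or AUTO-zscaler-GRE only in case (which the CloudBlade would not match, so no tunnel would be built), and it reports which tunnel will be created or deleted when a tag is added or removed. The record shape {"id", "name", "tags"} and the sample sites are assumptions for illustration.

```python
# Added example, not code from the Prisma SD-WAN page or the Zscaler CloudBlade.
# Assumed record shape: {"id": ..., "name": ..., "tags": [...]} with a tags list on
# each site. The sample sites at the bottom are constructed, not real tenant data.
from typing import Dict, List, Tuple

TAG_IPSEC = "AUTO-zscaler"        # triggers the Standard VPN (IPsec) tunnel
TAG_GRE = "AUTO-zscaler-GRE"      # triggers the GRE tunnel
TUNNEL_TAGS = {TAG_IPSEC: "Standard VPN (IPsec)", TAG_GRE: "GRE"}


def lint_tags(tags: List[str]) -> List[str]:
    """Return tags that match a tunnel tag only case-insensitively.

    The tag values are matched case-sensitively, so a value such as
    "auto-zscaler" is silently ignored and no tunnel is built. Flag those.
    """
    wanted = {t.lower() for t in TUNNEL_TAGS}
    return sorted(t for t in tags if t.lower() in wanted and t not in TUNNEL_TAGS)


def plan_tags(current: List[str], ipsec: bool = True, gre: bool = True
              ) -> Tuple[List[str], List[str], List[str]]:
    """Return (new_tags, tunnels_created, tunnels_deleted) for the requested set.

    Removing one tunnel tag deletes only that tunnel; the other keeps running.
    Non-tunnel tags and their order are preserved untouched.
    """
    desired = set()
    if ipsec:
        desired.add(TAG_IPSEC)
    if gre:
        desired.add(TAG_GRE)
    present = set(current) & set(TUNNEL_TAGS)
    to_add = sorted(desired - present)
    to_remove = sorted(present - desired)
    new_tags = [t for t in current if t not in to_remove] + to_add
    created = [TUNNEL_TAGS[t] for t in to_add]
    deleted = [TUNNEL_TAGS[t] for t in to_remove]
    return new_tags, created, deleted


def plan_sites(sites: List[Dict], ipsec: bool = True, gre: bool = True) -> Dict[str, Dict]:
    """Dry-run the change for every site record; nothing is written anywhere."""
    report = {}
    for site in sites:
        tags = site.get("tags", [])
        new_tags, created, deleted = plan_tags(tags, ipsec, gre)
        report[site["name"]] = {
            "tags": new_tags,
            "create": created,
            "delete": deleted,
            "case_mismatch": lint_tags(tags),
        }
    return report


if __name__ == "__main__":
    # Constructed sample records for illustration only.
    sample_sites = [
        {"id": "101", "name": "Branch-A", "tags": ["prod"]},
        {"id": "102", "name": "Branch-B", "tags": ["prod", "auto-zscaler"]},  # wrong case
        {"id": "103", "name": "Branch-C", "tags": [TAG_IPSEC, TAG_GRE]},
    ]
    # Plan IPsec only: Branch-C loses its GRE tunnel, Branch-B's lowercase tag is flagged.
    for name, change in plan_sites(sample_sites, ipsec=True, gre=False).items():
        print(name, change)
```

The planner deliberately leaves a case-mismatched value such as "auto-zscaler" in place and only reports it, so the operator decides whether to correct it; a site that carries only the mismatched value gets the correctly cased tag appended and would otherwise keep silently failing to build a tunnel.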

Tag the Circuit Categories

Now that the site has been tagged for Zscaler, tag the circuit categories that may be used to establish a Standard VPN or GRE tunnel to Zscaler.
This lets you restrict the integration to specific circuit types, or explicitly exclude certain circuit types. For example, a customer may not want a metered LTE circuit to be used for Standard VPN establishment.
  1. From the Prisma SD-WAN web interface, click Policies > Stacked Policies.
  2. Click Circuit Categories.
  3. Find the circuit categories associated with the sites on which you want the system to build the tunnels automatically. Edit each circuit category and enter the tag (case sensitive) in the tags field.
  4. Click
    Once this configuration is completed, the Standard VPN (IPsec) or GRE tunnels between the Prisma SD-WAN ION device and Zscaler begin the creation and onboarding process in the next integration cycle. It may take several integration cycles before the tunnels appear and become active on the Prisma SD-WAN portal.

Configure Parent Interface for Tunnels

  1. Once the circuit category is tagged, add the circuit as part of the circuit label on the parent interface (Port 2 in this case).
  2. Additionally, from version 2.1.0 onwards, establishing GRE tunnels requires a usable public IP address.
    1. If the interface is connected directly to the internet and a public IP is available, provide the public IP as part of the DHCP or static IP address. No firewall in the path may block traffic to that public IP; in particular, GRE (IP protocol 47) must be allowed through to it.
    2. If the interface is behind a NAT, provide the public IP address in the External NAT Address section.
      If you change the static public IP address or the external NAT address, the existing tunnels are deleted and new tunnels are established. Polling to detect these changes runs at 10-minute intervals, so allow for that delay before expecting the new tunnels to appear.
