Learn how to Plan the Deployment in Zscaler Prisma SD-WAN CloudBlade.

The Prisma SD-WAN and Zscaler Internet Access integration is built
primarily on IPsec Standard VPNs and GRE tunnels from remote ION
device endpoints to Zscaler. The Zscaler Integration CloudBlade
automatically creates, manages, and maintains the IPsec and GRE
Standard VPN tunnels when you enter tags on the appropriate
Prisma SD-WAN objects.

Starting with release version 2.0.0, the Zscaler CloudBlade supports
both IPsec and GRE tunnels. Zscaler Internet Access (ZIA) has launched
APIs that can be used to build GRE tunnels to Zscaler nodes from
branches that require high throughput. Each GRE tunnel can have
up to 1 Gbps bandwidth.

The AUTO-zscaler-GRE tag is added to a site and circuit to create the
GRE tunnels. The site tag is extended for sub-location, custom
endpoint, and other options, while the circuit tag is a static tag.
A single interface on the device supports both IPsec tunnels
(AUTO-zscaler tag) and GRE tunnels (AUTO-zscaler-GRE tag). If a
circuit on an interface is tagged with both AUTO-zscaler and
AUTO-zscaler-GRE, then both IPsec and GRE tunnels are established
to the specific ZEN nodes.
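
A pre-deployment tag audit for the rules above, as an added example that is not part of the CloudBlade or the original documentation. The inventory structure, function names, and the extended site tag syntax are assumptions; only the two tag names and the site-plus-circuit rule for GRE come from this page.

```python
import re

IPSEC_TAG = "AUTO-zscaler"      # circuit tag named on the page (IPsec)
GRE_TAG = "AUTO-zscaler-GRE"    # site and circuit tag named on the page (GRE)

def circuit_tunnels(tags):
    """Tunnel types a circuit's tags request. Exact match only: AUTO-zscaler is
    a prefix of AUTO-zscaler-GRE, so prefix matching would misread a GRE tag."""
    return {name for name, tag in (("ipsec", IPSEC_TAG), ("gre", GRE_TAG)) if tag in tags}

def site_has_gre(tags):
    """Assumption: an extended site tag is the base tag plus a non-word
    separator and options; the page does not give the exact syntax."""
    return any(re.fullmatch(re.escape(GRE_TAG) + r"(\W.*)?", t) for t in tags)

def near_miss(tags):
    """Tags that differ from a known tag only by case (likely typos)."""
    known = {IPSEC_TAG, GRE_TAG}
    return sorted(t for t in tags if t not in known and t.lower() in {k.lower() for k in known})

def audit(sites):
    """Return (plan, findings): plan maps (site, circuit) -> sorted tunnel types."""
    plan, findings = {}, []
    for site in sites:
        gre_site, gre_circuits = site_has_gre(site["tags"]), 0
        for c in site["circuits"]:
            wanted = circuit_tunnels(c["tags"])
            for t in near_miss(c["tags"]):
                findings.append(f'{site["name"]}/{c["name"]}: tag {t!r} differs from a known tag only by case')
            if "gre" in wanted:
                gre_circuits += 1
                if not gre_site:  # page: the GRE tag goes on the site and the circuit
                    findings.append(f'{site["name"]}/{c["name"]}: GRE circuit tag but site lacks {GRE_TAG}')
                    wanted.discard("gre")
            plan[(site["name"], c["name"])] = sorted(wanted)
        if gre_site and gre_circuits == 0:
            findings.append(f'{site["name"]}: site has {GRE_TAG} but no circuit is tagged for GRE')
    return plan, findings

# Constructed inventory (hypothetical structure, not a Prisma SD-WAN API export).
SITES = [
    {"name": "branch-a", "tags": ["AUTO-zscaler-GRE"],
     "circuits": [{"name": "isp1", "tags": ["AUTO-zscaler", "AUTO-zscaler-GRE"]},
                  {"name": "isp2", "tags": ["auto-zscaler"]}]},
    {"name": "branch-b", "tags": [],
     "circuits": [{"name": "isp1", "tags": ["AUTO-zscaler-GRE"]}]},
]

if __name__ == "__main__":
    plan, findings = audit(SITES)
    print(plan); print(*findings, sep="\n")
```
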

The Prisma SD-WAN interface must be configured and linked to Zscaler
through a partner administrator account and an SD-WAN partner key
to facilitate this tag-based configuration.

Use the following steps to complete the integration:

1. Create a partner administrator role, create a partner
   administrator account and assign the role, and generate an
   SD-WAN partner key from the Zscaler portal.
2. Configure and install the Zscaler CloudBlade in the Prisma SD-WAN
   Portal.
3. Assign tags to objects in the Prisma SD-WAN Portal to
   automatically integrate those objects to Zscaler.
4. Edit application network policy rules to send traffic to Zscaler.

Prior to configuring the Zscaler CloudBlade in the Prisma SD-WAN
portal, make sure that the user account you are logged in with has
IP session lock disabled. For more information, refer to Improper
Settings for Prisma SD-WAN User Doing Initial Installation.