This section covers the configuration of a Partner Gateway to use VMware Cloud Web Security.


Cloud Web Security allows Service Providers to configure their own Partner Gateways to peer with VMware SASE Points of Presence (PoPs). As a result, Service Provider customers can utilize Cloud Web Security services while being connected to a Partner Gateway. In addition, Partner Customer sites that are MPLS-only are not required to use a broadband connection to access Cloud Web Security services.


A customer would need the following to configure a Partner Gateway for use with Cloud Web Security:
  1. A Partner portal on a production VMware Cloud Orchestrator with Cloud Web Security activated.
  2. The Partner must deploy at least one VMware SD-WAN Gateway as a Partner Gateway. To learn more about configuring a Gateway as a Partner Gateway, see Manage Gateways with New Orchestrator UI.
  3. The Partner Gateway(s) must have the following:
    1. The Partner Gateways must run Gateway software release or later.
    2. The Partner Gateway must be configured for a Cloud Web Security role (in other words, configured to be a SASE Point of Presence (PoP)).
      Note: For more information about configuring a Gateway for a Cloud Web Security role, see Configuring a SD-WAN Gateway for a Cloud Web Security Role.
  4. The Partner Gateway must be configured as a hand off for at least one customer enterprise that the Partner wants associated with Cloud Web Security. To learn more, see Configure Hand Off.

Configure a Partner Gateway for Cloud Web Security

To configure a Partner Gateway for use with Cloud Web Security, perform the following steps:
  1. Navigate to Cloud Web Security > Configure > Partner Gateway Handoff.
  2. Select the Gateway(s) and Segment to be used.
  3. Associate the selected Gateway(s) and Segment with a Security Policy.
    Note: For more information on creating a Security Policy, see Create a Security Policy.
  4. Configure the General & Hand Off Tag. This needs to match the configuration you have for the respective Partner Gateway Handoff.
  5. Under IPv4, IPv6, or both, configure the additional parameters as they were configured for the Partner Gateway and its handoff: the Hand Off Interface, BFD Parameters, and BGP Parameters including inbound and outbound filters.
  6. Click Save Changes to complete the Partner Gateway Handoff configuration.

Monitoring Partner Gateway Handoff

This section covers the monitoring available for Partner Gateways that is specific to Cloud Web Security. Cloud Web Security monitors the quantity of packets, both received and transmitted through a Partner Gateway, that are destined for the Cloud Web Security service.
Note: Monitoring for packets that traverse a Partner Gateway using Cloud Web Security is a feature available in VMware SASE Orchestrators using Release 5.2.0 and later. Orchestrators using an earlier release will not have this feature available.
To view the Monitoring for Partner Gateways using Cloud Web Security, do the following:
  1. Navigate to Cloud Web Security > Monitor > Partner Gateway Handoff.
  2. Select the Gateway(s) to be monitored.

  3. A user can view how many packets are being received and sent through the Partner Gateway to the Cloud Web Security service. Like all monitoring graphs, a user can select from a menu of time blocks (for example, 12 hours, 24 hours, last seven days) or use a calendar and time selector to find specific time periods.