You must enable cloud security to establish a secured tunnel from an Edge to cloud security service sites. This enables the secured traffic being redirected to third party cloud security sites.

Before you begin:
  • Ensure that you have access permission to configure network services.
  • Ensure that your SD-WAN Orchestrator has version 3.3.x or above.
  • You should have Cloud security service gateway endpoint IPs and FQDN credentials configured in the third party CSS.
  1. In the Enterprise portal, click Configure > Profiles.
  2. Click the Device Icon next to a profile, or click the link to the profile, and then click the Device tab.
  3. In the Cloud Security section, switch the dial from the Off position to the On position.
  4. Configure the following settings:

    Option Description
    Cloud Security Service Select a cloud security service from the drop-down menu. You can also click New Cloud Security Service from the drop-down to create a new service type.
    Tunneling Protocol This option is available only for Zscaler cloud security service. Choose either IPsec or GRE. By default, IPsec is selected.
    Hash Select the Hash function as SHA 1 or SHA 256 from the drop-down. By default, SHA 1 is selected.
    Note: VMware does not support MD5 and it is recommended not to choose MD5 as the Hash function.
    Encryption Select the Encryption algorithm as AES 128 or AES 256 from the drop-down. By default, None is selected.
    Key Exchange Protocol

    This option is not available for Symantec cloud security service.

    Select the key exchange method as IKEv1 or IKEv2. By default, IKEv2 is selected.
  5. Click Save Changes.

When you enable Cloud Security Service and configure the settings in a profile, the setting is automatically applied to the Edges that are associated with the profile. If required, you can override the configuration for a specific Edge. See Configure Cloud Security Services for Edges.

For the profiles created with cloud security service enabled and configured prior to 3.3.1 release, you can choose to redirect the traffic as follows:

  • Redirect only web traffic to Cloud Security Service
  • Redirect all internet bound traffic to Cloud Security Service
  • Redirect traffic based on Business Policy Settings – This option is available only from release 3.3.1. If you choose this option, then the other two options are no longer available.
Note: For the new profiles that you create for release 3.3.1 or later, by default, the traffic is redirected as per the Business Policy settings.

You can create a rule in the business policy to redirect the traffic to cloud security service.

  1. In the Business Policy tab of the profile, create a new rule by clicking New Rule or, from the Actions drop-down menu, choose New.

    The Configure Rule dialog box appears.

  2. Enter a unique name for the Rule Name.
  3. In the Action area, click the Internet Backhaul button and choose Cloud Security Service.

  4. Click OK.

    The new rule appears in the Business Policy screen.