The Cloud Security Service (CSS) establishes a secure tunnel from an Edge to the cloud security service sites. This ensures secured traffic flow to the cloud security services.

To configure a Cloud Security Service, perform the following steps.

Procedure

  1. In the SD-WAN service of the Enterprise portal, click Configure > Network Services.
  2. In the Network Services page, navigate to Non SD-WAN Destinations via Edge > Cloud Security Service, click New.
  3. In the New Cloud Security Provider window, select a service type from the drop-down menu. VMware SD-WAN supports the following CSS types:
    • Generic Cloud Security Service
    • Symantec / Palo Alto Cloud Security Service
      Note: Starting from the 5.0.0 release, Palo Alto CSS is configured under the new service type template "Symantec / Palo Alto Cloud Security Service". All customers who have an existing Palo Alto CSS configured under "Generic Cloud Security Service" must move to the new template "Symantec / Palo Alto Cloud Security Service".
    • Zscaler Cloud Security Service
    1. If you have selected either "Generic" or "Symantec / Palo Alto" Cloud Security Service as the Service Type, then configure the following required details and click Add.
      Service Name: Enter a descriptive name for the cloud security service.
      Primary Point-of-Presence/Server: Enter the IP address or hostname for the Primary server.
      Secondary Point-of-Presence/Server: Enter the IP address or hostname for the Secondary server. This is optional.
    2. If you have selected Zscaler Cloud Security Service as the Service Type, then you can choose between manual deployment and automated deployment by selecting the Automate Cloud Service Deployment checkbox. Also, you can configure additional settings such as Zscaler Cloud and Layer 7 (L7) Health Check details to determine and monitor the health of the Zscaler Server.
    Configure Automatic Tunnels from SD-WAN Edge to Zscaler
    This section describes how to automatically create a GRE or IPsec tunnel from an SD-WAN Edge to the Zscaler service provider.
    1. In the New Cloud Security Provider window, enter a service name.
    2. Select the Automate Cloud Service Deployment checkbox.
    3. Select GRE or IPsec protocol for tunnel establishment.
      Note: The total number of CSS Zscaler GRE tunnels that can be configured per customer depends on the customer's subscription on Zscaler. The default value is 100.
    4. Configure additional details such as Domestic Preference, Zscaler Cloud, Partner Admin Username, Password, Partner Key, and Domain, as described in the following table.
      Domestic Preference: Enable this option to prioritize Zscaler data centers from the country of origin of the IP address even if they are farther away than other Zscaler data centers.
        Note: Previously, the Domestic Preference option was only available for GRE tunnels. Starting with the 6.0.0 release, this option is configurable for establishing IPsec tunnels as well.
      Zscaler Cloud: You can choose to use an existing Zscaler cloud or a new Zscaler cloud. If you choose to use an existing cloud, select a Zscaler cloud service from the drop-down menu. For a new Zscaler cloud, you must enter the Zscaler cloud service name in the textbox.
      Partner Admin Username: Enter the provisioned username of the partner admin.
      Partner Admin Password: Enter the provisioned password of the partner admin.
        Note: Starting from the 4.5 release, the use of the special character "<" in the password is no longer supported. In cases where users have already used "<" in their passwords in previous releases, they must remove it to save any changes on the page.
      Partner Key: Enter the provisioned partner key.
      Domain: Enter the domain name on which the cloud service would be deployed.
      Sub Cloud: This is an optional parameter that Zscaler Internet Access (ZIA) customers use to have a custom pool of data centers for geo-location purposes.
        Note: This option is available in CSS Zscaler automated deployment mode if IPsec is selected for establishing tunnels.
    5. Click Validate Credentials. If the validation is successful, the Save Changes button will be activated.
      Note: You must validate the credentials to add a new CSS Provider.
    6. Optional: Configure the following L7 Health Check details to monitor the health of the Zscaler Server.
      Note: The L7 Health Check feature tests HTTP reachability to the Zscaler backend server. Upon enabling L7 Health Check, the Edge sends HTTP L7 probes to a Zscaler destination (Example: http://<zscaler cloud>/vpntest) which is Zscaler's backend server for the HTTP health check. This method is an improvement over using network level keep-alive (GRE or IPsec) as that method only tests for network reachability to the frontend of a Zscaler server.

      If an L7 response is not received after 3 successive retries, or if there is an HTTP error, the Primary Tunnel will be marked as 'Down' and the Edge will attempt to failover Zscaler traffic to the Standby Tunnel (if one is available). If the Edge successfully fails over Zscaler traffic to the Standby Tunnel, the Standby becomes the new Primary Tunnel.

      In the unlikely event that the L7 Health Check marks both the Primary and Standby tunnels as 'Down', the Edge would route Zscaler traffic using a Conditional Backhaul policy (if such a policy has been configured).

      The Edge only sends L7 probes over the Primary Tunnel towards the Primary Server, never over the Standby Tunnel.

      L7 Health Check: Select the checkbox to enable L7 Health Check for the Zscaler Cloud Security Service provider, with default probe details (HTTP Probe interval = 5 seconds, Number of Retries = 3, RTT Threshold = 3000 milliseconds). By default, L7 Health Check is not enabled.
        Note: Configuration of health check probe details is not supported.
        Note: For a given Edge/Profile, a user cannot override the L7 health check parameters configured in the Network Service.
      HTTP Probe Interval: The duration of the interval between individual HTTP probes. The default probe interval is 5 seconds.
      Number of Retries: Specifies the number of probe retries allowed before marking the cloud service as DOWN. The default value is 3.
      RTT Threshold: The round trip time (RTT) threshold, expressed in milliseconds, used to calculate the cloud service status. The cloud service is marked as DOWN if the measured RTT is above the configured threshold. The default value is 3000 milliseconds.
      Zscaler Login URL: Enter the login URL and then click Login to Zscaler. This will redirect you to the Zscaler Admin portal of the selected Zscaler cloud.
        Note: The Login to Zscaler button will be enabled if you have entered the Zscaler login URL.
    7. If you want to login to the Zscaler Admin portal from the Orchestrator, enter the Zscaler login URL and then click Login to Zscaler. This will redirect you to the Zscaler Admin portal of the selected Zscaler cloud.
    Note: For more information about Zscaler CSS automated deployment, see Zscaler and VMware SD-WAN Deployment Guide.
    Note: For specific details on how Zscaler determines the best data center Virtual IP addresses (VIPs) to use for establishing IPsec VPN tunnels, see SD-WAN API Integration for IPSec VPN Tunnel Provisioning.
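    To make the L7 Health Check failover rules above concrete, the following Python model (an added example, not VMware's or Zscaler's code) replays a sequence of probe results against the default settings (3 retries, 3000 ms RTT threshold). It assumes that a timeout, an HTTP error and an RTT above the threshold each count as one failed probe toward the retry limit, and that the tunnel names are placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Defaults taken from the Network Service settings described above.
DEFAULT_RETRIES = 3
DEFAULT_RTT_THRESHOLD_MS = 3000


@dataclass
class Probe:
    """One HTTP L7 probe result; rtt_ms is None when no response arrived."""
    rtt_ms: Optional[int] = None
    http_error: bool = False


@dataclass
class L7HealthCheck:
    # tunnels[0] is the Primary Tunnel; any others are Standby, in order.
    tunnels: List[str]
    conditional_backhaul: bool = False
    retries: int = DEFAULT_RETRIES
    rtt_threshold_ms: int = DEFAULT_RTT_THRESHOLD_MS
    failures: int = 0                      # consecutive failed probes on the Primary
    down: List[str] = field(default_factory=list)

    def probe_failed(self, p: Probe) -> bool:
        # Assumption: timeout, HTTP error and RTT over threshold are all failures.
        return p.http_error or p.rtt_ms is None or p.rtt_ms > self.rtt_threshold_ms

    def route(self) -> Tuple[str, Optional[str]]:
        """Where Zscaler traffic is sent right now."""
        if self.tunnels:
            return ("tunnel", self.tunnels[0])
        if self.conditional_backhaul:
            return ("conditional_backhaul", None)
        return ("no_path", None)           # page does not say what happens here

    def observe(self, p: Probe) -> Tuple[str, Optional[str]]:
        """Feed one probe result; probes only ever travel over the Primary."""
        if not self.tunnels:
            return self.route()
        if not self.probe_failed(p):
            self.failures = 0               # a good response resets the streak
            return self.route()
        self.failures += 1
        if self.failures >= self.retries:
            # Primary marked Down; the Standby (if any) becomes the new Primary.
            self.down.append(self.tunnels.pop(0))
            self.failures = 0
        return self.route()
```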
    Configure Manual Tunnels from SD-WAN Edge to Zscaler
    This section describes how to manually create a GRE or IPsec tunnel from an SD-WAN Edge to a Zscaler service provider. Unlike automatic tunnels, configuring manual tunnels requires you to specify a tunnel destination to bring up the tunnels.
    1. In the New Cloud Security Provider window, enter a service name.
    2. Enter the IP address or hostname for the Primary server.
    3. Optionally, you can enter the IP address or hostname for the Secondary server.
    4. Select a Zscaler cloud service from the drop-down menu or enter the Zscaler cloud service name in the textbox.
    5. Configure other parameters as desired, and then click Save Changes.
    Note: If you have selected Zscaler Cloud Security Service as the Service Type and are planning to assign a GRE tunnel, it is recommended to enter only the IP address for the Primary and Secondary servers, and not the hostname, as GRE does not support hostnames.

Results

The configured cloud security services are displayed under the Cloud Security Service area in the Network Services window.

What to do next

Associate the cloud security service with a Profile or an Edge: