Cloud Security Services

Cloud Security Service (CSS) is a cloud-hosted security that protects an Enterprise branch and/or data center. The security services include firewalls, URL filtering, and other such services.

In CSS, you can define and configure a cloud security service instance and establish a secure tunnel directly from the Edge to the CSS.

You can also configure the branch Edge to establish a tunnel directly to the cloud service pop. This option has the following advantages:
  • Simplified configuration.
  • Saves link bandwidth costs by offloading non-enterprise traffic to the internet.
  • The branch sites are protected from malicious traffic by redirecting the Internet traffic to a cloud security service.
Related Links:

Configure a Cloud Security Service

The Cloud Security Service (CSS) establishes a secure tunnel from an Edge to the cloud security service sites. This ensures secured traffic flow to the cloud security services.

To configure a Cloud Security Service, perform the following steps:

  1. In the SD-WAN service of the Enterprise portal, select Configure > Network Services .
  2. In the Network Services page, navigate to Non SD-WAN Destinations via Edge > Cloud Security Service , select New.
    Figure 1. New Cloud Security Service
  3. In the New Cloud Security Provider window, select a service type from the drop-down menu. VeloCloud SD-WAN supports the following CSS types:
    • Generic Cloud Security Service
    • Symantec / Palo Alto Cloud Security Service
      Note: Starting from 5.0.0 release, Palo Alto CSS are configured under the new service type template "Symantec / Palo Alto Cloud Security Service". All customers who have an existing Palo Alto CSS configured under "Generic Cloud Security Service" must move to the new template "Symantec / Palo Alto Cloud Security Service".
    • Zscaler Cloud Security Service
    1. If you have selected either Generic or Symantec / Palo Alto Cloud Security Service as the Service Type, then configure the following required details and select Add.
      Table 1. New Cloud Security Provider Option Descriptions
      Option Description
      Service Name Enter a descriptive name for the cloud security service.
      Primary Point-of-Presence/Server Enter the IP address or hostname for the Primary server.
      Secondary Point-of-Presence/Server Enter the IP address or hostname for the Secondary server. This is optional.
    2. If you have selected Zscaler Cloud Security Service as the Service Type, then you can choose between manual deployment and automated deployment by selecting the Automate Cloud Service Deployment checkbox. Also, you can configure additional settings such as Zscaler Cloud and Layer 7 (L7) Health Check details to determine and monitor the health of the Zscaler Server.

Configure Automatic Tunnels from SD-WAN Edge to Zscaler

This section discusses how to automatically create a GRE or IPsec tunnel from SD-WAN Edge to Zscaler service provider.
Figure 2. New Cloud Security Service
  1. In the New Cloud Security Provider window, enter a service name.
  2. Select the New Cloud Security Provider check box.
  3. Select GRE or IPsec protocol for tunnel establishment.
    Note: The total number of CSS Zscaler GRE tunnels that can be configured per customer depends on the customer's subscription on Zscaler. The default value is 100.
  4. Configure additional details such as Domestic Preference, Zscaler Cloud, Partner Admin Username, Password, Partner Key, and Domain, as described in the following table.
    Table 2. New Cloud Security Provider option Descriptions
    Option Description
    Domestic Preference Enable this option to prioritize Zscaler data centers from the country of origin of the IP address even if they are farther away from the other Zscaler data centers.
    Note: Previously, the Domestic Preference option was only available for GRE tunnels. Starting with the 6.0.0 release, this option is configurable for establishing IPsec tunnels as well.
    Zscaler Cloud You can choose to use the existing Zscaler clouds or use a new Zscaler Cloud. If you choose to use the existing cloud then select a Zscaler cloud service from the drop-down menu. For new Zscaler cloud, you must enter the Zscaler cloud service name in the textbox.
    Partner Admin Username Enter the provisioned username of the partner admin.
    Partner Admin Password Enter the provisioned password of the partner admin.
    Note: Starting from the 4.5 release, the use of the special character "<" in the password is no longer supported. In cases where users have already used "<" in their passwords in previous releases, they must remove it to save any changes on the page.
    Partner Key Enter the provisioned partner key.
    Domain Enter the domain name on which the cloud service would be deployed.
    Sub Cloud This is an optional parameter that Zscaler Internet Access (ZIA) customers use to have a custom pool of data centers for Geo-location purposes.
    Note: This option is available on CSS Zscaler automated deployment mode, if IPsec is selected for establishing tunnels.
  5. Select Validate Credentials. If the validation is successful, the Save Changes button will be activated.
    Note: You must validate the credentials to add a new CSS Provider.
  6. Optional: Configure the following L7 Health Check details to monitor the health of the Zscaler Server.
    Note: The L7 Health Check feature tests HTTP reachability to the Zscaler backend server. Upon enabling L7 Health Check, the Edge sends HTTP L7 probes to a Zscaler destination (Example: http://<zscaler cloud>/vpntest) which is Zscaler's backend server for the HTTP health check. This method is an improvement over using network level keep-alive (GRE or IPsec) as that method only tests for network reachability to the frontend of a Zscaler server.

    If an L7 response is not received after 3 successive retries, or if there is an HTTP error, the Primary Tunnel will be marked as 'Down' and the Edge will attempt to failover Zscaler traffic to the Standby Tunnel (if one is available). If the Edge successfully fails over Zscaler traffic to the Standby Tunnel, the Standby becomes the new Primary Tunnel.

    In the unlikely event that the L7 Health Check marks both the Primary and Standby tunnels as 'Down', the Edge would route Zscaler traffic using a Conditional Backhaul policy (if such a policy has been configured).

    The Edge only sends L7 probes over the Primary Tunnel towards the Primary Server, never over the Standby Tunnel.

    Table 3. L7 Health Check Option Descriptions
    Option Description
    L7 Health Check Select the checkbox to enable L7 Health Check for the Zscaler Cloud Security Service provider, with default probe details (HTTP Probe interval = 5 seconds, Number of Retries = 3, RTT Threshold = 3000 milliseconds). By default, L7 Health Check is not enabled.
    Note: Configuration of health check probe details is not supported.
    Note: For a given Edge/Profile, a user cannot override the L7 health check parameters configured in the Network Service.
    HTTP Probe Interval The duration of the interval between individual HTTP probes. The default probe interval is 5 seconds.
    Number of Retries Specifies the number of probes retries allowed before marking the cloud service as DOWN. The default value is 3.
    RTT Threshold The round trip time (RTT) threshold, expressed in milliseconds, used to calculate the cloud service status. The cloud service is marked as DOWN if the measured RTT is above the configured threshold. The default value is 3000 milliseconds.
    Zscaler Login URL Enter the login URL and then select Login to Zscaler. This will redirect you to the Zscaler Admin portal of the selected Zscaler cloud.
    Note: The Login to Zscaler button will be enabled if you have entered the Zscaler login URL.
  7. If you want to login to the Zscaler Admin portal from the Orchestrator, enter the Zscaler login URL and then select Login to Zscaler. This will redirect you to the Zscaler Admin portal of the selected Zscaler cloud.
    Note:

Configure Manual Tunnels from SD-WAN Edge to Zscaler

This section discusses how to manually create a GRE or IPsec tunnel from an SD-WAN Edge to a Zscaler service provider. Unlike automatic tunnels, configuring manual tunnels requires you to specify a tunnel destination to bring up the tunnels.
Figure 3. New Cloud Security Service
  1. In the New Cloud Security Provider window, enter a service name.
  2. Enter the IP address or hostname for the Primary server.
  3. Optionally, you can enter the IP address or hostname for the Secondary server.
  4. Select a Zscaler cloud service from the drop-down menu or enter the Zscaler cloud service name in the text box.
  5. Configure other parameters as desired, and then select Save Changes.
    Note: If you have selected Zscaler Cloud Security Service as the Service Type and planning to assign a GRE tunnel, it is recommended to enter only IP address in the Primary and Secondary server, and not the hostname, as GRE does not support hostnames.
    The configured cloud security services are displayed under the Cloud Security Service area in the Network Services window.
    Figure 4. Cloud Security Service
Associate the cloud security service with a Profile or an Edge:

Configure Cloud Security Services for Profiles

Before you begin:
  • Ensure that you have access permission to configure network services.
  • Ensure that your Orchestrator has version 3.3.x or above.
  • You should have Cloud security service gateway endpoint IPs and FQDN credentials configured in the third party Cloud security service.

Enable Cloud Security Service (CSS) to establish a secured tunnel from an Edge to cloud security service sites. This enables the secured traffic being redirected to third-party cloud security sites. At the Profile level, VeloCloud SD-WAN and Zscaler integration supports automation of IPsec and GRE tunnels.

Note: Only one CSS with GRE is allowed per Profile.
  1. In the SD-WAN service of the Enterprise portal, select Configure > Profiles .
  2. Select the Device Icon next to a profile, or select the link to the profile, and then select the Device tab.
  3. In the Cloud Security area, switch the dial from the Off position to the On position.
  4. Configure the following settings:
    Figure 5. Configuring Cloud Security Settings
    Table 4. Security Settings Option Descriptions
    Option Description
    Cloud Security Service Select a cloud security service from the drop-down menu to associate with the profile. You can also select New Cloud Security Service from the drop-down to create a new service type. For additional information about how to create a new CSS, see Configure a Cloud Security Service.
    Note: For cloud security services with Zscaler login URL configured, Login to Zscaler button appears in the Cloud Security Service area. Selecting the Login to Zscaler button will redirect you to the Zscaler Admin portal of the selected Zscaler cloud.
    Tunneling Protocol This option is available only for Zscaler cloud security service provider. If you select a manual Zscaler service provider then choose either IPsec or GRE as the tunneling protocol. By default, IPsec is selected.
    Note: If you select an automated Zscaler service provider then the Tunneling Protocol field is not configurable but displays the protocol name used by the service provider.
    Hash Select the Hash function as SHA 1 or SHA 256 from the drop-down. By default, SHA 1 is selected.
    Encryption Select the Encryption algorithm as AES 128 or AES 256 from the drop-down. By default, None is selected.
    Key Exchange Protocol Select the key exchange method as IKEv1 or IKEv2. By default, IKEv2 is selected.

    This option is not available for Symantec cloud security service.
    Login to Zscaler Select Login to Zscaler to login to the Zscaler Admin portal of the selected Zscaler cloud.
  5. Click Save Changes.

When you enable Cloud Security Service and configure the settings in a Profile, the setting is automatically applied to the Edges that are associated with the profile. If required, you can override the configuration for a specific Edge. See Configure Cloud Security Services for Edges.

For the profiles created with cloud security service enabled and configured prior to 3.3.1 release, you can choose to redirect the traffic as follows:
  • Redirect only web traffic to Cloud Security Service
  • Redirect all Internet bound traffic to Cloud Security Service
  • Redirect traffic based on Business Policy Settings – This option is available only from release 3.3.1. If you choose this option, then the other two options are no longer available.
Note: For the new profiles that you create for release 3.3.1 or later, by default, the traffic is redirected as per the Business Policy settings. See Configure Business Policies with Cloud Security Services.

Configure Cloud Security Services for Edges

When you have assigned a Profile to an Edge, the Edge automatically inherits the Cloud Security Service (CSS) and attributes configured in the Profile. You can override the settings to select a different cloud security provider or modify the attributes for each Edge.

To override the CSS configuration for a specific Edge, perform the following steps:

  1. In the SD-WAN service of the Enterprise portal, select Configure > Edges .
    The Edges page displays the existing Profiles.
  2. Select the link to an Edge or select the View link in the Device column of the Edge.
    The configuration options for the selected Edge are displayed in the Device tab.
  3. Under the VPN Services category, in the Cloud Security Service area, the CSS parameters of the associated profile are displayed.
  4. In the Cloud Security Service area, select the Override check box to select a different CSS or to modify the attributes inherited from the profile associated with the Edge. For additional information on the attributes, see Configure Cloud Security Services for Profiles.
  5. Select Save Changes in the Edges window to save the modified settings.
    Note: For CSS of type Zscaler and Generic, you must create VPN credentials. For Symantec CSS type, the VPN credentials are not needed.

Manual Zscaler CSS Provider Configuration for Edges

At the Edge level, for a selected manual Zscaler CSS provider, you can override the settings inherited from the profile and can configure additional parameters manually based on the tunneling protocol selected for tunnel establishment.

If you choose to configure an IPsec tunnel manually, apart from the inherited attributes, you must configure a Fully Qualified Domain Name (FQDN) and Pre-Shared Key (PSK) for the IPsec session.

Note: As a prerequisite, you should have Cloud Security Service gateway endpoint IPs and FQDN credentials configured in the third-party Cloud Security Service.
Figure 6. Configuring Cloud Security Service
Note: For cloud security services with Zscaler login URL configured, Login to Zscaler button appears in the Cloud Security Service area. Selecting the Login to Zscaler button will redirect you to the Zscaler Admin portal of the selected Zscaler cloud.

If you choose to configure a GRE tunnel manually, then you must configure GRE tunnel parameters manually for the selected WAN interface to be used as source by the GRE tunnel, by following the steps below.

  1. Under GRE Tunnels, select +Add.
    Figure 7. Adding GRE Tunnel
  2. In the Configure Tunnel window appears, configure the following GRE tunnel parameters, and select Update.
    Figure 8. Configuring GRE Tunnel
    Table 5. Configure Tunnel Option Descriptions
    Option Description
    WAN Links Select the WAN interface to be used as source by the GRE tunnel.
    Tunnel Source Public IP Choose the IP address to be used as a public IP address by the Tunnel. You can either choose the WAN Link IP or Custom WAN IP. If you choose Custom WAN IP, enter the IP address to be used as public IP. Source public IPs must be different for each segment when Cloud Security Service (CSS) is configured on multiple segments.
    Primary Point-of-Presence Enter the primary Public IP address of the Zscaler Datacenter.
    Secondary Point-of-Presence Enter the secondary Public IP address of the Zscaler Datacenter.
    Primary Router IP/Mask Enter the primary IP address of Router.
    Secondary Router IP/Mask Enter the secondary IP address of Router.
    Primary Internal ZEN IP/Mask Enter the primary IP address of Internal Zscaler Public Service Edge.
    Secondary Internal ZEN IP/Mask Enter the secondary IP address of Internal Zscaler Public Service Edge.
    Note:
    • The Router IP/Mask and ZEN IP/Mask are provided by Zscaler.
    • Only one Zscaler cloud and domain are supported per Enterprise.
    • Only one CSS with GRE is allowed per Edge. An Edge cannot have more than one segment with Zscaler GRE automation enabled.

    Scale Limitations

    • GRE-WAN: Edge supports maximum of 4 public WAN links for a Non SD-WAN Destination (NSD) and on each link, it can have up to 2 tunnels (primary/secondary) per NSD. So, for each NSD, you can have maximum of 8 tunnels and 8 BGP connections from one Edge.
    • GRE-LAN: Edge supports 1 link to Transit Gateway (TGW), and it can have up to 2 tunnels (primary/secondary) per TGW. So, for each TGW, you can have maximum of 2 tunnels and 4 BGP connections from one Edge (2 BGP sessions per tunnel).

Automated Zscaler CSS Provider Configuration for Edges

At the Edge level, VeloCloud SD-WAN and Zscaler integration supports:
  • IPsec/GRE Tunnel Automation
  • Zscaler Location/Sub-Location Configuration
  1. IPsec/GRE Tunnel Automation: IPsec/GRE tunnel automation can be configured for each Edge segment. Perform the following steps to establish automatic tunnels from an Edge.
    1. In the SD-WAN service of the Enterprise portal, select Configure > Edges .
    2. Select an Edge you want to establish automatic tunnels.
    3. Select the link to an Edge or select the View link in the Device column of the Edge. The configuration options for the selected Edge are displayed in the Device tab.
    4. Under the VPN Services category, in the Cloud Security Service area, the CSS parameters of the associated profile are displayed.
    5. In the Cloud Security Service area, select the Override check box to select a different CSS or to modify the attributes inherited from the profile associated with the Edge. For additional information on the attributes, see Configure Cloud Security Services for Profiles.
    6. From the Cloud Security Service drop-down menu, select an automated CSS provider and select Save Changes.
      Figure 9. Configuring IPsec/GRE Tunnel Automation

      The automation will create a tunnel in the segment for each Edge's public WAN link with a valid IPv4 address. In a multi-WAN link deployment, only one of the WAN Links will be utilized for sending user data packets. The Edge chooses the WAN link with the best Quality of Service (QoS) score using bandwidth, jitter, loss, and latency as criteria. Location is automatically created after a tunnel is established. You can view the details of tunnel establishment and WAN links in the Cloud Security Service section

      Note: After automatic tunnel establishment, changing to another CSS provider from an Automated Zscaler service provider is not allowed on a Segment. For the selected Edge on a segment, you must explicitly deactivate Cloud Security service and then reactivate CSS if you want to change to a new CSS provider from an Automated Zscaler service provider.
  2. Zscaler Location/Sub-Location Configuration: After you have established automatic IPsec/GRE tunnel for an Edge segment, Location is automatically created and appears under the Zscaler section of the Edge Device page.
    Note: Prior 4.5.0 release, the Sub-location configuration is located in the Cloud Security Service section for each segment. Currently, the Orchestrator allows you to configure the Zscaler configurations for Location and Sub-location for the entire Edge from the Zscaler section of the Device Settings page. For existing user of CSS Sub-location automation, the data will be migrated as part of Orchestrator upgrade.
    In the Zscaler section, if you want to update the Location or create Sub-locations for the selected Edge, make sure:
    • You check that the tunnel is established from the selected Edge and Location is automatically created. You will not be allowed to create a Sub-location if the VPN credentials or GRE options are not set up for the Edge. Before configuring Sub-locations, ensure you understand about Sub location and their limitations. See https://help.zscaler.com/zia/understanding-sublocations.
    • You select the same Cloud Subscription that you used to create the Automatic CSS.

    To update the Location or create Sub-locations for the selected Edge, perform the following steps:

    1. In the SD-WAN service of the Enterprise portal, select Configure > Edges .
    2. Select an Edge and select the icon under the Device column.
      The Device Settings page for the selected Edge appears.
    3. Go to the Zscaler section and turn on the toggle button.
      Figure 10. Displaying Associated Zscaler Location for the Selected Edge
    4. From the Cloud Subscription drop-down menu, select the same Cloud Subscription that you used to create the Automatic CSS. The Cloud Name associated to the selected Cloud Subscription automatically appears.
      Note:
      • Cloud Subscription must have same Cloud name and Domain name as CSS.
      • If you want to change provider for "Cloud Subscription", you must first remove the "Location" by deactivating CSS and Zscaler, and then perform the creation steps with the new provider.

      In the Location table, selecting View under the Action Details column displays the actual values for the configuration fetched from Zscaler, if present. If you want to configure the Gateway options and Bandwidth controls for the Location, select the Edit button under Gateway Options. For additional information, see the section "Configure Zscaler Gateway Options and Bandwidth Control".

    5. To create a Sub-location, in the Sub-Locations table, select the +' icon under the Action column.
      1. In the Sub-Location Name text box, enter a unique name for the Sub-location. The Sub location name should be unique across all segments for the Edge. The name can contain alphanumeric with a maximum word length of 32 characters.
      2. From the LAN Networks drop-down menu, select a VLAN configured for the Edge. The Subnet for the selected LAN network will be populated automatically.
        Note: For a selected Edge, Sub-locations should not have overlapping Subnet IPs.
      3. Select Save Changes.
        Figure 11. Configuring Zscaler Sub-location for the Selected Edge
        Note: After you create at least one Sub-location in the Orchestrator, an “Other” Sub location is automatically created in the Zscaler side, and it appears in the Orchestrator UI. You can also configure the “Other” Sub-location’s Gateway options by selecting the Edit button under Gateway Options in the Sub-Locations table. For additional information, see the section Configure Zscaler Gateway Options and Bandwidth Control below.
      4. After creating a Sub-location, you can update the Sub-location configurations from the same Orchestrator page. Once you select Save Changes, the Sub-location configurations on the Zscaler side will be updated automatically.
      5. To delete a Sub-location, select the - icon under the Action column.
        Note: When the last Sub-location is deleted from the table, the "other" Sub-location also gets deleted automatically.

Configure Zscaler Gateway Options and Bandwidth Control

To configure Gateway options and Bandwidth controls for the Location and Sub-location, select the Edit button under Gateway Options, in the respective table.

The Zscaler Gateway Options and Bandwidth Control window appears.
Figure 12. Editing Location Gateway Options

Configure the Gateway options and Bandwidth controls for the Location and Sub-location, as needed, and select Save Changes.

Note: The Zscaler Gateway Options and Bandwidth Control parameters that can be configured for the Locations and Sub-locations are slightly different, however; the Gateway Options and Bandwidth Control parameters for the Locations and Sub-locations are the same ones that one can configure on the Zscaler portal. For additional information about Zscaler Gateway Options and Bandwidth Control parameters, see https://help.zscaler.com/zia/configuring-locations.
Table 6. Zscaler Gateway Options and Bandwidth Control Option Descriptions
Option Description
Gateway Options for Location/Sub-Location
Use XFF from Client Request Enable this option if the location uses proxy chaining to forward traffic to the Zscaler service, and you want the service to discover the client IP address from the X-Forwarded-For (XFF) headers that your on premises proxy server inserts in outbound HTTP requests. The XFF header identifies the client IP address, which can be leveraged by the service to identify the client’s sub location. Using the XFF headers, the service can apply the appropriate sub location policy to the transaction, and if Enable IP Surrogate is turned on for the location or sub-location, the appropriate user policy is applied to the transaction. When the service forwards the traffic to its destination, it will remove the original XFF header and replace it with an XFF header that contains the IP address of the client gateway (the organization’s public IP address), ensuring that an organization's internal IP addresses are never exposed to externally.
Note: This Gateway option is only configurable for Parent location.
Enable Caution If you have not enabled Authentication, you can enable this feature to display a caution notification to unauthenticated users.
Enable AUP If you have not enabled Authentication, you can enable this feature to display an Acceptable Use Policy (AUP) for unauthenticated traffic and require users to accept it. If you enable this feature:
  • In Custom AUP Frequency (Days) specify, in days, how frequently the AUP is displayed to users.
  • A First Time AUP Behavior section appears, with the following settings:
    • Block Internet Access- Enable this feature to deactivate all access to the Internet, including non-HTTP traffic, until the user accepts the AUP that is displayed to them.
    • Force SSL Inspection- Enable this feature to make SSL Inspection enforce an AUP for HTTPS traffic.
Enforce Firewall Control Select to enable the service's firewall control.
Note: Before enabling this option, user must ensure if its Zscaler account has subscription for "Firewall Basic".
Enable IPS Control If you have enabled Enforce Firewall Control, select this to enable the service's IPS controls.
Note: Before enabling this option, user must ensure if its Zscaler account has subscription for "Firewall Basic" and "Firewall Cloud IPS".
Authentication Enable to require users from the Location or Sub-location to authenticate to the service.
IP Surrogate If you enabled Authentication, select this option if you want to map users to device IP addresses.
Idle Time for Dissociation If you enabled IP Surrogate, specify how long after a completed transaction, the service retains the IP address-to-user mapping. You can specify the Idle Time for Dissociation in Mins (default), or Hours, or Days.
  • If the user selects the unit as Mins, the allowable range is from 1 through 43200.
  • If the user selects the unit as Hours, the allowable range is from 1 through 720.
  • If the user selects the unit as Days, the allowable range is from 1 through 30.
Surrogate IP for Known Browsers Enable to use the existing IP address-to-user mapping (acquired from the surrogate IP) to authenticate users sending traffic from known browsers.
Refresh Time for re-validation of Surrogacy If you enabled Surrogate IP for Known Browsers, specify the length of time that the Zscaler service can use IP address-to-user mapping for authenticating users sending traffic from known browsers. After the defined period of time elapses, the service will refresh and revalidate the existing IP-to-user mapping so that it can continue to use the mapping for authenticating users on browsers. You can specify the Refresh Time for re validation of Surrogacy in minutes (default), or hours, or days.
  • If the user selects the unit as Mins, the allowable range is from 1 through 43200.
  • If the user selects the unit as Hours, the allowable range is from 1 through 720.
  • If the user selects the unit as Days, the allowable range is from 1 through 30.
Bandwidth Control Options for Location
Bandwidth Control Enable to enforce bandwidth controls for the location. If enabled, specify the maximum bandwidth limits for Download (Mbps) and Upload (Mbps). All sub locations will share the bandwidth limits assigned to this location.
Download If you enabled Bandwidth Control, specify the maximum bandwidth limits for Download in Mbps. The allowable range is from 0.1 through 99999.
Upload If you enabled Bandwidth Control, specify the maximum bandwidth limits for Upload in Mbps. The allowable range is from 0.1 through 99999.
Bandwidth Control Options for Sub-Location (if Bandwidth Control is enabled on Parent Location)
Figure 13. Bandwidth Control Options for Sub-Location
Note: The following bandwidth control options are configurable for sub-location only if you have bandwidth control enabled on the parent location. If the bandwidth control is not enabled on the parent location, then the bandwidth control options for sub-location are the same as location (Bandwidth Control, Download, Upload).
Use Location Bandwidth If you have bandwidth control enabled on the parent location, select this option to enable bandwidth control on the sub-location and use the download and upload maximum bandwidth limits as specified for the parent location.
Override Select this option to enable bandwidth control on the sub-location and then specify the maximum bandwidth limits for Download (Mbps) and Upload (Mbps). This bandwidth is dedicated to the sub-location and not shared with others.
Disabled Select this option to exempt the traffic from any Bandwidth Management policies. Sub-location with this option can only use up to a maximum of available shared bandwidth at any given time.
Limitations
  • In 4.5.0 release, when a Sub-location is created, Orchestrator automatically saves the "Other" Sub location. In earlier version of Orchestrator, the Zscaler "Other" Sub-location was not saved in Orchestrator. After upgrading Orchestrator to 4.5.0 release, the "Other" Sub-location will be imported automatically only after a new normal (non-Other) Sub-location is created using automation.
  • Zscaler Sub-locations cannot have overlapping IP addresses (subnet IP ranges). Attempting to edit (add, update, or delete) multiple Sub-locations with conflicting IP addresses may cause the automation to fail.
  • Users cannot update the bandwidth of Location and Sub-location at the same time.
  • Sub-locations support Use Location Bandwidth option for bandwidth control when its Parent Location bandwidth control is enabled. When user turns off the Location bandwidth control on a Parent Location, the Orchestrator does not check or update the Sub-location bandwidth control option proactively.

Configure Business Policies with Cloud Security Services

You can create business policies to redirect the traffic to a Cloud Security Service.

For additional information on business policies, see Create Business Policy Rule.

  1. In the SD-WAN service of the Enterprise portal, select Configure > Profiles .
  2. Select a profile from the list and select the Business Policy tab.
  3. Under Configure Business Policy > Business Policy Rules , select +ADD. The Add Rule dialog box appears.
  4. Enter a name for the business rule and select the IP version.
  5. Select the Match tab, choose the Match options to match the traffic.
  6. Select the Action tab and from the Network Service drop-down menu select Internet Backhaul and choose a Cloud Security Service from the drop-down menu. You must have already associated the cloud security service to the profile.
    Figure 14. Add Rule
  7. Choose the other actions as required and select OK.

The business policies that you create for a Profile are automatically applied to all the Edges associated with the profile. If required, you can create additional business policies specific to the Edges.

  1. Navigate to Configure > Edges , select an Edge, and select the Business Policy tab.
  2. Under Configure Business Policy > Business Policy Rules , select +ADD. The Add Rule dialog box appears.
  3. Define the rule with Cloud Security Service associated with the Edge.

The Business Policy tab of the Edge displays the policies from the associated Profile along with the policies specific to the Edge.

Monitor Cloud Security Services

You can view the details of Cloud Security Services (CSS) configured for the Enterprise from the MonitorNetwork Services page.

To monitor the Cloud Security Service sites:

  1. In the SD-WAN service of the Enterprise portal, select Monitor > Network Services . The Network Services page appears.
  2. Select the Cloud Security Service Sites tab to view all the CSS configured for the Enterprise along with the following configuration details.
    Figure 15. Network Services
    Table 7. Network Services Field Descriptions
    Field Description
    Name The name of the CSS provider.
    Type The type of the CSS provider.
    Public IP The Public IP address of the CSS provider.
    Status The overall status of the CSS provider:
    • White- Specifies two possible states:
      • ALL_STANDBY- The CSS provider is in this state if all the tunnels associated with the CSS provider are in STANDBY mode.
      • UNKNOWN- The CSS provider is in this state if the overall status of the CSS provider is undetermined.
    • Green- The CSS provider is in ALL_UP state if all the tunnels associated with the CSS provider are UP.
    • Red- The CSS provider is in ALL_DOWN state if all the tunnels associated with the CSS provider are DOWN.
    • Amber- The CSS provider is in PARTIAL state if the tunnels associated with the CSS provider are partially UP, DOWN, or in STANDBY mode.
    Tunnel Status The status of tunnels created from the CSS provider from different Edges:
    • White- Specifies two possible states:
      • UNKNOWN- The tunnel is in this state if the tunnel is unestablished.
      • NOT ENABLED- The tunnel is in this state if the tunnel is not enabled.
    • Gray- The tunnel associated with the CSS provider is in STANDBY mode.
    • Green- Specifies two possible states:
      • ALL_UP- All the tunnels associated with the CSS provider are UP.
      • UP- A specific tunnel associated with the CSS provider is UP.
    • Red- Specifies two possible states:
      • ALL_DOWN- All the tunnels associated with the CSS provider are DOWN.
      • DOWN- A specific tunnel associated with the CSS provider is DOWN.
      Note: The numbers that appear on the Tunnel Status and Service Status icons signify the number of Edges associated with that state for the respective CSS provider.
    Service Status The status of the external service as recorded by each Edge:
    • Green- The Layer 7 (L7) Health status of external service is UP.
    • Red- The L7 Health status of external service is DOWN.
    • Red- The L7 Health status of external service is DOWN due to one of the following reasons:
      • The Zen service does not respond to 'N' (Default = 3) consecutive HTTP probe messages.
      • The HTTP response (200 OK) time exceeds the set time (Default = 300 milliseconds).
      • The Zen server responds with 4xx HTTP error code.
    • Amber- The L7 Health status of external service is DEGRADED if the HTTP load time exceeds 'N' seconds (Default = 3 seconds).
    • Gray- The L7 Health status of external service is UNKNOWN.
    State Changed Time The date and time by when the state change occurred.
    Deployment Status Allows to view the deployment status of the CSS provider.
  3. Select the Radio button before the CSS provider Name to view the related state change events.
    Figure 16. CSS provider Name Selection
  4. Select the View link in the Deployment Status column to view the deployment status of the CSS provider.
    Figure 17. Cloud Security Service Automated Deployment Status for CSS IPSec
    The following are the seven different states for an Edge action:
    • Pending Location- The Edge action is in this state until a Zscaler location is created. This state is only for applicable for Sub-location Edge actions.
    • Pending- The Edge action is in this state as it waits for a backend worker process to pick it up and start working on it.
    • In-Progress- The Edge action is in this state after a backend worker process picks up the Edge action and starts working on it.
    • Completed- The Edge action is in this state if the Edge action task is successfully completed.
    • Failed- The Edge action is in this state if an error has occurred.
    • Timed Out- The Edge action is in this state if it takes more than the expected amount of time to complete the Edge action task.
    • Pending Delete- The Edge action is in this state if it is pending deletion.
      Note: Currently, the Pending Location and Pending Delete states are not used and these states will be removed from the UI in the future release.
  5. Select Details to view the Event details.

You can view the Layer 7 (L7) health check statistics for Cloud Security Service from the Monitor > Edges menu.

Monitor Cloud Security Services Events

You can view the events related to cloud security services from the Monitor > Events page.

In the SD-WAN service of the Enterprise portal, select Monitor > Events .

To view the events related to cloud security service sites, you can use the Search and Filter options. Select the Filter icon and choose to filter either by the Event or by the Message column.

Figure 18. Events Screen

The following table includes the Enterprise events which help track various Edge actions related to CSS deployment, Location and Sub-location automation.

Table 8. Enterprise Events Descriptions
Events Description
Call made to external API An API call to some external service has been made.
CLOUD_SECURITY_PROVIDER_ADDED A new CSS provider has been added.
CLOUD_SECURITY_PROVIDER_UPDATED A new CSS provider has been updated.
CLOUD_SECURITY_PROVIDER_REMOVED A CSS provider has been removed.
Cloud Security Service site creation enqueued A CSS site creation task has been enqueued.
Cloud Security Service site update enqueued A CSS site update task has been enqueued.
Cloud Security Service site deletion enqueued A CSS site deletion task has been enqueued.
Network Service created A CSS site has been created.
Network Service updated A CSS site has been updated.
Network Service deleted A CSS site has been deleted.
CSS tunnels are up The CSS paths are UP. The traffic will be routed through CSS based on the Business policy rules configured.
All CSS tunnels are down The CSS paths are DOWN.
Edge Non SD-WAN Destination tunnel up The tunnel is UP for the Edge.
Edge Non SD-WAN Destination tunnel down The tunnel is DOWN for the Edge.
Zscaler Location creation enqueued An Edge action has been enqueued to create a location.
Zscaler Location update enqueued An Edge action has been enqueued to update a location.
Zscaler Location deletion enqueued An Edge action has been enqueued to delete a location.
Zscaler Location object created A Zscaler location object is created.
Zscaler Location object updated A Zscaler location object is updated.
Zscaler Location object deleted A Zscaler location object is deleted.
Zscaler Sub Location creation enqueued An Edge action has been enqueued to create a sub-location.
Zscaler Sub Location update enqueued An Edge action has been enqueued to update a sub-location.
Zscaler Sub Location deletion enqueued An Edge action has been enqueued to delete a sub-location.
Zscaler Sub Location object created A Zscaler Sub-location object is created.
Zscaler Sub Location object updated A Zscaler Sub-location object is updated.
Zscaler Sub Location object deleted A Zscaler Sub-location object is deleted.