Defining the Web Security Gateway

Refer to the "Use Case 9" diagram, where the Zscaler web security gateway information is displayed in green.

Also see how to define an External VTI Gateway ("Use Case 10").

Identifying the web security gateway

1 In the General panel of the Configuration window, select 'Web Security Gateway' as the type of gateway.
2 Enter the Name (Zscaler-gateway) of the Web Security gateway.
3 Enter the gateway Primary Public IP Address (155.201.3.1).
4 Enter the gateway Secondary Public IP Address (43.68.122.12). Traffic will be routed through the secondary tunnel as soon as the primary tunnel goes down.

Routing

Since Zscaler supports neither static nor dynamic routing (the IPsec tunnel is policy-based only), the Routing panel of the Configuration window is not used.

IPsec tunnel parameters

5 Use the IKE policy (default values for Zscaler are automatically displayed) and IPsec policy values as you defined them in Zscaler. Also enter the MTU value.
6 Use the IPsec Pre-Shared key field as follows:
If, on the Zscaler Portal, the Web Security gateway is configured with only one default Pre-Shared Key for all the tunnels connected to this gateway, enter this key in the SD-WAN Orchestrator. Specifying a Pre-Shared key is mandatory with a Zscaler Web Security gateway.
You can override this default Pre-Shared Key with a new key when configuring the connection between the ip|engine and the gateway.
7 Click Create.

For a detailed description of all the fields, refer to "Advanced Configuration".

8 Then connect the gateway to the Branch Office ip|engine. Refer to the following section.
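
A check that can be run on the planned values from steps 1 to 6 before entering them, as an added example that is not part of the original documentation or of the SD-WAN Orchestrator. The field names, the `check_gateway` and `effective_psk` helpers and the sample key are assumptions made for illustration; the name and addresses are the ones used in the steps above.

```python
import ipaddress

# Constructed sample: name and addresses from the steps above, placeholder key.
GATEWAY = {
    "name": "Zscaler-gateway",
    "primary_ip": "155.201.3.1",
    "secondary_ip": "43.68.122.12",
    "psk": "EXAMPLE-PSK-NOT-A-REAL-KEY",
}


def check_gateway(gw):
    """Return a list of problems found in a planned gateway definition."""
    problems = []
    if not (gw.get("name") or "").strip():
        problems.append("name is empty")
    addrs = {}
    for field in ("primary_ip", "secondary_ip"):
        try:
            addrs[field] = ipaddress.ip_address(gw.get(field))
        except ValueError:
            problems.append(f"{field} is not a valid IP address")
            continue
        # The panel asks for public addresses; RFC 1918 and similar are rejected.
        if not addrs[field].is_global:
            problems.append(f"{field} is not a public address")
    if len(addrs) == 2 and addrs["primary_ip"] == addrs["secondary_ip"]:
        problems.append("primary and secondary are identical: no failover path")
    # A pre-shared key is mandatory with a Zscaler Web Security gateway.
    if not gw.get("psk"):
        problems.append("pre-shared key is missing")
    return problems


def effective_psk(gw, connection):
    """Key used on one ip|engine connection: the override if set, else the default."""
    override = connection.get("psk_override")
    if override is not None and not override.strip():
        raise ValueError("blank override would replace the default key with nothing")
    return override or gw["psk"]


if __name__ == "__main__":
    print(check_gateway(GATEWAY) or "gateway definition is consistent")
    print(effective_psk(GATEWAY, {"psk_override": "EXAMPLE-BRANCH-KEY"}))
```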