June 16, 2022
Zscaler ZIA Integration With Cisco SD-WAN
Backhauling Internet-bound traffic from branches to a data center to consume traditional security services is expensive and adds latency. Many organizations are improving their network infrastructure by adopting SD-WAN and enabling Direct Internet Access (DIA). With the Zscaler and the Cisco SD-WAN integration, you can rapidly gain access to cloud-delivered security in minutes. This market-leading API automation makes it very fast and agile to deploy and manage the network and security environment of hundreds or even thousands of remote sides.
Below is a summary of the configuration used in this video demonstration. Always consult the product documentation to ensure your configuration settings are correct for your deployment.
Collect & create Zscaler needed integration parameters
As per the Zscaler/SDWAN configuration guide, there are a few needed parameters that the Cisco SD-WAN solution would need to automatically integrate with Zscaler via API. These parameters would be collected after login into the Zscaler portal.
Locate the Zscaler Organization name for the account
Locate the Zscaler Partner URI
This is the URL to be used by our deployment for API integrations. Administration>Cloud Service API Key Management>Cloud Service API Key
Add an SD-WAN partner key
Add a partner administrator role
By creating an administrator role, we can define the permissions and access we wish to grant a third-party partner, such as Cisco SD-WAN.
Create a partner administrator account
Administration>Administration Control>Administration Management
A second set of authentication credentials are needed for this integration. You must create partner administrator credentials to be used to authenticate against the Zscaler ZIA provisioning API. These credentials will be associated with the Admin SD-WAN role created in the previous step.
At this point, we have all the Zscaler needed parameters to integrate the solution into our SD-WAN fabric.
Create a SIG feature template for API access to Zscaler
In this section, we will enter the parameters collected in the previous steps.
Create a SIG feature template to define tunnel parameters
Define tunnel parameters, in this example, we have an active primary tunnel and the second tunnel in a standby state.
Assign feature templates to the device template for our SSE branch
Adding the two feature templates created in the previous steps to the device template that we would like to implement the SIG tunnels.
Add a Service Route to redirect traffic to the SIG Service
This will direct all internet traffic to the SIG service. Additionally, this could also be achieved via a policy for more granular options.
Backhauling Internet-bound traffic from branches to a datacenter to consume traditional security services is expensive and adds latency. Many organizations are improving their network infrastructure by adopting SD-WAN and enabling Direct Internet Access (DIA). With the Zscaler and SD-WAN integration, you can rapidly gain access to cloud-delivered security in minutes.
Explore more in the Cisco SD-WAN and Zscaler integration self-guided lab.