Link Search Menu Expand Document

Zscaler Internet Access

Configuration > Cloud Services > Zscaler Internet Access

Zscaler Internet Access (ZIA) is a cloud security service. EdgeConnect traffic can be service chained to Zscaler for additional security inspection. Orchestrator supports IPSec and GRE tunnel modes for Zscaler.

NOTE: GRE tunnels are not formed across an EdgeHA link.

NOTE: Zscaler’s term for ZEN is now Service Edge.

The following table describes the fields on the Zscaler Internet Access tab.

Field Description
Appliance Name of the appliance to connect to Zscaler.
Interface Label Interface label for the interfaces you want to connect to Zscaler.
Mode Tunnel mode (IPSec or GRE) for Zscaler. The default mode is IPSec.
Gateway Options A feature that enables you to configure sub-locations and various rules for your sub-locations. Gateway Options is an optional add-on.
Bandwidth Upload and download bandwidth speeds (in Mbps) to and from Zscaler.
Zscaler Deployment Status Status of the Zscaler deployment (Creating, Pending, or Deployed). Deployed indicates successful deployment.
Zscaler Service Edges These are the Zscaler endpoints to which the tunnels connect. This field is populated with discovered Public Service Edges based on the appliance’s geographical location.
Connection Status Status of the Zscaler connection based on tunnel and IP SLA statuses.

Configure Zscaler

Before you configure Zscaler, you must create a Zscaler account and ensure that you have an established connection with Zscaler.

NOTE: This section represents the automated configuration of IPSec, IKE, and GRE tunnels from EdgeConnect to the Zscaler cloud. To manually configure the tunnels with the Zscaler cloud, refer to the EdgeConnect and Zscaler IPSec Integration Guide and the EdgeConnect and Zscaler GRE Integration Guide.


  1. Go to and follow the steps to configure your Zscaler account.

  2. After configuring your Zscaler account, navigate to the Zscaler Internet Access tab in Orchestrator (Configuration > Cloud Services > Zscaler Internet Access).

  3. Click the Subscription button.

    The Subscription dialog box opens.

  4. Enter the appropriate information to reflect your Zscaler account.

    The following table describes the fields.

    Field Description
    Zscaler Indicates whether you are connected to your Zscaler account.
    Zscaler Cloud Zscaler cloud URL. For example,
    Partner Username Partner administrator username you created when configuring Zscaler.
    Partner Password Partner administrator password you created when configuring Zscaler.
    Partner Key Partner key you created when configuring your Zscaler account. Select Silver Peak from the list of partners.
    Domain Domain provisioned in Zscaler for your enterprise.
    Subscription Cloud ID (Optional) A subcloud can be a subset of ZIA Public Service Edges, a subset of Private Service Edges, a subset of PZENs, or a subset of both ZIA Public Service Edges and Private Service Edges or PZENs. If you subscribe to any of these services, you must specify in this field the name of your subcloud (for example, Americas) to obtain a full list of Service Edges for your organization.

    WARNING: Because this is service affecting, configure this ID during a maintenance window only. This will cause previously built tunnels to be deleted and rebuilt.
    Configuration Polling Interval Indicates how often Orchestrator should check for configuration changes in Zscaler. The default polling interval is ten minutes.
  5. Click Save. The Zscaler field should indicate Connected.

Interface Labels

Select Primary labels you want your traffic to go to. Backup labels will be used as the second option if the primary is unreachable.

  1. Click the Interface Labels button on the Zscaler Internet Access tab.

    The Build Tunnels Using These Interfaces dialog box opens.

  2. Drag the Interface labels you want to use into the Primary and Backup areas in the dialog box.

  3. Click Save.

WARNING: This is service affecting. Any changes to the interface selection can cause previously built tunnels to be deleted and rebuilt.

Tunnel Settings

The Tunnel Settings button opens the Zscaler Tunnel Setting dialog box, enabling you to define the tunnels associated with Zscaler and EdgeConnect. The Mode field on the General tab allows you to select IPSec or GRE as the tunnel protocol for the specified WAN interface label. Use Zscaler defaults for tunnel settings defined by the system.

NOTE: For IPSec mode, you can configure General, IKE, and IPSec tunnel settings. For GRE mode, you can configure General tunnel settings. Settings are automatically generated, but you can change them if you want to.

Service Edge Override

You can override the automatically selected Service Edge pair for specific sites. You have the option to add this exception to one or more sites within your network.

NOTE: Orchestrator does not support Service Edge Override for GRE tunnels.

  1. Click the Service Edge Override button on the Zscaler Internet Access tab.

    The Service Edge Override dialog box opens.

  2. Enter the appliance name, the interface label, and the primary and secondary IP addresses. Orchestrator will build tunnels to those Service Edges.

    Field Description
    Appliance Appliance for which to override Zscaler Service Edges.
    Interface Label Interface label from which tunnels are built.
    Primary IP IP address of the primary Zscaler Service Edge.
    Secondary IP IP address of the secondary Zscaler Service Edge.


Configure IP SLA for Zscaler tunnels. This configuration ensures tunnel connectivity and internet availability between Zscaler and Orchestrator. If the tunnel cannot reach Zscaler, the tunnel is considered DOWN.

  1. Click the IP SLA button on the Zscaler Internet Access tab.

    The Zscaler IP SLA Configuration dialog box opens.

  2. If all fields are dimmed, click Enable IP SLA rule orchestration.

  3. Complete the following fields.

    Field Description
    Monitor Ping or HTTP/HTTPS.
    Address URL to the Zscaler endpoint that the IP SLA subsystem will ping. You can configure up to three addresses.
    Source Interface Select an orchestrated loopback label.
  4. Accept the default values for the remaining fields and click Save.

    Orchestrator builds the tunnels.

Country / Timezone

You can use the Zscaler Country / Timezone dialog box to configure standard ISO Country Codes to Zscaler Country Enums and standard Time Zones to Zscaler Time Zone Enums. Click the Country / Timezone button on the Zscaler Internet Access tab to open the dialog box. Make changes, and then click Save.

Gateway Options

You can configure gateway options and rules for Zscaler sub-locations. Orchestrator uses location and sub-locations to better define a branch site in the Zscaler cloud. Sub-locations are LAN-side segments within each branch. They can be identified by LAN interfaces, zones, or a collection of LAN subnets.

Enable Gateway Options

To enable gateway options:

  1. Click the Gateway Options button on the Zscaler Internet Access tab.

    The Zscaler Gateway Options dialog box opens.

  2. Click Add.

    The Location / Sub-Location Match Criteria dialog box opens.

  3. Enter a name for the new rule in the Rule Name field.

    WARNING: If two rules have the same sub-location name or IP address, Orchestrator picks the first match and considers the order of the rules.

  4. Specify a location by entering an appliance name, region, or group in the Appliances field.

  5. Enter the WAN label in the Location Label field.

  6. If you select the Sub-Location check box:

    1. Enter the sub-location name in the Name field.

    2. Enter the subnet address (LAN label, Firewall Zone, or subnet) in the Internal IPs field.

  7. Click Save.

    NOTE: Sub-locations can be applied to all WAN links selected in the Build Tunnels Using These Interfaces dialog box (accessed by clicking the Interface Label button on the Zscaaler Internet Access tab).

If you select the Show sub-locations check box on the Zscaler Internet Access tab, the sub-locations configured in Gateway Options appear in the Zscaler table.

Configure Bandwidth Control

You can set up bandwidth controls for your Zscaler sub-locations configured in Gateway Options. Select from bandwidth control options that use fixed amounts of bandwidth, inherit bandwidth values from parent locations, or use percentages of deployment bandwidth.

  1. Click the Gateway Options button on the Zscaler Internet Access tab.

    The Zscaler Gateway Options dialog box opens.

  2. In the table, locate the rule name row for which you want to configure bandwidth control, and then click the linked text in the Gateway Options column.

    The Zscaler Gateway Options & Bandwidth Control dialog box opens.

  3. Select one of the following options from the Bandwidth Control drop-down list:

    Bandwidth Control Option Description
    OFF Do not use bandwidth control. This is the default setting.
    Fixed bandwidth Use fixed amounts of bandwidth for the sub-location. Specify amounts for download and upload in Mbps.
    Inherit (parent) location bandwidth Inherit the parent location’s bandwidth values.
    Use deployment WAN label bandwidth Use percentages of the deployment WAN label’s bandwidth. Specify amounts for download and upload as percentages. Each specified percentage cannot exceed 100%. Orchestrator will automatically translate percentages into Mbps and send them to Zscaler. Sub-locations will use these values as percentages of deployment bandwidth.
  4. Click Save.

    The Change Gateway Options dialog box opens.

    WARNING: Changing Gateway Options is service affecting. Make changes during a maintenance window.

  5. Click Change Gateway Options.

    Your changes are applied to Orchestrator and Zscaler. This process takes time to complete.

Zscaler Association

The final step to configure the integration in Orchestrator is to associate EdgeConnect appliances to Zscaler.

  1. In the Orchestrator appliance tree, select one or more appliances to associate with Zscaler.

  2. Click the Zscaler Association button on the Zscaler Internet Access tab.

    The Zscaler Appliance Association dialog box opens.

  3. In the table, select one or more appliances you want to associate with Zscaler, and then select the Add check box.

    Select the Remove check box to remove Zscaler association from selected appliances in the table.

  4. Verify the changes, and then click Save.

Pause Orchestration

When troubleshooting, you can click Pause Orchestration and save to pause orchestration. To restart, click Resume Orchestration.

Using Zscaler for Breakout Traffic

Finally, you need to select the Zscaler service in at least one Business Intent Overlay Breakout Traffic Policy to steer traffic to it.

  1. Navigate to the Business Intent Overlays tab in Orchestrator (Configuration > Overlays & Security > Business Intent Overlays).

  2. Click the overlay that breaks out traffic to Zscaler.

    The Overlay Configuration dialog box opens.

  3. Click the Breakout Traffic to Internet & Cloud Services tab.

  4. Drag Zscaler Cloud from the Available Policies column to the Preferred Policy Order column.

Verify Zscaler Deployment

After Zscaler Internet Access is configured, deployment will begin automatically. Navigate to the Zscaler Internet Access tab to verify successful deployment. The Zscaler Deployment Status column should have a green status of Deployed, and the Connection status column should have a green status of Up. The Connection Status column indicates the status of the Zscaler connection based on tunnel and IP SLA statuses.

NOTE: Zscaler is deployed and orchestrated for an appliance based on the Zscaler Appliance Association dialog box. Business Intent Overlays (BIOs) are used to configure breakout internet policies to Zscaler. This is used for automatic load distribution and failover.

You can also verify that your Zscaler tunnels have been successfully deployed on the Tunnels tab. The Passthrough Tunnel column should list your Zscaler tunnels, and the Status column should have a green status of up – active.

Back to top

© Copyright 2022 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.