Link Search Menu Expand Document

Zscaler Internet Access

Configuration > Cloud Services > Zscaler Internet Access

Zscaler Internet Access is a cloud security service. EdgeConnect traffic can be service chained to Zscaler for additional security inspection.

ApplianceName of the appliance you want to connect with Zscaler.
Interface LabelInterface label for the interfaces you want to connect with Zscaler.
Gateway OptionsOptional add-on that enables you to configure sub-locations and various rules for your sub-locations.
Bandwidth (Mbps)Upload and download bandwidth speeds (in Mbps) to and from Zscaler.
VPN Credentials and Location StatusVPN credentials and location status of your subscription with Zscaler.
Zscaler ZENsZscaler Enforcement Nodes: The Zscaler endpoints where the tunnels connect. The discovered ZENs in this column are populated based on the appliance’s geographical location.

Before you begin configuring Zscaler, you must create a Zscaler account and ensure you have an established connection with Zscaler.

NOTE: This section represents automated configuration of IPSec, IKE, and GRE tunnels from EdgeConnect to the Zscaler cloud. To manually configure the tunnels with the Zscaler cloud, refer to the Zscaler-Silver Peak IPSec Integration Guide: Manual Mode and the Zscaler-Silver Peak GRE Integration Guide: Manual Mode.


  1. Go to

  2. After you configure your Zscaler account by completing the steps in the above URL, navigate to the Zscaler Internet Access tab in Orchestrator (Configuration > Cloud Services > Zscaler Internet Access).

  3. Select the Subscription button to get started with Zscaler.

    The Subscription dialog box opens.

  4. Enter the appropriate information in the fields to reflect your Zscaler account.

  5. Click Save after you have finished entering the information in the table below. The Zscaler field should reflect Connected.

Descriptions of the fields in the Subscription dialog box follow.

ZscalerIndicates whether you are connected to your Zscaler account.
Zscaler CloudZscaler cloud URL. For example,
Silver Peak Partner UsernamePartner administrator user name you created when configuring Zscaler.
Silver Peak Partner PasswordPartner administrator password you created when configuring Zscaler.
Silver Peak Partner KeyPartner key you created when configuring your Zscaler account. Select Silver Peak from the list of partners.
DomainDomain provisioned in Zscaler for your enterprise.
Subscription Cloud ID(Optional) A subcloud can be a subset of ZIA Public Service Edges, a subset of Private Service Edges, a subset of PZENs, or a subset of both ZIA Public Service Edges and Private Service Edges or PZENs. If you subscribe to any of these services, you must specify in this field the name of your subcloud (for example, Americas) to obtain a full list of ZENs for your organization.

WARNING: Because this is service affecting, submit this ID during a maintenance window only. This will cause previously built tunnels to be deleted and rebuilt.
Configuration Polling IntervalIndicates how often Orchestrator should check for configuration changes in Zscaler. The default polling interval is ten minutes.

Tunnel Settings

The Tunnel Settings button opens the Tunnel Setting dialog box, which enables you to define the tunnels associated with Zscaler and EdgeConnect. Use the Zscaler defaults for tunnel settings defined by the system.

NOTE: You can configure General, IKE, and IPSec tunnel settings. The settings are automatically generated; however, you can edit them if you desire.

Interface Labels

Select Primary labels you want your traffic to go to. Backup labels will be used as the second option if the primary is unreachable.

  1. Click the Interface Labels button in the Zscaler Internet Access dialog box.

    The Build Tunnels Using These Interfaces dialog box opens.

  2. Drag the Interface labels you want to use into the Primary and Backup areas in the dialog box.

  3. Click Save.

WARNING: This is service affecting. Any changes to the interface selection can cause previously built tunnels to be deleted and rebuilt.

ZEN Override

You can use ZEN Override to override the automatically selected ZEN pair for specific sites. You have the option to add this exception to one or more sites within your network.

  1. Click the ZEN Override button in the Zscaler Internet Access dialog box.

  2. Enter the appliance name, the interface label, and the Primary and Secondary IP addresses. Orchestrator will build tunnels to those ZENs.

ApplianceAppliance for which we override Zscaler ZENs.
Interface LabelInterface label from where tunnels are built.
Primary IPIP address of the primary Zscaler ZEN.
Secondary IPIP address of the secondary Zscaler ZEN.

Gateway Options

You can configure gateway options and rules for Zscaler sublocations. Orchestrator uses location and sub-locations to better define a branch site in the Zscaler cloud. Sub-locations are LAN-side segments within each branch. They can be identified by LAN interfaces, zones, or a collection of LAN subnets.

To enable this option:

  1. Click the Gateway Options button in the Zscaler Internet Access dialog box.

    The Zscaler Gateway Options dialog box opens.

  2. Click Add.

    The Location / Sub-Location Match Criteria dialog box opens.

  3. Enter a name for the new rule in the Rule Name field.

    WARNING: If two rules have the same sub-location name or IP address, Orchestrator picks the first match and considers the order of the rules.

  4. Specify a location by entering an appliance name, region, or group in the Appliances field.

  5. Enter the WAN label in the Location Label field.

If you select the Sub-Location check box:

  1. Enter the sub-location name in the Name field.

  2. Enter the subnet address (LAN label, Firewall Zone, or subnet) in the Internal IPs field.

  3. Click Save.

    NOTE: Sub-locations can be applied to all WAN links chosen under Zscaler Internet Access > Interface setting.

If you select the Show Sub-Locations check box, the sub-locations configured in Gateway Options appear in the Zscaler table.


Click the IP SLA button in the Zscaler Internet Access dialog box to configure IP SLA for Zscaler tunnels. This configuration ensures tunnel connectivity and internet availability between Zscaler and Orchestrator. The Zscaler IP SLA Configuration dialog box opens. If the tunnel cannot reach Zscaler, the tunnel is considered as DOWN.

Enable Zscaler

Lastly, you need to enable the Zscaler service.

  1. Navigate to the Business Intent Overlays tab in Orchestrator (Configuration > Overlays & Security > Business Intent Overlays).

  2. Click the overlay that breaks out traffic to Zscaler.

    The Overlay Configuration dialog box opens.

  3. Click the Breakout Traffic to Internet & Cloud Services tab.

  4. Drag Zscaler Cloud from the Available Policies column to the Preferred Policy Order column.


You can first verify Zscaler has been deployed in the Business Intent Overlays tab. After the Zscaler Internet Access is configured and the Zscaler policy is applied successfully in the Business Intent Overlays, deployment will begin automatically. Navigate to the Zscaler Internet Access tab to verify successful deployment.


You can also verify on the Tunnels tab that your Zscaler tunnels have been successfully deployed. Zscaler tunnels should be listed in the Passthrough Tunnel column with a green status of up - active.


Note the following:

  • Zscaler is applied to all your EdgeConnect appliance’s associated overlays that have the Zscaler policy enabled.

  • Only IPSec mode is supported for Zscaler.

Back to top

© Copyright 2022 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.