Local Internet breakout


(Rajeev Srikant) #1

My scenario is as below.

  1. I have 1 SD-WAN device. Behind SD-WAN, there are 3 different network.
  2. All the 3 different network belongs to 3 different companies & they don’t communicate to each other.
  3. Each company has different Zscaler account.
  4. I am planning to form 3 different GRE tunnel to Zscaler for 3 different networks.


  1. Is is possible to integrate 3 different tunnel to 3 different Zscaler account ?
  2. Can single SD-WAN device be able to connect to 3 different Zscaler account ?

Is this practical design.

(Steffen Probst) #2

Hi Rajeev,

I don’t know the individual capabilities of the SD-WAN vendors.

But in general your setup should work even with an old Cisco or Juniper router by using VRF (Virtual Routing Function) technology. You have to put the physical or logical interface and the tunnel interface into one VRF per customer. You need to check with your SD-WAN vendor if he supports it.


(Kunal) #3

@Andy Logan could you move this post to ZIA infra section?

(Rajeev Srikant) #4

thanks understood.
In addition to this for internet break out using Zscaler I am following as below.

  1. There will be GRE tunnel in the network device which takes the internet traffic to Zscaler.
  2. In my network, there iwll be laptops which also has zAPP software installed.

I wanted to check the below.

  • When the user with the laptop (zAPP) is inside the network , how will the zApp behaves. I want to laptop to take the tunnel to reach Zscaler for Internet access.

  • Will zApp will be the 1st preference or will the tunnel will be the 1st preference.

  • Will zApp works inside the GRE tunnel ?

  • When the user with the laptop (zAPP) moves outside of the network to his home network, the Zapp will send all the traffic to Zscaler.

Can this be achieved /

(Yuu.K) #5

Hi, Rajeev

If you are turn-off Z-APP, the GRE tunnel will be the primary setting.
If you are turn-on Z-APP, the Forwarding Profile of Z - APP will decide the behavior.

Since the behavior changes depending on the network environment recognized by Z - APP,
please refer to the following

By referring to the “Traffic Forwarding” column of the access log,
you can determine whether the traffic is Z-APP or PAC.

I’m glad if this reply will be of your help
Best regards,

(Rajeev Srikant) #6

In my scenario, the Z-App will be on every time. (Since the user may move from trusted to un trusted network any time)

So in this scenario, when the user with Z-App turned ON is connected to the trusted network, the traffic should be sent to the GRE tunnel to Zscaler. (Z-App will not be used in this case)

If the user with Z-APP turned ON is connected moves to the un trusted network, the Z-APP should forward the traffic to Zscaler.

Let me know if the above can be achieved.

Basically the user will have the Z-scaler APP ON, when connecting to trusted network it should use the GRE tunnel.
When the user connects to the un trusted network, it should use Z-APP

(Yuu.K) #7

Hi, Rajeev

I think your scenario is feasible.
Have you already set up Trusted Network Criteria?
I think it is important to apply different “Forwarding Profile Action” to On Trusted Network, VPN Trusted Network, and Off Trusted Network.

(Rajeev Srikant) #8

So my understanding is as below.

if the PC is in the trusted network, the traffic will be through GRE tunnel to Zscaler (no via zAPP)
If the PC is in the untrusted network, it will use zAPP & use the profile of zaAPP

hope my understanding is right.

(Rajeev Srikant) #9

Further to the above, for local internet break out what should be the settings on the PCs in the network to reach Zscaler.

  1. Will the PCs be configured with PAC file ?
  2. Is it required to advertise default route in to the network ?
  3. Is it possible to send traffic to Zscaler without PAC file in to the end users PC ?

What is the best practice for internet breakout ?