Cisco Catalyst SD-WAN Policy Groups Configuration Guide, Releases 26.x and Later

Configure a Secure Internet Gateway

Guides you through configuring a Secure Internet Gateway using Umbrella or Zscaler credentials, creating and monitoring tunnels, setting up trackers, and implementing high availability and load balancing to optimize tunnel health and traffic distribution.


Before you begin

Ensure that you enter the Umbrella and Zscaler credentials from Administration > Settings > Cloud Provider Credentials > Cloud Credentials.

Table 1. Cisco Umbrella Credentials

Field

Description

Organization ID

Enter the Cisco Umbrella organization ID (Org ID) for your organization.

For more information, see the Cisco Umbrella SIG User Guide.

SIG Umbrella API Key

Enter the Umbrella Management API Key.

Management API keys are used for Secure Internet Gateway (SIG) management.

For more information, see the Cloud Security API documentation on the Cisco DevNet portal.

SIG Umbrella API Secret

Enter the Umbrella Management API Secret.

For more information, see the Cloud Security API documentation on the Cisco DevNet portal.

Table 2. Zscaler Credentials

Field

Description

Organization

Name of the organization in Zscaler cloud.

Partner base URI

This is the base URI that Cisco SD-WAN Manager uses in REST API calls.

To find this information on the Zscaler portal, see ZIA Help > ZIA API > API Developer & Reference Guide > Getting Started.

Username

Username of the Cisco Catalyst SD-WAN partner account.

Password

Password of the Cisco Catalyst SD-WAN partner account.

Partner API key

Partner API key.

To find the key in Zscaler, see Managing SD-WAN Partner Keys.

Procedure

SUMMARY STEPS

  1. From the Cisco SD-WAN Manager menu, choose Configuration > Policy Groups > Secure Internet Gateway.
  2. Click Add Secure Internet Gateway.
  3. Choose SIG Provider.
    • Umbrella

    • Zscaler

    • Generic

  4. Enter a source IP address for the probe packets.
  5. Create one or more trackers to monitor tunnel health.
  6. Create tunnels.
  7. Configure high availability to designate active and back-up tunnels and distribute traffic among tunnels.

DETAILED STEPS

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Policy Groups > Secure Internet Gateway.

2.

Click Add Secure Internet Gateway.

3.

Choose SIG Provider.

  • Umbrella

  • Zscaler

  • Generic

4.

Enter a source IP address for the probe packets.

5.

Create one or more trackers to monitor tunnel health.

Click Add Tracker. In the Add Tracker dialog box, configure the following:

Table 3. Tracker Parameters

Field

Description

Name

Name of the tracker. The name can be up to 128 alphanumeric characters.

API url of endpoint

Specify the API URL for the SIG endpoint of the tunnel.

Threshold

Enter the wait time for the probe to return a response before declaring that the configured endpoint is down.

Range: 100 to 1000 milliseconds

Default: 300 milliseconds

Probe Interval

Enter the time interval between probes to determine the status of the configured endpoint.

Range: 20 to 600 seconds

Default: 60 seconds

Multiplier

Enter the number of times to resend probes before determining that a tunnel is down.

Range: 1 to 10

Default: 3
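The tracker parameters above interact: a probe fails when no reply arrives within the threshold, and the endpoint is declared down only after the multiplier's worth of consecutive failures, so the worst-case detection time is multiplier times probe interval. The following model is an added example, not Cisco code; its `Tracker` class, range checks and probe replay are constructed for this page, and the recovery behaviour after a good probe is this model's simplification.

```python
# Added example (not Cisco code): a model of the tracker in Table 3.
# A probe succeeds only when the endpoint answers within `threshold_ms`;
# after `multiplier` consecutive failed probes the endpoint is declared down.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Tracker:
    threshold_ms: int = 300   # Table 3 default
    interval_s: int = 60      # Table 3 default
    multiplier: int = 3       # Table 3 default

    def __post_init__(self) -> None:
        # Enforce the ranges documented in Table 3.
        if not 100 <= self.threshold_ms <= 1000:
            raise ValueError("threshold must be 100..1000 ms")
        if not 20 <= self.interval_s <= 600:
            raise ValueError("probe interval must be 20..600 s")
        if not 1 <= self.multiplier <= 10:
            raise ValueError("multiplier must be 1..10")

    def worst_case_detection_s(self) -> int:
        """Seconds from the last good probe until a silent endpoint is marked down."""
        return self.multiplier * self.interval_s

    def run(self, rtts_ms: List[Optional[float]]) -> Tuple[str, Optional[int]]:
        """Replay probe round-trip times (None = no reply before the threshold).

        Returns (state after the last probe, seconds at which 'down' was first
        declared, or None). Recovery after a single good probe is a simplification
        of this model, not a documented tracker behaviour.
        """
        state, failures, down_at = "up", 0, None
        for i, rtt in enumerate(rtts_ms):
            ok = rtt is not None and rtt <= self.threshold_ms
            failures = 0 if ok else failures + 1
            if ok:
                state = "up"
            elif failures >= self.multiplier:
                state = "down"
                if down_at is None:
                    down_at = (i + 1) * self.interval_s
        return state, down_at
```

With the defaults, a slow reply (450 ms) followed by two lost probes marks the endpoint down 300 s into the replay, while alternating good and bad probes never do.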

6.

Create tunnels.

Click Add Tunnel. In the Add Tunnel dialog box configure the following:

Table 4. Add tunnel

Field

Description

Tunnel Type

Umbrella: (Read only) ipsec

Zscaler: Click ipsec or gre.

Generic: Click ipsec or gre.

Interface Name (1..255)

Name of the interface.

Description

Description for the interface.

Tracker

By default, a tracker is attached to monitor the health of tunnels.

Tunnel Source Interface

Name of the source interface of the tunnel. This interface should be an egress interface and is typically the internet-facing interface.

Source Public IP

(Automatic GRE tunnels to Zscaler only)

Public IP address of the tunnel source interface that is required to create the GRE tunnel to Zscaler.

Default: Auto

We recommend that you use the default configuration. With the default configuration, the Cisco IOS XE SD-WAN device finds the public IP address assigned to the tunnel source interface using a DNS query. If the DNS query fails, the device notifies Cisco SD-WAN Manager of the failure. Enter the public IP address only if the DNS query fails.

Data-Center

For a primary data center, click Primary, or for a secondary data center, click Secondary. Tunnels to the primary data center serve as active tunnels, and tunnels to the secondary data center serve as back-up tunnels.

Tunnel Destination IP Address/FQDN

(Manual tunnels only)

The IP address of the SIG provider endpoint. The configuration of FQDN for Tunnel Destination IP address is not supported.

Preshared Key

(Manual tunnels only)

This field is displayed only if you choose ipsec as the Tunnel Type.

Enter the password to use with the preshared key.

Advanced Options

Shutdown

Click No to enable the interface; click Yes to disable.

Default: No

IP MTU

Specify the maximum MTU size of packets on the interface.

Range: 576 to 2000 bytes

Default: 1400 bytes

TCP MSS

Specify the maximum segment size (MSS) of TCP SYN packets. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 500 to 1460 bytes

Default: None

DPD Interval

Specify the interval for IKE to send Hello packets on the connection.

Range: 10 to 3600 seconds

Default: 10

DPD Retries

Specify the number of seconds between DPD retry messages after the peer misses a DPD message.

After the peer misses one DPD message, the router changes state and sends DPD retry messages at the faster retry interval configured here. By default, a DPD retry message is sent every 2 seconds. Five DPD retry messages can be missed before the tunnel is marked as down.

Range: 2 to 60 seconds

Default: 3

IKE

IKE Rekey Interval

Specify the interval for refreshing IKE keys.

Range: 300 to 86400 seconds (1 hour to 14 days)

Default: 14400 seconds

IKE Cipher Suite

Specify the type of authentication and encryption to use during IKE key exchange.

Choose one of the following:

  • AES 256 CBC SHA1

  • AES 256 CBC SHA2

  • AES 128 CBC SHA1

  • AES 128 CBC SHA2

The IPsec Cipher Suite defaults vary by the type of the SIG:

  • Umbrella: AES 256 GCM

  • Zscaler: None

  • Generic: NULL SHA 512

IKE Diffie-Hellman Group

Specify the Diffie-Hellman group to use in IKE key exchange, whether IKEv1 or IKEv2.

  • 2 1024-bit modulus

  • 14 2048-bit modulus

  • 15 3072-bit modulus

  • 16 4096-bit modulus

The IKE group defaults vary by the type of the SIG:

  • Umbrella: 14 2048-bit modulus

  • Zscaler: 2 1024-bit modulus

  • Generic: 16 4096-bit modulus

IPSec

IPsec Rekey Interval

Specify the interval for refreshing IPsec keys.

Range: 300 to 1209600 seconds (1 hour to 14 days)

Default: 3600 seconds

IPsec Replay Window

Specify the replay window size for the IPsec tunnel.

Options: 64, 128, 256, 512, 1024, 2048, 4096.

Default: 512

IPsec Cipher Suite

Specify the authentication and encryption to use on the IPsec tunnel.

Options:

  • AES 256 CBC SHA1

  • AES 256 CBC SHA 384

  • AES 256 CBC SHA 256

  • AES 256 CBC SHA 512

  • AES 256 GCM

  • NULL SHA1

  • NULL SHA 384

  • NULL SHA 256

  • NULL SHA 512

Default: AES 256 GCM

Perfect Forward Secrecy

Specify the PFS settings to use on the IPsec tunnel. Choose one of the following Diffie-Hellman prime modulus groups:

  • Group-2 1024-bit modulus

  • Group-14 2048-bit modulus

  • Group-15 3072-bit modulus

  • Group-16 4096-bit modulus

  • None: disable PFS

The Perfect Forward Secrecy defaults vary by the type of the SIG:

  • Umbrella: None

  • Zscaler: None

  • Generic: Group 16

Note

When a security policy associated with Zscaler is removed from a device and a new configuration group is deployed, the corresponding tunnel entry sometimes fails to be deleted from Zscaler's cloud services. As a result, attempting to establish a new tunnel may result in a DUPLICATE_ITEM error due to the presence of the existing entry. To resolve this issue, manually delete the stale tunnel entry from the Zscaler cloud whenever a security policy is removed from a device.
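Table 4 offers several options that are valid to select but weaker than the alternatives (1024-bit DH group 2, NULL IPsec ciphers, SHA1 integrity, PFS disabled), and its numeric fields have documented ranges. The audit function below is an added example, not Cisco code: it takes a constructed dict (the key names are this example's own, not Cisco SD-WAN Manager field names) and returns findings for out-of-range values, an MSS that cannot fit inside the MTU, and the cryptographic choices a reviewer would want to revisit.

```python
# Added example (not Cisco code): audit one tunnel's Advanced Options against the
# ranges in Table 4 and flag cryptographic choices a reviewer would want to see.
# The config dict and its key names are constructed for this example.
from typing import Any, Dict, List

# (lower, upper) bounds as documented in Table 4
RANGES = {
    "ip_mtu": (576, 2000),
    "tcp_mss": (500, 1460),
    "dpd_interval": (10, 3600),
    "dpd_retries": (2, 60),
    "ike_rekey": (300, 86400),
    "ipsec_rekey": (300, 1209600),
}
REPLAY_WINDOWS = {64, 128, 256, 512, 1024, 2048, 4096}
IP_TCP_HEADERS = 40  # IPv4 + TCP headers without options


def audit_tunnel(cfg: Dict[str, Any]) -> List[str]:
    """Return findings for a tunnel config; an empty list means nothing to report."""
    findings: List[str] = []
    for field, (lo, hi) in RANGES.items():
        value = cfg.get(field)
        if value is not None and not lo <= value <= hi:
            findings.append(f"{field}={value} outside {lo}..{hi}")
    if cfg.get("ipsec_replay_window", 512) not in REPLAY_WINDOWS:
        findings.append("ipsec_replay_window must be one of 64, 128, ..., 4096")
    mss, mtu = cfg.get("tcp_mss"), cfg.get("ip_mtu", 1400)
    if mss is not None and mss > mtu - IP_TCP_HEADERS:
        findings.append(f"tcp_mss={mss} leaves no room for headers at ip_mtu={mtu}")
    # Cryptographic hygiene: selectable in the UI, but weaker than the alternatives.
    if 2 in (cfg.get("ike_dh_group"), cfg.get("pfs_group")):
        findings.append("1024-bit DH (group 2) in use; prefer group 14 or higher")
    if str(cfg.get("ipsec_cipher", "")).startswith("NULL"):
        findings.append("NULL IPsec cipher: traffic is integrity-protected but not encrypted")
    if any("SHA1" in str(cfg.get(k, "")) for k in ("ike_cipher", "ipsec_cipher")):
        findings.append("SHA1 integrity in use; prefer a SHA2 variant")
    if "pfs_group" in cfg and cfg["pfs_group"] is None:
        findings.append("PFS disabled: IPsec keys are derived from the IKE key alone")
    return findings
```

Note that the Zscaler IKE default (group 2) and the Umbrella and Zscaler PFS default (None) from Table 4 both produce findings, which is the point: defaults are a starting point for review, not a guarantee.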

7.

Configure high availability to designate active and back-up tunnels and distribute traffic among tunnels.

Click Add Interface Pair. In the Add Interface Pair dialog box, configure the following:

Field

Description

Active Interface

Choose a tunnel that connects to the primary data center.

Active Interface Weight

Enter a weight (range 1 to 255) for load balancing.

Load balancing distributes traffic over multiple tunnels, which increases the available bandwidth. If you enter the same weight for each tunnel, traffic is ECMP load-balanced across the tunnels. A tunnel with a higher weight carries a larger share of the traffic.

For example, if you set up two active tunnels with weights of 10 and 20, traffic is load-balanced between them in a 10:20 ratio.

Backup Interface

To designate a back-up tunnel, choose a tunnel that connects to the secondary data center.

To omit designating a back-up tunnel, choose None.

Backup Interface Weight

Enter a weight (range 1 to 255) for load balancing.

Load balancing distributes traffic over multiple tunnels, which increases the available bandwidth. If you enter the same weight for each tunnel, traffic is ECMP load-balanced across the tunnels. A tunnel with a higher weight carries a larger share of the traffic.

For example, if you set up two back-up tunnels with weights of 10 and 20, traffic is load-balanced between them in a 10:20 ratio.
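The interface-pair model in step 7 combines two behaviours: weighted distribution across the active tunnels, and fallback to a pair's back-up tunnel when its active tunnel is down. The following is an added example, not Cisco code, that models both; tunnel names, flow keys, and the hash-based selection are constructed for this page and are not a description of how the Cisco IOS XE SD-WAN device actually picks a tunnel.

```python
# Added example (not Cisco code): a model of the interface pairs in step 7.
# Each pair has an active tunnel (primary data center) with a weight and an optional
# backup tunnel (secondary data center). Flows are spread over the active tunnels
# that are up in proportion to their weights; a pair whose active tunnel is down
# falls back to its backup. Names, flow keys and the hash are constructed here.
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class InterfacePair:
    active: str
    active_weight: int
    backup: Optional[str] = None
    backup_weight: int = 1

    def __post_init__(self) -> None:
        for w in (self.active_weight, self.backup_weight):
            if not 1 <= w <= 255:       # weight range from step 7
                raise ValueError("weight must be 1..255")


def usable_tunnels(pairs: List[InterfacePair], up: Dict[str, bool]) -> Dict[str, int]:
    """Map each tunnel that should carry traffic right now to its weight."""
    chosen: Dict[str, int] = {}
    for p in pairs:
        if up.get(p.active, False):
            chosen[p.active] = p.active_weight
        elif p.backup and up.get(p.backup, False):
            chosen[p.backup] = p.backup_weight
    return chosen


def pick_tunnel(flow_key: str, weights: Dict[str, int]) -> Optional[str]:
    """Weighted, hash-based selection: a given flow always lands on the same tunnel."""
    if not weights:
        return None                      # every tunnel is down
    slot = int(hashlib.sha256(flow_key.encode()).hexdigest(), 16) % sum(weights.values())
    for name, weight in weights.items():
        if slot < weight:
            return name
        slot -= weight
    return None


def distribution(pairs: List[InterfacePair], up: Dict[str, bool], flows: int = 3000) -> Counter:
    """Count how many constructed client flows each tunnel would carry."""
    weights = usable_tunnels(pairs, up)
    return Counter(pick_tunnel(f"10.0.0.{i % 250}:{40000 + i}->sig:443/tcp", weights)
                   for i in range(flows))
```

With weights 10 and 20 the count lands close to the 10:20 ratio described above, and marking the first active tunnel down moves its share to that pair's back-up tunnel.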