Secure Internet Gateway Feature Template
Configure an Umbrella SIG service with pairs of active/standby tunnel interfaces. Per tunnel interface, configure the interface name, the admin status, the IKEv2 parameters, the IPSec parameters, the tunnel source interface, the tunnel destination, the IP maximum transmission unit (MTU), the Transmission Control Protocol maximum segment size (TCP MSS), and more.
Diagram
Classes
edge_feature_templates (sdwan)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| secure_internet_gateway_templates | List | [secure_internet_gateway_templates] | No |
secure_internet_gateway_templates (sdwan.edge_feature_templates)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[^<>!&" ]{1,128}$ | Yes | |
| description | String | Yes | ||
| device_types | List | Choice[C8500-12X4QC, C1111-4PLTEEA, C1161-8P, C1117-4PLTEEAW, C1121X-8P, C8200-1N-4T, ISR-4331, C1127X-8PMLTEP, C1117-4PMLTEEAWE, ISR-4451-X, C8200L-1N-4T, C1113-8PLTEEA, IR-1821, ASR-1001-X, ISR-4321, C1116-4PLTEEAWE, C1109-4PLTE2P, C1121-8P, ASR-1002-HX, C1111-8PLTEEAW, C1112-8PWE, C1101-4PLTEP, ISR1100-4GLTENA-XE, C1111-8PLTELA, IR-1835, C1121X-8PLTEP, IR-1833, C8300-1N1S-4T2X, C1121-4P, ISR-4351, C1117-4PLTELA, C1116-4PWE, C1113-8PM, IR-1831, C1127-8PLTEP, C1121-8PLTEPW, C1113-8PW, ASR-1001-HX, C1128-8PLTEP, C1113-8PLTEEAW, C1117-4PW, C1116-4P, C1113-8PMLTEEA, C1112-8P, ISR-4461, C1116-4PLTEEA, ISR-4221, C1117-4PM, C1113-8PLTELAWZ, C1117-4PMWE, C1131-8PLTEPW, C1109-2PLTEVZ, C1113-8P, C1117-4P, C8300-2N2S-6T, C1127-8PMLTEP, ISR-4221X, ISR1100-4GLTEGB-XE, C8500-12X, C1109-2PLTEGB, C1113-8PLTEW, C1121X-8PLTEPW, ISR1100-6G-XE, C1121-4PLTEP, C1111-8PLTEEA, C1117-4PLTEEA, C1127X-8PLTEP, C1109-2PLTEUS, C1112-8PLTEEAWE, C1161X-8P, C8500L-8S4X, C1111-8PW, C1161X-8PLTEP, C1101-4PLTEPW, ISR1100X-4G-XE, IR-1101, C1111-4P, C1111-4PW, C1111-8P, C1117-4PMLTEEA, C1113-8PLTELA, C1131X-8PW, C1111-8PLTELAW, C1131-8PW, C1161-8PLTEP, ISR1100X-6G-XE, ISR-4431, C1101-4P, C8500-20X6C, C1109-4PLTE2PW, C1113-8PMWE, C1118-8P, C1126-8PLTEP, C8300-1N1S-6T, C1121-8PLTEP, C8300-2N2S-4T2X, C1131X-8PLTEPW, C1112-8PLTEEA, C1111-4PLTELA, ASR-1002-X, C1111X-8P, C1126X-8PLTEP, ASR-1006-X, C8000V, ISR1100-4G-XE, C1117-4PLTELAWZ] | No | |
| high_availability_interface_pairs | List | [high_availability_interface_pairs] | Yes | |
| interfaces | List | [interfaces] | Yes | |
| sig_provider | Choice | umbrella, zscaler, other | Yes | |
| tracker_source_ip | IP | No | ||
| tracker_source_ip_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| trackers | List | [trackers] | No | |
| umbrella_primary_data_center | String | No | ||
| umbrella_primary_data_center_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| umbrella_secondary_data_center | String | No | ||
| umbrella_secondary_data_center_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| zscaler_aup_block_internet_until_accepted | Boolean | true, false | No | |
| zscaler_aup_enabled | Boolean | true, false | No | |
| zscaler_aup_force_ssl_inspection | Boolean | true, false | No | |
| zscaler_aup_timeout | Integer | No | ||
| zscaler_authentication_required | Boolean | true, false | No | |
| zscaler_caution_enabled | Boolean | true, false | No | |
| zscaler_ips_control_enabled | Boolean | true, false | No | |
| zscaler_firewall_enabled | Boolean | true, false | No | |
| zscaler_location_name_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| zscaler_primary_data_center | String | No | ||
| zscaler_primary_data_center_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| zscaler_secondary_data_center | String | No | ||
| zscaler_secondary_data_center_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| zscaler_surrogate_display_time_unit | Choice | minute, hour, day | No | |
| zscaler_surrogate_idle_time | Integer | No | ||
| zscaler_surrogate_ip | Boolean | true, false | No | |
| zscaler_surrogate_ip_enforce_for_known_browsers | Boolean | true, false | No | |
| zscaler_surrogate_refresh_time | Integer | No | ||
| zscaler_surrogate_refresh_time_unit | Choice | minute, hour, day | No | |
| zscaler_xff_forward | Boolean | true, false | No |
high_availability_interface_pairs (sdwan.edge_feature_templates.secure_internet_gateway_templates)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| active_interface | String | Regex: ^(ipsec[0-9]{0,3}|gre[0-9]{0,3})$ | Yes | |
| active_interface_weight | Integer | min: 1, max: 255 | Yes | |
| backup_interface | String | Regex: ^(ipsec[0-9]{0,3}|gre[0-9]{0,3}|none)$ | Yes | |
| backup_interface_weight | Integer | min: 1, max: 255 | Yes |
interfaces (sdwan.edge_feature_templates.secure_internet_gateway_templates)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| description | String | No | ||
| description_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| dpd_interval | Integer | min: 10, max: 65535 | No | |
| dpd_interval_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| dpd_retries | Integer | min: 0, max: 255 | No | |
| dpd_retries_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| ike_ciphersuite | Choice | aes256-cbc-sha1, aes256-cbc-sha2, aes128-cbc-sha1, aes128-cbc-sha2 | No | aes256-cbc-sha1 |
| ike_ciphersuite_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| ike_group | Choice | 2, 14, 15, 16 | No | 14 |
| ike_group_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| ike_pre_shared_key | String | No | ||
| ike_pre_shared_key_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| ike_pre_shared_key_local_id | Any | IP or String | No | |
| ike_pre_shared_key_local_id_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| ike_pre_shared_key_remote_id | Any | IP or String | No | |
| ike_pre_shared_key_remote_id_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| ike_rekey_interval | Integer | min: 300, max: 1209600 | No | 14400 |
| ike_rekey_interval_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| ipsec_ciphersuite | Choice | aes256-cbc-sha1, aes256-cbc-sha384, aes256-cbc-sha256, aes256-cbc-sha512, aes256-gcm, null-sha1, null-sha384, null-sha256, null-sha512 | No | aes256-gcm |
| ipsec_ciphersuite_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| ipsec_perfect_forward_secrecy | Choice | group-2, group-14, group-15, group-16, none | No | none |
| ipsec_perfect_forward_secrecy_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| ipsec_rekey_interval | Integer | min: 300, max: 1209600 | No | 3600 |
| ipsec_rekey_interval_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| ipsec_replay_window | Integer | min: 64, max: 4096 | No | 512 |
| ipsec_replay_window_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| mtu | Integer | min: 576, max: 2000 | No | |
| mtu_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| name | String | Regex: ^(ipsec[0-9]{0,3}|gre[0-9]{0,3})$ | No | |
| name_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| shutdown | Boolean | true, false | No | |
| tcp_mss | Integer | min: 500, max: 1460 | No | |
| tcp_mss_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| track | Boolean | true, false | No | |
| tracker | String | No | ||
| tracker_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| tunnel_dc_preference | Choice | primary-dc, secondary-dc | Yes | |
| tunnel_destination | IP | No | ||
| tunnel_destination_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| tunnel_public_source_ip | IP | No | ||
| tunnel_public_source_ip_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| tunnel_source_interface | String | No | ||
| tunnel_source_interface_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| tunnel_type | Choice | gre, ipsec | Yes |
trackers (sdwan.edge_feature_templates.secure_internet_gateway_templates)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| endpoint_api_url | String | No | ||
| endpoint_api_url_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| interval | Integer | min: 20, max: 600 | No | |
| interval_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| multiplier | Integer | min: 1, max: 10 | No | |
| multiplier_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| name | String | No | ||
| name_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| threshold | Integer | min: 100, max: 1000 | No | |
| threshold_variable | String | Regex: ^[^"~$&+,]255$` | No |
Examples
sdwan:
edge_feature_templates:
secure_internet_gateway_templates:
- name: FT-CEDGE-SIG-UMBRELLA01
description: Umbrella SIG 1x HA Tunnel
interfaces:
- dpd_interval: 10
dpd_retries: 3
name: ipsec1
ike_rekey_interval: 14400
ipsec_ciphersuite: aes256-cbc-sha1
mtu: 1400
tcp_mss: 1360
tunnel_dc_preference: primary-dc
sig_provider: secure-internet-gateway-umbrella
tunnel_source_interface_variable: sig_tunnel1_source_interface
- dpd_interval: 10
dpd_retries: 3
name: ipsec2
ike_rekey_interval: 14400
ipsec_ciphersuite: aes256-cbc-sha1
mtu: 1400
tcp_mss: 1360
tunnel_dc_preference: secondary-dc
sig_provider: secure-internet-gateway-umbrella
tunnel_source_interface_variable: sig_tunnel1_source_interface
high_availability_interface_pairs:
- active_interface: ipsec1
active_interface_weight: 1
backup_interface: ipsec2
backup_interface_weight: 1
tracker_source_ip_variable: sig_tracker_src_ip