Secure Internet Gateway Feature Template

Configure an Umbrella SIG service with pairs of active/standby tunnel interfaces. Per tunnel interface, configure the interface name, the admin status, the IKEv2 parameters, the IPSec parameters, the tunnel source interface, the tunnel destination, the IP maximum transmission unit (MTU), the Transmission Control Protocol maximum segment size (TCP MSS), and more.

Diagram

Classes

edge_feature_templates (sdwan)

Name	Type	Constraint	Mandatory	Default Value
secure_internet_gateway_templates	List	`[secure_internet_gateway_templates]`	No

secure_internet_gateway_templates (sdwan.edge_feature_templates)

Name	Type	Constraint	Mandatory
name	String	Regex: `^[^<>!&" ]{1,128}$`	Yes
description	String		Yes
device_types	List	Choice[`C8500-12X4QC`, `C1111-4PLTEEA`, `C1161-8P`, `C1117-4PLTEEAW`, `C1121X-8P`, `C8200-1N-4T`, `ISR-4331`, `C1127X-8PMLTEP`, `C1117-4PMLTEEAWE`, `ISR-4451-X`, `C8200L-1N-4T`, `C1113-8PLTEEA`, `IR-1821`, `ASR-1001-X`, `ISR-4321`, `C1116-4PLTEEAWE`, `C1109-4PLTE2P`, `C1121-8P`, `ASR-1002-HX`, `C1111-8PLTEEAW`, `C1112-8PWE`, `C1101-4PLTEP`, `ISR1100-4GLTENA-XE`, `C1111-8PLTELA`, `IR-1835`, `C1121X-8PLTEP`, `IR-1833`, `C8300-1N1S-4T2X`, `C1121-4P`, `ISR-4351`, `C1117-4PLTELA`, `C1116-4PWE`, `C1113-8PM`, `IR-1831`, `C1127-8PLTEP`, `C1121-8PLTEPW`, `C1113-8PW`, `ASR-1001-HX`, `C1128-8PLTEP`, `C1113-8PLTEEAW`, `C1117-4PW`, `C1116-4P`, `C1113-8PMLTEEA`, `C1112-8P`, `ISR-4461`, `C1116-4PLTEEA`, `ISR-4221`, `C1117-4PM`, `C1113-8PLTELAWZ`, `C1117-4PMWE`, `C1131-8PLTEPW`, `C1109-2PLTEVZ`, `C1113-8P`, `C1117-4P`, `C8300-2N2S-6T`, `C1127-8PMLTEP`, `ISR-4221X`, `ISR1100-4GLTEGB-XE`, `C8500-12X`, `C1109-2PLTEGB`, `C1113-8PLTEW`, `C1121X-8PLTEPW`, `ISR1100-6G-XE`, `C1121-4PLTEP`, `C1111-8PLTEEA`, `C1117-4PLTEEA`, `C1127X-8PLTEP`, `C1109-2PLTEUS`, `C1112-8PLTEEAWE`, `C1161X-8P`, `C8500L-8S4X`, `C1111-8PW`, `C1161X-8PLTEP`, `C1101-4PLTEPW`, `ISR1100X-4G-XE`, `IR-1101`, `C1111-4P`, `C1111-4PW`, `C1111-8P`, `C1117-4PMLTEEA`, `C1113-8PLTELA`, `C1131X-8PW`, `C1111-8PLTELAW`, `C1131-8PW`, `C1161-8PLTEP`, `ISR1100X-6G-XE`, `ISR-4431`, `C1101-4P`, `C8500-20X6C`, `C1109-4PLTE2PW`, `C1113-8PMWE`, `C1118-8P`, `C1126-8PLTEP`, `C8300-1N1S-6T`, `C1121-8PLTEP`, `C8300-2N2S-4T2X`, `C1131X-8PLTEPW`, `C1112-8PLTEEA`, `C1111-4PLTELA`, `ASR-1002-X`, `C1111X-8P`, `C1126X-8PLTEP`, `ASR-1006-X`, `C8000V`, `ISR1100-4G-XE`, `C1117-4PLTELAWZ`]	No
high_availability_interface_pairs	List	`[high_availability_interface_pairs]`	Yes
interfaces	List	`[interfaces]`	Yes
sig_provider	Choice	`umbrella`, `zscaler`, `other`	Yes
tracker_source_ip	IP		No
tracker_source_ip_variable	String	Regex: `^[^"~`$&+,]255$`	No
trackers	List	`[trackers]`	No
umbrella_primary_data_center	String		No
umbrella_primary_data_center_variable	String	Regex: `^[^"~`$&+,]255$`	No
umbrella_secondary_data_center	String		No
umbrella_secondary_data_center_variable	String	Regex: `^[^"~`$&+,]255$`	No
zscaler_aup_block_internet_until_accepted	Boolean	`true`, `false`	No
zscaler_aup_enabled	Boolean	`true`, `false`	No
zscaler_aup_force_ssl_inspection	Boolean	`true`, `false`	No
zscaler_aup_timeout	Integer		No
zscaler_authentication_required	Boolean	`true`, `false`	No
zscaler_caution_enabled	Boolean	`true`, `false`	No
zscaler_ips_control_enabled	Boolean	`true`, `false`	No
zscaler_firewall_enabled	Boolean	`true`, `false`	No
zscaler_location_name_variable	String	Regex: `^[^"~`$&+,]255$`	No
zscaler_primary_data_center	String		No
zscaler_primary_data_center_variable	String	Regex: `^[^"~`$&+,]255$`	No
zscaler_secondary_data_center	String		No
zscaler_secondary_data_center_variable	String	Regex: `^[^"~`$&+,]255$`	No
zscaler_surrogate_display_time_unit	Choice	`minute`, `hour`, `day`	No
zscaler_surrogate_idle_time	Integer		No
zscaler_surrogate_ip	Boolean	`true`, `false`	No
zscaler_surrogate_ip_enforce_for_known_browsers	Boolean	`true`, `false`	No
zscaler_surrogate_refresh_time	Integer		No
zscaler_surrogate_refresh_time_unit	Choice	`minute`, `hour`, `day`	No
zscaler_xff_forward	Boolean	`true`, `false`	No

high_availability_interface_pairs (sdwan.edge_feature_templates.secure_internet_gateway_templates)

Name	Type	Constraint	Mandatory
active_interface	String	Regex: `^(ipsec[0-9]{0,3}\|gre[0-9]{0,3})$`	Yes
active_interface_weight	Integer	min: `1`, max: `255`	Yes
backup_interface	String	Regex: `^(ipsec[0-9]{0,3}\|gre[0-9]{0,3}\|none)$`	Yes
backup_interface_weight	Integer	min: `1`, max: `255`	Yes

interfaces (sdwan.edge_feature_templates.secure_internet_gateway_templates)

Name	Type	Constraint	Mandatory	Default Value
description	String		No
description_variable	String	Regex: `^[^"~`$&+,]255$`	No
dpd_interval	Integer	min: `10`, max: `65535`	No
dpd_interval_variable	String	Regex: `^[^"~`$&+,]255$`	No
dpd_retries	Integer	min: `0`, max: `255`	No
dpd_retries_variable	String	Regex: `^[^"~`$&+,]255$`	No
ike_ciphersuite	Choice	`aes256-cbc-sha1`, `aes256-cbc-sha2`, `aes128-cbc-sha1`, `aes128-cbc-sha2`	No	`aes256-cbc-sha1`
ike_ciphersuite_variable	String	Regex: `^[^"~`$&+,]255$`	No
ike_group	Choice	`2`, `14`, `15`, `16`	No	`14`
ike_group_variable	String	Regex: `^[^"~`$&+,]255$`	No
ike_pre_shared_key	String		No
ike_pre_shared_key_variable	String	Regex: `^[^"~`$&+,]255$`	No
ike_pre_shared_key_local_id	Any	IP or String	No
ike_pre_shared_key_local_id_variable	String	Regex: `^[^"~`$&+,]255$`	No
ike_pre_shared_key_remote_id	Any	IP or String	No
ike_pre_shared_key_remote_id_variable	String	Regex: `^[^"~`$&+,]255$`	No
ike_rekey_interval	Integer	min: `300`, max: `1209600`	No	`14400`
ike_rekey_interval_variable	String	Regex: `^[^"~`$&+,]255$`	No
ipsec_ciphersuite	Choice	`aes256-cbc-sha1`, `aes256-cbc-sha384`, `aes256-cbc-sha256`, `aes256-cbc-sha512`, `aes256-gcm`, `null-sha1`, `null-sha384`, `null-sha256`, `null-sha512`	No	`aes256-gcm`
ipsec_ciphersuite_variable	String	Regex: `^[^"~`$&+,]255$`	No
ipsec_perfect_forward_secrecy	Choice	`group-2`, `group-14`, `group-15`, `group-16`, `none`	No	`none`
ipsec_perfect_forward_secrecy_variable	String	Regex: `^[^"~`$&+,]255$`	No
ipsec_rekey_interval	Integer	min: `300`, max: `1209600`	No	`3600`
ipsec_rekey_interval_variable	String	Regex: `^[^"~`$&+,]255$`	No
ipsec_replay_window	Integer	min: `64`, max: `4096`	No	`512`
ipsec_replay_window_variable	String	Regex: `^[^"~`$&+,]255$`	No
mtu	Integer	min: `576`, max: `2000`	No
mtu_variable	String	Regex: `^[^"~`$&+,]255$`	No
name	String	Regex: `^(ipsec[0-9]{0,3}\|gre[0-9]{0,3})$`	No
name_variable	String	Regex: `^[^"~`$&+,]255$`	No
shutdown	Boolean	`true`, `false`	No
tcp_mss	Integer	min: `500`, max: `1460`	No
tcp_mss_variable	String	Regex: `^[^"~`$&+,]255$`	No
track	Boolean	`true`, `false`	No
tracker	String		No
tracker_variable	String	Regex: `^[^"~`$&+,]255$`	No
tunnel_dc_preference	Choice	`primary-dc`, `secondary-dc`	Yes
tunnel_destination	IP		No
tunnel_destination_variable	String	Regex: `^[^"~`$&+,]255$`	No
tunnel_public_source_ip	IP		No
tunnel_public_source_ip_variable	String	Regex: `^[^"~`$&+,]255$`	No
tunnel_source_interface	String		No
tunnel_source_interface_variable	String	Regex: `^[^"~`$&+,]255$`	No
tunnel_type	Choice	`gre`, `ipsec`	Yes

trackers (sdwan.edge_feature_templates.secure_internet_gateway_templates)

Name	Type	Constraint	Mandatory
endpoint_api_url	String		No
endpoint_api_url_variable	String	Regex: `^[^"~`$&+,]255$`	No
interval	Integer	min: `20`, max: `600`	No
interval_variable	String	Regex: `^[^"~`$&+,]255$`	No
multiplier	Integer	min: `1`, max: `10`	No
multiplier_variable	String	Regex: `^[^"~`$&+,]255$`	No
name	String		No
name_variable	String	Regex: `^[^"~`$&+,]255$`	No
threshold	Integer	min: `100`, max: `1000`	No
threshold_variable	String	Regex: `^[^"~`$&+,]255$`	No

Examples

Example-1: SIG Configuration for Secure and Resilient SD-WAN Connectivity

A company wants to implement a Secure Internet Gateway (SIG) for its SD-WAN edge devices to ensure secure internet access. The SIG will route internet-bound traffic via Cisco Umbrella with high availability configured for redundancy. The company requires IPsec tunnels for secure communication and IKE authentication for encryption.

The Netascode YAML configuration for Secure Internet Gateway (SIG) enables a consistent and automated approach to deploying security and routing policies across diverse SD-WAN edge devices. It defines high-availability interface pairs with failover priorities, configures IPsec and GRE tunnels using secure encryption (e.g., AES-256-GCM), and integrates SIG providers like Cisco Umbrella and Zscaler with options to specify primary and secondary data centers. The configuration also includes dynamic tracking to monitor internet path health, ensuring seamless failover, while customizable settings such as MTU, TCP MSS, and DPD enhance tunnel performance. This YAML-driven method simplifies large-scale SD-WAN deployments by standardizing configurations, reducing errors, and supporting centralized policy enforcement.

sdwan:
  edge_feature_templates:
    secure_internet_gateway_templates:
      - name: Corp-SIG-Umbrella
        description: Secure Internet Gateway for SD-WAN Edge
        device_types:
          - ISR-4331
          - ISR-4351
        high_availability_interface_pairs:
          - active_interface: ipsec1
            active_interface_weight: 100
            backup_interface: ipsec2
            backup_interface_weight: 50
        interfaces:
          - name: ipsec1
            description: Primary IPsec Tunnel
            ike_ciphersuite: aes256-cbc-sha2
            ipsec_ciphersuite: aes256-gcm
            tunnel_type: ipsec
            tunnel_dc_preference: primary-dc
          - name: ipsec2
            description: Backup IPsec Tunnel
            ike_ciphersuite: aes256-cbc-sha2
            ipsec_ciphersuite: aes256-gcm
            tunnel_type: ipsec
            tunnel_dc_preference: secondary-dc
        sig_provider: umbrella
        umbrella_primary_data_center: us-east
        umbrella_secondary_data_center: us-west
        trackers:
          - name: "SIG-Health"
            endpoint_api_url: https://api.umbrella.com/health
            interval: 60
            multiplier: 3
            threshold: 200