Secure Internet Gateway Feature Template
Configure an Umbrella SIG service with pairs of active/standby tunnel interfaces. Per tunnel interface, configure the interface name, the admin status, the IKEv2 parameters, the IPSec parameters, the tunnel source interface, the tunnel destination, the IP maximum transmission unit (MTU), the Transmission Control Protocol maximum segment size (TCP MSS), and more.
Diagram
Classes
edge_feature_templates (sdwan)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
secure_internet_gateway_templates | List | [secure_internet_gateway_templates] | No | |
secure_internet_gateway_templates (sdwan.edge_feature_templates)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | Regex: ^[^<>!&" ]{1,128}$ | Yes | |
description | String | | Yes | |
device_types | List | Choice[C8500-12X4QC , C1111-4PLTEEA , C1161-8P , C1117-4PLTEEAW , C1121X-8P , C8200-1N-4T , ISR-4331 , C1127X-8PMLTEP , C1117-4PMLTEEAWE , ISR-4451-X , C8200L-1N-4T , C1113-8PLTEEA , IR-1821 , ASR-1001-X , ISR-4321 , C1116-4PLTEEAWE , C1109-4PLTE2P , C1121-8P , ASR-1002-HX , C1111-8PLTEEAW , C1112-8PWE , C1101-4PLTEP , ISR1100-4GLTENA-XE , C1111-8PLTELA , IR-1835 , C1121X-8PLTEP , IR-1833 , C8300-1N1S-4T2X , C1121-4P , ISR-4351 , C1117-4PLTELA , C1116-4PWE , C1113-8PM , IR-1831 , C1127-8PLTEP , C1121-8PLTEPW , C1113-8PW , ASR-1001-HX , C1128-8PLTEP , C1113-8PLTEEAW , C1117-4PW , C1116-4P , C1113-8PMLTEEA , C1112-8P , ISR-4461 , C1116-4PLTEEA , ISR-4221 , C1117-4PM , C1113-8PLTELAWZ , C1117-4PMWE , C1131-8PLTEPW , C1109-2PLTEVZ , C1113-8P , C1117-4P , C8300-2N2S-6T , C1127-8PMLTEP , ISR-4221X , ISR1100-4GLTEGB-XE , C8500-12X , C1109-2PLTEGB , C1113-8PLTEW , C1121X-8PLTEPW , ISR1100-6G-XE , C1121-4PLTEP , C1111-8PLTEEA , C1117-4PLTEEA , C1127X-8PLTEP , C1109-2PLTEUS , C1112-8PLTEEAWE , C1161X-8P , C8500L-8S4X , C1111-8PW , C1161X-8PLTEP , C1101-4PLTEPW , ISR1100X-4G-XE , IR-1101 , C1111-4P , C1111-4PW , C1111-8P , C1117-4PMLTEEA , C1113-8PLTELA , C1131X-8PW , C1111-8PLTELAW , C1131-8PW , C1161-8PLTEP , ISR1100X-6G-XE , ISR-4431 , C1101-4P , C8500-20X6C , C1109-4PLTE2PW , C1113-8PMWE , C1118-8P , C1126-8PLTEP , C8300-1N1S-6T , C1121-8PLTEP , C8300-2N2S-4T2X , C1131X-8PLTEPW , C1112-8PLTEEA , C1111-4PLTELA , ASR-1002-X , C1111X-8P , C1126X-8PLTEP , ASR-1006-X , C8000V , ISR1100-4G-XE , C1117-4PLTELAWZ ] | No | |
high_availability_interface_pairs | List | [high_availability_interface_pairs] | Yes | |
interfaces | List | [interfaces] | Yes | |
sig_provider | Choice | umbrella , zscaler , other | Yes | |
tracker_source_ip | IP | | No | |
tracker_source_ip_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
trackers | List | [trackers] | No | |
umbrella_primary_data_center | String | | No | |
umbrella_primary_data_center_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
umbrella_secondary_data_center | String | | No | |
umbrella_secondary_data_center_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
zscaler_aup_block_internet_until_accepted | Boolean | true , false | No | |
zscaler_aup_enabled | Boolean | true , false | No | |
zscaler_aup_force_ssl_inspection | Boolean | true , false | No | |
zscaler_aup_timeout | Integer | | No | |
zscaler_authentication_required | Boolean | true , false | No | |
zscaler_caution_enabled | Boolean | true , false | No | |
zscaler_ips_control_enabled | Boolean | true , false | No | |
zscaler_firewall_enabled | Boolean | true , false | No | |
zscaler_location_name_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
zscaler_primary_data_center | String | | No | |
zscaler_primary_data_center_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
zscaler_secondary_data_center | String | | No | |
zscaler_secondary_data_center_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
zscaler_surrogate_display_time_unit | Choice | minute , hour , day | No | |
zscaler_surrogate_idle_time | Integer | | No | |
zscaler_surrogate_ip | Boolean | true , false | No | |
zscaler_surrogate_ip_enforce_for_known_browsers | Boolean | true , false | No | |
zscaler_surrogate_refresh_time | Integer | | No | |
zscaler_surrogate_refresh_time_unit | Choice | minute , hour , day | No | |
zscaler_xff_forward | Boolean | true , false | No | |
high_availability_interface_pairs (sdwan.edge_feature_templates.secure_internet_gateway_templates)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
active_interface | String | Regex: ^(ipsec[0-9]{0,3}\|gre[0-9]{0,3})$ | Yes | |
active_interface_weight | Integer | min: 1 , max: 255 | Yes | |
backup_interface | String | Regex: ^(ipsec[0-9]{0,3}\|gre[0-9]{0,3}\|none)$ | Yes | |
backup_interface_weight | Integer | min: 1 , max: 255 | Yes | |
interfaces (sdwan.edge_feature_templates.secure_internet_gateway_templates)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
description | String | | No | |
description_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
dpd_interval | Integer | min: 10 , max: 65535 | No | |
dpd_interval_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
dpd_retries | Integer | min: 0 , max: 255 | No | |
dpd_retries_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
ike_ciphersuite | Choice | aes256-cbc-sha1 , aes256-cbc-sha2 , aes128-cbc-sha1 , aes128-cbc-sha2 | No | aes256-cbc-sha1 |
ike_ciphersuite_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
ike_group | Choice | 2 , 14 , 15 , 16 | No | 14 |
ike_group_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
ike_pre_shared_key | String | | No | |
ike_pre_shared_key_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
ike_pre_shared_key_local_id | Any | IP or String | No | |
ike_pre_shared_key_local_id_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
ike_pre_shared_key_remote_id | Any | IP or String | No | |
ike_pre_shared_key_remote_id_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
ike_rekey_interval | Integer | min: 300 , max: 1209600 | No | 14400 |
ike_rekey_interval_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
ipsec_ciphersuite | Choice | aes256-cbc-sha1 , aes256-cbc-sha384 , aes256-cbc-sha256 , aes256-cbc-sha512 , aes256-gcm , null-sha1 , null-sha384 , null-sha256 , null-sha512 | No | aes256-gcm |
ipsec_ciphersuite_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
ipsec_perfect_forward_secrecy | Choice | group-2 , group-14 , group-15 , group-16 , none | No | none |
ipsec_perfect_forward_secrecy_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
ipsec_rekey_interval | Integer | min: 300 , max: 1209600 | No | 3600 |
ipsec_rekey_interval_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
ipsec_replay_window | Integer | min: 64 , max: 4096 | No | 512 |
ipsec_replay_window_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
mtu | Integer | min: 576 , max: 2000 | No | |
mtu_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
name | String | Regex: ^(ipsec[0-9]{0,3}\|gre[0-9]{0,3})$ | No | |
name_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
shutdown | Boolean | true , false | No | |
tcp_mss | Integer | min: 500 , max: 1460 | No | |
tcp_mss_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
track | Boolean | true , false | No | |
tracker | String | | No | |
tracker_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
tunnel_dc_preference | Choice | primary-dc , secondary-dc | Yes | |
tunnel_destination | IP | | No | |
tunnel_destination_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
tunnel_public_source_ip | IP | | No | |
tunnel_public_source_ip_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
tunnel_source_interface | String | | No | |
tunnel_source_interface_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
tunnel_type | Choice | gre , ipsec | Yes | |
trackers (sdwan.edge_feature_templates.secure_internet_gateway_templates)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
endpoint_api_url | String | | No | |
endpoint_api_url_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
interval | Integer | min: 20 , max: 600 | No | |
interval_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
multiplier | Integer | min: 1 , max: 10 | No | |
multiplier_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
name | String | | No | |
name_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
threshold | Integer | min: 100 , max: 1000 | No | |
threshold_variable | String | Regex: ^[^"~ $&+,]255$ | No | |
Examples
Example-1: SIG Configuration for Secure and Resilient SD-WAN Connectivity
A company wants to implement a Secure Internet Gateway (SIG) for its SD-WAN edge devices to ensure secure internet access. The SIG will route internet-bound traffic via Cisco Umbrella with high availability configured for redundancy. The company requires IPsec tunnels for secure communication and IKE authentication for encryption.
The Netascode YAML configuration for Secure Internet Gateway (SIG) enables a consistent and automated approach to deploying security and routing policies across diverse SD-WAN edge devices. It defines high-availability interface pairs with failover priorities, configures IPsec and GRE tunnels using secure encryption (e.g., AES-256-GCM), and integrates SIG providers like Cisco Umbrella and Zscaler with options to specify primary and secondary data centers. The configuration also includes dynamic tracking to monitor internet path health, ensuring seamless failover, while customizable settings such as MTU, TCP MSS, and DPD enhance tunnel performance. This YAML-driven method simplifies large-scale SD-WAN deployments by standardizing configurations, reducing errors, and supporting centralized policy enforcement.
```yaml
sdwan:
  edge_feature_templates:
    secure_internet_gateway_templates:
      - name: Corp-SIG-Umbrella
        description: Secure Internet Gateway for SD-WAN Edge
        device_types:
          - ISR-4331
          - ISR-4351
        high_availability_interface_pairs:
          - active_interface: ipsec1
            active_interface_weight: 100
            backup_interface: ipsec2
            backup_interface_weight: 50
        interfaces:
          - name: ipsec1
            description: Primary IPsec Tunnel
            ike_ciphersuite: aes256-cbc-sha2
            ipsec_ciphersuite: aes256-gcm
            tunnel_type: ipsec
            tunnel_dc_preference: primary-dc
          - name: ipsec2
            description: Backup IPsec Tunnel
            ike_ciphersuite: aes256-cbc-sha2
            ipsec_ciphersuite: aes256-gcm
            tunnel_type: ipsec
            tunnel_dc_preference: secondary-dc
        sig_provider: umbrella
        umbrella_primary_data_center: us-east
        umbrella_secondary_data_center: us-west
        trackers:
          - name: "SIG-Health"
            endpoint_api_url: https://api.umbrella.com/health
            interval: 60
            multiplier: 3
            threshold: 200
```
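As an added example (editor's code, not part of the Netascode project), the following Python lint checks one secure_internet_gateway_templates entry against the constraints in the tables above: the template-name and tunnel-name regexes, the integer ranges of the interface and tracker fields, the mandatory choices, and that every high-availability pair refers to a tunnel that is actually defined under interfaces. It additionally flags two choices the schema allows but a reviewer would want to catch before a push: the null-* IPsec ciphersuites (integrity only, no encryption) and DH group 2 for IKE or PFS (1024-bit MODP); those two flags are the editor's judgement, not schema constraints. The input is a constructed dict mirroring Example-1, in the shape yaml.safe_load would return for that file.

```python
"""Lint one secure_internet_gateway_templates entry (added example, not nac-sdwan code).
Regexes and ranges are copied from the tables above; the weak-crypto flags are editorial."""
import copy
import re
from typing import Any

TUNNEL_RE = re.compile(r"^(ipsec[0-9]{0,3}|gre[0-9]{0,3})$")       # interfaces.name
BACKUP_RE = re.compile(r"^(ipsec[0-9]{0,3}|gre[0-9]{0,3}|none)$")  # backup_interface
NAME_RE = re.compile(r'^[^<>!&" ]{1,128}$')                         # template name
INTERFACE_RANGES = {  # field -> (min, max) from the interfaces table
    "dpd_interval": (10, 65535), "dpd_retries": (0, 255),
    "ike_rekey_interval": (300, 1209600), "ipsec_rekey_interval": (300, 1209600),
    "ipsec_replay_window": (64, 4096), "mtu": (576, 2000), "tcp_mss": (500, 1460),
}
TRACKER_RANGES = {"interval": (20, 600), "multiplier": (1, 10), "threshold": (100, 1000)}
# Editorial hygiene flags: null-* suites authenticate but do not encrypt, and
# DH group 2 is 1024-bit MODP. Both are valid schema choices.
NULL_IPSEC = {"null-sha1", "null-sha256", "null-sha384", "null-sha512"}
WEAK_DH = {"2", "group-2"}


def _range(out: list[str], where: str, field: str, value: Any, lo: int, hi: int) -> None:
    if value is not None and not lo <= value <= hi:
        out.append(f"{where}: {field}={value} outside [{lo}, {hi}]")


def lint_sig_template(tpl: dict[str, Any]) -> list[str]:
    """Return findings for one template entry; an empty list means it passed."""
    out: list[str] = []
    if not NAME_RE.match(tpl.get("name", "")):
        out.append("name fails the template-name regex")
    if tpl.get("sig_provider") not in {"umbrella", "zscaler", "other"}:
        out.append("sig_provider must be umbrella, zscaler or other")
    names: set[str] = set()
    for i, intf in enumerate(tpl.get("interfaces") or []):
        where, name = f"interfaces[{i}]", intf.get("name", "")
        names.add(name)
        if not TUNNEL_RE.match(name):
            out.append(f"{where}: tunnel name {name!r} fails the ipsec/gre regex")
        if intf.get("tunnel_type") not in {"gre", "ipsec"}:
            out.append(f"{where}: tunnel_type is mandatory (gre or ipsec)")
        if intf.get("tunnel_dc_preference") not in {"primary-dc", "secondary-dc"}:
            out.append(f"{where}: tunnel_dc_preference is mandatory")
        for field, (lo, hi) in INTERFACE_RANGES.items():
            _range(out, where, field, intf.get(field), lo, hi)
        if intf.get("tunnel_type") == "ipsec":
            suite = intf.get("ipsec_ciphersuite", "aes256-gcm")   # table default
            if suite in NULL_IPSEC:
                out.append(f"{where}: {suite} provides no confidentiality")
            if str(intf.get("ike_group", "14")) in WEAK_DH:       # table default 14
                out.append(f"{where}: ike_group 2 is 1024-bit MODP")
            if intf.get("ipsec_perfect_forward_secrecy", "none") in WEAK_DH:
                out.append(f"{where}: PFS group-2 is 1024-bit MODP")
    for i, pair in enumerate(tpl.get("high_availability_interface_pairs") or []):
        where = f"high_availability_interface_pairs[{i}]"
        act, bak = pair.get("active_interface") or "", pair.get("backup_interface") or ""
        if not TUNNEL_RE.match(act) or act not in names:
            out.append(f"{where}: active_interface {act!r} is not a defined tunnel")
        if not BACKUP_RE.match(bak) or (bak != "none" and bak not in names):
            out.append(f"{where}: backup_interface {bak!r} is not a defined tunnel")
        for field in ("active_interface_weight", "backup_interface_weight"):
            _range(out, where, field, pair.get(field), 1, 255)
    for i, trk in enumerate(tpl.get("trackers") or []):
        for field, (lo, hi) in TRACKER_RANGES.items():
            _range(out, f"trackers[{i}]", field, trk.get(field), lo, hi)
    return out


def with_interface_override(tpl: dict[str, Any], idx: int, **overrides: Any) -> dict[str, Any]:
    """Deep-copy tpl with fields on interfaces[idx] overridden, for what-if checks."""
    new = copy.deepcopy(tpl)
    new["interfaces"][idx].update(overrides)
    return new


# Constructed input mirroring Example-1 (what yaml.safe_load would return).
EXAMPLE_TEMPLATE: dict[str, Any] = {
    "name": "Corp-SIG-Umbrella", "sig_provider": "umbrella",
    "high_availability_interface_pairs": [
        {"active_interface": "ipsec1", "active_interface_weight": 100,
         "backup_interface": "ipsec2", "backup_interface_weight": 50}],
    "interfaces": [
        {"name": "ipsec1", "ike_ciphersuite": "aes256-cbc-sha2", "ipsec_ciphersuite": "aes256-gcm",
         "tunnel_type": "ipsec", "tunnel_dc_preference": "primary-dc"},
        {"name": "ipsec2", "ike_ciphersuite": "aes256-cbc-sha2", "ipsec_ciphersuite": "aes256-gcm",
         "tunnel_type": "ipsec", "tunnel_dc_preference": "secondary-dc"}],
    "trackers": [{"name": "SIG-Health", "endpoint_api_url": "https://api.umbrella.com/health",
                  "interval": 60, "multiplier": 3, "threshold": 200}],
}

if __name__ == "__main__":
    print(lint_sig_template(EXAMPLE_TEMPLATE) or ["OK: no findings"])
    weak = with_interface_override(EXAMPLE_TEMPLATE, 1, ipsec_ciphersuite="null-sha1", ike_group=2)
    print(*lint_sig_template(weak), sep="\n")
```

Run as a script it reports no findings for Example-1, then shows the two findings produced when the backup tunnel is switched to null-sha1 with IKE group 2. The ranges are only applied to fields that are present, since every one of them is optional in the schema; the crypto checks fall back to the table defaults (aes256-gcm, group 14, PFS none) when a field is omitted, which is what the device would use.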