Configuring Breakout on SD-WAN Sites


The following is the workflow for configuring breakout (local breakout [underlay], backhaul [central breakout], or cloud breakout):

  1. Before configuring breakout, ensure that you complete the following tasks:
    1. Add, configure, and activate at least one cloud hub site. See Adding Cloud Hub Sites for SD-WAN Deployment.
    2. (Optional) If you are using gateway sites, add, configure, and activate one or more gateway sites. See Adding Gateway Sites for SD-WAN Deployments.
    3. Add, configure, and activate one or more on-premise spoke sites. See Adding On-Premise Spoke Sites for SD-WAN Deployment.
    4. (Optional) If you are using application-based breakout, ensure that you install the application ID license (if it is required for the device) and signatures on the devices (associated with the sites).
  2. Depending on the type of breakout you are configuring, add one or more breakout profiles for the following types of breakout:
    • Local breakout (underlay)

    • Backhaul (central breakout)

    • Cloud breakout

    See Adding Breakout Profiles.

  3. For cloud breakout, add cloud breakout settings and then assign the cloud breakout settings to one or more on-premise spoke or gateway sites. See Adding Cloud Breakout Settings and Assigning Cloud Breakout Settings to Sites.
  4. Add one or more SD-WAN policy intents in which you reference the previously added breakout profiles. See Creating SD-WAN Policy Intents.
  5. Deploy the SD-WAN policy. See Deploying Policies.
  6. Configure firewall policy intents to allow Internet-bound traffic from the sites or departments for which you configured breakout (through the SD-WAN policy intent). See Creating Firewall Policy Intents.
  7. Deploy the firewall policy. See Deploying Policies.
  8. For cloud breakout using Zscaler, ensure that the user IDs in the Zscaler account are configured as follows:
    • for the primary tunnel

    • for the secondary tunnel

    Where Site-Name is the name of the site (in CSO) for which the breakout is configured and Tenant-Name is the name of the tenant (in CSO) to which the site belongs.