
Configuring Breakout on SD-WAN Sites

The following is the workflow for configuring breakout (local breakout [underlay], backhaul [central breakout], or cloud breakout):


  1. Before configuring breakout, ensure that you complete the following tasks:


    1. If you are using enterprise hub sites, add, configure, and activate one or more enterprise hub sites. See Adding Enterprise Hubs with SD-WAN Capability or SD-WAN and LAN Capabilities.
    2. Add, configure, and activate one or more on-premise spoke sites with SD-WAN capability. See Adding an On-Premise Spoke Site with SD-WAN Capability.

      Note: You must attach an on-premise spoke site with SD-WAN capability to a provider hub site, an enterprise hub site, or both.

    3. (Optional) If you are using application-based breakout, ensure that you install the application ID license (if it is required for the device) and signatures on the devices (associated with the sites).
  2. Depending on the type of breakout you are configuring, add one or more breakout profiles for the following types of breakout:
    • Local breakout (underlay)

    • Backhaul (central breakout)

    • Cloud breakout

    See Adding Breakout Profiles.

  3. For cloud breakout, add cloud breakout settings and then assign the cloud breakout settings to one or more on-premise spoke or enterprise hub sites. See Adding Cloud Breakout Settings and Assigning Cloud Breakout Settings to Sites.
  4. Add one or more SD-WAN policy intents in which you reference the previously added breakout profiles. See Creating SD-WAN Policy Intents.
  5. Deploy the SD-WAN policy. See Deploying Policies.
  6. Configure firewall policy intents to allow Internet-bound traffic from the sites or departments for which you configured breakout (through the SD-WAN policy intent). See Adding Firewall Policy Intents.
  7. Deploy the firewall policy. See Deploying Policies.
  8. For cloud breakout using Zscaler, ensure that the user IDs in the Zscaler account are configured as follows:
    • for the primary tunnel

    • for the secondary tunnel

    Where Site-Name is the name of the site (in CSO) for which the breakout is configured and Tenant-Name is the name of the tenant (in CSO) to which the site belongs.
