
Add Cloud Breakout Settings

If you want to break out traffic to a cloud-based security platform, then you must add settings for cloud breakout and assign the settings to one or more sites. You assign cloud breakout settings to sites to enable the provisioning of the tunnels from the sites to the cloud breakout node. For traffic to break out from the site, you must reference the cloud breakout profile in an SD-WAN policy intent and then deploy the SD-WAN policy.

To add cloud breakout settings:

  1. Select Configuration > SD-WAN > Breakout Profiles.

    The Breakout Profiles page appears.

  2. On the Cloud Breakout Settings tab, click the add icon (+).

    The Add Cloud Breakout Settings page appears.

  3. Complete the configuration according to the guidelines provided in Table 1.
    Note:

    Fields marked with an asterisk (*) are mandatory.

  4. Click OK.

    You are returned to the Breakout Profiles page (Cloud Breakout Settings tab) and a confirmation message indicating that the breakout settings are added is displayed.

Table 1: Fields on the Add Cloud Breakout Settings Page

Field

Description

Name

Enter a unique name for the cloud breakout settings. You can use alphanumeric characters and hyphens (-); the maximum length is 15 characters.

Tunnel Type

Select the type of overlay tunnel (IPsec or GRE) used to break out the traffic to the cloud breakout node.

IPsec Configuration Parameters

 

Domain Name

Displays the domain name that is used to generate the fully qualified domain name (FQDN) for SD-WAN policies. The FQDN is used by cloud security providers to identify the IPsec tunnels. The domain name is populated based on the customer domain name that was provided when the tenant was onboarded.

You can modify the domain name.

Phase 1

In Phase 1, the SD-WAN branch site and the cloud breakout node authenticate each other (using the preshared key) and establish a protected channel, the IKE security association, over which the IPsec security associations (SAs) are negotiated.

Encryption Type

Select an encryption type for IPsec proposals:

  • AES-256-CBC (default)—Advanced Encryption Standard (AES) with a 256-bit key in Cipher Block Chaining (CBC) mode.

  • AES-192-CBC—AES with a 192-bit key in CBC mode.

  • AES-128-CBC—AES with a 128-bit key in CBC mode.

  • 3DES-CBC—Triple Data Encryption Algorithm (3DES) in CBC mode. Has a block size of 8 bytes (64 bits); the key is 192 bits long (168 effective bits). 3DES is a legacy algorithm; prefer one of the AES options unless the cloud breakout node does not support them.

Authentication Type

Select an IPsec authentication algorithm for security association:

  • SHA-256 (default)—Secure Hash Algorithm (SHA-2 family) that produces a 256-bit digest from input of any length.

  • SHA-384—Produces a 384-bit digest.

  • SHA1—Produces a 160-bit digest. SHA-1 is deprecated; prefer SHA-256 or SHA-384 for new deployments.

DH Group

Select the Diffie-Hellman (DH) group used for the Phase 1 key exchange. The group determines the size of the modulus, and therefore the strength of the negotiated keying material; choose a group whose strength is consistent with the selected encryption algorithm:

  • GROUP2 (default)—1024-bit Modular Exponential (MODP) group. A 1024-bit modulus is below current key-strength recommendations; use GROUP14 where the cloud breakout node supports it.

  • GROUP5—1536-bit MODP group.

  • GROUP14—2048-bit MODP group.

Phase 2

In Phase 2, the SD-WAN branch site and the cloud breakout node negotiate the IPsec security associations for encrypting and authenticating the exchange of data.

Encryption Type

Select an encryption type for IPsec proposals.

  • NULL—No encryption. This is the default. With NULL encryption the breakout traffic is integrity-protected by the selected authentication algorithm but is carried in clear text between the site and the cloud breakout node; select an AES option if the WAN path is not trusted.

  • AES-256-CBC—AES 256-bit encryption algorithm.

  • AES-192-CBC—AES 192-bit encryption algorithm.

  • AES-128-CBC—AES 128-bit encryption algorithm.

Authentication Type

Select an IPsec authentication algorithm for security association.

  • HMAC-MD5-96—HMAC with MD5; produces a 128-bit digest, truncated to 96 bits. This is the default. MD5-based integrity checks are legacy; prefer HMAC-SHA-256-128.

  • HMAC-SHA-256-128—HMAC with SHA-256; produces a 256-bit digest, truncated to 128 bits.

  • HMAC-SHA1-96—HMAC with SHA-1; produces a 160-bit digest, truncated to 96 bits.

Protocol

This setting is enabled only if you select a non-null encryption type. Select the IPsec protocol used to carry the authenticated data:

  • ESP—Encapsulating Security Payload (ESP) protocol, which provides both encryption and integrity protection. This is the default.

  • AH—Authentication Header (AH) protocol, which provides integrity protection only. Because AH also authenticates the outer IP header, it does not work across NAT; use ESP unless the cloud breakout node specifically requires AH.

Primary Gateway

Specify the configuration parameters for the primary cloud breakout node.

Link Type

Select the preferred type of WAN link (MPLS or Internet) to be used for breaking out the traffic to the primary cloud breakout node.

If a WAN link type that matches the preferred path is enabled for breakout, then that WAN link type is used for breakout traffic.

IP Address/Hostname

Enter the IPv4 address or hostname of the primary cloud breakout node. Currently, Zscaler is the only cloud-based security platform supported.

CSO validates the IP address or hostname, and if the IP address or hostname is not reachable, a Host Unreachable message is displayed.

Preshared Key

Enter the preshared key (provided by Zscaler) to be used for Internet Key Exchange (IKE) authentication with the primary cloud breakout node.

The key that you enter is masked by default but you can click the eye icon to unmask the key.

Confirm Preshared Key

Re-enter the preshared key for confirmation.

Secondary Gateway

Specify the configuration parameters for the secondary cloud breakout node, which is used when the primary node is unavailable.

Link Type

Select the preferred type of WAN link (MPLS or Internet) to be used for breaking out the traffic to the secondary cloud breakout node.

If a WAN link type that matches the preferred path is enabled for breakout, then that WAN link type is used for breakout traffic.

IP Address/Hostname

Enter the IPv4 address or hostname of the secondary cloud breakout node.

CSO validates the IP address or hostname, and if the IP address or hostname is not reachable, a Host Unreachable message is displayed.

Preshared Key

Enter the preshared key (provided by Zscaler) to be used for Internet Key Exchange (IKE) authentication with the secondary cloud breakout node.

The key that you enter is masked by default but you can click the eye icon to unmask the key.

Confirm Preshared Key

Re-enter the preshared key for confirmation.
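The table above lists several defaults that a security review would flag (GROUP2, NULL Phase 2 encryption, HMAC-MD5-96) alongside stronger options. The following is an added example, not CSO code or a Zscaler-provided tool, that checks a proposed set of cloud breakout settings against the constraints stated in Table 1 and reports weak choices before they are committed in the portal. The field names, the dictionary layout, the 20-character preshared key minimum, the sample addresses and the preshared keys are all assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Allowed values as listed in Table 1 of the Add Cloud Breakout Settings page.
PHASE1_ENCRYPTION = {"AES-256-CBC", "AES-192-CBC", "AES-128-CBC", "3DES-CBC"}
PHASE1_AUTH = {"SHA-256", "SHA-384", "SHA1"}
DH_GROUPS = {"GROUP2", "GROUP5", "GROUP14"}
PHASE2_ENCRYPTION = {"NULL", "AES-256-CBC", "AES-192-CBC", "AES-128-CBC"}
PHASE2_AUTH = {"HMAC-MD5-96", "HMAC-SHA-256-128", "HMAC-SHA1-96"}
PROTOCOLS = {"ESP", "AH"}
LINK_TYPES = {"MPLS", "Internet"}

# Choices a reviewer would flag. The ratings are the example's own
# assessment, not a CSO or Zscaler recommendation.
WEAK = {
    "3DES-CBC": "64-bit block cipher; avoid on long-lived SAs",
    "SHA1": "SHA-1 is deprecated for new deployments",
    "GROUP2": "1024-bit MODP is below current key-strength recommendations",
    "NULL": "no confidentiality; payload is integrity-protected but sent in clear",
    "HMAC-MD5-96": "MD5-based integrity check; prefer HMAC-SHA-256-128",
    "HMAC-SHA1-96": "SHA-1-based integrity check; prefer HMAC-SHA-256-128",
    "AH": "integrity only and does not traverse NAT; prefer ESP",
}

# Name rule from Table 1: alphanumerics and hyphens, at most 15 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")
MIN_PSK_LEN = 20  # assumption for this example, not a CSO rule


def _check_choice(field: str, value, allowed, findings: List[str]) -> None:
    if value not in allowed:
        findings.append(f"{field}: '{value}' is not one of {sorted(allowed)}")
    elif value in WEAK:
        findings.append(f"{field}: {value} is weak ({WEAK[value]})")


def _check_gateway(label: str, gw: Dict, findings: List[str]) -> None:
    _check_choice(f"{label}.link_type", gw.get("link_type"), LINK_TYPES, findings)
    if not gw.get("address"):
        findings.append(f"{label}.address: IP address or hostname is required")
    psk = gw.get("preshared_key", "")
    if psk != gw.get("confirm_preshared_key"):
        findings.append(f"{label}: preshared key and confirmation do not match")
    if len(psk) < MIN_PSK_LEN:
        findings.append(f"{label}: preshared key shorter than {MIN_PSK_LEN} characters")


def validate_cloud_breakout_settings(s: Dict) -> List[str]:
    """Return a list of findings; an empty list means the settings pass review."""
    findings: List[str] = []
    if not NAME_RE.match(s.get("name", "")):
        findings.append("name: must be 1-15 alphanumeric characters or hyphens")
    if s.get("tunnel_type") not in {"IPsec", "GRE"}:
        findings.append("tunnel_type: must be IPsec or GRE")
    if s.get("tunnel_type") == "GRE":
        # GRE has no IPsec parameters; the overlay is neither encrypted nor authenticated.
        findings.append("tunnel_type: GRE carries breakout traffic without encryption or authentication")
        return findings
    p1, p2 = s.get("phase1", {}), s.get("phase2", {})
    _check_choice("phase1.encryption", p1.get("encryption"), PHASE1_ENCRYPTION, findings)
    _check_choice("phase1.authentication", p1.get("authentication"), PHASE1_AUTH, findings)
    _check_choice("phase1.dh_group", p1.get("dh_group"), DH_GROUPS, findings)
    _check_choice("phase2.encryption", p2.get("encryption"), PHASE2_ENCRYPTION, findings)
    _check_choice("phase2.authentication", p2.get("authentication"), PHASE2_AUTH, findings)
    if p2.get("encryption") != "NULL":  # Protocol is selectable only with non-null encryption
        _check_choice("phase2.protocol", p2.get("protocol"), PROTOCOLS, findings)
    _check_gateway("primary_gateway", s.get("primary_gateway", {}), findings)
    if "secondary_gateway" in s:
        _check_gateway("secondary_gateway", s["secondary_gateway"], findings)
    else:
        findings.append("secondary_gateway: not configured; no failover breakout node")
    return findings


# Constructed input: the page's defaults with one gateway and a short key.
DEFAULTS_ONLY = {
    "name": "zs-default", "tunnel_type": "IPsec",
    "phase1": {"encryption": "AES-256-CBC", "authentication": "SHA-256", "dh_group": "GROUP2"},
    "phase2": {"encryption": "NULL", "authentication": "HMAC-MD5-96"},
    "primary_gateway": {"link_type": "Internet", "address": "203.0.113.10",
                        "preshared_key": "short", "confirm_preshared_key": "short"},
}

# Constructed input: stronger choices from the same table plus a secondary node.
PSK = "constructed-example-psk-32chars!"
HARDENED = {
    "name": "zs-hardened", "tunnel_type": "IPsec",
    "phase1": {"encryption": "AES-256-CBC", "authentication": "SHA-256", "dh_group": "GROUP14"},
    "phase2": {"encryption": "AES-256-CBC", "authentication": "HMAC-SHA-256-128", "protocol": "ESP"},
    "primary_gateway": {"link_type": "Internet", "address": "203.0.113.10",
                        "preshared_key": PSK, "confirm_preshared_key": PSK},
    "secondary_gateway": {"link_type": "MPLS", "address": "198.51.100.20",
                          "preshared_key": PSK, "confirm_preshared_key": PSK},
}

if __name__ == "__main__":
    for label, settings in (("defaults", DEFAULTS_ONLY), ("hardened", HARDENED)):
        print(label, validate_cloud_breakout_settings(settings) or "OK")
```

Run against the defaults the validator reports the weak DH group, the NULL Phase 2 encryption, the MD5 integrity check, the short key and the missing secondary gateway; the hardened settings pass with no findings. The check that the gateway address actually resolves and answers is left to CSO, which performs it when you click OK.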

After you add cloud breakout settings, you can assign the settings to one or more sites, which provisions the overlay tunnels to the cloud breakout nodes. For more information, see Assigning Cloud Breakout Settings to Sites in the CSO Customer Portal User Guide (available on the CSO Documentation page).

For the breakout settings to apply to the SD-WAN traffic of a site, you must assign the cloud breakout settings to the site, reference a cloud breakout profile in an SD-WAN policy intent, and deploy the SD-WAN policy.