Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Breakout and Breakout Profiles Overview

Site-to-site traffic between spoke sites of a tenant is sent (on overlay tunnels) directly from one site to another depending on the tenant topology or through the hub or enterprise hub. However, for Internet-bound or Software as a Service (SaaS) traffic, you can break out the traffic in different ways:

  • Local breakout—The traffic exits the VPN directly at the site and goes to the destination.


    If underlay BGP is enabled for a WAN link, then the routes learnt from BGP are installed for local breakout; CSO does not generate the static default route.

  • Backhaul or central breakout—The traffic exits the VPN at the provider hub or at the enterprise hub (if a enterprise hub is associated with the spoke site) and then goes to the destination.

  • Cloud breakout—The traffic is sent from the site to a designated cloud-based security platform instead of traffic being sent over an underlay.


    From CSO Release 4.1.0 onwards, Zscaler is the only cloud-based security platform supported.

In CSO Release 4.0, only local breakout and central breakout (backhaul) are supported and the breakout option is enabled only at the site level. However, from CSO Release 4.1.0 onward, breakout is supported at the site, department, and application (cacheable only) levels by using breakout profiles that are applied using SD-WAN policy intents. Non-cacheable applications follow the site-specific or department-specific behavior as configured in the SD-WAN policy intent.


For sites added in CSO Release 4.1.0 onward, you cannot configure breakout directly at the site level and must use breakout profiles referenced in SD-WAN policy intents for this purpose.

Cloud Breakout

In releases before CSO Release 5.1.0, as part of providing the tunneled breakout to Zscaler, the tunnel source public IP address was obtained only from the WAN interface. With pool-based NAT supported from Release 5.1.0 onward, the tunnel creation to Zscaler (when pool-based NAT is configured) obtains the source address from the WAN link's NAT pool.

When multiple Zscaler tunnels are needed on a WAN interface (for example, when primary and secondary cloud breakout nodes are configured), the pool IP address must be large enough to accommodate these tunnels. In the case of multiple Zscaler tunnels, no two Zscaler tunnels will have the same source IP address. However, the IP address that is used as Zscaler tunnel’s source address, can also be used in the NAT pools.

Breakout Profiles

The following three types of breakout profiles are supported in CSO:

  • Local breakout (underlay)

  • Backhaul (central breakout)

  • Cloud breakout

After you add a breakout profile, you must create an SD-WAN policy intent specifying the source (site, site group, or department) and application and the applicable breakout profile.

SD-WAN Policy Intents for Breakout

For SD-WAN policy intents configured at different source endpoints, the following is applicable:

  • Site—A policy intent configured at the site level applies to all the departments within the site. In addition, by default, the site-level configuration is also applicable to all applications because the default configuration for applications is Any.

  • Department—A policy intent configured at the department level (for tenants with network segmentation enabled) overrides the policy intent configured at the site level. Similar to the behavior for the site-level policy intent, by default, a department-level policy intent is also applicable to all applications because the default configuration for applications is Any.

  • Application (cacheable only)—A policy intent (at the application level) where you specify one or more cacheable applications overrides the policy intent specified at either the department level or the site level only for the specified applications.

Benefits of Breakout Profiles

  • Breakout profiles used in intent-based Internet breakout policies (through SD-WAN policy intents) give users granular control over the Internet breakout behavior for specific applications.