Configure Tunnels with Silver Peak

This guide describes how to service chain traffic from Silver Peak EdgeConnect to Cisco Umbrella to enable threat protection and containment. To do this, set up interoperable site-to-site IPsec tunnels between EdgeConnect and Umbrella. The instructions below configure a single internet breakout from EdgeConnect to Umbrella.

Note: This document is based on Silver Peak EdgeConnect version 8.3.0.16. While we expect that IPsec tunnels will continue to work with devices as each vendor updates their device, we cannot guarantee connectivity for versions not explicitly listed as tested.

Configure Tunnels in Umbrella

Before the Silver Peak can be configured, you must create the correct tunnel FQDN and shared secret in Cisco Umbrella.

  1. Navigate to Deployments > Core Identities > Network Tunnels and click Add.
  2. Give the Tunnel a name and choose Other from the Device Type drop-down menu.
  3. On the Set Tunnel ID and Passphrase page:
    a. Select FQDN.
    b. Set the Tunnel ID.
    c. Set the Passphrase.
  4. Copy the Tunnel ID and Passphrase once they have been confirmed and save them for the next section.

Configure ADFS for SAML

When configuring ADFS for SAML, the Umbrella SSL inspection can create issues with authentication. This is why it must be disabled for the traffic to the ADFS URL. The following topology describes the traffic flow:

  • Topology: SAML user -> SP Edge -> Umbrella with SSL inspection enabled -> AD FS server

To solve an authentication issue, add the ADFS URL to the exclusion list in the Umbrella SSL inspection configuration.

Configure Silver Peak EdgeConnect

There are a few ways to integrate Silver Peak EdgeConnect with Umbrella. The underlying transport to Umbrella remains the same, an IPsec tunnel, but the traffic steering can be done through:

  • Business Intent Overlays (BIO)
  • Route Mapping

BIO is the preferred method of traffic steering. When the Silver Peak EdgeConnect device has internet access, it will establish an IPsec tunnel and carry interesting traffic to Umbrella for threat protection and containment.

Business Intent Overlay

Configure the IPsec Tunnel

Configure an IPsec Tunnel from the Silver Peak EdgeConnect to the Umbrella headend.

  1. In Silver Peak EdgeConnect, navigate to Configuration > System & Networking > Tunnels.
  2. In the Passthrough tab select Add Tunnels, then select the General tab and add the following:
     General | Value
     Alias | Enter the name of the tunnel.
     Mode | Select IPsec.
     Admin | Select up.
     Local IP | Enter the EdgeConnect internet WAN interface IP address.
     Remote IP | Enter the SIG headend IP address.
     NAT | Keep the default option, none.
     Peer/Service | Enter the name of the service.
     Auto Max BW Enabled | Select the check box.
     Max BW Kbps | This field will auto-populate based on your WAN bandwidth capacity.
  3. Select the IKE tab and add the following:
     IKE | Value
     IKE Version | Select IKEv2.
     Pre-Shared Key | Enter the pre-shared key you created in the SIG dashboard.
     Authentication Algorithm | Select SHA-256.
     Encryption Algorithm | Select AES-256.
     Diffie-Hellman Group | 14
     Lifetime | Keep the default value.
     Dead Peer Detection Delay Time | 10
     Dead Peer Detection Retry Count | 3
     Local IKE Identifier | Enter the User FQDN created in the SIG dashboard.
     Remote IKE Identifier | Enter the User FQDN created in the SIG dashboard.
     Phase 1 Mode | It is set to Aggressive by default and cannot be changed.
  4. Select the IPsec tab and add the following:
     IPSec | Value
     Authentication Algorithm | SHA-1
     Encryption Algorithm | AES-256
     IPsec Anti-replay Window | Disable (This field has changed from a tick box to a dropdown menu in the latest release of the Orchestrator.)
     Lifetime | Leave the values as they are.
     Perfect Forward Secrecy Group | Select disable from the dropdown menu.
  5. Click Save.
  6. From Configuration > System & Networking > Tunnels > Passthrough, review the status of the tunnel.
  7. In Umbrella, navigate to Deployments > Core Identities > Network Tunnels and review the status of the tunnel from the Umbrella side.

Create the Business Intent Overlay (BIO)

  1. Navigate to Configuration > Business Intent Overlay.
  2. Select the Business Intent Overlay you want to add to the Umbrella breakout service.
  3. Click the edit icon next to Match “Overlay ACL”, then click Add Rule.
  4. Click Match Criteria, select Others, and then click Save.
  5. Ensure traffic permission is set to Permit and click Apply.
  6. Select the Breakout Traffic to Internet & Cloud Services tab and click the edit icon.
  7. Click the edit icon next to Available Policies, choose Umbrella and then click Add.
  8. Click Save.
    The Umbrella policy appears in the list of Available Policies.
  9. Optionally, select and drag the Umbrella Policy from Available Policies to the top of the Preferred Policy Order and then click OK.

Route Mapping

Configure the IPsec Tunnel

Configure an IPsec Tunnel from the Silver Peak EdgeConnect to the Umbrella headend.

  1. In Silver Peak EdgeConnect, navigate to Configuration > System & Networking > Tunnels.
  2. In the Passthrough tab select Add Tunnels, select the General tab, and add the following:
     General | Value
     Alias | Enter the name of the tunnel.
     Mode | Select IPsec.
     Admin | Select up.
     Local IP | Enter the EdgeConnect internet WAN interface IP address.
     Remote IP | Enter the SIG headend IP address.
     NAT | Keep the default option, none.
     Peer/Service | Leave this field blank.
     Auto Max BW Enabled | Select the check box.
     Max BW Kbps | This field will auto-populate based on your WAN bandwidth capacity.
  3. In the IPsec tab, add the following:
     IPSec | Value
     Authentication Algorithm | SHA-1
     Encryption Algorithm | AES-256
     Enable IPSec Anti-replay Window | Uncheck this option.
     Lifetime | Leave the values as they are.
     Perfect Forward Secrecy Group | Select disable from the dropdown menu.
  4. Click Save.
  5. Navigate to Configuration > System & Networking > Tunnels > Passthrough and review the status of the tunnel.
  6. In Umbrella, navigate to Deployments > Core Identities > Network Tunnels and review the status of the tunnel from the Umbrella side.

Create an Access List for Interesting Traffic

  1. From the EdgeConnect dashboard, navigate to Configuration > Policies > Access Lists and click Add.
  2. Click Add Rule, then click Match Criteria and select Other.
  3. Click Save.
  4. Confirm that traffic permission is set to Permit and click Apply.

Create a Route Map

  1. In EdgeConnect, navigate to Configuration > Policies > Route Policies and click Add Map.
  2. Click Add Rule and then click Match Criteria.
  3. Select ACL and from the drop-down menu choose the ACL created in the previous step.
  4. Click Set Actions and add the following:
  • Destination Type—Passthrough Tunnel
  • Destination—tunnel-to-umbrella
  • Fallback—pass-through
  5. Click Save and then click Apply.

Test the Configuration

Once the Silver Peak EdgeConnect deployment is complete, log in to any machine connected to the LAN subnet and run the ‘curl http://ifconfig.co’ command, or access ‘http://ifconfig.co’ through a browser. If everything is working as expected, an IP address in the 146.112.x.x range is returned.
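
The same test as a script that can be rerun after configuration changes. This is an added example, not part of the original guide: it fetches the egress address from http://ifconfig.co over IPv4 and checks it against the 146.112.x.x range given above. The function names and the `--live` switch are this example's own.

```sh
#!/bin/sh
# Added example, not from the Umbrella or Silver Peak documentation.
# Range taken from the page: Umbrella egress is expected in 146.112.x.x.

# Return 0 only if $1 is a well-formed IPv4 address inside 146.112.0.0/16.
is_umbrella_egress() {
    ip=$1
    # Only digits and single dots allowed; this also rejects IPv6 and HTML bodies.
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip          # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac   # no leading zeros
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -eq 146 ] && [ "$2" -eq 112 ]
}

# Hypothetical helper: run the page's curl test with IPv4 forced and a timeout,
# so a dead path reports a failure instead of hanging.
check_egress() {
    addr=$(curl -4 -s -f --max-time 10 http://ifconfig.co) || {
        echo "FAIL: no answer from ifconfig.co" >&2
        return 2
    }
    if is_umbrella_egress "$addr"; then
        echo "OK: egress address $addr is in 146.112.x.x"
    else
        echo "FAIL: egress address $addr is outside 146.112.x.x" >&2
        return 1
    fi
}

# Touch the network only on request; without --live the file just defines functions.
if [ "${1:-}" = "--live" ]; then
    check_egress
fi
```

Run it with `--live` from a host on the LAN subnet; a non-zero exit status means the returned address was missing or outside the expected range.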

Other Resources

Umbrella Cloud Firewall

