You can configure an IPSec VPN tunnel between the gateway of your corporate network and a Zscaler Enforcement Node (ZEN). Zscaler recommends configuring two separate VPNs to two different ZENs for high availability. If the primary IPSec VPN tunnel or an intermediate connection goes down, all traffic is rerouted through the backup IPSec VPN tunnel to the backup ZEN.
Zscaler IPSec tunnels support a soft limit of 200 Mbps per tunnel. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends that you configure more IPSec VPN tunnels as needed. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two backup VPN tunnels. If your organization processes 600 Mbps of traffic, you would configure three primary VPN tunnels and three backup VPN tunnels.
Ensure that you have the following information for each tunnel:
To configure an IPSec VPN to a Zscaler ZEN:
To learn more, see the Interoperability List.
Zscaler recommends always sending traffic from a router and not a firewall.
Zscaler currently doesn't recommend forwarding traffic from Check Point (GAIA version 77.20) because Check Point doesn't support:
Also be aware that NAT-T encapsulation mode is not supported with Check Point, and this setting has to be disabled.
To disable this setting: