About Firewall and Proxy Integrations
Integrating your firewalls and proxies with Skyhigh Cloud Connector lets you use Skyhigh CASB Service Groups within egress/ingress policies. This means you can use your existing edge-device functionality to block or control high-risk services that anyone in your organization may be using, including services you have not yet discovered.
Depending on the capabilities of your edge devices, you may configure settings so that changes made to your Skyhigh CASB Service Groups are reflected on your edge devices using the Automatic update process. Otherwise, updates will need to be made manually.
Admins can enable an approval workflow where changes are queued for review before they are sent to your edge device. Then they can enable notifications that send an Email Summary to the configured email IDs, to keep them informed of changes made to edge devices.
These firewall/proxy integrations are managed in Settings > Integrations > Firewall/Proxy; from there, click Edit Integration. For details, see Integrating an Edge Device.
Native support exists for the following devices:
- Broadcom
- Fortigate
- Skyhigh Security Web Gateway
- Palo Alto Networks Panorama
- Zscaler
NOTE: On the Firewall/Proxy Integration page, whenever a service is added or removed within a service group, the #URLs and Changes Since Last Sync columns may take a few minutes to update, or may only be updated when you refresh the page. However, the # Services column is updated in real time.
How are Service Group Changes Synced?
When you configure your firewall or proxy devices, you'll select a way for Service Group changes to be synced to edge devices:
- Automatic. Changes are synced to edge devices without manual intervention.
- Manual. Manual updates require downloading a file, editing if necessary, then uploading it to an edge device.
IMPORTANT: Automatic updates require Skyhigh Cloud Connector v3.3 or later.
KNOWN ISSUE: Do not use white space when you create the service group name. You can use "_" or "-" instead of a space. If there is white space in the service group name and the service group is used in a Panorama integration, there can be problems accessing the published URL list.
Available Integration Modes are defined as:
- Published URL List. This is how Automatic updates are processed. On the Firewall/Proxy Integration page, click Published URL List to display the URL(s) you will use to synchronize the edge device server. (This URL query string includes your Cloud Connector's symbolic server name and your edge device ID. If you have multiple Cloud Connectors installed and pointing to this tenant, they will all be listed here.)
- Config File. For Manual updates, you'll have to manually download config files before uploading them to each device. This filename is displayed on the Firewall/Proxy Integration page. Click Download.
- API Integration. Panorama devices use an API Integration or Published URL.
IMPORTANT: If you have Panorama 7.1 or later, use the Published URL List method instead of configuring Cloud Connector.
For details, see Integrating an Edge Device.
Approvals
If your integrated edge devices support Automatic syncing, you can enable an approval workflow to be notified of automatic updates and other activity. This way, no automatic updates are synced to edge devices without the approval of a Policy Manager. Each change must be downloaded, then uploaded to the edge device for changes in Service Groups to be applied.
Administrators may approve updates when changes to URLs in a Service Group occur, such as:
- If new services match a service group's inclusion criteria.
- If existing services no longer match a service group's inclusion criteria.
- When an admin manually adds or removes services.
- If the URL for a service changes.
NOTE: If all your edge devices are set to use the Manual update process, the approval workflow is not applicable, and is disabled.
For details, see Integrating an Edge Device.
Email Summary
Notifications for changes to Service Groups can send an Email Summary containing all URL changes, by Service Group, synced to each edge device. You can specify who the recipients of the notifications should be. The recipients must be Skyhigh CASB users who have the Administrator role. Notifications can be set to trigger on a Daily, Weekly, or Monthly basis. (Selecting a frequency of None turns off the Email Summary.) These emails summarize all URL changes (by Service Group, for each device) that occurred during the past Day/Week/Month.
For details, see Integrating an Edge Device.
Skyhigh Cloud Connector Integration
Before your edge device is integrated with the Skyhigh CASB dashboard, Skyhigh Cloud Connector should be installed and configured. Make sure to perform any further integration steps required for your edge device: