Skip to main content
Skyhigh Security

Configure GRE Tunnels on Secure Web Gateway

To configure GRE tunnels on Secure Web Gateway, you specify an IP address that will serve as web traffic collection point within your network. 

After you have saved this IP address on Secure Web Gateway as an external IP address, Secure Web Gateway allocates two GRE tunnels, a primary and a secondary tunnel. They are used to connect your network to Secure Web Gateway and route web traffic through them. Two tunnels are allocated to ensure failover functions can be performed.

For these tunnels, Secure Web Gateway also allocates IP addresses, which you need to specify when you complete the part of the GRE tunnel configuration that is not completed on Secure Web Gateway.

You can also specify and save more than one IP address as external IP addresses for Secure Web Gateway.

  1. On the user interface for Secure Web Gateway, place your mouse pointer over the settings icon in the top right corner, then select Infrastructure > Web Gateway Setup from the drop-down menus.
  2. On the setup main page, begin with configuring a location for your network.

    • Scroll down to Configure Locations and click New Location.

    • On the Configure Location page, enter a name for the location in the Name field, for example, London.

      clipboard_e9496405c2ad0040ac78ca538bad60608.png

  3. If you want to add SAML authentication as method for authenticating users who send requests for web access, select a configuration from the list provided under Select SAML Configuration. Users are then authenticated according to the settings of this configuration.

    If you have configured SAML authentication as part of your web policy, select None here. Otherwise, SAML authentication will not use the settings you have configured for your web policy, but the settings of the configuration that you have selected here.

    To use advanced settings for SAML authentication, you need to configure them as part of your web policy. 

  4. If you want to store log data about web traffic in a particular region, select this region from the list provided under Log Data Residency.

  5. As mapping type for the location you have configured for your network, select GRE Tunnel Mapping.

    clipboard_e678b54c4f6e7beffb25674c5c4e1dec2.png

  6. Optionally specify one or more reserved subnets. Secure Web Gateway will not use an IP address from within these subnets as the external IP address.

    Under Subnet, type the IP address range for each subnet you want to specify, for example, 100.64.0.0/4. You can also add a plain-text comment for each subnet. Use the + icon to add more subnets.

    clipboard_ebf97d86dec4063af7c7ab21606b06997.png

    Or click Add Subnet and select Import CSV from the drop-down menu to import the subnet range in a .csv file using the file manager on your system.

  7. Specify an IP address as external IP address for Secure Web Gateway.

    Under External address, enter the IP address you want to use, for example, 203.0.13.0. You can also add a plain-text comment for this IP address.

    clipboard_ed5d6cf5c0a5518823431070977339dd4.png

    You can also specify more than one IP address as external IP address here. Use the + icon to add IP addresses.

    Or click Add Address and select Import CSV from the drop-down menu. Then, using the file manager on your system, import the external IP address in a .csv file.

  8. Click Save.

After you have saved these settings, Secure Web Gateway allocates two GRE tunnels as follows:

  • Primary GRE tunnel Connects your network to Secure Web Gateway on the Point of Presence (PoP) in the cloud that is usually best available.

  • Secondary GRE tunnel — Connects your network to Secure Web Gateway on the Point of Presence (PoP) in the cloud that is second in availability when the first PoP happens to be not available.

You can view the settings for the tunnels on the user interface. For more information about routing web traffic to the best available Point of Presence, see Routing Web Traffic to PoPs

Secure Web Gateway also displays the IP addresses you need to configure as interfaces for the GRE tunnels on the network device or in the SD-WAN service you are using, see Configuring GRE Tunnels on Your Network Device or in Your SD-WAN Service.

  • Was this article helpful?