SaaS & Internet Breakout Validation
Objective
Verify that the branch z40 routes:
- Non-SaaS internet traffic through the tunnels (backhauled to the concentrator), and
- SaaS applications directly out the branch WAN (no backhaul),
using the Net Balancer’s Branches and SAAS APPS tabs, and validate via interface counters and syslog.
Prerequisites
- Admin access to zWAN Director.
- A z40 (“branch”) onboarded and online.
- At least one WAN interface up (e.g., WAN00) and at least one IPSEC tunnel up (e.g., IPSEC01, IPSEC03).
- A Windows or Linux client on the z40 LAN.
- The client can reach a few common SaaS sites (pick ones that appear in your SAAS APPS list, e.g., Microsoft 365/Teams, Zoom, Google Workspace).
Baseline (5 min)
- In Director, open: Edge Controllers > [Your Device] > Analytics > Statistics > Interfaces.
- Note the current Tx/Rx for:
  - IPSECxx (your tunnel interface, e.g., IPSEC01)
  - WANxx (your internet uplink, e.g., WAN00)
- From the client, open any non-SaaS site (e.g., example.com) just to see normal traffic counters increment.
Configure Branch Gateways (Branches tab)
Path: Edge Controllers > [Your Device] > Network > Net Balancer > BRANCHES
Button: ADD GATEWAY (uses the dialog you showed)
You will create three gateway types (as needed in your environment):
A) Internet Breakout (backhaul default via tunnels)
This tells the branch to route normal internet traffic through the tunnels to the concentrator by default.
- Click ADD GATEWAY.
- Type: select Internet Breakout.
- In Link Configuration:
  - Gateway IP Address: pick your IPSEC gateway (e.g., IPSEC01).
  - Local Interface: select the local interface used with that path (choose per your deployment).
  - Weight: leave default or set per policy.
  - Timeout Coefficient: leave default (e.g., x1 (Fast)).
- Click ADD, then ensure the Configured Status toggle is ON for this gateway.
Note (from your guidance): choosing IPSEC00/IPSEC01 here causes "regular" (non-SaaS) internet traffic to be backhauled to the concentrator by default.
B) Tunnel (define which WANs build/maintain the tunnels)
This tells the branch which local WANs are used to establish/maintain tunnel heartbeat.
- ADD GATEWAY → Type: Tunnel.
- Gateway IP Address / Local Interface: select your WANxx (e.g., WAN00, optionally add another for redundancy with its own weight).
- Set Weight / Timeout Coefficient as desired.
- ADD and enable it.
C) SAAS (direct internet breakout for selected SaaS apps)
This tells the branch which local path to use for SaaS traffic (direct to the internet, with no tunnel backhaul, so this traffic does not pass through the concentrator).
- ADD GATEWAY → Type: SAAS.
- Gateway IP Address / Local Interface: select WANxx interface(s) to use for SaaS (e.g., WAN00, optionally WAN01 with its own weight).
- Set Weight / Timeout Coefficient as desired.
- ADD and enable it.
All three gateway types use the same fields (Gateway IP Address, Local Interface, Weight, Timeout Coefficient) in the dialog you shared.
Select SaaS Applications (SAAS APPS tab)
Path: Edge Controllers > [Your Device] > Network > Net Balancer > SAAS APPS
- In the SAAS APPS tab, select (check) a few well-known apps that appear in your list (e.g., Microsoft 365/Teams, Zoom, Google).
- Save/Apply (if a control is present).
Per your note: simply selecting apps here makes those apps bypass the tunnels and use the SAAS gateway (i.e., WAN breakout).
(Optional) Additional steering with Balancing Rules
Path: Net Balancer > BALANCING RULES
If you need steering beyond the built-in SaaS list, you can create rules using the Flow Classification matchers you’ve already provided (e.g., FQDN, Web Category, DPI, IP/Port).
- Example: route a specific FQDN (e.g., a software update domain) to SAAS (WAN), while leaving everything else backhauled.
(If you want me to write the exact clicks for each matcher, send a screenshot of the “New Rule” dialog and I’ll mirror its fields exactly.)
Validation
1) Non-SaaS traffic should backhaul (tunnel path)
- From the client, browse a non-SaaS site (anything not selected in SAAS APPS).
- In Director, open Analytics > Statistics > Interfaces for the device.
- Expect:
  - IPSECxx counters climb (Tx/Rx).
  - WANxx also climbs, because the tunnel rides the WAN; the distinguishing signal is that IPSECxx climbs roughly in step with it, unlike in the SaaS test below.
- (Optional) On the client, run tracert/mtr to observe a path consistent with backhaul (exact hops depend on your ISP and concentrator visibility).
2) SaaS traffic should break out locally (WAN path)
- From the client, actively use one of the SaaS apps you enabled, e.g., open office.com/teams.microsoft.com, start/join a Zoom meeting, or use Google Drive.
- In Interfaces stats:
  - WANxx (e.g., WAN00) shows a clear increase while IPSECxx does not climb in proportion to this SaaS usage.
- Repeat with a second SaaS app to confirm consistent behavior.
3) (Optional) Failover / Weight bias checks
- If you have added more than one WAN to the SAAS gateway with different Weights, you should see usage skew toward the higher weight.
- If you safely take WAN00 down, SaaS should flow out the remaining WAN you added to the SAAS gateway (if any).
- You stated re-convergence is immediate; no hold-down timer is configurable.
4) Logs
- Check Edge Controllers > [Device] > System > Logs > Syslog.
- If your build emits “Net Balancer”/load-balancer messages, you can filter on them; otherwise rely on the interface counters + observable app behavior as the primary proof (per your note).
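To make the counter comparison in steps 1 and 2 repeatable, here is an added Python check (not part of this runbook or of Director) that takes two snapshots of the Tx/Rx byte counters read from the Interfaces page and reports whether the test traffic went through the tunnel or out the local WAN; the interface names, thresholds and sample counter values are constructed assumptions.

```python
# Added example: decide which path a client test used, from Tx/Rx byte
# counters copied off Director's Interfaces page before and after the test.
# Interface names, thresholds and every counter value here are constructed.

MIN_BYTES = 1_000_000     # assumed: < 1 MB on the WAN means the test moved too little
BACKHAUL_SHARE = 0.75     # assumed: IPSEC carried >= 75% of the WAN increase
BREAKOUT_SHARE = 0.25     # assumed: IPSEC carried <= 25% of the WAN increase


def delta(before, after, iface):
    """Bytes moved on one interface between two snapshots (tx + rx)."""
    b, a = before[iface], after[iface]
    d = (a["tx"] - b["tx"]) + (a["rx"] - b["rx"])
    if d < 0:
        # Counter went backwards (reboot or counter reset between the two
        # readings): this snapshot pair is not usable as evidence.
        raise ValueError(f"{iface}: counters reset between snapshots")
    return d


def classify_path(before, after, ipsec="IPSEC01", wan="WAN00"):
    """Return 'backhaul', 'breakout', 'mixed' or 'no-traffic'.

    The tunnel rides the WAN, so WANxx climbs in both tests; the signal is
    how much of the WAN increase is also seen on IPSECxx.
    """
    wan_d = delta(before, after, wan)
    ipsec_d = delta(before, after, ipsec)
    if wan_d < MIN_BYTES:
        return "no-traffic"
    share = min(ipsec_d / wan_d, 1.0)  # ESP overhead keeps WAN >= IPSEC
    if share >= BACKHAUL_SHARE:
        return "backhaul"
    if share <= BREAKOUT_SHARE:
        return "breakout"
    return "mixed"


# Constructed counter snapshots (bytes): baseline, after the non-SaaS
# browse (step 1), and after the SaaS session (step 2).
BASELINE = {"IPSEC01": {"tx": 50_000_000, "rx": 120_000_000},
            "WAN00":   {"tx": 90_000_000, "rx": 300_000_000}}
AFTER_NON_SAAS = {"IPSEC01": {"tx": 52_000_000, "rx": 128_000_000},  # +10 MB
                  "WAN00":   {"tx": 92_200_000, "rx": 308_800_000}}  # +11 MB
AFTER_SAAS = {"IPSEC01": {"tx": 52_100_000, "rx": 128_200_000},      # +0.3 MB
              "WAN00":   {"tx": 98_200_000, "rx": 333_800_000}}      # +31 MB

if __name__ == "__main__":
    print("step 1 (non-SaaS):", classify_path(BASELINE, AFTER_NON_SAAS))
    print("step 2 (SaaS):    ", classify_path(AFTER_NON_SAAS, AFTER_SAAS))
```

Use the step 1 "after" snapshot as the step 2 "before" snapshot, as above, so the SaaS test is judged only on the traffic it generated.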
Rollback / Cleanup
- SAAS APPS: unselect the apps you enabled (SaaS will resume the default path).
- BRANCHES: toggle Configured Status OFF (or delete) for the SAAS gateway if you want to disable SaaS breakout entirely.
- Leave Tunnel and Internet Breakout gateways in place for your normal policy, or disable per your lab plan.
Notes & Tips
- The BRANCHES tab is where you declare the four gateway types (Branch, Internet Breakout, SAAS, Tunnel) via ADD GATEWAY; each uses the same “Link Configuration” fields you showed (Gateway IP Address, Local Interface, Weight, Timeout Coefficient).
- Per your mapping:
  - Internet Breakout: point to IPSECxx so non-SaaS traffic backhauls to the concentrator by default.
  - Tunnel: use WANxx to define which WANs keep the tunnels/heartbeat up.
  - SAAS: use WANxx so selected SaaS apps go direct to the internet.
- You asked to avoid Global Applications for this POC; interface counters (WANxx vs IPSECxx) and Syslog are the recommended proof points here.