Guidelines for setting up an automatic tunnel between Secure Access and Firewall Threat Defense devices
General guidelines
- Set up routing on the Firewall Threat Defense device to route traffic over the tunnel.
- To update routing settings in a SASE topology, delete the Firewall Threat Defense device from the topology and add it again with the required routing configuration.
- When change management is enabled, tunnels are not deployed automatically to Secure Access. Manually deploy tunnels to Secure Access from the Site-to-Site VPN page after the change management ticket is approved.
Multi-ISP SASE topology guidelines
- To create a multi-ISP SASE topology, you must establish multiple tunnels from a Firewall Threat Defense device to Secure Access using different interfaces. Since each SASE topology supports only one WAN interface, use the SASE wizard to create multiple topologies.
- When you configure multi-ISP SASE topologies that use the same region and device but different VPN interfaces, ensure all topologies have identical settings. The tunnel ID prefix, passphrase, and routing configurations must match across all topologies.
- To update routing settings in a multi-ISP SASE topology, delete the Firewall Threat Defense device from each topology and add it again with the required configuration. Ensure routing settings are consistent across all topologies.
Limitations
- Clustering is not supported.