Introduction
Configuring a Zscaler GRE (Generic Routing Encapsulation) tunnel on a Juniper SRX, together with SLA/failover, involves several steps, and the details vary slightly with the SRX model and Junos OS version. The sample configuration below is a general template; adapt the addresses, interface names and zone names to your own environment and equipment.
Assumptions
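4.4.4.2/30 is your WAN/Internet IP
4.4.4.1 is the next hop used when the probe fails (the other host address in 4.4.4.0/30), so failover traffic leaves directly through the WAN instead of the tunnel
165.225.114.8 is the Zscaler Cloud IP
172.20.70.177/30 is your GRE tunnel interface IP
172.20.70.178 is the far end of the GRE tunnel, used below as the tunnel next hop and the RPM probe target
10.0.8.0/24 is your LAN/Inside network
ge-0/0/3 unit 44 is the inside interface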
Sample Configuration
==========tunnel interface=====
set interfaces gr-0/0/0 unit 0 description primary_GRE
set interfaces gr-0/0/0 unit 0 tunnel source 4.4.4.2
set interfaces gr-0/0/0 unit 0 tunnel destination 165.225.114.8
set interfaces gr-0/0/0 unit 0 family inet mtu 1476
set interfaces gr-0/0/0 unit 0 family inet address 172.20.70.177/30
set security zones security-zone Zscaler interfaces gr-0/0/0.0
==========security policy=====
set security policies from-zone Inside to-zone Zscaler policy permit-Inside-Zscaler match source-address any
set security policies from-zone Inside to-zone Zscaler policy permit-Inside-Zscaler match destination-address any
set security policies from-zone Inside to-zone Zscaler policy permit-Inside-Zscaler match application any
set security policies from-zone Inside to-zone Zscaler policy permit-Inside-Zscaler then permit
============route instance=====
set routing-instances RI_Zscaler instance-type forwarding
set routing-instances RI_Zscaler routing-options static route 0.0.0.0/0 next-hop 172.20.70.178
==========route options=====
set routing-options rib-groups RIBG_Zscaler import-rib inet.0
set routing-options rib-groups RIBG_Zscaler import-rib RI_Zscaler.inet.0
set routing-options interface-routes rib-group inet RIBG_Zscaler
==========firewall filter====
set firewall family inet filter Ftiler_Inside term 0 from source-address 10.0.8.0/24
set firewall family inet filter Ftiler_Inside term 0 from destination-address 0.0.0.0/0
set firewall family inet filter Ftiler_Inside term 0 from destination-address 10.0.0.0/8 except
set firewall family inet filter Ftiler_Inside term 0 from destination-address 172.16.0.0/12 except
set firewall family inet filter Ftiler_Inside term 0 then routing-instance RI_Zscaler
set firewall family inet filter Ftiler_Inside term 1 then accept
==========apply firewall filter to interface=====
set interfaces ge-0/0/3 unit 44 family inet filter input Ftiler_Inside
===========service RPM probe======
set services rpm probe ping_Zscaler_1 test primary_tunnel probe-type icmp-ping
set services rpm probe ping_Zscaler_1 test primary_tunnel target address 172.20.70.178
set services rpm probe ping_Zscaler_1 test primary_tunnel probe-count 5
set services rpm probe ping_Zscaler_1 test primary_tunnel probe-interval 2
set services rpm probe ping_Zscaler_1 test primary_tunnel test-interval 2
set services rpm probe ping_Zscaler_1 test primary_tunnel source-address 172.20.70.177
set services rpm probe ping_Zscaler_1 test primary_tunnel thresholds successive-loss 5
set services rpm probe ping_Zscaler_1 test primary_tunnel thresholds total-loss 5
=========apply rpm to ip monitoring=====
set services ip-monitoring policy PRB-tracking match rpm-probe ping_Zscaler_1
set services ip-monitoring policy PRB-tracking then preferred-route routing-instances RI_Zscaler route 0.0.0.0/0 next-hop 4.4.4.1
========
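The sections above only work together if the filter name, routing instance, RPM probe name and tunnel /30 addresses agree with each other. The following Python check is an added example, not part of the original post or of any Juniper or Zscaler tooling; the function names grab and audit are hypothetical, and SAMPLE is a constructed subset of the set commands shown above.

```python
import ipaddress
import re

# Constructed sample: a subset of the set commands shown on this page.
SAMPLE = """\
set interfaces gr-0/0/0 unit 0 family inet address 172.20.70.177/30
set routing-instances RI_Zscaler instance-type forwarding
set routing-instances RI_Zscaler routing-options static route 0.0.0.0/0 next-hop 172.20.70.178
set firewall family inet filter Ftiler_Inside term 0 then routing-instance RI_Zscaler
set interfaces ge-0/0/3 unit 44 family inet filter input Ftiler_Inside
set services rpm probe ping_Zscaler_1 test primary_tunnel target address 172.20.70.178
set services ip-monitoring policy PRB-tracking match rpm-probe ping_Zscaler_1
set services ip-monitoring policy PRB-tracking then preferred-route routing-instances RI_Zscaler route 0.0.0.0/0 next-hop 4.4.4.1
"""

def grab(cfg, pattern):
    """Return the set of values captured by pattern across all config lines."""
    return set(re.findall(pattern, cfg, re.M))

def audit(cfg):
    """Return a list of cross-reference problems in a block of set commands."""
    problems = []
    # Every name that is used must also be defined somewhere in the config.
    refs = [
        ("routing-instance", r"^set routing-instances (\S+) instance-type",
         r"(?:then routing-instance|preferred-route routing-instances) (\S+)"),
        ("firewall filter", r"^set firewall family inet filter (\S+) term",
         r"family inet filter input (\S+)"),
        ("rpm probe", r"^set services rpm probe (\S+) test",
         r"match rpm-probe (\S+)"),
    ]
    for kind, defined_re, used_re in refs:
        for name in sorted(grab(cfg, used_re) - grab(cfg, defined_re)):
            problems.append(f"{kind} {name} is used but not defined")
    # The tunnel's local address fixes which subnet the far end lives in.
    tunnels = [ipaddress.ip_interface(a) for a in
               grab(cfg, r"^set interfaces gr-\S+ unit \d+ family inet address (\S+)")]
    def on_tunnel(ip):
        ip = ipaddress.ip_address(ip)
        return any(ip in t.network and ip != t.ip for t in tunnels)
    static_re = r"^set routing-instances \S+ routing-options static route \S+ next-hop (\S+)"
    for ip in sorted(grab(cfg, static_re) | grab(cfg, r"target address (\S+)")):
        if not on_tunnel(ip):
            problems.append(f"{ip} is not the far end of a GRE tunnel subnet")
    # The failover next hop must leave via another path, not the tunnel itself.
    for ip in sorted(grab(cfg, r"preferred-route .* next-hop (\S+)")):
        if on_tunnel(ip):
            problems.append(f"failover next-hop {ip} points back into the tunnel")
    return problems
```

Call audit() on the candidate set commands before committing; an empty list means every reference resolves and the probe target and tunnel next hop sit on the far side of the GRE /30.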
Useful Link
https://help.zscaler.com/zia/gre-configuration-example-juniper-srx