Configure Full Tunnel
How to set up full tunnel in CSE
Full Tunnel Overview
Cloud Secure Edge (CSE) Service Tunnels can be configured in “Full Tunnel” mode, in which the admin specifies that all traffic leaving a user’s device is routed through the encrypted tunnel.
Full tunnels are suitable for the following use cases:
- Drop-in replacement for an existing “remote access” full tunnel VPN
- Security compliance mandates that all network traffic from a device needs to flow through on-premises security appliances (this also requires a Private Edge deployment model)
Note: Full Tunnel is only supported for Private Edge deployments; it is not supported for Global Edge deployments.
Steps
Step 1: Configure a Full Tunnel CIDR Range in an Access Tier
1.1 In the CSE Command Center, navigate from Networks > Access Tiers, and create a new Access Tier or select an existing one to edit.
1.2 Under the Access Tier Configure tab, ensure that Yes is selected for Will you be securing a Service Tunnel with this Access Tier?.
1.3 Under Network Settings > What network would you like to make available?, enter 0.0.0.0/1 as the first CIDR range entry, then add another and enter 128.0.0.0/1 as the second CIDR range entry.
Note: Do not use 0.0.0.0/0 in the public CIDRs specification. A default route for 0.0.0.0/0 already exists on the device, and clobbering it can result in unpredictable behaviour. Instead of replacing the default route, override it with two more specific routes - 0.0.0.0/1 and 128.0.0.0/1 - that together cover the same address space as the default and therefore win under longest-prefix matching.
1.4 Either save your changes if editing an existing Access Tier or complete your Access Tier installation and validation if creating a new one.
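The following is an added example, not part of the CSE documentation: it models a device's longest-prefix-match route lookup to show why the two /1 routes from Step 1.3 take precedence over the untouched 0.0.0.0/0 default, and checks that the two halves are disjoint and add up to the full IPv4 space. The interface names and the 192.168.1.0/24 LAN route are constructed for illustration (a more specific route still wins, by the same rule the /1 routes rely on).

```python
import ipaddress

# Added example (not CSE product code): simulates longest-prefix matching
# over a constructed routing table. Interface names are hypothetical.

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")
FULL_TUNNEL_CIDRS = ("0.0.0.0/1", "128.0.0.0/1")


def covers_default(cidrs):
    """True if the CIDRs are pairwise disjoint and together cover all of IPv4."""
    nets = sorted(ipaddress.ip_network(c) for c in cidrs)
    # CIDR blocks either nest or are disjoint, so after sorting by address
    # it is enough to compare neighbours to detect any overlap.
    for a, b in zip(nets, nets[1:]):
        if a.overlaps(b):
            return False
    total = sum(n.num_addresses for n in nets)
    return total == DEFAULT_ROUTE.num_addresses


def lookup(routes, dst):
    """Return the interface of the most specific route matching dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


# Constructed routing table: the device's pre-existing default route and a
# hypothetical LAN route, plus the two full-tunnel CIDRs from Step 1.3.
ROUTES = [
    ("0.0.0.0/0", "eth0"),        # existing default route, left in place
    ("192.168.1.0/24", "eth0"),   # directly connected LAN (constructed)
    ("0.0.0.0/1", "tun0"),        # full-tunnel half 1: 0.0.0.0-127.255.255.255
    ("128.0.0.0/1", "tun0"),      # full-tunnel half 2: 128.0.0.0-255.255.255.255
]

if __name__ == "__main__":
    print("halves cover default:", covers_default(FULL_TUNNEL_CIDRS))
    for dst in ("8.8.8.8", "203.0.113.5", "192.168.1.10"):
        print(dst, "->", lookup(ROUTES, dst))
```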
Step 2: Add the Access Tier to your Service Tunnel Configuration
2.1 In the CSE Command Center, navigate from Private Access > Service Tunnels, and create a new Service Tunnel or select an existing one to edit.
2.2 In the Service Tunnel configuration, select Add Network. Select the Access Tier configured in Step 1 from the dropdown menu.
2.3 Recommended: Add any commonly accessed private domains to your Service Tunnel configuration: Navigate from Assignment Settings > DNS Suffix, and enter each DNS suffix associated with a hostname you need to be accessible. If you do not configure these private domains, end users in your org will not be able to access them.
2.4 Either save your changes if editing an existing Service Tunnel or complete your Service Tunnel configuration if creating a new one.