CDT Secure Access Service Edge (CDT SASE)

A component of the California Government Enterprise Network (CGEN), CDT Secure Access Service Edge (CDT SASE) is a CDT managed network security service. CDT SASE provides Application Layer (Layer 7) security capabilities for CDT customers Virtual Route Forwarding (VRF) connectivity to CGEN and the Internet.

CDT manages the infrastructure and the customer chooses to manage the security policies or have CDT manage security policies. This infrastructure includes network equipment designed with region diversity, fault tolerance and scalability. Customers are still responsible for their own local area network (LAN).

Internet, Redundant Internet Links, CDT Managed WAN, CSGNET, CDT SASE, Customer VRF/ZoneX - Customer Cloud: AWS, AZURE Goggle, Oracle, Customer VRF/Zone Y - TMS, CDT SASE, Customer VRF/ZoneX - Field office, Customer VRF/ZoneY, HQ, CDT SASE, Customer VRF/ZoneY:SDWAN.


  • Layer 7 Firewall inspection including, URL filtering, IPS, malware and application level filtering
  • Dashboard login (with customer managed rules) to monitor firewall health, logs, and reporting of customer traffic
  • Geographically separated services for redundancy


VRF Filtering

CDT SASE provides protection by becoming the default gateway of one or many customer VRF(s). CDT SASE configures the customer VRF(s) as a Security Zone. The internet connectivity is provided by the existing CGEN WAN connectivity.

Layer 7 Filtering

CDT SASE provides Layer 7 filtering that you would expect from today’s modern Security Solutions. The CDT service request process will include detailed information you may need.

Customer Management

Customers can self-manage policies and have access to Monitor, Configure, and Troubleshoot their CDT SASE instance. Talk to your Account Lead about fully managed instances.


CDT SASE physical presence is located in Rancho Cordova and San Jose.

CDT SASE is available to any CDT Customer.

Currently Available Features
Planned Features
Software Defined Wide Area Network (SDWAN)SDWAN Virtual Network Function (VNF)
Firewall as a Service (FWaaS)Prisma Access Global Protect
Web Content Filtering (via FWaaS)Web Content Filtering (via Prisma Access)
DNS Security (via Infoblox)Security Orchestration, Automation, and Response
CDT Network Protection
Security Information and Event Management

What if I don’t have a VRF?
CDT will create any needed VRF configuration needed.

What throughput does the CDT SASE support?
From 250Mbps to 6Gbps, in increments of 250Mbps.

Is CDT SASE Redundant?
Yes, it is fault-tolerant in Rancho Cordova, CA, and region redundant in San Jose, CA

Why do I need to buy a minimum of 500Mbps to manage my own policies?
This is the required minimum to ensure the rates are competitive, based on license usage.

Is anything not supported on CDT SASE?
CDT SASE does not support end user VPN connections at this time.

Can CDT SASE terminate an IPSEC tunnel?
Yes, CDT SASE will terminate site-to-site Internet Protocol Security (IPsec) tunnels.

What technology/vendor does CDT SASE use?
The CDT Case / Request process will include this information and any other detailed information you may need. 

StageCDTCustomer (Managing own Security Policies)Customer (CDT Managing Security Policies)
PlanningParticipate in design meetings to determine customer requirements and appropriate solutions.Actively engage with CDT and vendor partners to collaboratively determine the best network connectivity option. Consider access mechanisms, security, integration, application architecture, disaster recovery, bandwidth needs, and customer specific requirements.Actively engage with CDT and vendor partners to collaboratively determine the best network connectivity option. Consider access mechanisms, security, integration, application architecture, disaster recovery, bandwidth needs, and customer specific requirements.
ProvisioningTurn up and test logical connections. Document connectivity.Provide CDT with any customer side of network information required to provision CDT SASE. Implement needed security policies.Provide CDT with any customer side of network information required to provision CDT SASE. Provide security rules for CDT to implement (if known).
Support24 x 7 x 365 CDT Service Desk support for network connectivity. Collaborate with customer and vendor partners for trouble resolution. Plan and augment capacity as needed.Implement security policies as required. Monitor Customer environment based on agency need. Collaborate with CDT for trouble resolution.Submit Firewall Request for Security Policy changes. Collaborate with CDT for trouble resolution.

The rate schedule represents standard CDT services. If a Customer requires technology solutions that are not part of the standard, CDT will review the Customer’s request and provide customized pricing as necessary.

Service DescriptionService IdentifierProduct NameUnit of MeasurementRateService CodeNotes
CDT SASE ConsultingNetwork ConsultingConsultingPer Hour$208.00G263Level 2 (Information Technology Manager I, Associate Telecommunication Engineer, Information Technology Specialist III)
CDT SASE ConsultingNetwork ConsultingConsultingPer Hour$191.00G363Level 3 (Information Technology Supervisor II, Information Technology Specialist II)
CDT SASE ConsultingNetwork ConsultingConsultingPer Hour$174.00G463Level 4 (Information Technology Supervisor I, Information Technology Specialist I)
CDT SASE ConsultingNetwork ConsultingConsultingPer Hour$129.00G563Level 5 (Information Technology Associate, Information Technology Technician)
Secure Access Service EdgeSecure Access Service EdgeNetwork ServicesMonthly/250 MB$293.00N788

Subscriptions to this service are available.


Customer enrollment in the CDT SASE is a two-step process that begins with the Customer submitting a Case/Request for a New Network Design and Cost Estimate for CDT SASE (link below). CDT will contact the Customer and schedule a requirements gathering meeting.

If the Customer wants to move forward, the Customer attaches the design and cost estimate to a second Case/Request for CDT SASE.

Enrollment in the CDT SASE

  1. The Customer contacts their Account Lead.
  2. The Customer submits a Case/Request for New Network Design and Cost Estimate for CDT SASE. A requirements gathering and design meeting will be scheduled by CDT if required.
  3. Based on this meeting, CDT attaches a cost estimate and high-level design to the Case/Request.
  4. Case/Request is closed.
  5. The Customer submits a second Case/Request for CDT SASE implementation by selecting Secure Access Service Edge (CDT SASE).
  6. CDT works with the Customer to implement design, test, and turn up connectivity.
  7. Case/Request is closed.

Submit a Case/Request a Design and Cost Estimate for CDT SASERequest Design/Cost Estimate
Submit a Case/Request CDT SASE ImplementationRequest Implementation

If you have questions or need further clarification, please contact your CDT Account Lead by using the Account Lead Directory, or call Customer Engagement at (916) 431-5390.