Description
A component of the California Government Enterprise Network (CGEN), CDT Secure Access Service Edge (CDT SASE) is a CDT managed network security service. CDT SASE provides Application Layer (Layer 7) security capabilities for CDT customers Virtual Route Forwarding (VRF) connectivity to CGEN and the Internet.
CDT manages the infrastructure and the customer chooses to manage the security policies or have CDT manage security policies. This infrastructure includes network equipment designed with region diversity, fault tolerance and scalability. Customers are still responsible for their own local area network (LAN).

Benefits
- Layer 7 Firewall inspection including, URL filtering, IPS, malware and application level filtering
- Dashboard login (with customer managed rules) to monitor firewall health, logs, and reporting of customer traffic
- Geographically separated services for redundancy
Optional
- Send logs to customer syslog server
- 24 x 7 monitoring, service desk, and security operations center (SOC) monitoring
- Filtering for field office(s), headquarters, TMS-B, Cloud Provider Interconnect (CPI), and SD-WAN
Specifications
VRF Filtering
CDT SASE provides protection by becoming the default gateway of one or many customer VRF(s). CDT SASE configures the customer VRF(s) as a Security Zone. The internet connectivity is provided by the existing CGEN WAN connectivity.
Layer 7 Filtering
CDT SASE provides Layer 7 filtering that you would expect from today’s modern Security Solutions. The CDT service request process will include detailed information you may need.
Customer Management
Customers can self-manage policies and have access to Monitor, Configure, and Troubleshoot their CDT SASE instance. Talk to your Account Lead about fully managed instances.
Location
CDT SASE physical presence is located in Rancho Cordova and San Jose.
Availability
CDT SASE is available to any CDT Customer.
Currently Available Features | Planned Features |
---|---|
Software Defined Wide Area Network (SDWAN) | SDWAN Virtual Network Function (VNF) |
Firewall as a Service (FWaaS) | Prisma Access Global Protect |
Web Content Filtering (via FWaaS) | Web Content Filtering (via Prisma Access) |
DNS Security (via Infoblox) | Security Orchestration, Automation, and Response |
CDT Network Protection | |
Security Information and Event Management |
Roles & Responsibilities
Stage | CDT | Customer (Managing own Security Policies) | Customer (CDT Managing Security Policies) |
---|---|---|---|
Planning | Participate in design meetings to determine customer requirements and appropriate solutions. | Actively engage with CDT and vendor partners to collaboratively determine the best network connectivity option. Consider access mechanisms, security, integration, application architecture, disaster recovery, bandwidth needs, and customer specific requirements. | Actively engage with CDT and vendor partners to collaboratively determine the best network connectivity option. Consider access mechanisms, security, integration, application architecture, disaster recovery, bandwidth needs, and customer specific requirements. |
Provisioning | Turn up and test logical connections. Document connectivity. | Provide CDT with any customer side of network information required to provision CDT SASE. Implement needed security policies. | Provide CDT with any customer side of network information required to provision CDT SASE. Provide security rules for CDT to implement (if known). |
Support | 24 x 7 x 365 CDT Service Desk support for network connectivity. Collaborate with customer and vendor partners for trouble resolution. Plan and augment capacity as needed. | Implement security policies as required. Monitor Customer environment based on agency need. Collaborate with CDT for trouble resolution. | Submit Firewall Request for Security Policy changes. Collaborate with CDT for trouble resolution. |
Rates
The rate schedule represents standard CDT services. If a Customer requires technology solutions that are not part of the standard, CDT will review the Customer’s request and provide customized pricing as necessary.
Service Description | Service Identifier | Product Name | Unit of Measurement | Rate | Service Code | Notes |
---|---|---|---|---|---|---|
CDT SASE Consulting | Network Consulting | Consulting | Per Hour | $208.00 | G263 | Level 2 (Information Technology Manager I, Associate Telecommunication Engineer, Information Technology Specialist III) |
CDT SASE Consulting | Network Consulting | Consulting | Per Hour | $191.00 | G363 | Level 3 (Information Technology Supervisor II, Information Technology Specialist II) |
CDT SASE Consulting | Network Consulting | Consulting | Per Hour | $174.00 | G463 | Level 4 (Information Technology Supervisor I, Information Technology Specialist I) |
CDT SASE Consulting | Network Consulting | Consulting | Per Hour | $129.00 | G563 | Level 5 (Information Technology Associate, Information Technology Technician) |
Secure Access Service Edge | Secure Access Service Edge | Network Services | Monthly/250 MB | $293.00 | N788 |
Subscriptions to this service are available.
Request service
Customer enrollment in the CDT SASE is a two-step process that begins with the Customer submitting a Case/Request for a New Network Design and Cost Estimate for CDT SASE (link below). CDT will contact the Customer and schedule a requirements gathering meeting.
If the Customer wants to move forward, the Customer attaches the design and cost estimate to a second Case/Request for CDT SASE.
Enrollment in the CDT SASE
If you have questions or need further clarification, please contact your CDT Account Lead by using the Account Lead Directory, or call Customer Engagement at (916) 431-5390.
Service Request Name Link
Submit a Case/Request a Design and Cost Estimate for CDT SASE Request Design/Cost Estimate
Submit a Case/Request CDT SASE Implementation Request Implementation
FAQs
1. What if I don’t have a VRF?
CDT will create any needed VRF configuration needed.
2. What throughput does the CDT SASE support?
From 250Mbps to 6Gbps, in increments of 250Mbps.
3. Is CDT SASE Redundant?
Yes, it is fault-tolerant in Rancho Cordova, CA, and region redundant in San Jose, CA.
4. Why do I need to buy a minimum of 500Mbps to manage my own policies?
This is the required minimum to ensure the rates are competitive, based on license usage.
5. Is anything not supported on CDT SASE?
CDT SASE does not support end user VPN connections at this time.
6. Can CDT SASE terminate an IPsec tunnel?
Yes, CDT SASE will terminate site-to-site Internet Protocol Security (IPsec) tunnels.
7. What technology/vendor does CDT SASE use?
The CDT Case / Request process will include this information and any other detailed information you may need.