Zia Platform Services Document 55


Zscaler Platform Services Document

Zscaler Internet Access

Zscaler’s Security-as-a-Service cloud platform delivers a safe and productive Internet experience for every user, from any
device and from any location. Zscaler effectively moves security into the Internet backbone, operating in more than 100 data
centers around the world and enabling organizations to fully leverage the promise of cloud and mobile computing with
unparalleled and uncompromising protection and performance. Zscaler delivers unified, carrier-grade Internet security,
advanced persistent threat (APT) protection, data loss prevention (DLP), SSL decryption, traffic shaping, policy management
and threat intelligence. The Security-as-a-Service cloud platform offers more than just IT scalability; it allows an organization
to scale its business operations securely without the need for on-premises hardware, appliances, or software.

Zscaler Confidential

Copyright © 2017 Zscaler, Inc. Zscaler® and the Zscaler logo are trademarks of Zscaler, Inc. in the United States. All other trademarks, trade names, or
service marks used or mentioned herein belong to their respective owners.

110 Rose Orchard Way, San Jose, CA 95134 | Phone: 1-800-953-3897 | www.zscaler.com 10/17
Contents
Introduction  5
    Zscaler Internet Security: Key Features  7
    Zscaler Cloud-Based Architecture  8
    SLA for High Availability and Latency  9
Traffic Forwarding: GRE Tunnels, IPSec Tunnels, PAC Files, and Proxy Chaining  10
    Overview  10
    Description  10
        GRE Tunnel  10
        IPSec VPN Tunnel  11
        PAC Files  11
        Proxy Chaining  12
    Customer Responsibilities  12
Dedicated Proxy Port  13
    Overview  13
    Description  13
    Customer Responsibilities  13
Authentication: SAML, LDAP, Passwords, Kerberos, ZAB, and Surrogate IP  13
    Overview  13
    Description  13
        SAML (Security Assertion Markup Language)  14
        LDAP (Secure Lightweight Directory Access Protocol)  14
        Passwords (Used with Hosted User Database only)  14
        Kerberos  15
        ZAB (Zscaler Authentication Bridge)  16
    Customer Responsibilities  17
        Surrogate IP  17
Logging and Reporting  18
    Overview  18
    Description  18
    Customer Responsibilities  19
Zscaler Nanolog Streaming Service (NSS) for Web Logs  19
    Overview  19
    Description  19
    Customer Responsibilities  19
Zscaler Nanolog Streaming Service (NSS) for Firewall and DNS Logs  20
    Overview  20
    Description  20
    Customer Responsibilities  20
Malware Protection  20
    Overview  20
    Description  21
    Customer Responsibilities  21
Advanced Threats Protection  21
    Overview  21
    Description  21
    Customer Responsibilities  22
Sandbox  22
    Overview  22
    Description  22
        Standard Sandbox  22
        Cloud Sandbox  23
    Customer Responsibilities  24
Browser Control  25
    Overview  25
    Description  25
    Customer Responsibilities  25
URL Filtering  25
    Overview  25
    Description  25
    Customer Responsibilities  26
Firewall Policy  26
    Overview  26
    Description  26
        Standard Firewall  26
        Cloud Firewall  27
    Customer Responsibilities  29
FTP Control  29
    Overview  29
    Description  29
    Customer Responsibilities  29
Bandwidth Control  30
    Overview  30
    Description  30
    Customer Responsibilities  30
SSL Inspection  31
    Overview  31
    Description  31
    Customer Responsibilities  31
SSL Inspection with Customer Root Certificate  32
    Overview  32
    Description  32
    Customer Responsibilities  32
Data Loss Prevention (DLP)  32
    Overview  32
    Description  33
    Customer Responsibilities  33
Cloud Application Control  33
    Overview  33
    Description  34
    Customer Responsibilities  34
Zscaler Identity Proxy  35
    Overview  35
    Description  35
    Customer Responsibilities  35
File Type Control  35
    Overview  35
    Description  35
    Customer Responsibilities  36
Zscaler App  36
    Overview  36
    Description  36
    Customer Responsibilities  37
Mobile Malware Protection  37
    Overview  37
    Description  37
    Customer Responsibilities  37
Mobile Applications Control  37
    Overview  37
    Description  38
    Customer Responsibilities  38
Virtual ZENs (VZENs)  38
    Overview  38
    Description  38
    Customer Responsibilities  39
Priority Categorization Service  39
    Overview  39
    Description  40
Device Protection  40
    Overview  40
    Description  40
    Customer Responsibilities  40
Private ZENs (PZENs)  41
    Overview  41
    Description  41
    Customer Responsibilities  41
Private Nanolog Streaming Service (NSS) Appliance for Web Logs  42
    Overview  42
    Description  42
    Customer Responsibilities  42
Intelligent Routing (Guest Wi-Fi)  43
    Overview  43
    Description  43
    Customer Responsibilities  44

Introduction
The IT landscape has shifted dramatically in today’s world. Cloud computing, mobility, and the Internet of Things are
massive, unstoppable trends and have created new challenges for IT departments, ranging from security against new
threat vectors to ensuring compliance with corporate policies and protecting against data loss. Organizations are finding
that individual point solutions like firewalls, UTMs, IDPs, and virus scanning have difficulty addressing constantly changing
threats and are challenging to tie together in a cohesive fashion to effectively identify and block the full breadth of threats.
Further, organizations are seeing that such centralized, hardware-based security gateways simply no longer make sense in
today's perimeter-less Internet, cloud, and mobile-first world.

Organizations are looking to cloud-based solutions to reduce security administrative overhead and streamline capital
investments in security infrastructure. They are seeing the significant value of purchasing security as a service with a
Service Level Agreement (SLA) as opposed to purchasing numerous point products that address individual issues and are
limited to the corporate perimeter.

Zscaler Internet Security meets all of these needs and more. Zscaler offers a unified Security-as-a-Service cloud platform
that seamlessly integrates multiple security and compliance applications without the need for on-premises hardware,
appliances, or software. The platform provides pervasive security for an organization’s users, scanning all inbound and
outbound traffic in real time to ensure compliance with corporate policies and protection from the latest threats. Further,
Zscaler’s cloud platform protects users across locations and devices, following users wherever they may be accessing the
Internet, and enables access to transaction logs and interactive reports across devices, locations, applications, and
platforms to help organizations understand their global security and compliance posture. Finally, Zscaler’s multitenant
architecture ensures that organizations benefit from the “network effect.” When a new threat is identified for any one of
Zscaler’s more than 5,000 customers, Zscaler immediately updates its signatures, thus protecting all users across its
network.

Zscaler Internet Security: Key Features
• Unified Policy and Reporting: Through one unified admin portal, create and manage security policies, view policy
recommendations, and perform reporting and analysis of traffic across devices and locations. You can also access
supplemental information quickly with tooltips for each field. Through the customizable admin portal dashboard, gain
real-time visibility into Internet traffic so that quick action can be taken upon anomalous trends or security threats.
• Role-based Administration: Control what different admins can do in the admin portal by delegating responsibilities and
granularly controlling levels of access to the admin portal, ensuring that admins do not create conflicting policies and
settings.
• Inline Threat Protection: Scan all HTTP/HTTPS inbound/outbound traffic, including SSL encrypted traffic, to secure
devices, users, data, and web applications against advanced security threats.
• Behavioral Analysis (BA): Implement non-signature based protection against zero-day exploits.
• URL Filtering: Protect your organization from harmful URLs using granular policies that specify who can access what
when, where, and how.
• Cloud Application Control: Manage access to cloud applications like webmail, streaming media, social networking, and
instant messaging with granular policies that specify who can access what when, where, and how.
• Bandwidth Control: Allocate bandwidth to prioritize business-critical web applications.
• Data Loss Prevention (DLP): Protect users across devices and networks to ensure data security, data privacy, and
regulatory requirements are met.
• Nanolog Streaming Service (NSS): Seamlessly transmit web and firewall logs from the Zscaler Cloud to the enterprise
security information and event management (SIEM) in real time.
• User Authentication: Authenticate users with existing security frameworks, including local password files, Active
Directory, Open LDAP, SAML, and Kerberos.
• Mobile Security: Apply consistent user-based policy across mobile devices, track mobile traffic, and protect against
web-based threats and malicious apps.
• Next Generation Firewall: Protect users connecting to the Internet with application visibility and user access-level
controls for all ports and protocols.
• Zscaler App: Install on devices to protect traffic even when users are outside the corporate network.
• Shift: Protect users with Zscaler’s DNS anycast servers as well as inline inspection and malware protection.
• Virtual ZENs (VZENs): Deploy to extend Zscaler’s cloud architecture to the customer’s organizational premises using
virtual machines (recommended only for organizations with specific regulatory or connectivity requirements).
• Packaging Options: Choose from multiple service packages to best address unique business requirements.
• Support: Receive expert management and monitoring of all deployed security policies.

Zscaler Cloud-Based Architecture
Zscaler operates the world’s largest Security-as-a-Service cloud platform to provide the industry’s only 100% cloud-delivered
web and mobile security solution. The Zscaler platform processes more than 40 billion transactions daily from more than 15
million users in 190 countries, across more than 100 data centers located at strategic inter-connection points across the
Internet. All hub data centers are certified as ISO 27001 or SAS70 (or a similar local certification) as applicable and are Tier III
facilities with redundant connectivity into multiple backbones and dual power feeds with UPS and backup generators. They
also possess fire detection and suppression equipment. Failover from one data center to another is seamless.

Zscaler has a highly scalable, global multi-cloud infrastructure. An organization is provisioned on one cloud and its traffic is
processed by that cloud only. The name of the cloud on which an organization is provisioned is specified in the administrative
URL that the customer admin uses to log in to Zscaler. For example, if an organization logs into https://admin.zscaler.net, then
the organization is provisioned on the zscaler.net cloud.

Each Zscaler cloud has three key components—the Central Authority, Zscaler Enforcement Nodes and Nanolog clusters.
The Central Authority (CA) is the brain and nervous system of a Zscaler cloud. It monitors the cloud and provides a central
location for software and database updates, policy and configuration settings, and threat intelligence. The CA consists of
one active server and two servers in passive standby mode. The active CA replicates data in real time to the two standby
CAs, so any of them can become active at any time. Each server is hosted in a separate location to ensure fault tolerance.

Zscaler Enforcement Nodes (ZENs) are full-featured inline Internet security gateways that inspect all Internet traffic
bidirectionally for malware and enforce security and compliance policies. An organization can forward its traffic to any ZEN in
the world or use the advanced geo-IP resolution capability of Zscaler to direct its users’ traffic to the nearest ZEN. When
the user moves to a different location, the policy follows the user, with the ZEN downloading the appropriate policy. Each
ZEN can handle hundreds of thousands of concurrent users with millions of concurrent sessions. With the exception of
sandboxing, all inspection engines run within the ZEN. Customer traffic is not passed to any other component within the
Zscaler infrastructure. The TCP stack on the ZEN runs in user mode, and is specially crafted to ensure multitenancy and
data security. ZENs never store any data to disk. Packet data is held in memory for inspection and then, based on policy, is
either forwarded or dropped. Log data generated for every transaction is compressed, tokenized, and exported over secure
TLS connections to Log Routers that direct the logs to the Nanolog cluster, hosted in the appropriate geographical region,
for each organization. ZENs are always deployed in active-active load balancing mode all over the world, and the CA
monitors the health of ZENs to ensure availability.

Nanolog clusters store transaction logs and provide reports. Each cluster consists of one active server and two servers in
passive standby mode. The active Nanolog immediately replicates data to the other two servers, so any of them can
become active at any time, with no data loss. Each Nanolog server is hosted in a separate location to ensure fault
tolerance. Every second, a Nanolog cluster receives logs from all over the world, correlates them to a specific customer
organization, and writes them to disk for high-speed retrieval of reporting and analytics. A Nanolog cluster processes over
12 billion logs per day. Additionally, Zscaler offers a Nanolog Streaming Service (NSS), which uses a virtual appliance to
stream web and firewall traffic logs in real time from the Zscaler Nanolog to the customer’s security information and event
management (SIEM) system.

Additionally, each cloud has various support systems and servers, including:
• Sandbox servers, where files selected for Behavioral Analysis (BA) are sent for analysis and where the resulting reports
are stored.
• PAC file servers, which host Zscaler PAC files and custom PAC files uploaded to Zscaler. Configuring browsers to use
PAC files is one of the traffic forwarding methods that Zscaler supports.
• Administrative interface servers, which provide an intuitive, multi-tenant interface for policy management and reporting.
• Log Routers, which ensure logs for each organization are stored in the appropriate Nanolog cluster.
All components communicate with each other over encrypted SSL/TLS connections.

Finally, Zscaler Feed Central is a separate Zscaler cloud used solely for the centralized distribution of various feeds to the
Zscaler clouds. Zscaler has a number of partnerships—with Microsoft, Google, RSA, Verisign, and others—for getting data
feeds, including feeds for URL filtering, anti-virus definitions, and IP reputation. Zscaler Feed Central distributes its threat
intelligence and other feeds to the CA, which then sends updates to the ZENs, ensuring that every ZEN has the latest
version of the URL database and the latest malware and threat information.

SLA for High Availability and Latency

With Zscaler’s high-performance architecture, customers can enable all features and provide full security to users without
compromising performance. Zscaler provides Service Level Agreements (SLAs) for high availability and latency (see
http://www.zscaler.com/legal/end-user-subscription-agreement.php). Customers can validate that SLAs are met by going to
https://trust.zscaler.com, where they can find updated information about each cloud's status, maintenance, and incident
events.

Traffic Forwarding: GRE Tunnels, IPSec Tunnels, PAC Files, and Proxy Chaining
Overview
Customer organizations must forward all Internet traffic to Zscaler to allow Zscaler to scan web and mobile traffic
bidirectionally. Zscaler supports a number of methods for forwarding Internet traffic, including GRE tunnels, IPSec tunnels,
PAC files, and proxy chaining.

Zscaler recommends that customers use a combination of tunneling and PAC files to forward traffic to Zscaler. If the
customer has an internal router, switch, or firewall that supports GRE, and the egress port has a static address, Zscaler
recommends that the customer configure a GRE tunnel to forward all outbound traffic from the customer’s location to
Zscaler. If the customer’s router or firewall does not support GRE or if the customer uses dynamic IP addresses, the
customer can use an IPSec VPN tunnel instead. Note that IPSec tunnels have additional processing overhead on the
customer’s equipment compared to GRE tunnels, because IPSec encrypts the tunneled traffic; a GRE tunnel carries the
traffic to the ZEN in the clear, so it adds no protection on the path between the customer’s egress and the ZEN (sessions
that are already TLS-protected stay protected end to end). Zscaler also recommends that the customer deploy mechanisms
such as IP SLA to monitor tunnel health and enable fast failover. In addition to the GRE or IPSec VPN tunnel, Zscaler
recommends that customers install a PAC file for each user to ensure coverage outside the corporate network.

Description
Zscaler supports the following forwarding methods.

GRE Tunnel

• If the customer has an internal router, switch, or firewall that supports GRE, and the egress port has a static address,
Zscaler recommends that the customer configure a GRE tunnel to forward all outbound traffic from the customer’s
location to Zscaler.
• Zscaler recommends that the customer also install a PAC file for each user to ensure coverage outside the corporate
network.
• Zscaler recommends the following deployments. They provide visibility into the internal IP addresses, which can be
used for Zscaler security policies and logging. They also ensure high availability. If the primary GRE tunnel or an
intermediate connection goes down, all traffic is then rerouted through the backup GRE tunnel to the secondary data
center.
o GRE tunnels from the internal router to the Zscaler Enforcement Nodes (ZEN): Configure two GRE tunnels
from an internal router behind the firewall to the ZENs—a primary tunnel from the router to a ZEN in one data
center, and a secondary tunnel from the router to a ZEN in another data center.
o GRE tunnels from the corporate firewall to the ZENs: Configure two GRE tunnels from the firewall to the
ZENs—a primary tunnel from the firewall to a ZEN in one data center, and a secondary tunnel from the
firewall to a ZEN in another data center.
The customer must ensure that if the primary tunnel goes down, the router detects it and changes the routing table or
routing instance so that the secondary tunnel is used for traffic forwarding and vice versa, with mechanisms like IP
SLA that are native to the router.

• If the customer’s firewall or router performs NAT before it sends traffic through the tunnel, the customer should consider
disabling NAT to allow Zscaler to see internal IP addresses. This enables Zscaler to use internal IP addresses for
logging and reporting.
• GRE tunnels offer the following benefits:
o They support failover in case the primary ZEN becomes unavailable.
o There is minimal overhead, and no configuration is required on computers or laptops.
o Users on the customer’s corporate network cannot bypass Zscaler.

IPSec VPN Tunnel

• If the customer’s router or firewall does not support GRE, or if the customer uses dynamic IP addresses, the customer
can use an IPSec VPN tunnel to forward traffic to Zscaler.
• Zscaler recommends that the customer also install a PAC file for each user to ensure coverage outside the corporate
network.
• Zscaler recommends the following deployments. They provide visibility into the internal IP addresses, which can be
used for Zscaler security policies and logging. They also ensure high availability. If the primary tunnel or an
intermediate connection goes down, all traffic is then rerouted through the backup tunnel to the secondary data
center.
o IPSec tunnels from the internal router to the ZENs: Configure two IPSec tunnels from an internal router to the
ZENs—a primary tunnel from the router to a ZEN in one data center and a secondary tunnel from the router to
a ZEN in another data center.
o IPSec tunnels from the corporate firewall to the ZENs: Configure two IPSec tunnels from the firewall to the
ZENs—a primary tunnel from the firewall to a ZEN in one data center, and a secondary tunnel from the firewall
to a ZEN in another data center. On the firewall, the customer defines one rule to send HTTP and HTTPS traffic
through the IPSec tunnel to ZENs.
The customer must ensure that if the primary tunnel goes down, that the router detects it and changes the routing
table or routing instance so that the secondary tunnel is used for traffic forwarding and vice versa, with mechanisms
like IP SLAs that are native to the router.
• IPSec VPN tunnels offer the following benefits:
o They support failover if the primary ZEN becomes unavailable.
o No configuration is required on computers or laptops.
o Users on the customer’s corporate network cannot bypass Zscaler.

PAC Files

• The customer can use either a default PAC file or a custom PAC file hosted by Zscaler.
• The default PAC file uses Geo-location technology to find the ZENs that are closest to the user and instructs the
browser to forward its Internet traffic to the nearest ZEN. Because it is the browser itself that is configured to retrieve
the PAC file and forwards traffic accordingly, traffic is forwarded to Zscaler regardless of the user’s network.

• PAC-file forwarding is enforced on the endpoint, so it holds only if users cannot change their proxy settings. The
customer must ensure that users do not have admin rights that let them circumvent Zscaler, for example by installing a
nonstandard browser that ignores the system proxy settings or by removing the PAC setting.
• Users can have local admin rights on their devices, but changing the PAC file itself, which Zscaler hosts, requires
network admin rights. A local admin can still alter the browser’s proxy configuration, which is why the previous point
matters.
• Zscaler recommends that the customer either use the Zscaler default PAC file or copy and paste it into a new PAC
file, and then add any necessary arguments and exceptions.
• Zscaler recommends that the customer use the variables ${GATEWAY} and ${SECONDARY_GATEWAY} to define
the primary and secondary ZENs and to ensure the device always connects to the nearest ZEN regardless of the
location of the device.
• PAC files offer the following benefits:
o They direct the browser to forward traffic to Zscaler whether the user is onsite or offsite.
o All major browsers support PAC files.
o Microsoft Internet Explorer PAC settings can be enforced organization-wide using Microsoft Active
Directory Group Policies (GPO).
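As an added example (not Zscaler’s default PAC file, and not code from this document), the following PAC file implements the pattern the bullets above describe: the two gateway variables for primary and secondary ZEN failover, plus the exceptions that keep intranet traffic off Zscaler, which the Customer Responsibilities later in this section require. The internal domain corp.example, the private address ranges, port 80 and the helper shims are assumptions made for the example; the shims exist only so the file can be run under Node and must be removed before the file is uploaded to Zscaler.

```javascript
'use strict';

// Added example PAC file; not Zscaler's default PAC file.
// --- Helper shims ---------------------------------------------------------
// A browser supplies these inside its PAC sandbox. They are re-implemented
// here only so the file can be exercised under Node; remove them before
// uploading the file to Zscaler. isInNet() here matches literal IPv4
// addresses only and does not resolve host names.
function isPlainHostName(host) { return host.indexOf('.') === -1; }
function dnsDomainIs(host, domain) {
  return host.length > domain.length && host.slice(-domain.length) === domain;
}
function ip4(s) {                       // dotted quad -> unsigned 32-bit, or null
  const p = s.split('.');
  if (p.length !== 4) return null;
  let n = 0;
  for (const part of p) {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) return null;
    n = n * 256 + Number(part);
  }
  return n;
}
function isInNet(host, pattern, mask) {
  const h = ip4(host), p = ip4(pattern), m = ip4(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}
function shExpMatch(str, shexp) {       // shell glob: * and ? only
  const re = shexp.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + re + '$').test(str);
}

// --- PAC logic ------------------------------------------------------------
function FindProxyForURL(url, host) {
  // Intranet names stay off Zscaler: single-label hosts, the assumed
  // internal domain corp.example, and local mDNS names.
  if (isPlainHostName(host) || host === 'localhost' ||
      dnsDomainIs(host, '.corp.example') || shExpMatch(host, '*.local')) {
    return 'DIRECT';
  }
  // Private (RFC 1918) and loopback destinations go direct.
  if (isInNet(host, '10.0.0.0', '255.0.0.0') ||
      isInNet(host, '172.16.0.0', '255.240.0.0') ||
      isInNet(host, '192.168.0.0', '255.255.0.0') ||
      isInNet(host, '127.0.0.0', '255.0.0.0')) {
    return 'DIRECT';
  }
  // Everything else: nearest ZEN, then the secondary ZEN. The Zscaler PAC
  // server replaces ${GATEWAY} and ${SECONDARY_GATEWAY} when it serves the
  // file, so the browser sees real ZEN addresses. Port 80 is an assumption;
  // a dedicated proxy port would replace it. The trailing DIRECT makes the
  // browser fail open if both ZENs are unreachable.
  return 'PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT';
}

// Stand-in for the substitution the Zscaler PAC server performs; used only
// to show what the browser receives. Not part of the PAC file.
function renderGateways(pacResult, primary, secondary) {
  return pacResult.split('${SECONDARY_GATEWAY}').join(secondary)
                  .split('${GATEWAY}').join(primary);
}
```

The trailing DIRECT fails open: if both ZENs are unreachable, the browser connects directly and no Zscaler policy is applied. Drop it if the organization prefers to fail closed, accepting that the user loses Internet access while the tunnel and both ZENs are down. A PAC file only steers browsers and other proxy-aware clients; it cannot force traffic from software that ignores the system proxy settings, which is why the bullets above pair it with a tunnel for users on the corporate network.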

Proxy Chaining

• This is a quick and easy way to forward the customer’s traffic to Zscaler for evaluation purposes, but Zscaler
does not recommend proxy chaining as a long-term solution: proxy servers that support failover at all typically
support only manual failover, which is not recommended for production environments.
• The customer’s organization can configure the proxy server to forward traffic to a ZEN. This method leverages
the customer’s existing proxy servers, with no additional changes to the network.
• The latency of the proxy server will affect the traffic forwarding latency.
• If the proxy server also performs caching, downstream authentication could be an issue.
• If the local proxy has a cache, it could affect policy enforcement and reporting.
• Zscaler recommends that the customer also install a PAC file for each user to ensure coverage outside the
corporate network.

Customer Responsibilities
• The customer must ensure the organization has been provisioned on Zscaler.
• The customer must use one of the supported methods to forward its Internet traffic to Zscaler and ensure their traffic is
forwarded to Zscaler. Customer must ensure redundancy.
• The customer must ensure that firewall configurations and network settings allow the types of traffic necessary. See
https://ips.<zscaler-cloud-name>/addresses. For example, customers on the zscalerone cloud should go to
https://ips.zscalerone.net/addresses.
• The customer is responsible for ensuring that internal traffic (to the corporate intranet) is not directed to Zscaler.
• For GRE and IPSec tunnels and proxy chaining, the customer must use hardware that is interoperable and supported
by Zscaler. The customer must ensure that hardware is installed and operated according to applicable third party
vendor specifications and recommendations, and ensure that hardware has the capacity required for forwarding traffic
to Zscaler.

Dedicated Proxy Port
Overview
The customer can subscribe to one or more dedicated proxy ports, associate them with a location, and then forward the
organization’s road warrior traffic to those ports.

Description
Forwarding road warriors to the customer’s subscribed ports enables Zscaler to do the following:
• When SSL inspection is enabled at the location, apply all the SSL settings to road warrior traffic, including the ability to
exclude URL categories and custom domains from decryption. This also allows road warriors to automatically authenticate
using the customer’s Security Assertion Markup Language (SAML) ID provider.
• Apply the location’s policies, instead of the default policy, to road warrior traffic that cannot be authenticated, such as
transactions that use unknown agents or non-HTTP protocols.
• Support FTP over HTTP for road warriors, enabling Zscaler’s anti-virus engine to scan content for viruses and spyware
when a road warrior’s browser connects to FTP sites and downloads files.
• Identify a road warrior’s organization and display its logo on the login page. In addition, if SAML authentication is used,
road warriors are not prompted to enter their login name.
• The customer can indicate a port preference between 10001 and 60000. If the port is available, it is allocated to the
customer; otherwise, a random unused port is allocated.

Customer Responsibilities
• The customer is responsible for ensuring that Internet traffic is forwarded to the subscribed proxy port.
• The customer must ensure proper settings are configured in the Zscaler admin portal.
• The customer must ensure that the first transaction is a transaction that can be authenticated by Zscaler. The first
transaction may be an HTTPS transaction from a browser if Zscaler is permitted to temporarily intercept it.
• The customer is responsible for installing the certificate Zscaler uses for SSL interception as a trusted certificate on the
browser (or in the device’s trust store) so that interception does not trigger warnings from the browser.

Authentication: SAML, LDAP, Passwords, Kerberos, ZAB, and Surrogate IP

Overview
Authentication enables Zscaler to identify the traffic that it receives so it can enforce configured department, group, and
user policies, and provide user and department logging and reporting. Though Zscaler supports various mechanisms, it
recommends deploying Identity Federation using SAML for provisioning and authentication.

Description
Zscaler supports the following methods for authentication.

SAML (Security Assertion Markup Language)

Description
• Zscaler supports SAML 2.0 (or later) with the HTTP POST binding for authentication.
• This is the method Zscaler recommends for authentication.
• Using SAML for authentication enables Single Sign-On (SSO), so users can authenticate once to an identity
provider (IdP) and then access various services.
• SAML requires no changes to the existing firewall, but road warriors who are trying to authenticate will require
access to the SAML IdP from the Internet.
• First-time Zscaler authentication may be made transparent to the user.
• SAML can be obtained for free through some Zscaler partners.

Requirements
• Obtain the SAML service and implement it.
• If the customer wants to use a cloud-based IdP, the customer must check its availability in their region.

LDAP (Lightweight Directory Access Protocol)

Description
• If the customer’s organization uses a directory server like an Active Directory (AD) or an LDAP server to manage
user information, Zscaler can synchronize user information from the directory server to the Zscaler database
and perform an LDAP query to the directory server to authenticate those users.
• With LDAP, the customer’s organization can use the customer’s existing authentication infrastructure, and no
software or hardware installation is required on site.
• Zscaler synchronizes only the email address, the name, and the user’s group and department. Passwords are
not synchronized or saved in the Zscaler cloud.

Requirements
• The customer must configure the firewall to allow inbound LDAP connections from the Zscaler service, using the
addresses listed at https://ips.<zscaler-cloud-name>/addresses. For example, customers on the zscalerone cloud
should go to https://ips.zscalerone.net/addresses. (The ZAB, described below, avoids these inbound connections.)
• Zscaler must have read-only access to the directory.
• The directory server must allow Zscaler to perform an LDAP BIND.

Passwords (Used with Hosted User Database only)

Description
• When users are added directly to the Zscaler database (through adding information manually on the Zscaler
admin portal, importing information from a CSV file, or ZAB), Zscaler can perform password-based
authentication.
• The passwords are uploaded to the Zscaler database with the username, group, and department
information. Passwords are stored in the database as salted hashes.
• Valid email addresses are not required if the customer administrator can manage password changes. With
one-time token enabled, valid email addresses are required, but users will manage their own password
changes; the customer administrator need not manage password changes.
• The customer can define the complexity of passwords and configure expiry periods. For additional security,
the customer can require users to enter a password different from their corporate password.
• No software or hardware installation is required on site.

Requirements
• Administrators need to manage passwords if valid email addresses are not used.

Kerberos

Description
• This is a ticket-based authentication protocol that does not use cookies for authentication, so Zscaler can
authenticate users for applications that do not use cookies, like Office 365.
• Kerberos enables SSO authentication. Users authenticate themselves once with their domain controller, when
they log in to their corporate domain. They do not have to log in and authenticate to Zscaler.
• The customer’s organization can use Kerberos as its sole authentication method or combine it with another
method, such as SAML or LDAP.
• Kerberos is a secure open standard protocol that most operating systems support, including Windows 7,
Windows 8, OS X, Linux, and FreeBSD. Additionally, most browsers support Kerberos authentication, including
Internet Explorer, Firefox, and Safari.
• It can be used to authenticate road warriors (DirectAccess or a third party VPN solution that can provide
connectivity to the Domain Controller is required).
• Zscaler can enforce granular user, group, and department policies on browser-based FTP transactions as well
as HTTPS transactions, without having to decrypt the HTTPS transactions.
• The customer’s organization does not need to configure its firewall to allow incoming connections from the
Zscaler Enforcement Nodes (ZENs).
• Zscaler does not support Kerberos on Windows XP, Apple iOS, or Android devices.

Requirements
• The customer must use a PAC file to forward traffic to Zscaler. Zscaler supports Kerberos authentication only
for traffic forwarded in explicit mode. Therefore, even if a location is forwarding traffic to Zscaler through a
GRE or IPSec tunnel, the customer must use a PAC file to forward traffic in order to use Kerberos for
authentication.
• Users must be provisioned on Zscaler before they can use Kerberos for authentication. The login name that is
used for provisioning must be identical to the name in the Kerberos token.
• Ensure that the DNS server on site can resolve Zscaler host names (Zscaler PAC servers; Central Authority,
which hosts the Zscaler Key Distribution Center (KDC); and ZENs). If this is not possible from the location,
then the customer’s organization must conditionally forward Zscaler cloud domain resolution to the Zscaler
DNS servers.
• Zscaler KDC must be reachable from the users’ computers.
• Domain controller must be reachable from the users’ computers.
• Additionally, the following are required in a Windows environment:
o A domain controller that runs Windows Server 2003 or higher.
o Client devices must run Windows Vista or higher.

ZAB (Zscaler Authentication Bridge)

Description
• The ZAB is a virtual appliance that enables the customer’s organization to provision users by automatically
importing user information from an AD or LDAP server to the Zscaler database, without requiring inbound
connections to the customer’s directory server.
• The ZAB can be used solely as a provisioning tool in conjunction with another authentication mechanism, such
as SAML or Kerberos. Alternatively, it can be used for authentication as well, using LDAP with SSL client
certificates.
• The virtual appliance is managed and maintained by the customer’s organization.
• The ZAB requires minimal administration. After the customer deploys it, the customer can configure it to
synchronize users on demand or automatically on a daily, weekly, or monthly schedule.
• The ZAB does not synchronize passwords. Passwords are always stored and maintained on the customer’s
directory server.

Requirements
• The customer must download and install the virtual appliance.
• The customer must adhere to the resource requirements of the virtual appliance and hypervisor. The ZAB
requires outbound connections to Zscaler. The customer must ensure that their outbound firewall is
configured to allow the necessary connections, as described at
https://ips.<zscaler-cloud-name>/addresses/zab.html. For example, customers on the zscalerone cloud
should go to https://ips.zscalerone.net/addresses/zab.html.

Customer Responsibilities
• The customer must forward its Internet traffic to Zscaler.
• The customer must use one of the supported methods to authenticate users.
• The customer must use third party software and hardware that are interoperable and supported by Zscaler. The
customer must ensure that the software and hardware are installed and operated according to applicable third party
vendor specifications and recommendations, and ensure that they have the necessary capacity.

Surrogate IP

Description
• The customer can enable the Zscaler service to map a user to a device IP address so it applies the user’s
policies, instead of the location’s policies, to traffic it receives from unknown user agents, and optionally, from
known browsers.
• If the customer enables Surrogate IP for known browsers, the service will leverage IP-to-user mapping to
authenticate users and apply user policies even if users browse to sites that support cookies. This enables the
service to authenticate without requiring the browser to complete HTTP redirects for every transaction, ensuring
performance even for users who connect, for example, over high-latency satellite links.
• If the user browses the Internet from multiple IP addresses, the service maps all the IP addresses to the user
and associates the transactions with the user in the logs.
• If the customer enables this feature on a location with at least one subscribed port, the service maps the
external IP address and not the internal or device IP address to the user, so it can apply user-level policies to
road warrior traffic that it cannot authenticate.

Requirements
• The customer’s organization must forward traffic to Zscaler with one of the following methods:
o A GRE or IPSec tunnel without NAT.
o Proxy chaining with the XFF Forwarding option enabled on the location.
o A dedicated proxy port.
• The customer must enable authentication for the location in the admin portal.
• The customer must enable this feature in the admin portal.

NOTE: There may be scenarios in which the service does not authenticate traffic (for example, traffic to URLs or cloud
apps selected under Authentication Bypass, or traffic to applications that do not support cookie authentication). For policies
in which users and departments can be specified in the criteria, the customer has control over which rules the service
applies to such unauthenticated traffic. This is useful for customers who currently place a default block on Internet traffic (a
URL filtering rule that blocks all traffic which is not explicitly allowed through the URL filtering policy).
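The following is an added model (not Zscaler’s code) of the Surrogate IP behaviour described above: a transaction that authenticates creates an IP-to-user mapping; later traffic from that address that cannot authenticate (unknown user agents, and known browsers only when the option for them is enabled) gets the user’s policy; anything else falls to the location policy, as the NOTE describes. For a location with a dedicated proxy port the mapping is keyed on the external address. The idle timeout, user names, addresses and policy outcomes are constructed for the example; the service’s real timers and internals are not on this page.

```javascript
'use strict';

// Added example, not Zscaler's implementation: a model of Surrogate IP.
const IDLE_TIMEOUT_MS = 15 * 60 * 1000;   // assumed mapping lifetime; not a Zscaler default

class SurrogateIpTable {
  constructor(idleMs = IDLE_TIMEOUT_MS) {
    this.idleMs = idleMs;
    this.byIp = new Map();                 // ip -> { user, lastSeen }
  }
  // Record a mapping once a transaction from ip has been authenticated.
  learn(ip, user, now) {
    this.byIp.set(ip, { user, lastSeen: now });
  }
  // Return the user mapped to ip (refreshing the entry), or null if there is
  // no mapping or it has been idle longer than the timeout.
  lookup(ip, now) {
    const e = this.byIp.get(ip);
    if (!e) return null;
    if (now - e.lastSeen > this.idleMs) { this.byIp.delete(ip); return null; }
    e.lastSeen = now;
    return e.user;
  }
}

// The address the mapping is keyed on: the device IP when traffic arrives
// through a tunnel without NAT (or carries XFF), but the external IP for a
// location with a dedicated proxy port, as the bullets above describe.
function mappingKey(tx, location) {
  return location.dedicatedPort ? tx.externalIp : tx.deviceIp;
}

// Decide which policy applies to one transaction.
//   tx:       { deviceIp, externalIp, authenticatedUser (string|null), knownBrowser (bool) }
//   location: { surrogateIp, surrogateForKnownBrowsers, dedicatedPort }
// Returns { scope: 'user' | 'redirect' | 'location', user, via }.
function selectPolicy(tx, location, table, now) {
  const key = mappingKey(tx, location);
  if (tx.authenticatedUser) {                 // cookie or SAML assertion identified the user
    if (location.surrogateIp) table.learn(key, tx.authenticatedUser, now);
    return { scope: 'user', user: tx.authenticatedUser, via: 'auth' };
  }
  if (location.surrogateIp) {
    // Unknown user agents are always eligible; known browsers only when the
    // option for them is enabled (this is what avoids the per-site redirect).
    const eligible = !tx.knownBrowser || location.surrogateForKnownBrowsers;
    const user = eligible ? table.lookup(key, now) : null;
    if (user) return { scope: 'user', user, via: 'surrogate' };
  }
  if (tx.knownBrowser) {
    return { scope: 'redirect', user: null, via: 'none' };  // the browser can complete the auth redirect
  }
  return { scope: 'location', user: null, via: 'none' };   // cannot authenticate: location policy (see NOTE)
}

// Constructed timeline; returns compact decision strings for checking.
function runScenario() {
  const out = [];
  const fmt = d => (d.user ? `${d.scope}:${d.user}:${d.via}` : `${d.scope}:${d.via}`);
  const t0 = Date.UTC(2017, 9, 3, 12, 0, 0);
  const min = 60 * 1000;

  // Office location: tunnel without NAT, Surrogate IP on, not for known browsers.
  const office = { surrogateIp: true, surrogateForKnownBrowsers: false, dedicatedPort: false };
  const officeTable = new SurrogateIpTable();
  const pc = { deviceIp: '10.1.1.5', externalIp: '198.51.100.2' };
  out.push(fmt(selectPolicy({ ...pc, authenticatedUser: 'alice', knownBrowser: true }, office, officeTable, t0)));
  out.push(fmt(selectPolicy({ ...pc, authenticatedUser: null, knownBrowser: false }, office, officeTable, t0 + 1 * min)));  // updater, no cookie
  out.push(fmt(selectPolicy({ ...pc, authenticatedUser: null, knownBrowser: true }, office, officeTable, t0 + 2 * min)));   // browser without cookie
  out.push(fmt(selectPolicy({ deviceIp: '10.1.1.9', externalIp: '198.51.100.2', authenticatedUser: null, knownBrowser: false },
                            office, officeTable, t0 + 3 * min)));                                                          // unmapped device
  out.push(fmt(selectPolicy({ ...pc, authenticatedUser: null, knownBrowser: false }, office, officeTable, t0 + 20 * min))); // idle 19 min: expired

  // Road-warrior location with a dedicated proxy port: keyed on the external IP.
  const remote = { surrogateIp: true, surrogateForKnownBrowsers: true, dedicatedPort: true };
  const remoteTable = new SurrogateIpTable();
  const laptop = { deviceIp: '192.168.1.20', externalIp: '203.0.113.7' };
  out.push(fmt(selectPolicy({ ...laptop, authenticatedUser: 'bob', knownBrowser: true }, remote, remoteTable, t0)));
  out.push(fmt(selectPolicy({ ...laptop, authenticatedUser: null, knownBrowser: true }, remote, remoteTable, t0 + 1 * min))); // no redirect needed
  return out;
}
```

The expiry step is the one to watch in a real deployment: on a shared or NATed address, a stale mapping attributes another person’s traffic to the last user who authenticated, which is why the mapping is keyed on an un-NATed device address wherever the forwarding method allows it.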

Logging and Reporting
Overview
Zscaler gives the customer instant, detailed visibility into globally correlated user transaction logs across devices, locations,
applications, and platforms. Zscaler’s dashboards provide real-time visibility into the customer’s Internet traffic so that
Internet usage can be tracked and action quickly taken upon anomalous trends or security threats. Zscaler’s Analytics lets
the customer interactively mine billions of transaction logs for reports that provide insight on specific queries.

Description
• Zscaler automatically logs all user transactions and stores them in the Zscaler cloud. Transactions are stored for six
months. To comply with local laws and regulations, the customer can specify in which geographical region logs are
stored. For example, a German organization may have its logs stored in Europe.
• Zscaler only logs traffic metadata, user and company binary identifiers, and other transaction information. There is no
actual content in the logs. For example, if a user sends email through Gmail or a similar service, Zscaler only logs
information about the transaction; it does not log the content.
• Zscaler does not keep any data relevant to PCI/HIPAA compliance in its cloud.
• Multiple dashboards provide different views and present data in interactive charts, so the customer can instantly jump
from a chart to individual transactions.
• The customer can generate real-time reports that give specific insights into web and mobile activity by user,
department, or location. Zscaler offers a wide range of standard reports or the customer can create custom reports.
• Zscaler also provides an HTML-based Executive Report designed for sharing by email or in print with an organization’s
executive audiences. The report provides a snapshot of an organization’s security posture and highlights the value
derived from the Zscaler platform.
• Interactive CIO and CISO reports provide detailed information in graphical widgets and allow readers to drill down
into the logs and analytics behind the information.
• The customer can schedule reports for regular delivery to specified recipients.
• The customer can exclude locations from all user-related reports in the dashboard, Interactive Reports, and the
Executive Report.
• The customer can seamlessly drill down from any dashboard or report to the logs, where they can view details like the
specific URLs that users requested, risk score of each URL, and much more. The customer can also annotate any
dashboard or report with notes.
• As the customer works with data for reporting, the tool records the workflow in the History bar below the chart. Every
time the customer makes a change to the chart, such as adding a filter or changing the chart type, the admin portal
adds the previous version to the History bar. The customer can then click any chart in the History bar to see it again.
• The customer can also implement role-based reporting, allowing the customer to define different roles for different
users, and specify what reports and dashboards those users can access.
• Admins can customize their dashboards if their role includes full dashboard access.
• CIO, CTO, and CISO Insights reports provide monthly summaries of the organization’s IT and security posture.
• An Industry Peer Comparison report compares the customer organization’s performance to that of both peer
organizations and all organizations using the Zscaler service.

Customer Responsibilities
• The customer is responsible for ensuring that Internet traffic is forwarded to Zscaler.
• Authentication is required for user and department logging and reporting.

Zscaler Nanolog Streaming Service (NSS) for Web Logs


Overview
Zscaler’s NSS is a virtual machine (VM) the customer can use to stream web traffic logs in real time from the Zscaler Nanolog
to the customer’s on-premises security information and event management (SIEM) system. NSS helps the customer comply
with regulatory mandates on local log archival, correlate logs from multiple devices, and conduct historical web log analysis.

Description
• When an organization deploys NSS, NSS opens a secure tunnel to the Nanolog in the Zscaler cloud. The Nanolog then
streams copies of the logs to NSS in a highly compressed format to reduce bandwidth footprint; the original logs are
retained on the Nanolog.
• When NSS receives the logs from the Nanolog, it decompresses and decodes them, applies the configured filters to
exclude unwanted logs, converts the filtered logs to the configured output format so they can be parsed by the customer’s
SIEM, and then streams the logs to the SIEM over a raw (unencrypted) TCP connection, so that leg should stay on a
trusted network segment.
• For full site redundancy, each organization can subscribe to up to two NSS systems for web logs in an active-active
configuration. Each NSS supports up to eight parallel SIEM connections called feeds. Each feed can have a different list
of fields, a different format, and different filters.
• NSS can be deployed on VMware or AWS.
• NSS requires minimal administration. After the customer deploys it, NSS automatically polls Zscaler for updates and
installs them.
• For monitoring purposes, the customer can configure a separate alert feed. Zscaler will send the alerts in an RFC-
compliant syslog format to the specified IP address and port.
• The customer can open a Behavioral Analysis report based on the MD5 parameter retrieved from the logs in the SIEM.
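As an added example (not NSS code from Zscaler), the block below models the configurable part of a feed described above: a filter, a field list and an output format, producing one line per record for a line-oriented SIEM receiver. It also shows the check a practitioner wants in any log forwarder: a URL is attacker-influenced, so a formatter that does not escape delimiters lets a crafted URL inject a forged record into the SIEM. The record field names, values, feed names and the two output formats are constructed for the example and are not NSS’s actual field names or formats.

```javascript
'use strict';

// Added example, not Zscaler's NSS code. Field names and values are constructed.
const SAMPLE_LOGS = [
  { time: '2017-10-03T12:00:01Z', user: 'alice@example.com', action: 'Allowed',
    urlCategory: 'Business', url: 'https://www.example.com/report',
    threatName: 'None', md5: '' },
  { time: '2017-10-03T12:00:07Z', user: 'bob@example.com', action: 'Blocked',
    urlCategory: 'Malicious Sites', url: 'http://bad.example/dl.exe',
    threatName: 'Trojan.Generic', md5: 'd41d8cd98f00b204e9800998ecf8427e' },
  // A URL a hostile site could craft: it carries the CSV delimiter, a quote
  // and a newline followed by text shaped like a second, forged record.
  { time: '2017-10-03T12:00:09Z', user: 'carol@example.com', action: 'Allowed',
    urlCategory: 'Miscellaneous',
    url: 'http://evil.example/?q=a,b"\nFAKE,root@example.com,Allowed',
    threatName: 'None', md5: '' },
];

// Naive formatter: joins raw values. A newline inside a value splits one
// record into two lines, so the SIEM would ingest the forged "FAKE,..." record.
function naiveCsv(fields, rec) {
  return fields.map(f => rec[f]).join(',');
}

// Hardened CSV: a field holding a delimiter, quote, CR or LF is quoted with
// inner quotes doubled (RFC 4180). CR/LF are additionally written as the
// two-character sequences \r and \n so one record always stays on one line,
// which is what a line-oriented receiver on a raw TCP socket expects.
function csvField(v) {
  const s = String(v);
  if (!/[",\r\n]/.test(s)) return s;
  return '"' + s.replace(/"/g, '""').replace(/\r/g, '\\r').replace(/\n/g, '\\n') + '"';
}

// Hardened key=value: values are always quoted, with backslash, quote, CR and
// LF escaped, so a value can never terminate the field or the line.
function kvField(k, v) {
  const s = String(v).replace(/\\/g, '\\\\').replace(/"/g, '\\"')
                     .replace(/\r/g, '\\r').replace(/\n/g, '\\n');
  return k + '="' + s + '"';
}

function formatRecord(feed, rec) {
  if (feed.format === 'kv') return feed.fields.map(f => kvField(f, rec[f])).join(' ');
  return feed.fields.map(f => csvField(rec[f])).join(',');   // default: csv
}

// One feed = filter + field list + format; returns one line per kept record.
function renderFeed(feed, records) {
  return records.filter(feed.filter).map(rec => formatRecord(feed, rec));
}

// Two constructed feeds, as a site might run side by side on one NSS: a narrow
// security feed (blocked transactions only, carrying the md5 so the SIEM can
// pivot to the Behavioral Analysis report) and a full audit feed.
const SECURITY_FEED = {
  name: 'siem-security', format: 'kv',
  fields: ['time', 'user', 'action', 'urlCategory', 'url', 'threatName', 'md5'],
  filter: rec => rec.action === 'Blocked',
};
const AUDIT_FEED = {
  name: 'siem-audit', format: 'csv',
  fields: ['time', 'user', 'action', 'url'],
  filter: () => true,
};

// Renders both feeds and, for comparison, what the naive formatter would
// deliver once the receiver splits the stream on newlines.
function demo() {
  return {
    security: renderFeed(SECURITY_FEED, SAMPLE_LOGS),
    audit: renderFeed(AUDIT_FEED, SAMPLE_LOGS),
    naive: SAMPLE_LOGS.map(rec => naiveCsv(AUDIT_FEED.fields, rec)).join('\n').split('\n'),
  };
}
```

The same concern applies to whatever parser the SIEM uses on the other end: confirm it un-escapes the sequences the formatter emits, and treat any field that the remote site controls (URL, referer, user agent) as untrusted input when writing correlation rules.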

Customer Responsibilities
• The customer must use a SIEM that is interoperable and supported by Zscaler.
• The customer must ensure that all the requirements to run NSS as a virtual machine are met.
• The customer must adhere to the Hypervisor, VM specifications, and Internet bandwidth requirements.
• Ensure that all firewall requirements are met as detailed in https://ips.<zscaler-cloud-name>/addresses/nss.html. For
example, customers on the zscalerone cloud should go to https://ips.zscalerone.net/addresses/nss.html. NSS requires
only outbound connections to the Zscaler cloud.

Zscaler Nanolog Streaming Service (NSS) for Firewall and DNS Logs
Overview
Zscaler’s NSS Firewall is a virtual machine (VM) the customer can use to stream firewall and DNS logs in real time from the
Zscaler Nanolog to the customer’s on-premises security information and event management (SIEM) system. NSS helps the
customer comply with regulatory mandates on local log archival, correlate logs from multiple devices, and conduct historical
log analysis.

Description
• When an organization deploys NSS, NSS opens a secure tunnel to the Nanolog in the Zscaler cloud. The Nanolog then
streams copies of the firewall and DNS logs to NSS in a highly compressed format to reduce bandwidth footprint; the
original logs are retained on the Nanolog.
• For firewall logs, the customer can stream full session logs (all sessions of firewall rules are logged individually, except
HTTPS), aggregate logs (individual sessions are grouped together based on {user, rule, network service, network
application} and recorded periodically), or both full session and aggregate logs. For DNS logs, the customer can stream
logs for each request.
• When NSS receives the logs from the Nanolog, it unscrambles them, applies the configured filters to exclude unwanted
logs, converts the filtered logs to the configured output format so they can be parsed by the customer’s SIEM, and then
streams the logs to the SIEM over a raw TCP connection.
• For full site redundancy, each organization can subscribe to up to two NSS systems (for firewall and DNS logs) in an
active-active configuration. Each NSS supports up to eight parallel SIEM connections called feeds. Each feed can have a
different list of fields, a different format, and different filters.
• NSS can be deployed via VMware or AWS.
• NSS requires minimal administration. After the customer deploys it, NSS automatically polls Zscaler for updates and
installs them.
• For monitoring purposes, the customer can configure a separate alert feed. Zscaler will send the alerts in an RFC-compliant
syslog format to the specified IP address and port.

Customer Responsibilities
• The customer must use a SIEM that is interoperable and supported by Zscaler.
• The customer must ensure that all the requirements to run NSS as a virtual machine are met.
• The customer must adhere to the Hypervisor, VM specifications, and Internet bandwidth requirements.
• Ensure that all firewall requirements are met as detailed in https://ips.<zscaler-cloud-name>/addresses/nss.html. For
example, customers on the zscalerone cloud should go to https://ips.zscalerone.net/addresses/nss.html. NSS requires
only outbound connections to the Zscaler cloud.
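The feed model described in both NSS sections (each feed with its own field list, output format and filters, at most eight feeds per NSS) is illustrated below with an added example. It is not Zscaler's NSS code: the log records are constructed samples, the field names ("time", "user", "action", "url", "threatname" and so on) are assumed for illustration, and the two output formats (quoted key=value pairs and JSON) stand in for whatever the customer's SIEM actually expects.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List

MAX_FEEDS_PER_NSS = 8   # limit stated on the page

# Constructed sample web-log records (field names are assumed for illustration).
SAMPLE_WEB_LOGS: List[Dict[str, str]] = [
    {"time": "2017-10-02T10:00:01Z", "user": "alice@example.com", "dept": "Finance",
     "action": "Allowed", "url": "intranet.example.com/", "urlcat": "Business Use",
     "threatname": "None"},
    {"time": "2017-10-02T10:00:05Z", "user": "bob@example.com", "dept": "Sales",
     "action": "Blocked", "url": "bad.example.net/dl.exe", "urlcat": "Security Risk",
     "threatname": "Trojan.Zbot"},
    {"time": "2017-10-02T10:00:09Z", "user": "carol@example.com", "dept": "Engineering",
     "action": "Allowed", "url": "cdn.example.org/lib.js", "urlcat": "Business Use",
     "threatname": "None"},
]


@dataclass
class Feed:
    """One SIEM connection: its own field list, output format and filters."""
    name: str
    fields: List[str]
    fmt: str = "kv"                  # "kv" (key="value" pairs, syslog-friendly) or "json"
    filters: Dict[str, set] = field(default_factory=dict)   # field -> accepted values

    def matches(self, rec: Dict[str, str]) -> bool:
        """A record passes the filter when every filtered field holds an accepted value."""
        return all(rec.get(k) in accepted for k, accepted in self.filters.items())

    def render(self, rec: Dict[str, str]) -> str:
        """Select the feed's fields and serialise them in the feed's format."""
        selected = {k: rec.get(k, "") for k in self.fields}
        if self.fmt == "json":
            return json.dumps(selected)
        # Quote values so spaces or '=' inside them do not break the SIEM parser.
        return " ".join('%s="%s"' % (k, v.replace('"', '\\"')) for k, v in selected.items())


class NssInstance:
    """Fan-out of one NSS to its feeds, enforcing the per-NSS feed limit."""

    def __init__(self) -> None:
        self.feeds: List[Feed] = []

    def add_feed(self, feed: Feed) -> None:
        if len(self.feeds) >= MAX_FEEDS_PER_NSS:
            raise ValueError("an NSS supports at most %d feeds" % MAX_FEEDS_PER_NSS)
        self.feeds.append(feed)

    def process(self, records) -> Dict[str, List[str]]:
        """Return the lines each feed would stream to its SIEM, keyed by feed name."""
        out: Dict[str, List[str]] = {f.name: [] for f in self.feeds}
        for rec in records:
            for f in self.feeds:
                if f.matches(rec):
                    out[f.name].append(f.render(rec))
        return out


def build_demo_nss() -> NssInstance:
    """Two feeds with different fields, formats and filters, as the page allows."""
    nss = NssInstance()
    # Feed 1: blocked transactions only, compact key=value lines for a syslog SIEM.
    nss.add_feed(Feed("blocked", ["time", "user", "action", "url", "threatname"],
                      filters={"action": {"Blocked"}}))
    # Feed 2: every transaction as JSON, for a data lake.
    nss.add_feed(Feed("all-json", ["time", "user", "dept", "action", "url", "urlcat"],
                      fmt="json"))
    return nss


if __name__ == "__main__":
    for name, lines in build_demo_nss().process(SAMPLE_WEB_LOGS).items():
        print("feed %s (%d lines)" % (name, len(lines)))
        for line in lines:
            print("  " + line)
```

Filtering happens on the NSS before anything leaves the site, so a feed that carries only blocked transactions also keeps the raw TCP stream to the SIEM small; the feed limit is enforced at configuration time rather than discovered when the ninth connection silently fails.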

Malware Protection
Overview
Zscaler provides inline signature-based anti-malware protection, detecting and blocking all known viruses, spyware, and
other kinds of malware.

Description
• Zscaler scans inbound and outbound HTTP (and HTTPS traffic if SSL inspection is enabled) in real time with near-zero
latency. Zscaler scans files with up to five layers of recursive compression.
• Zscaler uses a real-time signature database of objects on the Internet known to be unsafe and runs the customer’s
traffic through multiple anti-virus engines.
• Zscaler runs the customer’s traffic through multiple engines and leverages malware feeds from more than 20 threat-sharing
partners like Microsoft, Adobe, and Google.
• Zscaler has a recommended default malware protection policy to ensure the security of the customer’s traffic. While
the customer can modify this default policy, Zscaler recommends that the customer not change the default settings.
• By default, Zscaler allows users to upload and download password-protected archive files, but the customer can
change these settings to suit business needs.
• By default, Zscaler allows users to upload and download files that are not scannable because they are in an
unrecognized file format, excessive in size, or recursively compressed, but the customer can change these settings to
suit business needs.
• Zscaler displays end user notifications when users are blocked. The customer can create custom end user
notifications, configured in different languages with images and links to sources that further educate users on
compliance policies. The customer can also redirect users to a URL that hosts the customer’s own end user
notifications and use JavaScript to display content in other languages.
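The five-layer recursion limit and the "not scannable" outcomes (password-protected or too deeply nested archives) above are shown in an added example. It is not Zscaler's scanner: the signature is a constructed test pattern, the ZIP fixtures are built in memory, and the encrypted-archive fixture only sets the ZIP header flag (Python's zipfile cannot write real encrypted archives). The point is that anything the scanner cannot open must surface as a distinct verdict so the allow/block default the page describes can be applied to it deliberately.

```python
import io
import zipfile

MAX_COMPRESSION_LAYERS = 5   # recursion limit stated on the page

# Constructed stand-in for an anti-malware signature (not a real malware sample).
TEST_SIGNATURE = b"CONSTRUCTED-MALWARE-TEST-PATTERN-0001"


def is_encrypted(info: zipfile.ZipInfo) -> bool:
    """Bit 0 of the ZIP general-purpose flag marks a password-protected entry."""
    return bool(info.flag_bits & 0x1)


def scan_bytes(data: bytes, depth: int = 0) -> dict:
    """Scan a file, descending into ZIP containers up to MAX_COMPRESSION_LAYERS.

    Returns {"verdict": "clean" | "malicious" | "unscannable", "reason": str}.
    `depth` counts archive layers already opened; the outermost archive is
    layer 1, so a sixth nested archive is reported as unscannable instead of
    being silently treated as clean.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        if TEST_SIGNATURE in data:
            return {"verdict": "malicious", "reason": "signature match"}
        return {"verdict": "clean", "reason": ""}
    if depth >= MAX_COMPRESSION_LAYERS:
        return {"verdict": "unscannable",
                "reason": "more than %d compression layers" % MAX_COMPRESSION_LAYERS}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_encrypted(info):
                # Content cannot be inspected without the password.
                return {"verdict": "unscannable", "reason": "password-protected archive"}
            inner = scan_bytes(zf.read(info), depth + 1)
            if inner["verdict"] != "clean":
                return inner
    return {"verdict": "clean", "reason": ""}


def policy_action(verdict: dict, allow_unscannable: bool = True) -> str:
    """Map a verdict to the policy outcome.

    allow_unscannable=True mirrors the default described on the page (unscannable
    and password-protected files are allowed unless the customer changes it).
    """
    if verdict["verdict"] == "malicious":
        return "block"
    if verdict["verdict"] == "unscannable":
        return "allow" if allow_unscannable else "block"
    return "allow"


# --- constructed test fixtures ---------------------------------------------

def make_zip(entries: dict) -> bytes:
    """Build an uncompressed (stored) ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encrypted flag in every local and central header of a flat ZIP.

    No real encryption is applied; this only produces input that the scanner
    must classify as password-protected.
    """
    buf = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + flag_offset] |= 0x1
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def nest(payload: bytes, layers: int) -> bytes:
    """Wrap payload in `layers` ZIP archives, one inside the other."""
    for i in range(layers):
        payload = make_zip({"layer%d.zip" % i: payload})
    return payload


if __name__ == "__main__":
    for label, blob in [
        ("clean document", make_zip({"report.txt": b"quarterly numbers"})),
        ("5 layers, pattern inside", nest(TEST_SIGNATURE, 5)),
        ("6 layers", nest(TEST_SIGNATURE, 6)),
        ("password-protected", mark_encrypted(make_zip({"secret.txt": b"x"}))),
    ]:
        v = scan_bytes(blob)
        print("%-26s %-12s %-34s -> %s" % (label, v["verdict"], v["reason"], policy_action(v)))
```

With the page's default, the six-layer and password-protected archives are allowed through unscanned; flipping `allow_unscannable` to False is the setting change the page says a customer can make to suit business needs.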

Customer Responsibilities
• The customer is responsible for ensuring that Internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the Zscaler admin portal. Otherwise, default settings will
apply.
• Authentication is required for Zscaler to enforce user, group, and department policies.

Advanced Threats Protection


Overview
Zscaler’s Advanced Threats Protection provides a variety of advanced security features.

Description
• Zscaler identifies suspicious content within a page (injected scripts, vulnerable ActiveX, zero-pixel iFrames, and
much more) as well as domain information to calculate a Zscaler PageRisk™ score. This score is evaluated
against a PageRisk™ tolerance value that the customer sets, and Zscaler will allow or block the page depending
on the value.
• Zscaler leverages malware feeds from more than 20 threat-sharing partners like Microsoft, Adobe, and Google to
protect against the latest threats.
• Zscaler’s Advanced Threats Protection policy provides access to the following features:
o Botnet Protection: Zscaler can protect against botnets that could be secretly installed on user devices to perform
malicious tasks at the instruction of Command & Control servers.
o Malicious Active Content Protection: Zscaler can protect against websites that attempt to download dangerous
content to user browsers.
o Fraud Protection: Zscaler can protect against phishing sites that mimic legitimate sites (such as banking and
financial sites) in order to collect confidential information.
o Cross-Site Scripting (XSS) Protection: Zscaler can protect against XSS, in which malicious code injected into
websites is downloaded to user browsers from compromised web servers.
o Suspicious Destinations Protection: Zscaler can block requests to any country based on ISO 3166 mapping of
countries to their IP address space. Websites are blocked based on the location of the web server.
o Unauthorized Communication Protection: Zscaler can protect against communications like IRC tunneling
applications and "anonymizer" sites that are used to bypass firewalls and proxies.
o Peer-to-Peer (P2P) File Sharing Protection: Zscaler can block BitTorrent, an application that could enable users
to illegally share copyrighted or protected content.
o P2P Anonymizer Protection: Zscaler can block Tor, an application that could enable users to bypass policies
controlling what websites they may visit or Internet resources they may access.
o P2P VoIP Protection: Zscaler can block applications like Google Talk and Skype to protect against the high
bandwidth utilization associated with such applications.
• Zscaler displays end user notifications when users are blocked. The customer can create custom end user notifications,
configured in different languages with images and links to sources that further educate users on compliance policies. The
customer can also redirect users to a URL that hosts the customer’s own end user notifications and use JavaScript to
display content in other languages.

Customer Responsibilities
• The customer is responsible for ensuring that Internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the Zscaler admin portal. Otherwise, default settings will
apply.
• Authentication is required for Zscaler to enforce user, group, and department policies.

Sandbox
Overview
Zscaler provides an additional layer of security against zero-day threats and Advanced Persistent Threats (APTs) with
integrated file sandboxing analysis. Zscaler offers two versions: Standard and Cloud Sandbox.

Description
Standard Sandbox
• Zscaler conducts sandboxing analysis on suspicious Windows executables and Windows libraries downloaded from
suspicious URLs. A portion of the Windows executables and libraries are collected and run in a virtual environment to
detect and block threats.
• If a user attempts to download a file that was found to be malicious by the Sandbox, Zscaler displays an end user
notification. The customer can create custom end user notifications, configured in different languages with images and
links to sources that further educate users on compliance policies. The customer can also redirect users to a URL that
hosts the customer’s own end user notifications and use JavaScript to display content in other languages.
• Zscaler logs transactions in real time and provides behavioral analysis data. The logs show the threat name listing the
exact malware, such as Trojan.Zbot, Backdoor.Caphaw, or just the malware category, based on the behavior
recognized by Zscaler, whenever possible.
• The logs also contain an MD5 column that displays a hash of all files analyzed. With the Standard Sandbox, the customer
cannot view the behavioral analysis report that provides further information about a file and its behavior.
• The transaction logs list the malicious files that were detected by Cloud Sandbox—files that fell outside the scope of
suspicious executables/libraries from suspicious URLs. These files are not blocked (because no policy exists to
enforce the blocks), but they are detected and displayed as malicious in the customer’s transaction logs.
• Once Zscaler detects malicious files, it propagates fingerprints of malicious files to all Zscaler Enforcement Nodes
(ZENs) throughout the cloud, effectively maintaining a real time blacklist to prevent users anywhere in the world from
downloading malicious files.
Cloud Sandbox
• With Cloud Sandbox, the customer can create multiple policy rules. For each rule, the customer can specify:
• Criteria:
o File types
o URL Categories
o Users, Groups, Departments, and Locations
o Sandbox Categories (Adware, Malware/Botnet, P2P/Anonymizer)
• Action:
o Allow or Block
o Action that Zscaler takes when a user downloads a file for the first time: Allow and do not scan, Allow
and scan, Quarantine during analysis and allow download only after analysis.
• Zscaler provides a default rule. The customer cannot delete the default rule but can modify the Sandbox
Categories (in Criteria) and whether the rule allows or blocks (in Action). The customer can also add rules. Rules
are applied in the rule order list from first to last. The default rule is always the last rule checked.
• Zscaler conducts sandboxing analysis for all supported file types:
o Archives:
- RAR
- ZIP
o Scripts inside ZIP archives:
- .js
- .vbs
- .svg
- .ps1
- .hta
- .wsf
- .cmd
- .lnk
o Executables:
- Windows Executables
- Windows Library
o Microsoft Office:
- Microsoft Word
- Microsoft Excel
- Microsoft PowerPoint
- Microsoft RTF
o Mobile:
- Android Application Package
o Web Content:
- Adobe Flash
- Java Applet
o Other:
- Adobe PDF
• If a user attempts to download a file that was found to be malicious by the sandbox, Zscaler displays an end user
notification. The customer can create custom end user notifications, configured in different languages with images
and links to sources that further educate users on compliance policies. The customer can also redirect users to a
URL that hosts the customer’s own end user notifications and use JavaScript to display content in other
languages.
• Zscaler logs transactions in real time and provides behavioral analysis data. The logs show the threat name listing
the exact malware, such as Trojan.Zbot, Backdoor.Caphaw, or just the malware category, based on the behavior
recognized by Zscaler, whenever possible.
• The logs also contain an MD5 column that displays a hash of all files analyzed. With Cloud Sandbox, the
customer can click a value in this column to view the Sandbox report. Sandbox reports provide information about
a file and its behavior as well as other types of information, including forensic details like which registry keys were
changed, which network connections were initiated, and which files were read.
• Once Zscaler detects malicious files, it propagates fingerprints of malicious files to all Zscaler Enforcement Nodes
(ZENs) throughout the cloud, effectively maintaining a real time blacklist to prevent users anywhere in the world
from downloading malicious files.

Customer Responsibilities
• The customer is responsible for ensuring that Internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the Zscaler admin portal. Otherwise, default settings
apply.
• Authentication is required for Zscaler to enforce user, group, and department policies.

Browser Control
Overview
Zscaler can warn or block users from connecting to the Internet when they are using outdated or vulnerable browsers,
plugins, and applications.

Description
• Zscaler examines and assesses all applications that are used to access the Internet to ensure that they are not
outdated or unsafe. Zscaler examines browser versions and patches (as well as beta browsers), Internet applications
(for example, Adobe Flash, Java, Apple QuickTime), and media download applications (for example, Windows Media
Player).
• The customer can choose to block specific browser versions.
• Zscaler displays end user notifications when users are warned or blocked. The customer can create custom end user
notifications, configured in different languages with images and links to sources that further educate users on
compliance policies. The customer can also redirect users to a URL that hosts the customer’s own end user
notifications and use JavaScript to display content in other languages.

Customer Responsibilities
• The customer is responsible for ensuring that Internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the Zscaler admin portal. Otherwise, default settings will
apply.
• Authentication is required for Zscaler to enforce user, group, and department policies.

URL Filtering
Overview
Zscaler’s URL Filtering Policy protects the customer’s organization from inappropriate or harmful web content.

Description
• The customer can create policy rules specifying the following criteria: URL categories, HTTP Request, Users, Groups,
Departments, Locations, and Time. The rule also allows the customer to set daily quotas by bandwidth or time, and
specify whether Zscaler allows, cautions against, or blocks access. Zscaler scans every HTTP request and response
to enforce the URL filtering policy the customer defines, irrespective of location or device.
• To enable granular access control, Zscaler organizes URLs into a hierarchy of categories. The customer can choose
from six predefined classes, which are each divided into predefined super-categories (30 in total), and then further into
predefined categories. The six predefined classes are Bandwidth Loss, Business Use, General Surfing, Legal Liability,
Productivity Loss, and Security Risk. The customer can limit access at the class level or drill down further into super-categories
and categories, depending on business needs. In addition to the predefined categories, the customer can
create custom categories based on URLs or on keywords within the URLs or page content.
• Zscaler leverages multiple global databases that are updated daily with feeds from various partners. When any given
URL is not already covered by the database, Zscaler uses its Dynamic Content Classification (DCC) engine to scan
the page for any content that would place it in the predefined Legal Liability class. The URL is then classified and the
original request for the page is handled according to the customer’s policy for URLs in that class.
• Zscaler displays end user notifications when users are cautioned or blocked. The customer can create custom end
user notifications, configured in different languages with images and links to sources that further educate users on
compliance policies. The customer can also redirect users to a URL that hosts the customer’s own end user
notifications.
• In certain cases, the customer can allow some users or groups to override a block. For example, in an educational
setting, the customer can block students from access to YouTube, but allow the teachers. Users will be prompted to
enter their override password, and they will be able to access the blocked page during their current browser session.

Customer Responsibilities
• The customer is responsible for ensuring that Internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the Zscaler admin portal. Otherwise, default settings will
apply.
• SSL inspection may be required for applying granular policy to encrypted sites. Otherwise, companywide policy will
apply.
• Authentication is required for Zscaler to enforce user, group, and department policies.

Firewall Policy
Overview
Zscaler protects users connecting to the Internet and provides application visibility and user access-level controls for all ports
and protocols, including applications that are difficult to manage and maintain, like port hopping applications (e.g., Skype,
BitTorrent, Tor) and cloud-based business applications with changing IP addresses (e.g., MS Office365, Google Apps,
Salesforce.com). Zscaler offers two versions: Standard and Cloud Firewall.

Description
Standard Firewall
• Zscaler’s Standard Firewall supports all ports and protocols.
• The Standard Firewall functions on 5-tuple policy (Source IP, Destination IP, Source Port, Destination Port, and Protocol).
• The firewall has a default filtering rule that allows all Internet traffic. Rules are applied in the rule order list from
first to last. The default rule is always the last rule checked. The customer cannot delete the default rule but can modify its
action and logging option.
• For each new firewall filtering rule, the customer can specify:
o Criteria:
- Where and When: Locations (up to eight) and Time interval.
- Network Services: The customer can choose from a list of predefined network services and add custom
network services. The customer can also create and add network service groups.
- Source IPs: IP addresses and source IP groups created by the customer.
- Destination IPs: IP addresses, destination IP groups created by the customer, IP-based countries, IP
categories.
o Action: For each rule, the customer can specify one of four actions: Allow, Block/Drop, Block with ICMP error
message, Block with TCP reset.
• The Standard Firewall dashboard provides network service visibility.
• Full Logging is available with an additional license.
o Hourly (default mode for rules that allow traffic): Individual sessions are grouped together based on {user, rule,
network service, network application}.
o Full (default mode for rules that block traffic): Logs all sessions of the rule individually, except HTTP(S).
• The customer can subscribe to Zscaler’s Nanolog Streaming Service (NSS) to stream firewall logs to an on-premises
security information and event management (SIEM) system.
• If a web policy and firewall policy are configured for a web application, web policy is applied first, then firewall policy is
enforced.
• NAT Control: The standard firewall can perform destination NAT.
o The customer can create NAT control rules using the same criteria as firewall filtering rules, with the exception of
network applications, which NAT control does not support, and of users and groups, which require Cloud
Firewall.
o For each rule, the customer can choose to redirect traffic either to specific IP addresses or ports.
Cloud Firewall
• The Cloud Firewall supports all ports and protocols.
• The Cloud Firewall redirects outbound HTTP, HTTPS, FTP and DNS traffic that is destined to a non-standard port and
that does not match any predefined network service to the web engine for inspection. For example, if HTTP traffic is
destined to a server on a non-standard port, Zscaler redirects the traffic to the web proxy engine even if the port is not
configured in an HTTP predefined services group. This option is enabled by default.
• With Cloud Firewall, the customer has application visibility and control, as well as user-based policy control.
• Web-based and non-web-based applications are classified by Zscaler’s advanced Deep Packet Inspection (DPI) engine.
• User-level support: To enforce firewall policy at the user level, authentication and surrogate IP must be enabled.
Otherwise, the firewall applies organization and location policies.
• With Cloud Firewall, full logging and reporting is included.
• The Cloud Firewall dashboard provides network applications visibility.
• The firewall has a default filtering rule that allows all Internet traffic. Rules are applied in the rule order list
from first to last. The default rule is always the last rule checked. The customer cannot delete the default rule but can
modify its action and logging option.
• For each new firewall filtering rule, the customer can specify:
o Criteria:
- Who, Where, and When: Users (up to four), Groups (up to eight), Departments (up to eight), Locations
(up to eight), and Time interval.
- Network services: The customer can choose from a list of predefined network services and add custom
network services. The customer can create network services with overlapping ports for the same
protocols and add these network services to the firewall control policy. For example, FTP on port 21 is a
standard network service. A custom network service that includes port 21 can be defined. The customer
can also create and add network service groups.
- Network applications: The customer can choose from a list of predefined network applications. The
customer can also create and add network application groups.
- Source IPs: IP addresses and source IP groups created by the customer.
- Destination IPs: IP addresses, destination IP groups created by the customer, IP-based countries, IP
categories.
o Action: For each rule, the customer can specify one of four actions: Allow, Block/Drop, Block with ICMP error
message, Block with TCP reset.
o Logging option:
- Hourly (default mode for rules that allow traffic): Individual sessions are grouped together based on
{user, rule, network service, network application}.
- Full (default mode for rules that block traffic): Logs all sessions of the rule individually, except HTTP(S).
• If a web policy and firewall policy are configured for a web application, web policy is applied first, then firewall policy is
enforced.
• NAT Control: The Cloud Firewall can perform destination NAT.
o The customer can create NAT control rules using the same criteria as firewall filtering rules, with the exception of
network applications, which NAT control does not support.
o For each rule, the customer can choose to redirect traffic to specific IP addresses and ports. To support domains
with multiple destination IP addresses, or with destination IP addresses that may change, the customer can enter
FQDNs as well as IP addresses in the destination field for each rule.
• DNS Control: With Cloud Firewall, the customer can control DNS requests and responses.
o The DNS Control policy has default rules that allow all DNS traffic. Rules are applied in the rule order list from
first to last. The default rule is always the last rule checked. The customer cannot delete the default rules but can
modify their actions.
o For each new DNS transaction rule, the customer can specify:
- Criteria:
▪ Who, Where, and When: Users (up to four), Groups (up to eight), Departments (up to eight),
Locations (up to eight), and Time interval.
▪ Source IPs: IP addresses and source IP groups created by customer.
▪ Destination/Resolved IPs: DNS Server IP addresses, DNS Server IP groups, Resolved IP-based
Countries, Requested Domain/Resolved IP Categories.
- Action: For each rule, the customer can specify one of four actions: Allow, Block, Redirect request, and
Redirect response.
o Zscaler logs all sessions of the rule individually, except HTTP(S). This option cannot be changed.
o The DNS dashboard gives the customer visibility into applications running in the customer’s networks.
o Zscaler supports DNS queries sent over UDP and TCP.
• The customer can subscribe to Zscaler’s Nanolog Streaming Service (NSS) to stream firewall and DNS logs to an
on-premises security information and event management (SIEM) system.
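The rule-ordering and logging behaviour described above for both firewall versions (first match wins, the default rule is always last and cannot be deleted, hourly aggregation by {user, rule, network service, network application} for allow rules and per-session full logs for block rules, HTTP(S) excepted) is shown in an added example. It is not Zscaler's engine: the sessions, rules, user names, addresses and the DPI application labels are constructed, and the "Default" rule name is assumed.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# The four actions listed on the page.
ACTIONS = ("Allow", "Block/Drop", "Block with ICMP error message", "Block with TCP reset")


@dataclass
class Session:
    user: str
    src_ip: str
    dst_ip: str
    protocol: str      # "TCP" or "UDP"
    dst_port: int
    app: str           # network application as classified by DPI (constructed label)


@dataclass
class Rule:
    name: str
    action: str
    users: Optional[Set[str]] = None                 # None means "any"
    src_nets: Optional[List[str]] = None
    dst_nets: Optional[List[str]] = None
    services: Optional[Set[Tuple[str, int]]] = None  # {(protocol, port)}
    apps: Optional[Set[str]] = None
    logging: Optional[str] = None                    # "Hourly" or "Full"

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError("unknown action %r" % self.action)
        if self.logging is None:
            # Page default: hourly aggregation for allow rules, full logs for block rules.
            self.logging = "Hourly" if self.action == "Allow" else "Full"

    def matches(self, s: Session) -> bool:
        return all((
            self.users is None or s.user in self.users,
            self.src_nets is None or _in_any(s.src_ip, self.src_nets),
            self.dst_nets is None or _in_any(s.dst_ip, self.dst_nets),
            self.services is None or (s.protocol, s.dst_port) in self.services,
            self.apps is None or s.app in self.apps,
        ))


def _in_any(ip: str, nets: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


class FirewallPolicy:
    """Ordered rule list; the default rule is evaluated last and cannot be removed."""

    def __init__(self, rules: List[Rule], default_action: str = "Allow") -> None:
        self.rules = list(rules)
        self.default = Rule("Default", default_action)

    def evaluate(self, s: Session) -> Rule:
        for rule in self.rules:          # first match wins
            if rule.matches(s):
                return rule
        return self.default


def log_sessions(policy: FirewallPolicy, sessions: List[Session]):
    """Apply the policy and produce both log forms described on the page.

    Full mode emits one record per session, except HTTP(S), which the page says is
    not logged individually here. Hourly mode counts sessions per
    {user, rule, network service, network application}.
    """
    full: List[dict] = []
    hourly: Counter = Counter()
    for s in sessions:
        rule = policy.evaluate(s)
        service = "%s/%d" % (s.protocol, s.dst_port)
        if rule.logging == "Full":
            if s.app not in ("HTTP", "HTTPS"):
                full.append({"user": s.user, "rule": rule.name, "action": rule.action,
                             "service": service, "app": s.app})
        else:
            hourly[(s.user, rule.name, service, s.app)] += 1
    return full, dict(hourly)


def demo_policy() -> FirewallPolicy:
    return FirewallPolicy([
        Rule("Block Tor", "Block with TCP reset", apps={"Tor"}),
        Rule("Corporate DNS", "Allow", services={("UDP", 53)}, dst_nets=["10.0.0.0/8"]),
    ])


DEMO_SESSIONS = [   # constructed sample traffic
    Session("alice", "10.1.1.5", "10.0.0.53", "UDP", 53, "DNS"),
    Session("alice", "10.1.1.5", "10.0.0.53", "UDP", 53, "DNS"),
    Session("bob", "10.1.2.7", "203.0.113.9", "TCP", 9001, "Tor"),
    Session("carol", "10.1.3.9", "192.0.2.22", "TCP", 22, "SSH"),
]

if __name__ == "__main__":
    full, hourly = log_sessions(demo_policy(), DEMO_SESSIONS)
    print("full:", full)
    print("hourly:", hourly)
```

Carol's SSH session reaches no explicit rule and so is decided by the default rule, which is why the page stresses that the default rule's action and logging option deserve the same review as any other rule.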

Customer Responsibilities
• The customer is responsible for ensuring that IP traffic is forwarded to Zscaler from a known location via a GRE or IPSec
tunnel.
• The customer must ensure proper settings are configured in the Zscaler admin portal. Otherwise, default settings will
apply.
• To enforce firewall policies at the user level, authentication and surrogate IP must be enabled. Otherwise, the firewall
applies organization and location policies.

FTP Control
Overview
Zscaler by default does not allow users from a location to upload or download files from FTP sites, but the customer can
configure the policy to allow access to specific sites.

Description
• The FTP policy applies to traffic from the known locations of an organization.
• Zscaler supports FTP over HTTP. The anti-virus engine will scan the content for viruses and spyware. These
connections are also subject to rules created under the URL Filtering Policy in the admin portal.
• Zscaler supports passive FTP only. If the destination server does not support passive FTP, Zscaler generates an alert
message to this effect in the end user's browser.
• If a road warrior uses a dedicated port, then Zscaler supports FTP over HTTP for road warriors. So when a road
warrior’s browser connects to FTP sites and downloads files, Zscaler’s anti-virus engine will be able to scan the
content for viruses and spyware.
• Zscaler does not support AV scanning for native FTP traffic.
• URL Filtering Policy rules take precedence over the FTP Control policy. For example, if the customer has a URL Filtering
Policy rule that blocks access to Adult Material, Zscaler will block users who try to transfer files from ftp://ftp.playboy.com/.
• User-, department-, or group-level URL filtering rules blocking access to specific sites will not be enforced for FTP sites
because FTP does not support cookies. Only rules applied to all users will be enforced. For example, if the customer has a
catch-all URL Filtering rule that says "block access to Adult Material," anybody trying to ftp to ftp://ftp.playboy.com/ will
get blocked.

Customer Responsibilities
• The customer is responsible for ensuring that traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the Zscaler admin portal. Otherwise, default settings will
apply.

Bandwidth Control
Overview
Zscaler provides built-in web bandwidth control and traffic shaping capabilities for web applications and URL categories to
ensure that business critical applications are prioritized and that recreational or non-business critical applications do not
affect productivity.

Description
• Zscaler provides bandwidth control at two levels. At the first level, Zscaler provides bandwidth control by location. The
customer can configure maximum upload and download bandwidth limits for each location in the organization. These
limits apply to the entire Internet traffic of the location, irrespective of the web application traffic flowing through the
network. At the second level, for each location, the customer can define bandwidth control policy based on application
classes.
• Zscaler defines the following bandwidth classes: Business & Economy, Financial Apps, General Surfing, Large Files,
Productivity, Sales/Support Apps, Streaming Media/File Share, VoIP, and Web Conferencing. The customer must add
URL categories and cloud applications (or cloud application categories) to the predefined bandwidth classes. The
customer can also add custom application classes that the customer defines.
• In the bandwidth control policy, the customer can set bandwidth control rules to prioritize business-critical applications
and define how bandwidth is allocated when contention occurs. Each rule defines a maximum and minimum
guaranteed percentage of bandwidth for the application classes in the rule along with other parameters like maximum
concurrent connections, location, and time of day.
• The Zscaler bandwidth algorithm allows an application class full bandwidth utilization until there is contention for the
bandwidth by a traffic class with a higher priority. When application classes compete for bandwidth, Zscaler takes
action based on rules that the customer configures in the bandwidth control policy.
• Zscaler rebalances the bandwidth in real time and buffers packets for application classes that hit the bandwidth quota
limit. This behavior ensures that business critical applications get priority, with no deterioration in quality.
• Zscaler applies the policy to all HTTP and HTTPS traffic from the location. The customer does not need to enable SSL
interception because it works at the TCP level.
• The Bandwidth Control dashboard provides real-time visibility into your organization’s bandwidth usage. All customers
can view the Total Bandwidth Consumption graph, even if their organization does not have a Bandwidth Control
subscription. This graph displays the 95th percentile trend line, which is based on the 95th percentile of inbound or
outbound traffic, whichever is higher. Customers can view bandwidth usage in 30-day time intervals, with the ability to
drill down incrementally to 5-minute intervals. Note that all other widgets on the Bandwidth Control dashboard require a
subscription. In addition to the dashboard, administrators for organizations subscribed to Bandwidth Control can
access interactive Bandwidth Control reports and in Web Insights, use the bandwidth control data type and filters to
analyze bandwidth usage.
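How the minimum-guaranteed and maximum percentages in a bandwidth rule play out under contention is worked through in an added example. The allocation model here is an assumption, not Zscaler's published algorithm: without contention every class uses its full demand up to its maximum (the "full bandwidth utilization" case above); under contention each class first receives its guaranteed minimum and the rest is handed out in rule order. The location capacity, demands and percentages are constructed; the class names are the page's.

```python
from typing import Dict, List, Tuple

# (application class, minimum guaranteed %, maximum %) in rule order; earlier
# rules win when classes compete. Values are constructed for illustration.
BandwidthRule = Tuple[str, float, float]


def allocate(cap_mbps: float, rules: List[BandwidthRule],
             demand: Dict[str, float]) -> Dict[str, float]:
    """Share a location's capacity among application classes (assumed model).

    Returns the Mbps granted to each class. Classes not named in any rule get
    nothing, which is why the page says categories must be mapped to classes
    before rules are defined.
    """
    if sum(mn for _, mn, _ in rules) > 100:
        raise ValueError("guaranteed minimums exceed 100% of the location bandwidth")
    # Each class can never exceed its demand or its maximum share.
    want = {c: min(demand.get(c, 0.0), cap_mbps * mx / 100) for c, _, mx in rules}
    if sum(want.values()) <= cap_mbps:
        return want                                   # no contention: full utilisation
    # Contention: guarantee the minimums first ...
    alloc = {c: min(want[c], cap_mbps * mn / 100) for c, mn, _ in rules}
    remaining = cap_mbps - sum(alloc.values())
    # ... then fill classes in rule order (priority) until capacity is spent.
    for c, _, _ in rules:
        extra = min(want[c] - alloc[c], remaining)
        alloc[c] += extra
        remaining -= extra
    return alloc


DEMO_RULES: List[BandwidthRule] = [
    ("Business & Economy", 30, 100),
    ("VoIP", 20, 50),
    ("Streaming Media/File Share", 0, 40),
]

if __name__ == "__main__":
    busy = {"Business & Economy": 60, "VoIP": 30, "Streaming Media/File Share": 50}
    quiet = {"Business & Economy": 20, "VoIP": 10, "Streaming Media/File Share": 30}
    print("contention:   ", allocate(100, DEMO_RULES, busy))
    print("no contention:", allocate(100, DEMO_RULES, quiet))
```

In the contended case streaming is squeezed to what is left after the business and VoIP classes are satisfied, while in the quiet case it keeps its full 30 Mbps even though its guaranteed minimum is zero.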

Customer Responsibilities
• The customer is responsible for ensuring that Internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the Zscaler admin portal. Otherwise, default settings will
apply.
• The customer is responsible for adding URL categories and cloud applications or cloud application categories to the
predefined bandwidth classes before defining bandwidth control rules.
• The customer is responsible for ensuring that the bandwidth values set for each location are correct.
• Authentication is required for Zscaler to enforce user, group, and department policies.

SSL Inspection
Overview
Zscaler can perform SSL inspection and decrypt HTTPS traffic to protect the customer’s organization against dangerous
content hidden in incoming or outgoing HTTPS traffic.

Description
• Zscaler decrypts and inspects HTTPS traffic to and from the user’s browser and to and from the destination server,
blocking any malicious content.
• When performing SSL inspection, Zscaler terminates the SSL connection on the proxy to inspect content, and then
reestablishes the connection to the destination server. Zscaler does the same with the HTTPS traffic from the destination
server to the user’s browser.
• Zscaler provides the following features when an organization enables SSL inspection:
o Granular URL and cloud app control policies: Zscaler can enforce granular user, group, and location policies, as
well as read-only controls.
o Globally bypass URLs and URL categories: The customer can prevent Zscaler from decrypting transactions to
specific URLs or URL categories, as well as to specific cloud applications or cloud application categories.
o Content filtering: The customer can configure Zscaler to enforce SafeSearch, enabling it to block malicious or
inappropriate content in a page, such as during a Google search.
o Block unscannable transactions: The customer can enable Zscaler to block the transactions of applications that
Zscaler cannot decrypt because they use non-standard encryption methods and algorithms.
• Zscaler supports the OCSP protocol to verify the validity of server certificates and block access to sites with server
certificates that are unknown or have a revoked status. Further, Zscaler displays an end user notification when it blocks
access to a site due to a bad certificate (if the certificate issuer is unknown, if the certificate has expired, or if the Common
Name in the certificate does not match) and logs these transactions with “bad server cert” in the policy field.
• Zscaler supports TLS version 1.2.

Customer Responsibilities
• The customer is responsible for ensuring that Internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the Zscaler admin portal. Otherwise, default settings will
apply.
• The customer must ensure that the Zscaler root certificate (or the customer’s own root certificate, if one is used) is
installed in the trust store the browser uses; without it, every inspected site fails certificate validation on the client.
• When the customer enables SSL inspection, the customer is responsible for creating a list of URL categories that are
exempt from SSL inspection (for example, the list may include URLs in the Finance or Health category). The customer
must configure this list carefully because it is applied globally throughout an organization and takes precedence over
per-location SSL scanning.
• Authentication is required for Zscaler to enforce user, group, and department policies.

SSL Inspection with Customer Root Certificate


Overview
For SSL inspection, Zscaler gives the customer the option of using an intermediate certificate signed by the customer’s
own trusted Certificate Authority (CA) (rather than the default Zscaler intermediate certificate).

Description
• The customer can use an intermediate CA certificate signed by the customer’s own root CA.
• The customer can upload a certificate chain in addition to the intermediate certificate, allowing the Zscaler service
to send the intermediate certificate along with the chain to a user’s device during SSL inspection.
• After the signed intermediate certificate has been uploaded to Zscaler, Zscaler can start using it immediately. Zscaler
presents the site certificate generated using the customer’s intermediate certificate to the user’s browser, and the
browser can then validate the intermediate certificate through the root certificate in its certificate store.
• The customer can control the validity period of the intermediate certificate or revoke it on the Zscaler admin portal.
• Certificates are signed with an asymmetric signature algorithm (for example RSA or ECDSA with SHA-256), both for
the Zscaler root CA and for self-signed certificates. AES, a symmetric cipher, cannot sign a certificate; it can only be
used to encrypt the private key at rest.
• If necessary, the customer can locate Certificate Revocation Lists (CRLs) that provide the serial numbers of revoked
certificates. The Zscaler service provides a CRL distribution point (CDP) for every certificate it generates.
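
The responsibilities in both SSL inspection sections (the root installed in the browser, the root still valid) can be verified before rollout. The following Python is an added example, not Zscaler tooling: it walks a trust store in the dictionary form that the standard library’s ssl module returns from get_ca_certs(), finds the interception root by its subject CN, and checks that it is self-signed and in date. The sample store, its dates and the CN "Example Corp Proxy Root CA" are constructed placeholders; system_trust_store() reads the CA set the local OpenSSL build trusts, which is not necessarily the store the browser uses (Firefox keeps its own), so that half of the check has to be repeated per browser.

```python
import ssl
import time

# Constructed entries in the shape returned by ssl.SSLContext.get_ca_certs():
# the interception root we expect to find, plus an unrelated, expired root.
# Names, serials and dates are placeholders, not real certificates.
SAMPLE_TRUST_STORE = [
    {
        "subject": ((("organizationName", "Example Corp"),),
                    (("commonName", "Example Corp Proxy Root CA"),)),
        "issuer": ((("organizationName", "Example Corp"),),
                   (("commonName", "Example Corp Proxy Root CA"),)),
        "notBefore": "Jan  1 00:00:00 2017 GMT",
        "notAfter": "Jan  1 00:00:00 2027 GMT",
        "serialNumber": "01",
        "version": 3,
    },
    {
        "subject": ((("organizationName", "Some Public CA"),),
                    (("commonName", "Some Public Root"),)),
        "issuer": ((("organizationName", "Some Public CA"),),
                   (("commonName", "Some Public Root"),)),
        "notBefore": "Jan  1 00:00:00 2010 GMT",
        "notAfter": "Jan  1 00:00:00 2020 GMT",
        "serialNumber": "02",
        "version": 3,
    },
]


def rdn_value(name, attr):
    """Pull one attribute (e.g. commonName) out of the tuple-of-RDNs form
    the ssl module uses for subject and issuer."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def find_root(certs, common_name):
    """Return the trust-store entry whose subject CN matches, or None."""
    for cert in certs:
        if rdn_value(cert["subject"], "commonName") == common_name:
            return cert
    return None


def is_self_signed(cert):
    """A root is its own issuer; an intermediate uploaded by mistake is not."""
    return cert["subject"] == cert["issuer"]


def is_valid_at(cert, when=None):
    """True if `when` (epoch seconds, default now) lies inside the validity window."""
    when = time.time() if when is None else when
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= when <= end


def check_root(certs, common_name, when=None):
    """Summarise whether the interception root is present, self-signed and in date."""
    cert = find_root(certs, common_name)
    if cert is None:
        return {"present": False, "self_signed": False, "valid": False}
    return {"present": True, "self_signed": is_self_signed(cert),
            "valid": is_valid_at(cert, when)}


def system_trust_store():
    """The CA certificates the local Python/OpenSSL build actually trusts."""
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    return ctx.get_ca_certs()


if __name__ == "__main__":
    print(check_root(SAMPLE_TRUST_STORE, "Example Corp Proxy Root CA"))
    print(check_root(system_trust_store(), "Example Corp Proxy Root CA"))
```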

Customer Responsibilities
• The customer is responsible for ensuring that Internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the Zscaler admin portal. Otherwise, default settings will
apply.
• The customer must ensure that the customer’s root certificate is configured in the browser.
• The customer is responsible for ensuring that the customer’s root certificate is valid in the admin portal.
• Authentication is required for Zscaler to enforce user, group, and department policies.

Data Loss Prevention (DLP)


Overview
Zscaler protects users across devices and networks, scanning Internet traffic, including SSL-encrypted traffic, to monitor or
block any unauthorized or sensitive data leaving the customer’s organization, in accordance with configured policies.

Description
• The customer can configure a DLP policy by adding rules referencing DLP engines which contain one or more DLP
dictionaries.
• DLP dictionaries contain algorithms designed to detect valid number data like credit card and social security numbers or
other kinds of information relevant to the organization’s compliance policies. Zscaler provides multiple predefined
dictionaries. The customer can also create custom dictionaries to which they add phrases or alphanumeric patterns
associated with the data they want to protect.
• DLP engines are collections of DLP dictionaries that enable the identification of sensitive information across multiple
dictionaries. Zscaler provides multiple predefined DLP engines, and the customer can create custom engines as well.
• The customer can define granular policy rules that reference one or more DLP engines for the type of data to identify. In
addition, for each rule the customer can choose to allow or block data that matches one or more of the following criteria: URL
category, cloud application, file type, minimum data size, users, groups, departments, location, and time interval.
• For each rule, the customer can specify whether to send a notification to auditors when a violation occurs. The customer
has the option to include attachments of the violating content.
• Zscaler displays end user notifications when users are blocked. The customer can create custom end user notifications,
configured with images and links to sources that further educate users on compliance policies. The customer can also
redirect users to a URL that hosts the customer’s own end user notifications.
• If the customer’s organization has its own on-premises DLP solution, the customer can configure Zscaler DLP rules to
forward information via secure Internet Content Adaptation Protocol (ICAP) to the DLP server. There are two main options
when forwarding content: using the Zscaler DLP engines, or bypassing them.
o If Zscaler DLP engines are used, the Zscaler service uses its DLP engines to detect, and allow or block,
specified data. It then forwards information to the customer’s DLP server.
o If Zscaler DLP engines are bypassed, the Zscaler DLP engines do not scan for any specific data. The service
only filters, and allows or blocks content, based on specified criteria before forwarding the content to the
customer’s DLP server.
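
The dictionary, engine and rule layers described above, as an added Python example that is not Zscaler’s implementation: a dictionary is a pattern plus a validator (a Luhn check for card numbers, a structural check for SSNs, a plain phrase for a custom dictionary), an engine groups dictionaries behind a hit threshold, and a rule consults its engines only once the payload clears the minimum data size. The upload body, engine names and threshold semantics are constructed for illustration; the card and SSN values are standard test values, not real data.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample upload body (test values only).
SAMPLE_UPLOAD = """Quarterly export
card: 4111 1111 1111 1111 (industry test number, passes Luhn)
card: 4111 1111 1111 1112 (one digit off, fails Luhn)
ssn: 219-09-9999
ssn: 666-12-3456 (area 666 is never issued)
codename: BLUE HERON
"""


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: the validator behind 'valid number data' for cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(ssn: str) -> bool:
    """Structural SSN check: area 001-899 excluding 666, group and serial non-zero."""
    area, group, serial = ssn.split("-")
    return 1 <= int(area) <= 899 and int(area) != 666 and group != "00" and serial != "0000"


@dataclass
class Dictionary:
    """A pattern plus a validator; a match only counts if the validator accepts it."""
    name: str
    pattern: re.Pattern
    validate: Callable[[str], bool] = lambda s: True

    def matches(self, text: str) -> List[str]:
        return [m.group(0) for m in self.pattern.finditer(text) if self.validate(m.group(0))]


@dataclass
class Engine:
    """A set of dictionaries; triggers when validated matches reach the threshold."""
    name: str
    dictionaries: List[Dictionary]
    threshold: int = 1

    def hits(self, text: str) -> Dict[str, List[str]]:
        return {d.name: d.matches(text) for d in self.dictionaries}

    def triggered(self, text: str) -> bool:
        return sum(len(v) for v in self.hits(text).values()) >= self.threshold


@dataclass
class Rule:
    """A policy rule: engines to consult, the action, and a minimum payload size."""
    name: str
    engines: List[Engine]
    action: str = "block"
    min_size: int = 0  # bytes; smaller payloads are not evaluated at all

    def evaluate(self, text: str):
        if len(text.encode("utf-8")) < self.min_size:
            return "allow", {}
        findings = {e.name: e.hits(text) for e in self.engines if e.triggered(text)}
        return (self.action if findings else "allow"), findings


CREDIT_CARD = Dictionary(
    "credit_card",
    re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),  # 13-19 digits, optional separators
    lambda s: luhn_ok(re.sub(r"\D", "", s)),
)
SSN = Dictionary("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok)
CODENAMES = Dictionary("codenames", re.compile(r"\bBLUE HERON\b", re.IGNORECASE))

PCI = Engine("PCI", [CREDIT_CARD])
PII = Engine("PII", [SSN, CODENAMES], threshold=2)  # needs two validated hits
RULE = Rule("Block card data and PII uploads", [PCI, PII], action="block", min_size=32)

if __name__ == "__main__":
    print(RULE.evaluate(SAMPLE_UPLOAD))
```

The validator is what keeps the credit card dictionary from firing on every 16-digit number; the threshold on the PII engine is what keeps a single stray SSN from blocking an upload while two corroborating hits do.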

Customer Responsibilities
• The customer is responsible for ensuring that Internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the Zscaler admin portal. Otherwise, default settings will
apply.
• Authentication is required for Zscaler to enforce user, group, and department policies.

Cloud Application Control


Overview
In addition to URLs, Zscaler enables the customer to manage user access to cloud applications (such as Facebook or
Gmail).

Description
• The customer can create a rule and specify the following criteria: Cloud Applications, Users, Groups, Departments,
Locations, and Time. The rule also allows the customer to set daily quotas by bandwidth or time, and specify whether
Zscaler allows, cautions against, or blocks access.
• Zscaler organizes cloud applications into nine broad categories: Consumer, Enterprise Collaboration, Enterprise
Productivity, Instant Messaging, Sales & Marketing, Social Networking & Blogging, Streaming Media & File Sharing,
System & Development, and Webmail.
• For four of the categories (Instant Messaging, Social Networking & Blogging, Streaming Media & File Sharing, and
Webmail), Zscaler allows the customer to apply read-only controls. For example, the customer can set read-only
controls for social networking sites so that users can read content but not post.
• Zscaler displays end user notifications when users are cautioned or blocked. The customer can create custom end
user notifications, configured in different languages with images and links to sources that further educate users on
compliance policies. The customer can also redirect users to a URL that hosts the customer’s own end user
notifications.
• The cloud application policy takes precedence over the URL filtering policy by default.
• The customer can configure Zscaler to allow users to access Google apps (including Gmail) for specific domains only.
For example, the customer can allow users to sign in to their corporate Gmail accounts, but block them from signing in
to their personal Gmail accounts.
• The customer can send all Office 365 traffic to the Zscaler cloud and enable the Office 365 One-Click Configuration
feature in the Zscaler admin portal. The Zscaler service then automatically performs the necessary configurations to
enable Office 365.
• The Zscaler service fingerprints more than 300 applications, including Office 365 applications, so that customers do
not have to worry about URL changes for Office 365 applications.
• The Zscaler Cloud Applications dashboard features a widget called Cloud Applications Trend, which displays all the
cloud apps used by the customer’s organization. Zscaler has partnered with Skyhigh, CloudLock, and CipherCloud to
provide a risk profile for each application. The customer can point to a cloud app in the widget and view the risk score
provided by all three, as well as the aggregated score provided by Zscaler. The customer can also download the data
as a CSV file for further analysis, but this information is available on the dashboard and as a CSV file only, not in logs.

Customer Responsibilities
• The customer is responsible for ensuring that Internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the Zscaler admin portal. Otherwise, default settings will
apply.
• SSL inspection may be required for applying granular policy to encrypted sites. Otherwise, company-wide policy will
apply.
• Authentication is required for Zscaler to enforce user, group, and department policies.

Zscaler Identity Proxy
Overview
The customer can configure Zscaler as an Identity Provider for the following cloud applications: Salesforce, Box, and Google
Apps. This feature enables the customer to ensure that users can only access these applications through the Zscaler platform.

Description
• The customer can restrict users on their corporate network to accessing these applications only through Zscaler, from
their corporate accounts. Users off the corporate network can access these applications with their corporate credentials
only if they are connecting through Zscaler.
• In addition to configuring settings in the Zscaler admin portal, the customer must configure Zscaler as the Identity Provider
for each application, and also enable single sign-on for each application.
• The login process is transparent for the end user. Once Identity Proxy is configured, and users are authenticated with
Zscaler, users do not need to authenticate again with the cloud applications. Zscaler transforms its authentication cookie
to log users in to the cloud application.
• The customer can log user access to cloud applications from any location or device, as well as from agent-less
deployment.

Customer Responsibilities
• The customer is responsible for ensuring that Internet traffic is forwarded to Zscaler.
• The customer must ensure that an authentication mechanism has been installed and that users are provisioned on the
Zscaler service.
• The customer must enable SSL inspection for locations that use Identity Proxy.
• The customer must configure Zscaler as the Identity Provider for each application.
• The customer must ensure proper settings are configured in the Zscaler admin portal.

File Type Control


Overview
Zscaler enables the customer to manage users’ ability to upload or download various file types.

Description
• The customer can create a rule in the File Type Control policy and specify the following criteria: File type, URL
categories, Users, Groups, Departments, Locations, and Time. The rule allows the customer to distinguish between
uploads and downloads and specify whether Zscaler allows, cautions against, or blocks the upload or download.
• Zscaler defines various file types the customer can control, including Archive (like .zip, 7-zip, or .stuffit),
Audio (like .mp3 or .wav), Executable (like .exe or .lnk), Image (like .bmp, WebP, or .psd), Microsoft Office (like .xls or
.doc), Mobile (like .apk or .ipa), Video (like .avi or .mov), Web Content (like .jar or .js), and other kinds of files.
• The customer can create rules for unknown file types. Zscaler performs MIME type checks for application types which
are not well-defined.
• The customer has the option to block unscannable files or password-protected files.

• Zscaler displays end user notifications when users are cautioned or blocked. The customer can create custom end
user notifications, configured in different languages with images and links to sources that further educate users on
compliance policies. The customer can also redirect users to a URL that hosts the customer’s own end user
notifications.
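
Content-based typing, the extension check, and the unscannable and password-protected cases from the list above, as an added Python example (not Zscaler’s file type engine): the type comes from magic bytes rather than the extension, ZIP containers are opened to tell archives, JARs and Office files apart, bit 0 of the ZIP general-purpose flags marks a password-protected entry, and a container that cannot be parsed is treated as unscannable. The rule dictionary, category names and sample files are constructed; the "locked" ZIP is an ordinary ZIP whose encrypted flag is set by hand, which is enough to exercise the check.

```python
import io
import os
import zipfile

# Signatures consulted before the extension is trusted (constructed, minimal list).
MAGIC = [
    (b"MZ", "executable"),
    (b"%PDF", "document"),
    (b"\x89PNG\r\n\x1a\n", "image"),
    (b"PK\x03\x04", "zip"),
]
EXT_KIND = {".exe": "executable", ".lnk": "executable", ".pdf": "document", ".png": "image",
            ".zip": "archive", ".jar": "web-content", ".docx": "office"}


def classify_zip(data: bytes):
    """Look inside the container: JAR and Office files are ZIPs too, and bit 0 of
    the general-purpose flags marks a password-protected entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return "archive", False, False  # truncated or corrupt: cannot be scanned
    names = {i.filename for i in infos}
    encrypted = any(i.flag_bits & 0x1 for i in infos)
    if "META-INF/MANIFEST.MF" in names:
        return "web-content", encrypted, not encrypted
    if "[Content_Types].xml" in names:
        return "office", encrypted, not encrypted
    return "archive", encrypted, not encrypted


def classify(filename: str, data: bytes) -> dict:
    """Determine the real type from content, then compare it with the extension."""
    kind, encrypted, scannable = "unknown", False, True
    for sig, k in MAGIC:
        if data.startswith(sig):
            kind = k
            break
    if kind == "zip":
        kind, encrypted, scannable = classify_zip(data)
    ext_kind = EXT_KIND.get(os.path.splitext(filename)[1].lower(), "unknown")
    mismatch = kind != "unknown" and ext_kind != "unknown" and kind != ext_kind
    return {"kind": kind, "encrypted": encrypted, "scannable": scannable, "mismatch": mismatch}


def decide(filename: str, data: bytes, rule: dict) -> tuple:
    """Apply a File Type Control style rule and return (action, reason)."""
    info = classify(filename, data)
    if info["encrypted"] and rule.get("block_password_protected"):
        return "block", "password-protected archive"
    if not info["scannable"] and rule.get("block_unscannable"):
        return "block", "unscannable file"
    if info["kind"] in rule.get("block_kinds", set()):
        return "block", f"{info['kind']} not allowed"
    if info["mismatch"] and rule.get("block_mismatch"):
        return "block", "extension does not match content"
    if info["kind"] == "unknown" and rule.get("block_unknown"):
        return "block", "unknown file type"
    return "allow", info["kind"]


# --- constructed samples --------------------------------------------------
def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag in the local and central headers, which is what a
    password-protected ZIP carries; the payload itself is left as it is."""
    b = bytearray(zip_bytes)
    b[6] = 0x01                         # local file header: flags at offset 6
    cd = zip_bytes.find(b"PK\x01\x02")  # central directory header
    b[cd + 8] = 0x01                    # flags at offset 8 within that header
    return bytes(b)


UPLOAD_RULE = {"block_kinds": {"executable", "web-content"}, "block_password_protected": True,
               "block_unscannable": True, "block_mismatch": True}
PE_AS_PDF = ("report.pdf", b"MZ" + b"\x90" * 62)
REAL_PDF = ("report.pdf", b"%PDF-1.7\n%constructed\n")
LOCKED_ZIP = ("q3.zip", mark_encrypted(make_zip({"q3.csv": b"a,b\n1,2\n"})))
JAR = ("plugin.zip", make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}))
DOCX = ("memo.docx", make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"}))
TRUNCATED = ("broken.zip", b"PK\x03\x04" + b"\x00" * 26)

if __name__ == "__main__":
    for name, data in (PE_AS_PDF, REAL_PDF, LOCKED_ZIP, JAR, DOCX, TRUNCATED):
        print(name, decide(name, data, UPLOAD_RULE))
```

The order of the checks matters: a password-protected or unparseable container is reported as such before any category rule, because its real type cannot be established, which is exactly why the policy offers a separate option to block those files.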

Customer Responsibilities
• The customer is responsible for ensuring that Internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the Zscaler admin portal. Otherwise, default settings will
apply.
• SSL inspection may be required for applying granular policy to encrypted sites.
• Authentication is required for Zscaler to enforce user, group, and department policies.

Zscaler App
Overview
The Zscaler App is an app that can be installed on users’ devices to protect their traffic even when they are outside the
corporate network.

Description
• By default, the app captures web traffic from a user’s device, establishes a lightweight tunnel to the Zscaler Enforcement
Node (ZEN) closest to the user, and forwards the traffic through the tunnel so the ZEN can apply security and access
policies as configured in the Zscaler admin portal.
• The app supports all authentication mechanisms supported by the Zscaler service, including SAML with two-factor
authentication.
• The app can detect when users connect to a trusted network and disable its web security service so that user traffic is
forwarded to the Zscaler service via the network’s configured traffic forwarding mechanism.
• The app can detect when users connect to Wi-Fi hotspots that require them to pay or accept a use policy before
accessing the web. The app can disable its web security service for a specified period of time, allowing users to take steps
to access the network, before automatically re-enabling its service. Traffic sent during that window is not inspected, so the
period should be kept as short as the captive portal flow allows.
• In the Zscaler App Portal (a portal dedicated to app management, accessible directly from the Zscaler admin portal), the
customer can configure app settings that the app downloads when users enroll with the Zscaler service. After enrollment,
the app regularly checks for and downloads any updates the customer makes to these settings in the portal.
• The Zscaler App Portal provides a dashboard that provides real-time information about enrolled devices, including the
status of apps running on users’ devices and device fingerprints.
• The customer can modify the app’s behavior. The customer can add a custom PAC file when configuring settings so that
the app forwards web traffic according to its instructions, or the customer can allow users’ browser proxy settings to apply.
• The customer can configure settings to prevent users from disabling the app and bypassing its web security service.
• The customer can configure settings so that the app auto-updates whenever the Zscaler service releases a new version.
The customer also has the option of testing new versions first, then pushing auto-updates from the Zscaler App Portal.

Customer Responsibilities
• The customer must ensure an authentication mechanism has been installed and users have been provisioned on the
Zscaler service.
• The customer must ensure appropriate security and access policies have been configured in the Zscaler admin portal.
• To enable SSL inspection for traffic forwarded by the app, the customer must enable SSL scanning for mobile traffic in
the admin portal.
• The customer is responsible for deploying the Zscaler App on users’ devices.
• The customer is responsible for configuring and managing app settings in the Zscaler App Portal.

Mobile Malware Protection


Overview
Zscaler provides mobile data and app security for Apple and Android mobile devices when devices are connected to a
corporate Wi-Fi network that is sending traffic to Zscaler transparently over a GRE or IPSec tunnel.

Description
• Zscaler scans mobile traffic and provides comprehensive protection against malware and advanced security threats.
• Zscaler can block apps that leak certain types of information. The customer can choose to block apps that send:
o Unencrypted user credentials
o Location information
o Personally identifiable information
o Device identifiers
o Communications to ad servers
o Communications to unknown servers
• Zscaler provides detailed traffic visibility and granular reporting for mobile applications and device types.

Customer Responsibilities
• The customer is responsible for ensuring that Internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the Zscaler admin portal. Otherwise, default settings will
apply.
• SSL inspection may be required for applying granular policy. The customer is responsible for installing the Zscaler root
certificate on user devices.
• Authentication is required for Zscaler to enforce user, group, and department policies.

Mobile Applications Control


Overview
Zscaler can restrict the stores from which users download apps for their mobile devices. Devices must be connected to a
corporate Wi-Fi network that is sending traffic to Zscaler transparently over a GRE or IPSec tunnel.

Description
• Zscaler can enforce rules to restrict the stores from which users download apps for their mobile devices.
• The customer can create rules to allow or block based on the following criteria:
o App stores
o Users
o Groups
o Departments
o Locations
o Time

Customer Responsibilities
• The customer is responsible for ensuring that Internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the Zscaler admin portal. Otherwise, default settings will
apply.
• SSL inspection may be required for applying granular policy. The customer is responsible for installing the Zscaler root
certificate on user devices.
• Authentication is required for Zscaler to enforce user, group, and department policies.

Virtual ZENs (VZENs)


Overview
When the customer has certain requirements that make forwarding their traffic to the Zscaler public ZENs less than ideal, the
customer can extend the Zscaler patented cloud architecture to their organization’s premises by deploying virtual ZENs
(VZENs), which use virtual machines (VMs) to function as full-featured ZENs dedicated to an organization’s traffic. VZENs
perform the same service as the public ZENs in the Zscaler cloud, including support for features such as Next Generation
Firewall, Behavioral Analysis, and Data Loss Prevention.

Description
• VZENs are part of the Zscaler cloud and communicate with it for user authentication and policy updates, and for logging
and reporting. Logs are transmitted to and stored on the Zscaler cloud as a central repository for integrated analytics.
Customers can view and monitor Internet traffic activity on the admin portal dashboard and make full use of the real-time
logging and interactive reporting capabilities of the service.
• An organization can send its Internet traffic to a VZEN through a GRE tunnel, PAC files, or L2 redirect.
• Admins define policies only once, through the admin portal. After users are signed in and authenticated to the Zscaler
service, the service will always apply their policies, whether they connect to an on-premises VZEN or to a public ZEN
anywhere in the world.
• VZENs are easy to deploy and require minimal administration. Customers have full access to the VZENs for monitoring
and configuration. Zscaler does not require access to the VZENs.
• VZENs are horizontally scalable so customers can easily add more VZENs as their traffic increases.

• VZENs are deployed in a cluster, which features built-in load balancers to ensure availability and redundancy. The load
balancers are specifically designed to distribute user traffic evenly across the VZENs. Zscaler does not recommend using
external load balancers.
• VZENs can be deployed in standalone mode for testing purposes only. Zscaler does not support standalone VZENs in
production environments with live user traffic.
• Zscaler offers three VZEN SKUs, targeted for different throughput and performance requirements: small (30 Mbps),
medium (up to 100 Mbps), and large (up to 600 Mbps).
• When a new VZEN software update is available, VZENs in a cluster automatically stagger their updates to ensure high
availability. No administrative interaction is required.
• If a VZEN has intermittent connectivity to the Zscaler cloud, the weblogs are queued and sent when possible instead of
being dropped. The weblogs and their delays are shown in transaction drilldowns in the admin portal. The Nanolog
Streaming Service (NSS) also has fields to distinguish between weblog generation time and weblog transmission time.
• Customers can use SNMP to monitor a VZEN. Traps can be raised in case of an adverse event that impacts traffic
processing. SNMP is configured locally on the VZEN.

Customer Responsibilities
• The customer must forward its Internet traffic to Zscaler.
• The customer must ensure that all requirements to deploy VZENs and run a VZEN cluster as a virtual machine are
met.
• The customer can deploy VZENs behind the firewall or in the DMZ.
• The customer must download and install the virtual appliance.
• A VZEN cluster requires outbound connections to Zscaler. The customer must ensure that their outbound firewall is
configured to allow the necessary connections, as described in the following page: https://ips.<zscaler-cloud-
name>/vzen.html. For example, customers on the zscalertwo.net cloud should go to
https://ips.zscalertwo.net/vzen.html.
• The customer must deploy VZENs in clusters for production environments and have a VZEN subscription for each
VZEN instance in a cluster. A VZEN cluster must contain at least two VZEN instances. Zscaler does not support VZEN
standalones in production environments with live user traffic.
• The customer must adhere to the Hypervisor and VM specifications, as well as Internet bandwidth requirements.

Priority Categorization Service


Overview
Customers who want to reduce the percentage of Zscaler-Uncategorized content traversing their network can subscribe to the
Zscaler Priority Categorization service. This service significantly improves the end user experience for customers with strict
policies that block or caution uncategorized sites. Customers who allow uncategorized content will improve security and
acceptable use policy controls as some uncategorized sites might be sites that would have been blocked if properly
categorized.

Description
• Zscaler examines and assesses the top 100 uncategorized domains (ranked by transaction count) on a daily basis and
categorizes them.
• Zscaler cannot categorize all sites. For example, a site may be unreachable, may be just a login site, or may have no
viewable content. In such cases, Zscaler continues down the list of uncategorized domains until 100 domains have
been categorized. A monthly e-mail report of sites that Zscaler was unable to categorize is sent to the customer. The
customer can attempt to categorize the sites and send them to Zscaler, or manually add them to a custom URL
Category.
• Zscaler performs this categorization every day. The top domains for weekends (Saturday and Sunday) and major
holidays are categorized on the following business day.
• If fewer than 100 uncategorized domains are seen on a given day, Zscaler categorizes only that day’s uncategorized sites.
• Zscaler provides customers with an e-mail alias for questions and feedback that will receive priority responses.

Device Protection
Overview
Zscaler Internet Access (ZIA) protects user (employee, contractor, etc.) traffic and does not by default cover other device
traffic. Some customers have requirements to send other traffic through ZIA for policy control and threat protection. Traffic
that is not user traffic and is considered device-protected traffic includes server-initiated traffic (the server is the client),
other devices calling out to the Internet (IoT, point of sale, public kiosks), and guest Wi-Fi devices (traffic not associated
with a user seat already covered under the service). One example of protecting device traffic is a customer restricting a
server to communicating only with certain IPs or URLs (so that any unexpected server traffic can be reported on). Another
is a customer filtering and protecting infrequent guests who visit its locations and are given access to the guest Wi-Fi
network.

Description
• Allows customers to send non-user traffic (such as server-sourced traffic, IoT, guest Wi-Fi) through Zscaler’s service.
• All subscribed licenses (ATP, DLP, etc.) apply to server traffic as well.
• Traffic is purchased by GB/month.

Customer Responsibilities
• The customer must purchase the appropriate level of monthly traffic, based on their best estimates. Traffic is allowed
to reasonably grow over time without additional charges during the term of the contract as defined in the EUSA. If the
growth amount is exceeded, then the customer must purchase additional GB of monthly traffic.
• The customer must ensure that traffic is directed to the Zscaler service.

Private ZENs (PZENs)
Overview
Some customers have requirements that make forwarding traffic to the public Zscaler Enforcement Nodes (ZENs)
unsuitable (for example, customers who must abide by specific local regulations). In such cases, the customer can extend the
Zscaler-patented cloud architecture to their organization’s premises by deploying private ZENs (PZENs). PZENs use Zscaler
hardware, shipped to the customer and hosted by the customer, to function as full-featured ZENs dedicated to an
organization’s traffic. PZENs perform the same service as the public ZENs in the Zscaler cloud, including support for features
such as Next Generation Firewall, Behavioral Analysis, and Data Loss Prevention.

Description
• PZENs are part of the Zscaler cloud and communicate with it for user authentication and policy updates, as well as for
logging and reporting. Logs are transmitted to and stored on the Zscaler cloud as a central repository for integrated
analytics. Customers can view and monitor Internet traffic activity on the admin portal dashboard and make full use of
the real-time logging and interactive reporting capabilities of the service.
• An organization can send its Internet traffic to a PZEN through a GRE tunnel, PAC files, or L2 redirect.
• Admins define policies only once, through the admin portal. After users are signed in and authenticated to the Zscaler
service, the service will always apply their policies, whether they connect to an on-premises PZEN or to a public ZEN
anywhere in the world.
• PZENs are easy to deploy and require minimal administration. Customers have some access to the PZENs for
monitoring and configuration. Zscaler requires Intelligent Platform Management Interface (IPMI) access to the PZENs.
• PZENs are horizontally scalable so customers can easily add more PZENs as their traffic increases.
• PZENs are deployed in a cluster, which features built-in load balancers to ensure availability and redundancy. The
load balancers are specifically designed to distribute user traffic evenly across the PZENs. Zscaler does not
recommend using external load balancers.
• PZENs can be deployed in standalone mode for testing purposes only. Zscaler does not support standalone PZENs in
production environments with live user traffic.
• When a new PZEN software update is available, PZENs in a cluster will automatically stagger their updates to ensure
high availability. No administrative interaction is required.
• If a PZEN has intermittent connectivity to the Zscaler cloud, the weblogs are queued and sent when possible, instead
of being dropped. The weblogs and their delays are shown in transaction drilldowns in the admin portal. The Nanolog
Streaming Service (NSS) also has fields to distinguish between weblog generation time and weblog transmission time.

Customer Responsibilities
• The customer must forward its Internet traffic to Zscaler.
• The customer must ensure that all requirements to deploy PZENs and run a PZEN cluster are met.
• The customer can deploy PZENs behind the firewall or in the DMZ.
• A PZEN cluster requires outbound connections to Zscaler. The customer must ensure that their outbound firewall is
configured to allow the necessary connections, as described in the following page:
https://ips.<zscaler-cloud-name>/PZEN.html. For example, customers on the zscalertwo.net cloud should go to
https://ips.zscalertwo.net/PZEN.html.
• The customer must deploy PZENs in clusters for production environments and have a PZEN subscription for each
PZEN instance in a cluster. A PZEN cluster must contain at least two PZEN instances. Zscaler does not support PZEN
standalones in production environments with live user traffic.

Private Nanolog Streaming Service (NSS) Appliance for Web Logs


Overview
Zscaler’s private NSS is a Zscaler managed appliance the customer can use to stream web traffic logs in real time from the
Zscaler Nanolog to the customer’s on-premises security information and event management (SIEM) system. NSS helps the
customer comply with regulatory mandates on local log archival, correlate logs from multiple devices, and conduct historical
web log analysis.

Description
• When an organization deploys NSS, NSS opens a secure tunnel to the Nanolog in the Zscaler cloud. The Nanolog
then streams copies of the logs to NSS in a highly compressed format to reduce bandwidth footprint; the original logs
are retained on the Nanolog.
• When NSS receives the logs from the Nanolog, it unscrambles them, applies the configured filters to exclude
unwanted logs, converts the filtered logs to the configured output format so they can be parsed by the customer’s
SIEM, and then streams the logs to the SIEM over a raw TCP connection. Only the NSS-to-Nanolog tunnel is secured; the
raw TCP feed to the SIEM is not, so NSS and the SIEM should share a trusted network segment or the feed should be
tunneled separately.
• For full site redundancy, each organization can subscribe to up to two NSS systems for web logs in an active-active
configuration. Each NSS supports up to eight parallel SIEM connections called feeds. Each feed can have a different
list of fields, a different format, and different filters.
• NSS requires minimal administration. After the customer deploys it, NSS automatically polls Zscaler for updates and
installs them.
• For monitoring purposes, the customer can configure a separate alert feed. Zscaler will send the alerts in an RFC-
compliant syslog format to the specified IP address and port.
• The customer can open a Behavioral Analysis report based on the MD5 parameter retrieved from the logs in the SIEM.

Customer Responsibilities
• The customer must use a SIEM that is interoperable with and supported by Zscaler.
• The customer must ensure that all the requirements to run the NSS appliance are met.
• The customer must ensure that all firewall requirements are met as detailed in
https://ips.<zscaler-cloud-name>/addresses/nss.html. For example, customers on the zscalerone.net cloud should go to
https://ips.zscalerone.net/addresses/nss.html. NSS requires only outbound connections to the Zscaler cloud.

Intelligent Routing (Guest Wi-Fi)
Overview
The Intelligent Routing platform is DNS based, so it can be used with any device and can be deployed within the
enterprise environment or on Guest Wi-Fi. The platform filters DNS responses and uses the same in-line proxy for
inspection and malware protection as the full proxy solution; however, it steers traffic through the proxy only when
Zscaler’s own heuristics indicate that inspection is required.

Description
• With Intelligent Routing, the customer can create security policies for locations using four key features:
o URL filtering by domain category: The customer can select from six filtering options. Each option corresponds to
a predefined group of URL categories that the customer can block.
- All: All sites are blocked.
- Strict: Legal liability sites, including gambling, drugs, profanity, violence, etc., are blocked.
- Moderate: Sites with adult material, such as nudity, pornography, etc., are blocked.
- Minimal: Sites with pornography are blocked.
- None: No sites are blocked.
- Custom: The customer manually selects which URL categories to block.
o Threat Security: This feature is equivalent to the advanced threat protection of the Zscaler service. It provides
basic protection against spyware and malware (including botnets, malicious active content, unauthorized
communication, and XSS) as well as standard Behavioral Analysis of all Windows executable files and Dynamic Link
Libraries (DLLs) downloaded from URLs in suspicious URL categories.
o Safe Search: Safe Search is a search engine setting that filters inappropriate or explicit images out of search
results (Google, Yahoo!, Bing, etc.). Enabling Safe Search in Zscaler forces it on for all end users’ web browsers,
and users cannot bypass the restriction.
o SSL Interception: Enabling SSL interception allows Zscaler to decrypt HTTPS traffic and protect against dangerous
content hidden in incoming or outgoing HTTPS traffic. Because SSL interception requires that Zscaler’s root
certificate first be trusted by the end user’s browser, it is not recommended for Guest Wi-Fi and other deployments
where the protected devices are unmanaged or installing a certificate is not desirable. If the customer does not
enable SSL interception, it can instead block URL categories that attempt to use SSL.
• With Intelligent Routing configured, when an end user requests a website, the DNS query is sent to one of Zscaler’s
anycast DNS servers. Zscaler checks the configured policy for the location to determine which action is required
(Block, Inspect, or Direct):
o If the customer’s policy prohibits the site, the action is Block. The DNS response directs the client to a block
page configured with standard or custom text.
o If the site is unknown or is known to contain malware, the action is Inspect. The DNS response steers the client’s
traffic to the Zscaler cloud for full inspection, and only safe content is returned.
o If the site is allowed by policy, the action is Direct. The client proceeds directly to the site.
• The Intelligent Routing dashboard presents information about the organization from a global view. You can drill down into
individual locations for more granular data, such as the number of transactions allowed or blocked, traffic trend, top
locations, top categories, top domains, and top threats.
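The following is an added illustration of the Block / Inspect / Direct decision described above, written for this document and not Zscaler code. Only the three actions, their precedence, and the names of the six filtering options come from the description; the category labels placed under each option, the sample domain table, and the block-page and proxy addresses are constructed assumptions.

```python
"""Toy model of Intelligent Routing's DNS-based Block / Inspect / Direct decision.

Added illustration, not Zscaler code. The category labels under each filtering
option, the sample domain table, and the block-page and proxy addresses are
constructed assumptions; only the three actions and their precedence come from
the service description.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Assumed mapping of the predefined filtering options to blocked URL categories.
# None is a sentinel meaning "every domain is blocked" (the All option).
FILTER_LEVELS = {
    "All": None,
    "Strict": {"gambling", "drugs", "profanity", "violence"},
    "Moderate": {"nudity", "pornography"},
    "Minimal": {"pornography"},
    "None": set(),
}

# Constructed stand-in for the category and threat lookup. A domain that is
# absent from the table is treated as unknown.
DOMAIN_DB = {
    "news.example":   {"categories": {"news"},        "malicious": False},
    "casino.example": {"categories": {"gambling"},    "malicious": False},
    "adult.example":  {"categories": {"pornography"}, "malicious": False},
    "evil.example":   {"categories": {"software"},    "malicious": True},
}

BLOCK_PAGE_IP = "203.0.113.10"     # assumed address serving the block page
INSPECT_PROXY_IP = "203.0.113.20"  # assumed address of the in-line inspection proxy


@dataclass
class LocationPolicy:
    """Per-location policy: one predefined option, or Custom with an explicit set."""
    filter_level: str = "None"
    custom_blocked: Set[str] = field(default_factory=set)

    def blocked_categories(self) -> Optional[Set[str]]:
        if self.filter_level == "Custom":
            return self.custom_blocked
        return FILTER_LEVELS[self.filter_level]


def decide(domain: str, policy: LocationPolicy, upstream_answer: str) -> Tuple[str, str]:
    """Return (action, A record to hand back) for a DNS query for `domain`.

    Precedence follows the description: a policy prohibition wins (Block), then
    unknown or known-malicious sites are steered to the proxy (Inspect), and
    everything else gets the real upstream answer unchanged (Direct).
    """
    blocked = policy.blocked_categories()
    if blocked is None:                    # "All": nothing is allowed
        return "Block", BLOCK_PAGE_IP
    info = DOMAIN_DB.get(domain)
    if info is not None and info["categories"] & blocked:
        return "Block", BLOCK_PAGE_IP
    if info is None or info["malicious"]:  # unknown or known bad
        return "Inspect", INSPECT_PROXY_IP
    return "Direct", upstream_answer


if __name__ == "__main__":
    real_ip = "198.51.100.7"  # assumed authoritative answer for every sample domain
    names = ("news.example", "casino.example", "adult.example", "evil.example", "unknown.example")
    for level in ("All", "Strict", "Minimal", "None"):
        pol = LocationPolicy(level)
        for name in names:
            print(f"{level:8} {name:16} -> {decide(name, pol, real_ip)}")
```

Running the block prints the decision table for the sample domains under each option. The model also makes the dependency in the Customer Responsibilities visible: the rewritten answer exists only for queries that actually reach Zscaler's resolvers, so a client that resolves names through any other resolver never sees it.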

Customer Responsibilities
• The customer must configure their firewall so that all DNS queries are sent to Zscaler’s anycast DNS servers only; the
policy is applied in the DNS answer, so a client that resolves names through any other resolver bypasses it.
• The customer must ensure proper settings are configured in the Zscaler Intelligent Routing admin portal. Otherwise,
default settings apply.
• If SSL interception is enabled:
o The customer must ensure that Zscaler’s root certificate is trusted by the end user’s browser.
o To exempt specific URL categories from SSL interception (for example, URLs in the Finance or Health category), the
customer must request the exemption via support.
