Zscaler Internet Access Platform Services Document

Zscaler’s Security-as-a-Service cloud platform delivers a safe and productive Internet experience for every user, from any device and from any location. Zscaler effectively moves security into the Internet backbone, operating in more than 100 data centers around the world and enabling organizations to fully leverage the promise of cloud and mobile computing with unparalleled and uncompromising protection and performance. Zscaler delivers unified, carrier-grade Internet security, advanced persistent threat (APT) protection, data loss prevention (DLP), SSL inspection, traffic shaping, policy management and threat intelligence. The Security-as-a-Service cloud platform offers more than just IT scalability; it allows an organization to scale its business operations securely without the need for on-premises hardware, appliances, or software.

ZSCALER CONFIDENTIAL INFORMATION ©2020 Zscaler, Inc. All rights reserved.

Table of Contents

Introduction ..... 8
Zscaler Internet Access: Key Features ..... 9
Zscaler Cloud-Based Architecture ..... 11
SLA for High Availability and Latency ..... 14
Traffic Forwarding: GRE Tunnels, IPSec Tunnels, PAC Files, and Proxy Chaining ..... 15
    Overview ..... 15
    Description ..... 15
    Customer Responsibilities ..... 20
Dedicated Proxy Port ..... 21
    Overview ..... 21
    Description ..... 21
    Customer Responsibilities ..... 21
Authentication: SAML, LDAP, Passwords, Kerberos, ZAB, SCIM, and Surrogate IP ..... 22
    Overview ..... 22
    Description ..... 22
Logging and Reporting ..... 29
    Overview ..... 29
    Description ..... 29
    Customer Responsibilities ..... 30
Zscaler Nanolog Streaming Service (NSS) for Web Logs ..... 31
    Overview ..... 31
    Description ..... 31
    Customer Responsibilities ..... 32
Zscaler Nanolog Streaming Service (NSS) for Firewall and DNS Logs ..... 33
    Overview ..... 33
    Description ..... 33
    Customer Responsibilities ..... 34
Malware Protection ..... 35
    Overview ..... 35
    Description ..... 35
    Customer Responsibilities ..... 36
Advanced Threats Protection ..... 37
    Overview ..... 37
    Description ..... 37
    Customer Responsibilities ..... 38
Sandbox ..... 39
    Overview ..... 39
    Description ..... 39
    Customer Responsibilities ..... 42
Browser Control ..... 43
    Overview ..... 43
    Description ..... 43
    Customer Responsibilities ..... 43
URL Filtering ..... 44
    Overview ..... 44
    Description ..... 44
    Customer Responsibilities ..... 45
Firewall Policy ..... 46
    Overview ..... 46
    Description ..... 46
    Customer Responsibilities ..... 50
FTP Control ..... 51
    Overview ..... 51
    Description ..... 51
    Customer Responsibilities ..... 51
Bandwidth Control ..... 52
    Overview ..... 52
    Description ..... 52
    Customer Responsibilities ..... 53
SSL Inspection ..... 54
    Overview ..... 54
    Description ..... 54
    Customer Responsibilities ..... 55
SSL Inspection with Customer Root Certificate ..... 56
    Overview ..... 56
    Description ..... 56
    Customer Responsibilities ..... 56
Data Loss Prevention (DLP) ..... 58
    Overview ..... 58
    Description ..... 58
    Customer Responsibilities ..... 59
API-based CASB ..... 60
    Overview ..... 60
    Description ..... 60
    Customer Responsibilities ..... 60
Cloud Application Control ..... 61
    Overview ..... 61
    Description ..... 61
    Customer Responsibilities ..... 62
Zscaler Identity Proxy ..... 63
    Overview ..... 63
    Description ..... 63
    Customer Responsibilities ..... 63
File Type Control ..... 64
    Overview ..... 64
    Description ..... 64
    Customer Responsibilities ..... 64
Zscaler Client Connector ..... 65
    Overview ..... 65
    Description ..... 65
    Customer Responsibilities ..... 66
Mobile Malware Protection ..... 67
    Overview ..... 67
    Description ..... 67
    Customer Responsibilities ..... 67
Mobile Applications Control ..... 68
    Overview ..... 68
    Description ..... 68
    Customer Responsibilities ..... 68
Priority Categorization Service ..... 69
    Overview ..... 69
    Description ..... 69
Server/IoT Protection ..... 70
    Overview ..... 70
    Description ..... 70
    Customer Responsibilities ..... 70
Inline Guest Wi-Fi Protection ..... 71
    Overview ..... 71
    Description ..... 71
    Customer Responsibilities ..... 71
Private ZENs (PZENs) ..... 72
    Overview ..... 72
    Description ..... 72
    Customer Responsibilities ..... 73
Virtual ZENs (VZENs) ..... 74
    Overview ..... 74
    Description ..... 74
    Customer Responsibilities ..... 75
Private Service Edge ..... 76
    Overview ..... 76
    Description ..... 76
    Customer Responsibilities ..... 77
Virtual Service Edge ..... 78
    Overview ..... 78
    Description ..... 78
    Customer Responsibilities ..... 79
Private Nanolog Streaming Service (NSS) Appliance for Web Logs ..... 81
    Overview ..... 81
    Description ..... 81
    Customer Responsibilities ..... 82
Intelligent Routing (Guest Wi-Fi) ..... 83
    Overview ..... 83
    Description ..... 83
    Customer Responsibilities ..... 84
Zscaler Test Tenants ..... 86
    Overview ..... 86
    Description ..... 86
    Customer Responsibilities ..... 86
Cloud Browser Isolation ..... 87
    Overview ..... 87
    Description ..... 87
    Customer Responsibilities ..... 88

Introduction

The IT landscape has shifted dramatically in today’s world. Cloud computing, mobility, and the Internet of Things are massive, unstoppable trends and have created new challenges for IT departments, ranging from security against new threat vectors to ensuring compliance with corporate policies and protecting against data loss. Organizations are finding that individual point solutions like firewalls, UTMs, IdPs, and virus scanning have difficulty addressing constantly changing threats and are challenging to tie together in a cohesive fashion to effectively identify and block the full breadth of threats.
Further, organizations are seeing that such centralized, hardware-based security gateways simply no longer make sense in today's perimeter-less Internet, cloud, and mobile-first world. Organizations are looking to cloud-based solutions to reduce security administrative overhead and streamline capital investments in security infrastructure. They are seeing the significant value of purchasing security-as-a-service with a Service Level Agreement (SLA) as opposed to purchasing numerous point products that address individual issues and are limited to the corporate perimeter.

Zscaler Internet Access (ZIA) meets all these needs and more. Zscaler offers a unified Security-as-a-Service cloud platform that seamlessly integrates multiple security and compliance applications without the need for on-premises hardware, appliances, or software. The platform provides pervasive security for an organization’s users, scanning all inbound and outbound traffic in real time to ensure compliance with corporate policies and protection from the latest threats. Further, Zscaler’s cloud platform protects users across locations and devices, following users wherever they may be accessing the Internet, and enables access to transaction logs and interactive reports across devices, locations, applications, and platforms to help organizations understand their global security and compliance posture.

Finally, Zscaler’s multitenant architecture ensures that organizations benefit from the “network effect.” When a new threat is identified for any one of Zscaler’s more than 5,000 customers, Zscaler immediately updates its signatures, thus protecting all users across its network.

Zscaler Internet Access: Key Features

For a list of the ZIA product suites available, see the ZIA Data Sheet.
• Unified Policy and Reporting: Through one unified Zscaler Admin Portal, create and manage security policies, view policy recommendations, and perform reporting and analysis of traffic across devices and locations. You can also access supplemental information quickly with tooltips for each field. Through the customizable Admin Portal dashboard, gain real-time visibility into Internet traffic so that quick action can be taken upon anomalous trends or security threats.
• Role-based Administration: Control what different admins can do in the ZIA Admin Portal by delegating responsibilities and granularly controlling levels of access to the Admin Portal, ensuring that admins do not create conflicting policies and settings.
• Inline Threat Protection: Scan all HTTP/HTTPS inbound/outbound traffic, including SSL encrypted traffic, to secure devices, users, data, and web applications against advanced security threats.
• Behavioral Analysis (BA): Implement non-signature based protection against zero-day exploits.
• Patient 0 Alert: If your Sandbox policy is configured to allow and scan files for the first-time action, the Zscaler service allows users to download unknown files and then sends the files to the Sandbox for behavioral analysis. If a file is found to be malicious, this becomes a patient 0 event.
• URL Filtering: Protect your organization from harmful URLs using granular policies that specify who can access what when, where, and how.
• Cloud Application Control: Manage access to cloud applications like webmail, streaming media, social networking, and instant messaging with granular policies that specify who can access what when, where, and how.
• Bandwidth Control: Allocate bandwidth to prioritize business-critical web applications.
• Data Loss Prevention (DLP): Protect users across devices and networks to ensure data security, data privacy, and regulatory requirements are met.
• Nanolog Streaming Service (NSS): Seamlessly transmit web and firewall logs from the Zscaler Cloud to the enterprise security information and event management (SIEM) in real time.
• Zscaler Splunk App: The Zscaler Splunk App provides detailed dashboards and reporting for all Zscaler products using ZIA Nanolog Streaming and ZPA Log Streaming services. The Zscaler Client Connector for Splunk can also ingest DLP incident information, bringing full context for DLP incidents directly into Splunk.
• User Authentication: Authenticate users with existing security frameworks, including local password files, Active Directory, Open LDAP, SAML, and Kerberos.
• Mobile Security: Apply consistent user-based policy across mobile devices, track mobile traffic, and protect against web-based threats and malicious apps.
• Next Generation Firewall: Protect users connecting to the Internet with application visibility and user access-level controls for all ports and protocols.
• DNS Tunneling Detection: DNS tunneling can be used to circumvent traditional security measures and has the potential to introduce a variety of hazards into networks. To counteract this threat, Zscaler has introduced the ability to detect, control, and analyze tunneling traffic.
• MCAS Integration: You can now set up an MCAS integration within the Admin Portal to allow the Zscaler service to discover and sync Cloud Apps. Integrating with MCAS allows you to utilize the Zscaler service's policy management functionality (i.e., URL filtering, custom category and Cloud App control) for blocking non-sanctioned applications.
• SD-WAN Partner Support: You can now create and manage Software-Defined Wide Area Networking (SD-WAN) partner keys that enable cloud service API access to your locations and VPN credential information.
• IKEv2 Support: Zscaler now supports the Internet Key Exchange version 2 (IKEv2) protocol to negotiate IPSec VPN tunnels. IKEv2 is a faster, less complicated control protocol than IKEv1; it addresses known IKEv1 vulnerabilities and simplifies the Security Association (SA) negotiation process.
• Zscaler Client Connector: Install on devices to protect traffic even when users are outside the corporate network.
• Shift: Protect users with Zscaler’s DNS anycast servers as well as inline inspection and malware protection.
• Virtual Service Edge & Virtual ZENs (VZENs): Deploy to extend Zscaler’s cloud architecture to the customer’s organizational premises using virtual machines (recommended only for organizations with specific regulatory or connectivity requirements).
• Packaging Options: Choose from multiple service packages to best address unique business requirements.
• Support: Receive expert management and monitoring of all deployed security policies.

Zscaler Cloud-Based Architecture

Zscaler operates the world’s largest security-as-a-service cloud platform to provide the industry’s only 100% cloud-delivered web and mobile security solution. The Zscaler platform processes more than 40 billion transactions daily from more than 15 million users in 190 countries, across more than 100 data centers located at strategic inter-connection points across the Internet. All hub data centers are certified as ISO 27001 or SAS70 (or a similar local certification) as applicable and are Tier III facilities with redundant connectivity into multiple backbones and dual power feeds with UPS and backup generators. They also possess fire detection and suppression equipment. Failover from one data center to another is seamless.

Zscaler has a highly scalable, global multi-cloud infrastructure. An organization is provisioned on one cloud and its traffic is processed by that cloud only. The name of the cloud on which an organization is provisioned is specified in the administrative URL that the customer admin uses to log in to Zscaler. For example, if an organization logs into https://admin.zscaler.net, then the organization is provisioned on the zscaler.net cloud.

Each Zscaler cloud has three key components: the Central Authority, ZIA Public Service Edges, and Nanolog clusters.

The Central Authority (CA) is the brain and nervous system of a Zscaler cloud. It monitors the cloud and provides a central location for software and database updates, policy and configuration settings, and threat intelligence. The CA consists of one active server and two servers in passive standby mode. The active CA replicates data in real time to the two standby CAs, so any of them can become active at any time. Each server is hosted in a separate location to ensure fault tolerance.

ZIA Public Service Edges are full-featured inline Internet security gateways that inspect all Internet traffic bi-directionally for malware and enforce security and compliance policies. An organization can forward its traffic to any ZIA Public Service Edge in the world or use the advanced geo-IP resolution capability of Zscaler to direct its users’ traffic to the nearest ZIA Public Service Edge. When the user moves to a different location, the policy follows the user, with the ZIA Public Service Edge downloading the appropriate policy. Each ZIA Public Service Edge can handle hundreds of thousands of concurrent users with millions of concurrent sessions.
Except for sandboxing, all inspection engines run within the ZIA Public Service Edge. Customer traffic is not passed to any other component within the Zscaler infrastructure. The TCP stack on the ZIA Public Service Edge runs in user mode and is specially crafted to ensure multitenancy and data security. ZIA Public Service Edges never store any data to disk. Packet data is held in memory for inspection and then, based on policy, is either forwarded or dropped. Log data generated for every transaction is compressed, tokenized, and exported over secure TLS connections to Log Routers that direct the logs to the Nanolog cluster, hosted in the appropriate geographical region, for each organization. ZIA Public Service Edges are always deployed in active-active load balancing mode all over the world, and the CA monitors the health of ZIA Public Service Edges to ensure availability. Nanolog clusters store transaction logs and provide reports. Each cluster consists of one active server and two servers in passive standby mode. The active Nanolog immediately replicates data to the other two servers, so any of them can become active at any time, with no data loss. Each Nanolog server is hosted in a separate location to ensure fault tolerance. Every second, a Nanolog cluster receives logs from all over the world, correlates them to a specific customer organization, and writes them to disk for high-speed retrieval of reporting and analytics. A Nanolog cluster processes over 12 billion logs per day. Additionally, Zscaler offers a Nanolog Streaming Service (NSS), which uses a virtual appliance to stream web and firewall traffic logs in real time from the Zscaler Nanolog to the customer’s security information and event management (SIEM) system. Additionally, each cloud has various support systems and servers, including: • Sandbox servers, where files selected for BA are sent for analysis and reports are stored. 
• PAC file servers, which host Zscaler PAC files and custom PAC files uploaded to Zscaler. Configuring browsers to use PAC files is one of the traffic forwarding methods that Zscaler supports.
• Administrative interface servers, which provide an intuitive, multi-tenant interface for policy management and reporting.
• Log Routers, which ensure that logs for each organization are stored in the appropriate Nanolog cluster.

All components communicate with each other over encrypted TLS connections.

Finally, Zscaler Feed Central is a separate Zscaler cloud used solely for the centralized distribution of feeds to the Zscaler clouds. Zscaler has a number of partnerships (with Microsoft, Google, RSA, Verisign, and others) for data feeds, including feeds for URL filtering, antivirus definitions, and IP reputation. Zscaler Feed Central distributes its threat intelligence and other feeds to the CA, which then pushes updates to the ZIA Public Service Edges, ensuring that every ZIA Public Service Edge has the latest version of the URL database and the latest malware and threat information.

SLA for High Availability and Latency

With Zscaler's high-performance architecture, customers can enable all features and provide full security to users without compromising performance. Zscaler provides Service Level Agreements (SLAs) for high availability and latency (see http://www.zscaler.com/legal/end-user-subscriptionagreement.php). Customers can verify that the SLAs are being met at https://trust.zscaler.com, which publishes current information about each cloud's status, maintenance, and incident events.
Traffic Forwarding: GRE Tunnels, IPSec Tunnels, PAC Files, and Proxy Chaining

Overview

Customer organizations must forward all Internet traffic to Zscaler so that Zscaler can scan web and mobile traffic bi-directionally. Zscaler supports several methods for forwarding Internet traffic, including GRE tunnels, IPSec tunnels, PAC files, and proxy chaining. Zscaler recommends that customers use a combination of tunneling and PAC files to forward traffic to Zscaler.

If the customer has an internal router, switch, or firewall that supports GRE, and the egress interface has a static IP address, Zscaler recommends that the customer configure a GRE tunnel to forward all outbound traffic from the customer's location to Zscaler. If the customer's router or firewall does not support GRE, or if the customer uses dynamic IP addresses, the customer can use an IPSec VPN tunnel instead. Note that IPSec tunnels add processing overhead on the customer's equipment compared to GRE tunnels, because IPSec encrypts the traffic whereas GRE only encapsulates it. Zscaler also recommends that the customer deploy mechanisms such as IP SLA to monitor tunnel health and enable fast failover. In addition to the GRE or IPSec VPN tunnel, Zscaler recommends that customers install a PAC file for each user to ensure coverage outside the corporate network.

Description

Zscaler supports the following forwarding methods.

GRE Tunnel
• If the customer has an internal router, switch, or firewall that supports GRE, and the egress interface has a static IP address, Zscaler recommends that the customer configure a GRE tunnel to forward all outbound traffic from the customer's location to Zscaler.
• Zscaler recommends that the customer also install a PAC file for each user to ensure coverage outside the corporate network.
• Zscaler recommends the following deployments. They provide visibility into the internal IP addresses, which can be used for Zscaler security policies and logging. They also ensure high availability: if the primary GRE tunnel or an intermediate connection goes down, all traffic is rerouted through the backup GRE tunnel to the secondary data center.
o GRE tunnels from the internal router to the ZIA Public Service Edges: Configure two GRE tunnels from an internal router behind the firewall to the ZIA Public Service Edges: a primary tunnel from the router to a ZIA Public Service Edge in one data center, and a secondary tunnel from the router to a ZIA Public Service Edge in another data center.
o GRE tunnels from the corporate firewall to the ZIA Public Service Edges: Configure two GRE tunnels from the firewall to the ZIA Public Service Edges: a primary tunnel from the firewall to a ZIA Public Service Edge in one data center, and a secondary tunnel from the firewall to a ZIA Public Service Edge in another data center.
• The customer must ensure that if the primary tunnel goes down, the router detects it and changes the routing table or routing instance so that the secondary tunnel is used for traffic forwarding (and vice versa), using mechanisms such as IP SLA that are native to the router.

IPSec VPN Tunnel
• If the customer's router or firewall does not support GRE, or if the customer uses dynamic IP addresses, the customer can use an IPSec VPN tunnel to forward traffic to Zscaler.
• Zscaler recommends that the customer also install a PAC file for each user to ensure coverage outside the corporate network.
• Zscaler recommends the following deployments. They provide visibility into the internal IP addresses, which can be used for Zscaler security policies and logging. They also ensure high availability: if the primary tunnel or an intermediate connection goes down, all traffic is rerouted through the backup tunnel to the secondary data center.
o IPSec tunnels from the internal router to the ZIA Public Service Edges: Configure two IPSec tunnels from an internal router to the ZIA Public Service Edges: a primary tunnel from the router to a ZIA Public Service Edge in one data center, and a secondary tunnel from the router to a ZIA Public Service Edge in another data center.
o IPSec tunnels from the corporate firewall to the ZIA Public Service Edges: Configure two IPSec tunnels from the firewall to the ZIA Public Service Edges: a primary tunnel from the firewall to a ZIA Public Service Edge in one data center, and a secondary tunnel from the firewall to a ZIA Public Service Edge in another data center. On the firewall, the customer defines one rule to send HTTP and HTTPS traffic through the IPSec tunnel to the ZIA Public Service Edges.
• The customer must ensure that if the primary tunnel goes down, the router detects it and changes the routing table or routing instance so that the secondary tunnel is used for traffic forwarding (and vice versa), using mechanisms such as IP SLA that are native to the router.
• IPSec VPN tunnels offer the following benefits:
o They support failover if the primary ZIA Public Service Edge becomes unavailable.
o No configuration is required on computers or laptops.
o Users on the customer's corporate network cannot bypass Zscaler.

PAC Files
• The customer can use either the default PAC file or a custom PAC file hosted by Zscaler.
• The default PAC file uses geo-location to find the ZIA Public Service Edges closest to the user and instructs the browser to forward its Internet traffic to the nearest one. Because the browser itself retrieves the PAC file and forwards traffic accordingly, traffic is forwarded to Zscaler regardless of the network the user is on.
• The customer must ensure that users do not have admin rights, so that they cannot circumvent Zscaler by installing a non-standard browser that ignores the PAC setting.
• Users can have local admin rights, but changing the PAC file itself requires network admin rights.
• Zscaler recommends that the customer either use the Zscaler default PAC file or copy it into a new PAC file and then add any necessary arguments and exceptions.
• Zscaler recommends that the customer use the variables ${GATEWAY} and ${SECONDARY_GATEWAY} to define the primary and secondary ZIA Public Service Edges. The PAC server expands these variables for each request, so the device always connects to the nearest ZIA Public Service Edge regardless of where the device is.
• PAC files offer the following benefits:
o They direct the browser to forward traffic to Zscaler whether the user is onsite or offsite.
o All major browsers support PAC files.
o Microsoft Internet Explorer PAC settings can be enforced organization-wide using Microsoft Active Directory Group Policy Objects (GPOs).

Proxy Chaining
• This is a quick and easy way to forward the customer's traffic to Zscaler for evaluation purposes, but Zscaler does not recommend proxy chaining as a long-term solution: proxy servers that support failover typically support only manual failover, which is not recommended for production environments.
• The customer's organization can configure its proxy server to forward traffic to a ZIA Public Service Edge. This method leverages the customer's existing proxy servers, with no additional changes to the network.
• The latency of the proxy server adds to the traffic forwarding latency.
• If the proxy server also performs caching, downstream authentication could be an issue.
• If the local proxy has a cache, responses served from that cache never reach Zscaler, which can affect policy enforcement and reporting.
• Zscaler recommends that the customer also install a PAC file for each user to ensure coverage outside the corporate network.

Customer Responsibilities
• The customer must ensure that the organization has been provisioned on Zscaler.
• The customer must use one of the supported methods to forward its Internet traffic to Zscaler, verify that the traffic is actually reaching Zscaler, and ensure redundancy.
• The customer must ensure that firewall configurations and network settings allow the types of traffic necessary. See https://ips.<zscaler-cloud-name>/addresses. For example, customers on the zscalerone cloud should go to https://ips.zscalerone.net/addresses.
• The customer is responsible for ensuring that internal traffic (to the corporate intranet) is not directed to Zscaler.
• For GRE and IPSec tunnels and proxy chaining, the customer must use hardware that is interoperable with and supported by Zscaler. The customer must ensure that the hardware is installed and operated according to the applicable third-party vendor specifications and recommendations, and that it has the capacity required for forwarding traffic to Zscaler.

Dedicated Proxy Port

Overview

The customer can subscribe to one or more dedicated proxy ports, associate them with a location, and then forward the organization's remote user traffic to those ports.
Description

Forwarding remote users to the customer's subscribed ports enables Zscaler to do the following:
• When SSL inspection is enabled at the location, apply all the SSL settings to remote user traffic, including the ability to exclude URL categories and custom domains from decryption. This also allows remote users to authenticate automatically using the customer's SAML identity provider (IdP).
• Apply the location's policies, instead of the default policy, to remote user traffic that cannot be authenticated, such as transactions from unknown user agents or non-HTTP protocols.
• Support FTP over HTTP for remote users, enabling Zscaler's anti-virus engine to scan content for viruses and spyware when a remote user's browser connects to FTP sites and downloads files.
• Identify a remote user's organization and display its logo on the login page. In addition, if SAML authentication is used, remote users are not prompted to enter their login name.
• The customer can indicate a port preference in the range 10001 to 60000. If the port is available, it is allocated to the customer; otherwise, a random unused port is allocated.

Customer Responsibilities
• The customer is responsible for ensuring that Internet traffic is forwarded to the subscribed proxy port.
• The customer must ensure that the proper settings are configured in the ZIA Admin Portal.
• The customer must ensure that the first transaction is one that Zscaler can authenticate. The first transaction may be an HTTPS transaction from a browser if Zscaler is permitted to temporarily intercept it.
• The customer is responsible for loading the SSL certificates used for interception as trusted certificates on the browser, so that SSL interception does not trigger browser warnings.
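The following is an added example, not Zscaler's default PAC file, illustrating the PAC-file guidance in the Traffic Forwarding section above and the forwarding of remote users to a dedicated proxy port: intranet and private-address traffic goes direct (a customer responsibility), and everything else goes to the nearest ZIA Public Service Edge with the secondary as failover. It assumes that the Zscaler PAC server expands the ${GATEWAY} and ${SECONDARY_GATEWAY} placeholders when the browser fetches the file, that "corp.example" stands for the customer's internal DNS domain, and that port 10500 stands for a subscribed dedicated proxy port (a hypothetical value; a location without one would use port 80). The shim functions at the end only exist so the file can be run under Node for testing; a browser's PAC engine provides those built-ins itself.

```javascript
// Added example PAC file (constructed for this document, not Zscaler's own).
// Placeholders ${GATEWAY} / ${SECONDARY_GATEWAY} are expanded by the Zscaler
// PAC server; "corp.example" and port 10500 are hypothetical values.

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Intranet traffic must never be sent to Zscaler: plain (non-FQDN) names
  // and anything under the internal domain go direct. dnsDomainIs() is
  // anchored on the leading dot, so "hr.corp.example.attacker.test" does
  // not match and is still proxied.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }

  // Private and loopback destinations written as IP literals also go direct.
  // Only literals are checked: isInNet() resolves hostnames, and resolving
  // every hostname from the PAC leaks each lookup to the local resolver and
  // slows page loads.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0") ||
       isInNet(host, "127.0.0.0", "255.0.0.0"))) {
    return "DIRECT";
  }

  // Everything else: nearest ZIA Public Service Edge first, the secondary
  // as failover, both on the (hypothetical) dedicated port. No trailing
  // "; DIRECT": if both are unreachable the browser fails closed instead
  // of silently bypassing inspection.
  return "PROXY ${GATEWAY}:10500; PROXY ${SECONDARY_GATEWAY}:10500";
}

// ---- Test shims: let this file run under Node. A browser's PAC engine
// provides these built-ins; remove this section from the deployed PAC. ----
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length > domain.length && host.slice(-domain.length) === domain;
}
function ipToInt(ip) {
  // Dotted quad -> unsigned 32-bit integer.
  return ip.split(".").reduce((n, octet) => ((n << 8) + Number(octet)) >>> 0, 0);
}
function isInNet(ip, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false; // a real engine would resolve
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
```

When building a production PAC, start from the Zscaler default PAC file as the guidance above recommends and add exceptions of this shape to it; the decision to omit the trailing "DIRECT" is a fail-closed versus fail-open choice that should be made deliberately, since a fail-open PAC lets a user with a blocked outbound path reach the Internet uninspected.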
Authentication: SAML, LDAP, Passwords, Kerberos, ZAB, SCIM, and Surrogate IP

Overview

Authentication enables Zscaler to identify the user behind the traffic it receives, so that it can enforce the configured department, group, and user policies and provide user- and department-level logging and reporting. Though Zscaler supports various mechanisms, it recommends deploying identity federation using SAML for provisioning and authentication.

Description

Zscaler supports the following methods for authentication.

Security Assertion Markup Language (SAML)

Description
• Zscaler supports SAML 2.0 with HTTP POST binding for authentication.
• This is the method Zscaler recommends for authentication.
• Using SAML for authentication enables Single Sign-On (SSO): users authenticate once to an identity provider (IdP) and then access various services.
• SAML requires no changes to the existing firewall, but remote users who are trying to authenticate need to be able to reach the SAML IdP from the Internet.
• First-time Zscaler authentication can be made transparent to the user.
• SAML can be obtained for free through some Zscaler partners.

Requirements
• Obtain the SAML service and implement it.
• If the customer wants to use a cloud-based IdP, the customer must check its availability in their region.

Secure Lightweight Directory Access Protocol (LDAP)

Description
• If the customer's organization uses a directory server such as Active Directory (AD) or an LDAP server to manage user information, Zscaler can synchronize user information from the directory server to the Zscaler database and perform an LDAP query against the directory server to authenticate those users.
• With LDAP, the customer's organization can use its existing authentication infrastructure; no software or hardware installation is required on site.
• Zscaler synchronizes only the email address, the name, and the user's group and department. Passwords are not synchronized or saved in the Zscaler cloud.

Requirements
• The customer must configure the firewall to allow inbound LDAP connections from the Zscaler service, as described at https://ips.<zscaler-cloud-name>/addresses. For example, customers on the zscalerone cloud should go to https://ips.zscalerone.net/addresses.
• Zscaler must have read-only access to the directory.
• The directory server must allow Zscaler to perform an LDAP BIND.

Passwords (Used with Hosted User Database only)

Description
• When users are added directly to the Zscaler database (by entering information manually in the ZIA Admin Portal, importing a CSV file, or using ZAB), Zscaler can perform password-based authentication.
• The passwords are uploaded to the Zscaler database with the username, group, and department information. Passwords are stored in the database in salted, hashed form.
• Valid email addresses are not required if the customer administrator manages password changes. With one-time tokens enabled, valid email addresses are required, but users then manage their own password changes and the customer administrator need not.
• The customer can define password complexity and configure expiry periods. For additional security, the customer can require users to choose a password different from their corporate password.
• No software or hardware installation is required on site.

Requirements
• Administrators need to manage passwords if valid email addresses are not used.
Kerberos

Description
• Kerberos is a ticket-based authentication protocol that does not rely on cookies, so Zscaler can authenticate users for applications that do not use cookies, such as Office 365.
• Kerberos enables SSO. Users authenticate once with their domain controller when they log in to the corporate domain; they do not have to log in and authenticate to Zscaler separately.
• The customer's organization can use Kerberos as its sole authentication method or combine it with another method, such as SAML or LDAP.
• Kerberos is a secure open-standard protocol that most operating systems support, including Windows 7, Windows 8, OS X, Linux, and FreeBSD. Most browsers also support Kerberos authentication, including Internet Explorer, Firefox, and Safari.
• It can be used to authenticate remote users (DirectAccess or a third-party VPN solution that provides connectivity to the domain controller is required).
• Zscaler can enforce granular user, group, and department policies on browser-based FTP transactions as well as HTTPS transactions without having to decrypt the HTTPS transactions, because the browser presents its Kerberos ticket to the proxy itself rather than to the destination site.
• The customer's organization does not need to configure its firewall to allow incoming connections from the ZIA Public Service Edges.
• Zscaler does not support Kerberos on Windows XP, Apple iOS, or Android devices.

Requirements
• The customer must use a PAC file to forward traffic to Zscaler. Zscaler supports Kerberos authentication only for traffic forwarded in explicit (proxy) mode. Therefore, even if a location forwards traffic to Zscaler through a GRE or IPSec tunnel, the customer must use a PAC file so that the browser addresses Zscaler as a proxy.
• Users must be provisioned on Zscaler before they can use Kerberos for authentication.
The login name used for provisioning must be identical to the name in the Kerberos ticket.
• Ensure that the on-site DNS server can resolve Zscaler host names (the Zscaler PAC servers; the Central Authority (CA), which hosts the Zscaler Key Distribution Center (KDC); and the ZIA Public Service Edges). If this is not possible from the location, the customer's organization must conditionally forward resolution of the Zscaler cloud domain to the Zscaler DNS servers.
• The Zscaler KDC must be reachable from the users' computers.
• The domain controller must be reachable from the users' computers.
• Additionally, the following are required in a Windows environment:
o A domain controller that runs Windows Server 2003 or later.
o Client devices that run Windows Vista or later.

Zscaler Authentication Bridge (ZAB)

Description
• ZAB is a virtual appliance that enables the customer's organization to provision users by automatically importing user information from an AD or LDAP server into the Zscaler database, without requiring inbound connections to the customer's directory server.
• ZAB can be used solely as a provisioning tool in conjunction with another authentication mechanism, such as SAML or Kerberos. Alternatively, it can be used for authentication as well, using LDAP with SSL client certificates.
• The virtual appliance is managed and maintained by the customer's organization.
• ZAB requires minimal administration. After deploying it, the customer can configure it to synchronize user data on demand or automatically on a daily, weekly, or monthly schedule.
• ZAB does not synchronize passwords. Passwords are always stored and maintained on the customer's directory server.

Requirements
• The customer must download and install the virtual appliance.
• The customer must adhere to the resource requirements of the virtual appliance and hypervisor.
• ZAB requires only outbound connections to Zscaler. The customer must ensure that the outbound firewall allows the necessary connections, as described at https://ips.<zscaler-cloud-name>/addresses/zab.html. For example, customers on the zscalerone cloud should go to https://ips.zscalerone.net/addresses/zab.html.

Customer Responsibilities
• The customer must forward its Internet traffic to Zscaler.
• The customer must use one of the supported methods to authenticate users.
• The customer must use third-party software and hardware that are interoperable with and supported by Zscaler. The customer must ensure that the software and hardware are installed and operated according to the applicable third-party vendor specifications and recommendations, and that they have the necessary capacity.

Surrogate IP

Description
• The customer can enable the Zscaler service to map a user to a device IP address, so that it applies the user's policies, instead of the location's policies, to traffic it receives from unknown user agents and, optionally, from known browsers.
• If the customer enables Surrogate IP for known browsers, the service uses the IP-to-user mapping to authenticate users and apply user policies even when users browse to sites that support cookies. This lets the service authenticate without requiring the browser to complete HTTP redirects for every transaction, preserving performance even for users who connect, for example, over high-latency satellite links.
• If the user browses the Internet from multiple IP addresses, the service maps all of those IP addresses to the user and associates the transactions with the user in the logs.
• If the customer enables this feature on a location with at least one subscribed port, the service maps the external IP address, not the internal or device IP address, to the user, so that it can apply user-level policies to remote user traffic that it cannot authenticate. Note that remote users who share an external address (for example, behind the same NAT) therefore share that mapping.

Requirements
• The customer's organization must forward traffic to Zscaler with one of the following methods:
o A GRE or IPSec tunnel without NAT, so that the device IP address is visible to Zscaler.
o Proxy chaining with the XFF Forwarding option enabled on the location.
o A dedicated proxy port.
• The customer must enable authentication for the location in the ZIA Admin Portal.
• The customer must enable this feature in the ZIA Admin Portal.

NOTE: There can be scenarios in which the service does not authenticate traffic (for example, traffic to URLs or cloud apps that were selected under the Authentication Bypass setting in the ZIA Admin Portal, or traffic to applications that do not support cookie-based authentication). For policies in which users and departments can be specified in the criteria, the customer controls which rules the service applies to such unauthenticated traffic. This is useful for customers who place a default block on Internet traffic (that is, a URL filtering rule that blocks all traffic not explicitly allowed by the URL filtering policy).

Logging and Reporting

Overview

Zscaler gives the customer instant, detailed visibility into globally correlated user transaction logs across devices, locations, applications, and platforms. Zscaler's dashboards provide real-time visibility into the customer's Internet traffic, so that Internet usage can be tracked and action taken quickly on anomalous trends or security threats.
Zscaler's Analytics lets the customer interactively mine billions of transaction logs for reports that provide insight into specific queries.

Description
• Zscaler automatically logs all user transactions and stores them in the Zscaler cloud. Transactions are stored for six months. To comply with local laws and regulations, the customer can specify the geographical region in which logs are stored. For example, a German organization may have its logs stored in Europe.
• Zscaler logs only traffic metadata, user and company binary identifiers, and other transaction information. The logs contain no content. For example, if a user sends email through Gmail or a similar service, Zscaler logs information about the transaction, not the content of the email.
• Zscaler does not keep any data relevant to PCI/HIPAA compliance in its cloud.
• Multiple dashboards provide different views and present data in interactive charts, so the customer can jump instantly from a chart to individual transactions.
• The customer can generate real-time reports that give specific insight into web and mobile activity by user, department, or location. Zscaler offers a wide range of standard reports, and the customer can create custom reports.
• Zscaler also provides an HTML-based Executive Report designed for sharing by email or in print with an organization's executive audience. The report provides a snapshot of the organization's security posture and highlights the value derived from the Zscaler platform.
• Interactive CIO and CISO reports provide detailed information in graphical widgets and allow readers to drill down into the logs and analytics behind the information.
• The customer can schedule reports for regular delivery to specified recipients.
• The customer can exclude locations from all user-related reports in the dashboard, Interactive Reports, and the Executive Report.
• The customer can drill down seamlessly from any dashboard or report to the logs, where they can view details such as the specific URLs that users requested, the risk score of each URL, and much more. The customer can also annotate any dashboard or report with notes.
• As the customer works with data for reporting, the tool records the workflow in the History bar below the chart. Every time the customer changes the chart, such as by adding a filter or changing the chart type, the ZIA Admin Portal adds the previous version to the History bar. The customer can then click any chart in the History bar to see it again.
• The customer can also implement role-based reporting, defining different roles for different users and specifying which reports and dashboards those users can access.
• Admins can customize their dashboards if their role includes full dashboard access.
• CIO, CTO, and CISO Insights reports provide monthly summaries of the organization's IT and security posture.
• An Industry Peer Comparison report compares the customer's organization's performance to that of both peer organizations and all organizations using the Zscaler service.
• A Company Risk Score report allows organizations to monitor and assess their organizational, departmental, location, and user-level risk exposure.
• A Security Policy Audit report lets the customer review their security policy settings and improve them by following best-practice guidelines.

Customer Responsibilities
• The customer is responsible for ensuring that Internet traffic is forwarded to Zscaler.
• Authentication is required for user and department logging and reporting.
Zscaler Nanolog Streaming Service (NSS) for Web Logs

Overview

Zscaler's NSS is a virtual machine (VM) that the customer can use to stream web traffic logs in real time from the Zscaler Nanolog to the customer's on-premises security information and event management (SIEM) system. NSS helps the customer comply with regulatory mandates on local log archival, correlate logs from multiple devices, and conduct historical web log analysis.

Description
• When an organization deploys NSS, NSS opens a secure tunnel to the Nanolog in the Zscaler cloud. The Nanolog then streams copies of the logs to NSS in a highly compressed format to reduce the bandwidth footprint; the original logs are retained on the Nanolog.
• When NSS receives the logs from the Nanolog, it decodes them, applies the configured filters to exclude unwanted logs, converts the filtered logs to the configured output format so that the customer's SIEM can parse them, and then streams the logs to the SIEM over a raw TCP connection.
• For full site redundancy, each organization can subscribe to up to two NSS systems for web logs in an active-active configuration. Each NSS supports up to eight parallel SIEM connections, called feeds. Each feed can have a different list of fields, a different format, and different filters.
• NSS can be deployed on VMware, AWS, or Azure.
• NSS requires minimal administration. After the customer deploys it, NSS automatically polls Zscaler for updates and installs them.
• For monitoring purposes, the customer can configure a separate alert feed. Zscaler sends the alerts in RFC-compliant syslog format to the specified IP address and port.
• The customer can open a Sandbox report based on the MD5 parameter retrieved from the logs in the SIEM.
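The following is an added example (not Zscaler's code) of the SIEM side of the feed described above: it compiles a feed output-format string into a record parser and then runs a simple detection, picking out blocked transactions that carry a file hash, which are the records from which an analyst would pivot to a Sandbox report by MD5. It assumes that an NSS feed format is written with %s{field} (string) and %d{field} (integer) tokens separated by literal text; the field names and the sample records are constructed for this example rather than taken from a live feed.

```javascript
// Added example, not Zscaler code. Assumed feed syntax: %s{name} / %d{name}
// tokens separated by literal text. Field names and records are constructed.

// The output format as it would be configured on the NSS feed (assumed syntax).
const FEED_FORMAT =
  "%s{time}\t%s{login}\t%s{location}\t%s{action}\t%s{reason}\t%s{url}\t%d{respsize}\t%s{md5}";

// Split a format string into alternating literal separators and field specs.
function compileFormat(format) {
  const tokenRe = /%([sd])\{([A-Za-z0-9_]+)\}/g;
  const fields = [];
  const literals = [];
  let last = 0;
  let m;
  while ((m = tokenRe.exec(format)) !== null) {
    literals.push(format.slice(last, m.index));
    fields.push({ name: m[2], numeric: m[1] === "d" });
    last = m.index + m[0].length;
  }
  literals.push(format.slice(last)); // trailing literal, often ""
  return { fields, literals };
}

// Parse one record against a compiled format. Returns null when the
// separators do not line up, so a truncated or injected line is never
// silently mapped onto the wrong fields.
function parseRecord(compiled, line) {
  const { fields, literals } = compiled;
  if (!line.startsWith(literals[0])) return null;
  let pos = literals[0].length;
  const record = {};
  for (let i = 0; i < fields.length; i++) {
    const sep = literals[i + 1];
    const isLast = i === fields.length - 1;
    let end;
    if (isLast && sep === "") {
      end = line.length; // last field runs to end of line
    } else {
      end = line.indexOf(sep, pos);
      if (end < 0) return null;
    }
    const raw = line.slice(pos, end);
    if (fields[i].numeric) {
      if (!/^-?\d+$/.test(raw)) return null;
      record[fields[i].name] = Number(raw);
    } else {
      record[fields[i].name] = raw;
    }
    pos = end + sep.length;
  }
  return pos === line.length ? record : null;
}

// Detection: blocked transactions that carry a file hash (candidates for a
// Sandbox report lookup by MD5).
function blockedWithHash(records) {
  return records.filter(
    (r) => r.action === "Blocked" && /^[0-9a-f]{32}$/i.test(r.md5)
  );
}

// Run a batch of feed lines: keep well-formed records, set malformed lines
// aside for investigation, and return the detection hits.
function processFeed(format, lines) {
  const compiled = compileFormat(format);
  const records = [];
  const malformed = [];
  for (const line of lines) {
    const rec = parseRecord(compiled, line);
    if (rec) records.push(rec);
    else malformed.push(line);
  }
  return { records, malformed, hits: blockedWithHash(records) };
}

// Constructed sample records laid out as FEED_FORMAT describes.
const SAMPLE_LINES = [
  "Mon Jun 01 10:00:01 2020\talice@corp.example\tHQ\tAllowed\tNone\thttps://www.example.com/\t1532\t",
  "Mon Jun 01 10:00:05 2020\tbob@corp.example\tHQ\tBlocked\tMalware Protection\thttp://dl.example.net/setup.exe\t0\t0123456789abcdef0123456789abcdef",
  "Mon Jun 01 10:00:09 2020\tcarol@corp.example\tHQ\tBlocked\tURL Filtering\thttp://gambling.example/\t0\t",
  "truncated record with no separators",
];

const RESULT = processFeed(FEED_FORMAT, SAMPLE_LINES);
```

Two points for deployment: choose a separator that cannot appear inside a field value (a tab is safer than a comma for URLs), because the parser above relies on the literal separators to delimit fields; and since the NSS-to-SIEM leg is a raw TCP stream, keep it on a trusted network segment or wrap it in a tunnel of your own rather than crossing untrusted networks with it.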
Customer Responsibilities
• The customer must use a SIEM that is interoperable with and supported by Zscaler.
• The customer must ensure that all the requirements to run NSS as a virtual machine are met.
• The customer must adhere to the hypervisor, VM specification, and Internet bandwidth requirements.
• The customer must ensure that all firewall requirements are met, as detailed at https://ips.<zscaler-cloud-name>/addresses/nss.html. For example, customers on the zscalerone cloud should go to https://ips.zscalerone.net/addresses/nss.html. NSS requires only outbound connections to the Zscaler cloud.

Zscaler Nanolog Streaming Service (NSS) for Firewall and DNS Logs

Overview

Zscaler's NSS for Firewall is a virtual machine (VM) that the customer can use to stream firewall and DNS logs in real time from the Zscaler Nanolog to the customer's on-premises security information and event management (SIEM) system. NSS helps the customer comply with regulatory mandates on local log archival, correlate logs from multiple devices, and conduct historical firewall and DNS log analysis.

Description
• When an organization deploys NSS, NSS opens a secure tunnel to the Nanolog in the Zscaler cloud. The Nanolog then streams copies of the firewall and DNS logs to NSS in a highly compressed format to reduce the bandwidth footprint; the original logs are retained on the Nanolog.
• For firewall logs, the customer can stream full session logs (every session matching a firewall rule is logged individually, except HTTPS), aggregate logs (individual sessions are grouped by {user, rule, network service, network application} and recorded periodically), or both. For DNS logs, the customer can stream a log for each request.
• When NSS receives the logs from the Nanolog, it unscrambles them, applies the configured filters to exclude unwanted logs, converts the filtered logs to the configured output format so they can be parsed by the customer’s SIEM, and then streams the logs to the SIEM over a raw TCP connection.
• For full site redundancy, each organization can subscribe to up to two NSS systems (for firewall and DNS logs) in an active-active configuration. Each NSS supports up to eight parallel SIEM connections called feeds. Each feed can have a different list of fields, a different format, and different filters.
• NSS can be deployed via VMware, AWS, or Azure.
• NSS requires minimal administration. After the customer deploys it, NSS automatically polls Zscaler for updates and installs them.
• For monitoring purposes, the customer can configure a separate alert feed. Zscaler will send the alerts in an RFC-compliant syslog format to the specified IP address and port.

Customer Responsibilities

• The customer must use a SIEM that is interoperable with and supported by Zscaler.
• The customer must ensure that all the requirements to run NSS as a virtual machine are met.
• The customer must adhere to the hypervisor, VM specification, and internet bandwidth requirements.
• The customer must ensure that all firewall requirements are met as detailed in https://ips.<zscaler-cloudname>/addresses/nss.html. For example, customers on the zscalerone cloud should go to https://ips.zscalerone.net/addresses/nss.html. NSS requires only outbound connections to the Zscaler cloud.

Malware Protection

Overview

Zscaler provides inline signature-based anti-malware protection, detecting and blocking all known viruses, spyware, and other kinds of malware.
Description

• Zscaler scans inbound and outbound HTTP traffic (and HTTPS traffic if SSL Inspection is enabled) in real time with near-zero latency. Zscaler scans files with up to five layers of recursive compression.
• Zscaler uses a real-time signature database of objects on the internet known to be unsafe and runs the customer’s traffic through multiple anti-virus engines.
• Zscaler runs the customer’s traffic through multiple engines and leverages malware feeds from more than 20 threat-sharing partners like Microsoft, Adobe, and Google.
• Zscaler has a recommended default malware protection policy to ensure the security of the customer’s traffic. While the customer can modify this default policy, Zscaler recommends that the customer not change the default settings.
• By default, Zscaler allows users to upload and download password-protected archive files, but the customer can change these settings to suit business needs.
• By default, Zscaler allows users to upload and download files that are not scannable because they are in an unrecognized file format, excessive in size, or recursively compressed, but the customer can change these settings to suit business needs.
• Zscaler displays end user notifications when users are blocked. The customer can create custom end user notifications, configured in different languages with images and links to sources that further educate users on compliance policies. The customer can also redirect users to a URL that hosts the customer’s own end user notifications and use JavaScript to display content in other languages.

Customer Responsibilities

• The customer is responsible for ensuring that internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the ZIA Admin Portal. Otherwise, default settings will apply.
• Authentication is required for Zscaler to enforce user, group, and department policies.

Advanced Threats Protection

Overview

Zscaler’s Advanced Threats Protection provides a variety of advanced security features.

Description

• Zscaler identifies suspicious content within a page (injected scripts, vulnerable ActiveX, zero-pixel iFrames, and much more) as well as domain information to calculate a Zscaler PageRisk™ score. This score is evaluated against a PageRisk™ tolerance value that the customer sets, and Zscaler allows or blocks the page depending on the value.
• Zscaler leverages malware feeds from more than 20 threat-sharing partners like Microsoft, Adobe, and Google to protect against the latest threats.
• Zscaler’s Advanced Threats Protection policy provides access to the following features:
  o Botnet Protection: Zscaler can protect against botnets that could be secretly installed on user devices to perform malicious tasks at the instruction of Command & Control servers.
  o Malicious Active Content Protection: Zscaler can protect against websites that attempt to download dangerous content to user browsers.
  o Fraud Protection: Zscaler can protect against phishing sites that mimic legitimate sites (such as banking and financial sites) in order to collect confidential information.
  o Cross-Site Scripting (XSS) Protection: Zscaler can protect against XSS, in which malicious code injected into websites is downloaded to user browsers from compromised web servers.
  o Suspicious Destinations Protection: Zscaler can block requests to any country based on the ISO 3166 mapping of countries to their IP address space. Websites are blocked based on the location of the web server.
  o Unauthorized Communication Protection: Zscaler can protect against communications like IRC tunneling applications and "anonymizer" sites that are used to bypass firewalls and proxies.
  o Peer-to-Peer (P2P) File Sharing Protection: Zscaler can block BitTorrent, an application that could enable users to illegally share copyrighted or protected content.
  o P2P Anonymizer Protection: Zscaler can block Tor, an application that could enable users to bypass policies controlling what websites they might visit or internet resources they might access.
  o P2P VoIP Protection: Zscaler can block applications like Google Talk and Skype to protect against the high bandwidth utilization associated with such applications.
• Zscaler displays end user notifications when users are blocked. The customer can create custom end user notifications, configured in different languages with images and links to sources that further educate users on compliance policies. The customer can also redirect users to a URL that hosts the customer’s own end user notifications and use JavaScript to display content in other languages.

Customer Responsibilities

• The customer is responsible for ensuring that internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the ZIA Admin Portal. Otherwise, default settings will apply.
• Authentication is required for Zscaler to enforce user, group, and department policies.

Sandbox

Overview

Zscaler provides an additional layer of security against zero-day threats and Advanced Persistent Threats (APTs) with integrated file sandboxing analysis. Zscaler offers two versions: Standard and Cloud Sandbox.
Description

Standard Sandbox

• Zscaler conducts sandboxing analysis on suspicious Windows executables and Windows libraries downloaded from suspicious URLs. A portion of the Windows executables and libraries are collected and run in a virtual environment to detect and block threats.
• If a user attempts to download a file that was found to be malicious by the Sandbox, Zscaler displays an end user notification. The customer can create custom end user notifications, configured in different languages with images and links to sources that further educate users on compliance policies. The customer can also redirect users to a URL that hosts the customer’s own end user notifications and use JavaScript to display content in other languages.
• Zscaler logs transactions in real time and provides behavioral analysis data. Whenever possible, the logs show the threat name listing the exact malware, such as Trojan.Zbot or Backdoor.Caphaw, or just the malware category, based on the behavior recognized by Zscaler.
• The logs also contain an MD5 column that displays a hash of all files analyzed. With the basic Sandbox, the customer cannot view the behavioral analysis report that provides further information about a file and its behavior.
• The transaction logs list the malicious files that were detected by Cloud Sandbox, that is, files that fell outside the scope of suspicious executables/libraries from suspicious URLs. These files are not blocked (because no policy exists to enforce the blocks), but they are detected and displayed as malicious in the customer’s transaction logs.
• If the Sandbox policy is configured to allow and scan files for the first-time action, the Zscaler service allows users to download unknown files and then sends the files to the Sandbox for behavioral analysis. If a file is found to be malicious, this becomes a patient 0 event.
• If any executables fail to run properly on the original VM or OS, the Sandbox now supports executing them on multiple VMs or OSs to observe their behavior.
• Once Zscaler detects malicious files, it propagates fingerprints of the malicious files to all ZIA Public Service Edges throughout the cloud, effectively maintaining a real-time blacklist to prevent users anywhere in the world from downloading them.

Cloud Sandbox

• With Cloud Sandbox, the customer can create multiple policy rules. For each rule, the customer can specify:
  o Criteria:
    ▪ File types
    ▪ URL Categories
    ▪ Users, Groups, Departments, and Locations
    ▪ Sandbox Categories (Adware, Malware/Botnet, P2P/Anonymizer)
  o Action:
    ▪ Allow or Block
    ▪ Action that Zscaler takes when a user downloads a file for the first time: Allow and do not scan, Allow and scan, or Quarantine during analysis and allow download only after analysis.
• Zscaler provides a default rule. The customer cannot delete the default rule but can modify the Sandbox Categories (in Criteria) and whether the rule allows or blocks (in Action). The customer can also add rules. Rules are applied in the rule order list from first to last. The default rule is always the last rule checked.
• Zscaler conducts sandboxing analysis for all supported file types:
  o Archives:
    ▪ RAR
    ▪ ZIP
  o Scripts inside ZIP archives:
    ▪ .js
    ▪ .vbs
    ▪ .svg
    ▪ .ps1
    ▪ .hta
    ▪ .wsf
    ▪ .cmd
    ▪ .lnk
  o Executables:
    ▪ Windows Executables
    ▪ Windows Library
  o Microsoft Office:
    ▪ Microsoft Word
    ▪ Microsoft Excel
    ▪ Microsoft PowerPoint
    ▪ Microsoft RTF
  o Mobile:
    ▪ Android Application Package
  o Web Content:
    ▪ Adobe Flash
    ▪ Java Applet
  o Other:
    ▪ Adobe PDF
• If a user attempts to download a file that was found to be malicious by the sandbox, Zscaler displays an end user notification.
The customer can create custom end user notifications, configured in different languages with images and links to sources that further educate users on compliance policies. The customer can also redirect users to a URL that hosts the customer’s own end user notifications and use JavaScript to display content in other languages.
• Zscaler logs transactions in real time and provides behavioral analysis data. Whenever possible, the logs show the threat name listing the exact malware, such as Trojan.Zbot or Backdoor.Caphaw, or just the malware category, based on the behavior recognized by Zscaler.
• The logs also contain an MD5 column that displays a hash of all files analyzed. With Cloud Sandbox, the customer can click a value in this column to view the Sandbox report. Sandbox reports provide information about a file and its behavior as well as other types of information, including forensic details like which registry keys were changed, which network connections were initiated, and which files were read.
• Once Zscaler detects malicious files, it propagates fingerprints of the malicious files to all ZIA Public Service Edges throughout the cloud, effectively maintaining a real-time blacklist to prevent users anywhere in the world from downloading them.

Customer Responsibilities

• The customer is responsible for ensuring that internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the ZIA Admin Portal. Otherwise, default settings apply.
• Authentication is required for Zscaler to enforce user, group, and department policies.
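The Cloud Sandbox rule behavior described in this section (ordered rules with an undeletable default rule checked last, per-rule first-time actions, patient 0 events, and cloud-wide fingerprints) as an added simulation written for this document, not Zscaler's code. The rule and download fields, the verdict categories and the sample policy are constructed assumptions; the service's internals are not modelled.

```python
"""Added example, not Zscaler's code: a simulation of Cloud Sandbox rule
evaluation. Rules are checked first to last, the default rule is always last
and cannot be deleted, each rule carries a first-time action, and fingerprints
of files found malicious are shared so later downloads of the same file are
blocked. Rule fields, categories, sample rules and downloads are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ALL_SANDBOX_CATEGORIES = {"Adware", "Malware/Botnet", "P2P/Anonymizer"}


@dataclass(frozen=True)
class Download:
    user: str
    department: str
    location: str
    file_type: str          # e.g. "Windows Executable", "Adobe PDF"
    url_category: str
    md5: str                # the hash shown in the MD5 column of the transaction log


@dataclass
class SandboxRule:
    name: str
    action: str             # "Allow" or "Block"
    first_time: str         # "allow_no_scan", "allow_scan" or "quarantine"
    file_types: Optional[Set[str]] = None        # None means "any"
    url_categories: Optional[Set[str]] = None
    users: Optional[Set[str]] = None
    departments: Optional[Set[str]] = None
    locations: Optional[Set[str]] = None
    sandbox_categories: Set[str] = field(default_factory=lambda: set(ALL_SANDBOX_CATEGORIES))

    def matches(self, d: Download) -> bool:
        def ok(allowed: Optional[Set[str]], value: str) -> bool:
            return allowed is None or value in allowed
        return (ok(self.file_types, d.file_type) and ok(self.url_categories, d.url_category)
                and ok(self.users, d.user) and ok(self.departments, d.department)
                and ok(self.locations, d.location))


class SandboxPolicy:
    def __init__(self, default_rule: SandboxRule) -> None:
        self.rules: List[SandboxRule] = []
        self.default_rule = default_rule
        self.fingerprints: Dict[str, str] = {}   # md5 -> category, shared cloud-wide
        self.known_clean: Set[str] = set()
        self.pending: Dict[str, str] = {}        # md5 -> decision taken at first sight
        self.patient_zero_events: List[str] = []

    def add_rule(self, rule: SandboxRule) -> None:
        self.rules.append(rule)

    def remove_rule(self, name: str) -> None:
        if name == self.default_rule.name:
            raise ValueError("the default rule cannot be deleted")
        self.rules = [r for r in self.rules if r.name != name]

    def first_match(self, d: Download) -> SandboxRule:
        """Rules apply in list order; the default rule is always checked last."""
        for rule in self.rules:
            if rule.matches(d):
                return rule
        return self.default_rule

    def decide(self, d: Download) -> str:
        rule = self.first_match(d)
        if d.md5 in self.fingerprints:                       # already known malicious
            blocked = rule.action == "Block" and self.fingerprints[d.md5] in rule.sandbox_categories
            return "Blocked" if blocked else "Allowed"
        if d.md5 in self.known_clean or rule.first_time == "allow_no_scan":
            return "Allowed"
        # Unknown file: the rule's first-time action decides what the user sees now.
        decision = "Quarantined" if rule.first_time == "quarantine" else "Allowed"
        self.pending[d.md5] = decision                       # submitted for behavioral analysis
        return decision

    def record_verdict(self, md5: str, category: Optional[str]) -> Optional[str]:
        """Analysis finished: None means clean, otherwise the sandbox category found."""
        first_decision = self.pending.pop(md5, None)
        if category is None:
            self.known_clean.add(md5)
            return None
        self.fingerprints[md5] = category                    # propagated to every service edge
        if first_decision == "Allowed":                      # the file already reached a user
            self.patient_zero_events.append(md5)
            return "patient-0"
        return "blocked-before-release"


def build_demo_policy() -> SandboxPolicy:
    """Constructed policy: one custom rule ahead of a blocking default rule."""
    policy = SandboxPolicy(SandboxRule("Default", "Block", "allow_scan"))
    policy.add_rule(SandboxRule("Quarantine risky executables", "Block", "quarantine",
                                file_types={"Windows Executable", "Windows Library"},
                                url_categories={"Security Risk"}))
    return policy
```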
Browser Control

Overview

Zscaler can warn or block users from connecting to the internet when they are using outdated or vulnerable browsers, plugins, and applications.

Description

• Zscaler examines and assesses all applications that are used to access the internet to ensure that they are not outdated or unsafe. Zscaler examines browser versions and patches (as well as beta browsers), internet applications (for example, Adobe Flash, Java, Apple QuickTime), and media download applications (for example, Windows Media Player).
• The customer can choose to block specific browser versions.
• Zscaler displays end user notifications when users are warned or blocked. The customer can create custom end user notifications, configured in different languages with images and links to sources that further educate users on compliance policies. The customer can also redirect users to a URL that hosts the customer’s own end user notifications and use JavaScript to display content in other languages.

Customer Responsibilities

• The customer is responsible for ensuring that internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the ZIA Admin Portal. Otherwise, default settings will apply.
• Authentication is required for Zscaler to enforce user, group, and department policies.

URL Filtering

Overview

Zscaler’s URL Filtering Policy protects the customer’s organization from inappropriate or harmful web content.

Description

• The customer can create policy rules specifying the following criteria: URL categories, HTTP Request, Users, Groups, Departments, Locations, and Time.
The rule also allows the customer to set daily quotas by bandwidth or time, and to specify whether Zscaler allows, cautions against, or blocks access. Zscaler scans every HTTP request and response to enforce the URL filtering policy the customer defines, irrespective of location or device.
• To enable granular access control, Zscaler organizes URLs into a hierarchy of categories. The customer can choose from six predefined classes, each divided into predefined super-categories (30 in total), which are further divided into predefined categories. The six predefined classes are Bandwidth Loss, Business Use, General Surfing, Legal Liability, Productivity Loss, and Security Risk. The customer can limit access at the class level or drill down further into super-categories and categories, depending on business needs. In addition to the predefined categories, the customer can create custom categories based on URLs or on keywords within the URLs or page content.
• Zscaler leverages multiple global databases that are updated daily with feeds from various partners. When a given URL is not already covered by the database, Zscaler uses its Dynamic Content Classification (DCC) engine to scan the page for any content that would place it in the predefined Legal Liability class. The URL is then classified, and the original request for the page is handled according to the customer’s policy for URLs in that class.
• Zscaler displays end user notifications when users are cautioned or blocked. The customer can create custom end user notifications, configured in different languages with images and links to sources that further educate users on compliance policies. The customer can also redirect users to a URL that hosts the customer’s own end user notifications.
• In certain cases, the customer can allow some users or groups to override a block. For example, in an educational setting, the customer can block students from access to YouTube but allow the teachers. Users will be prompted to enter their override password, and they will be able to access the blocked page during their current browser session.

Customer Responsibilities

• The customer is responsible for ensuring that internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the ZIA Admin Portal. Otherwise, default settings will apply.
• SSL inspection may be required for applying granular policy to encrypted sites. Otherwise, company-wide policy will apply.
• Authentication is required for Zscaler to enforce user, group, and department policies.

Firewall Policy

Overview

Zscaler protects users connecting to the internet and provides application visibility and user access-level controls for all ports and protocols, including applications that are difficult to manage and maintain, like port-hopping applications (e.g., Skype, BitTorrent, Tor) and cloud-based business applications with changing IP addresses (e.g., MS Office365, Google Apps, Salesforce.com). Zscaler offers two versions: Standard and Cloud Firewall.

Description

Standard Firewall

• Zscaler’s Standard Firewall supports all ports and protocols.
• The Standard Firewall functions on a 5-tuple policy (Source IP, Destination IP, Source Port, Destination Port, and Protocol).
• By default, the firewall has a default filtering rule that allows all internet traffic. Rules are applied in the rule order list from first to last. The default rule is always the last rule checked. The customer cannot delete the default rule but can modify its action and logging option.
• For each new firewall filtering rule, the customer can specify:
  o Criteria:
    ▪ Where and When: Locations and Time interval.
    ▪ Network Services: The customer can choose from a list of predefined network services and add custom network services. The customer can also create and add network service groups.
    ▪ Source IPs: IP addresses and source IP groups created by the customer.
    ▪ Destination IPs: IP addresses, destination IP groups created by the customer, IP-based countries, and IP categories.
  o Action: For each rule, the customer can specify one of four actions: Allow, Block/Drop, Block with ICMP error message, or Block with TCP reset.
• The Standard Firewall dashboard provides network service visibility.
• Full Logging is available with an additional license.
  o Hourly (default mode for rules that allow traffic): Individual sessions are grouped together based on {user, rule, network service, network application}.
  o Full (default mode for rules that block traffic): Logs all sessions of the rule individually, except HTTP(S).
• The customer can subscribe to Zscaler’s Nanolog Streaming Service (NSS) to stream firewall logs to an on-premises security information and event management (SIEM) system.
• If a web policy and a firewall policy are configured for a web application, the web policy is applied first, then the firewall policy is enforced.
• NAT Control: The Standard Firewall can perform destination NAT.
  o The customer can create NAT control rules using the same criteria as firewall filtering rules (except for network applications, which NAT control does not support), as well as users and groups, which require Cloud Firewall.
  o For each rule, the customer can choose to redirect traffic either to specific IP addresses or to specific ports.

Cloud Firewall

• The Cloud Firewall supports all ports and protocols.
• The Cloud Firewall redirects outbound HTTP, HTTPS, FTP, and DNS traffic that is destined to a non-standard port and that does not match any predefined network service to the web engine for inspection. For example, if HTTP traffic is destined to a server on a non-standard port, Zscaler redirects the traffic to the web proxy engine even if the port is not configured in an HTTP predefined services group. This option is enabled by default.
• With Cloud Firewall, the customer has application visibility and control, as well as user-based policy control.
• Web-based and non-web-based applications are classified by Zscaler’s advanced Deep Packet Inspection (DPI) engine.
• User-level support: To enforce firewall policy at the user level, authentication and surrogate IP must be enabled. Otherwise, the firewall applies organization and location policies.
• With Cloud Firewall, full logging and reporting are included.
• The Cloud Firewall dashboard provides network application visibility.
• By default, the firewall has a default filtering rule which allows all internet traffic. Rules are applied in the rule order list from first to last. The default rule is always the last rule checked. The customer cannot delete the default rule but can modify its action and logging option.
• For each new firewall filtering rule, the customer can specify:
  o Criteria:
    ▪ Who, Where, and When: Users, Groups, Departments, Locations, and Time Interval.
    ▪ Network services: The customer can choose from a list of predefined network services and add custom network services. The customer can create network services with overlapping ports for the same protocols and add these network services to the firewall control policy. For example, FTP on port 21 is a standard network service; a custom network service that also includes port 21 can be defined.
    The customer can also create and add network service groups.
    ▪ Network applications: The customer can choose from a list of predefined network applications. The customer can also create and add network application groups.
    ▪ Source IPs: IP addresses and source IP groups created by the customer.
    ▪ Destination IPs: IP addresses, destination IP groups created by the customer, IP-based countries, and IP categories.
  o Action: For each rule, the customer can specify one of four actions: Allow, Block/Drop, Block with ICMP error message, or Block with TCP reset.
  o Logging option:
    ▪ Hourly (default mode for rules that allow traffic): Individual sessions are grouped together based on user, rule, network service, and network application.
    ▪ Full (default mode for rules that block traffic): Logs all sessions of the rule individually, except HTTP/HTTPS.
• If a web policy and a firewall policy are configured for a web application, the web policy is applied first, then the firewall policy is enforced.
• NAT Control: The Cloud Firewall can perform destination NAT.
  o The customer can create NAT control rules using the same criteria as firewall filtering rules, except for network applications, which NAT control does not support.
  o For each rule, the customer can choose to redirect traffic to specific IP addresses and ports. To support domains with multiple destination IP addresses, or with destination IP addresses that may change, the customer can enter FQDNs as well as IP addresses in the destination field of each rule.
• DNS Control: With Cloud Firewall, the customer can control DNS requests and responses.
  o The DNS Control policy has default rules that allow all DNS traffic. Rules are applied in the rule order list from first to last. The default rule is always the last rule checked. The customer cannot delete the default rules but can modify their actions.
  o For each new DNS transaction rule, the customer can specify:
    ▪ Criteria:
      • Who, Where, and When: Users, Groups, Departments, Locations, and Time Interval.
      • Source IPs: IP addresses and source IP groups created by the customer.
      • Destination/Resolved IPs: DNS Server IP addresses, DNS Server IP groups, Resolved IP-based Countries, and Requested Domain/Resolved IP Categories.
    ▪ Action: For each rule, the customer can specify one of four actions: Allow, Block, Redirect request, or Redirect response.
  o Zscaler logs all sessions of the rule individually, except HTTP(S). This option cannot be changed.
  o DNS tunneling can be used to circumvent traditional security measures and has the potential to introduce a variety of hazards into networks. To counteract this threat, Zscaler has introduced the ability to detect, control, and analyze tunneling traffic.
  o The DNS dashboard gives the customer visibility into applications running in the customer’s networks.
  o An Advanced Settings option to enable ZIA Public Service Edges to optimize DNS resolution is also available. If this is used, the Zscaler proxy will intercept the HTTP or HTTPS request and perform its own DNS resolution. It then overrides the destination IP if the answers are different. This can minimize the geographical distance a query travels and reduce latency.
  o Zscaler supports DNS queries sent over UDP and TCP.
• The customer can subscribe to Zscaler’s Nanolog Streaming Service (NSS) to stream firewall and DNS logs to an on-premises security information and event management (SIEM) system.

Customer Responsibilities

• The customer is responsible for ensuring that IP traffic is forwarded to Zscaler from a known location via a GRE or IPSec tunnel.
• The customer must ensure proper settings are configured in the ZIA Admin Portal. Otherwise, default settings will apply.
• To enforce firewall policies at the user level, authentication and surrogate IP must be enabled. Otherwise, the firewall applies organization and location policies.

FTP Control

Overview

By default, Zscaler does not allow users from a location to upload files to or download files from FTP sites, but the customer can configure the policy to allow access to specific sites.

Description

• The FTP policy applies to traffic from the known locations of an organization.
• Zscaler supports FTP over HTTP. The anti-virus engine will scan the content for viruses and spyware. These connections are also subject to rules created under the URL Filtering Policy in the ZIA Admin Portal.
• Zscaler supports passive FTP only. If the destination server does not support passive FTP, Zscaler generates an alert message to this effect in the end user's browser.
• If a remote user uses a dedicated port, then Zscaler supports FTP over HTTP for remote users. So, when a remote user’s browser connects to FTP sites and downloads files, Zscaler’s anti-virus engine will be able to scan the content for viruses and spyware.
• Zscaler does not support Anti-Virus (AV) scanning for native FTP traffic.
• URL Filtering Policy rules take precedence over the FTP Control policy. For example, if the customer has a URL Filtering Policy rule that blocks access to Adult Material, Zscaler will block users who try to transfer files from ftp://ftp.playboy.com/.
• User, department, or group-level URL filtering rules blocking access to specific sites will not be enforced for FTP sites because FTP does not support cookies. Only rules applied to all users will be enforced. For example, if the customer has a catch-all URL Filtering Policy rule defined to "Block Access to Adult Material," anyone attempting to access ftp://ftp.playboy.com/ will be blocked.

Customer Responsibilities

• The customer is responsible for ensuring that traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the ZIA Admin Portal. Otherwise, default settings will apply.

Bandwidth Control

Overview

Zscaler provides built-in web bandwidth control and traffic shaping capabilities for web applications and URL categories to ensure that business-critical applications are prioritized and that recreational or non-business-critical applications do not affect productivity.

Description

• Zscaler provides bandwidth control at two levels. At the first level, Zscaler provides bandwidth control by location. The customer can configure maximum upload and download bandwidth limits for each location in the organization. These limits apply to all internet traffic for the location, irrespective of the web application traffic flowing through the network. At the second level, for each location, the customer can define a bandwidth control policy based on application classes.
• Zscaler defines the following bandwidth classes: Business & Economy, Financial Apps, General Surfing, Large Files, Productivity, Sales/Support Apps, Streaming Media/File Share, VoIP, and Web Conferencing. The customer must add URL categories and cloud applications (or cloud application categories) to the predefined bandwidth classes. The customer can also add custom application classes that the customer defines.
• In the bandwidth control policy, the customer can set bandwidth control rules to prioritize business-critical applications and define how bandwidth is allocated when contention occurs.
Each rule defines a maximum and a minimum guaranteed percentage of bandwidth for the application classes in the rule, along with other parameters like maximum concurrent connections, location, and time of day.
• The Zscaler bandwidth algorithm allows an application class full bandwidth utilization until there is contention for the bandwidth by a traffic class with a higher priority. When application classes compete for bandwidth, Zscaler takes action based on the rules that the customer configures in the bandwidth control policy.
• Zscaler rebalances the bandwidth in real time and buffers packets for application classes that hit the bandwidth quota limit. This behavior ensures that business-critical applications get priority, with no deterioration in quality.
• Zscaler applies the policy to all HTTP and HTTPS traffic from the location. The customer does not need to enable SSL interception because bandwidth control works at the TCP level.
• The Bandwidth Control dashboard provides real-time visibility into the organization’s bandwidth usage. All customers can view the Total Bandwidth Consumption graph, even if their organization does not have a Bandwidth Control subscription. This graph displays the 95th percentile trend line, which is based on the 95th percentile of inbound or outbound traffic, whichever is higher. Customers can view bandwidth usage in 30-day time intervals, with the ability to drill down incrementally to 5-minute intervals. All other widgets on the Bandwidth Control dashboard require a subscription. In addition to the dashboard, administrators for organizations subscribed to Bandwidth Control can access interactive Bandwidth Control reports and, in Web Insights, use the bandwidth control data type and filters to analyze bandwidth usage.
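The allocation behavior this section attributes to bandwidth control rules (full use of the link while nobody contends, a guaranteed minimum and a maximum percentage per class, leftover capacity settled by priority, excess traffic buffered) as an added worked example written for this document, not Zscaler's published algorithm. The two-pass scheme, the priority field and the sample location and classes are assumptions.

```python
"""Added example, not Zscaler's code: a two-pass allocator that models the
bandwidth control behaviour described above. Every class receives at most its
maximum share, at least its guaranteed minimum when it asks for that much,
and leftover capacity is handed out in priority order; traffic above the
grant is buffered. The scheme, the priority field and the sample classes are
assumptions, not Zscaler's published algorithm.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ClassRule:
    app_class: str       # one of the bandwidth classes, e.g. "VoIP"
    priority: int        # lower number wins contention (assumption)
    min_pct: float       # guaranteed percentage of the location's link
    max_pct: float       # cap as a percentage of the location's link


def allocate(capacity_kbps: float, rules: List[ClassRule],
             demand_kbps: Dict[str, float]) -> Dict[str, float]:
    """Return the bandwidth granted to each class for one scheduling interval."""
    if sum(r.min_pct for r in rules) > 100:
        raise ValueError("guaranteed minimums exceed the location's bandwidth")
    if any(r.min_pct > r.max_pct for r in rules):
        raise ValueError("a minimum guarantee cannot exceed its maximum")
    demand = {r.app_class: max(0.0, demand_kbps.get(r.app_class, 0.0)) for r in rules}
    grant: Dict[str, float] = {}
    # Pass 1: every class receives its guaranteed minimum, but no more than it asks for.
    for r in rules:
        grant[r.app_class] = min(demand[r.app_class], capacity_kbps * r.min_pct / 100)
    remaining = capacity_kbps - sum(grant.values())
    # Pass 2: leftover capacity goes to classes in priority order, up to their maximum,
    # so a class uses the whole link until a higher-priority class contends for it.
    for r in sorted(rules, key=lambda x: x.priority):
        cap = capacity_kbps * r.max_pct / 100
        extra = min(demand[r.app_class], cap) - grant[r.app_class]
        extra = max(0.0, min(extra, remaining))
        grant[r.app_class] += extra
        remaining -= extra
    return grant


def buffered(demand_kbps: Dict[str, float], grant: Dict[str, float]) -> Dict[str, float]:
    """Traffic above the grant is held back (the document: packets are buffered)."""
    return {c: max(0.0, demand_kbps.get(c, 0.0) - g) for c, g in grant.items()}


# Constructed location: a 100 Mbit/s link and three bandwidth classes.
LOCATION_CAPACITY_KBPS = 100_000
RULES = [
    ClassRule("VoIP", priority=1, min_pct=20, max_pct=100),
    ClassRule("Business & Economy", priority=2, min_pct=30, max_pct=80),
    ClassRule("Streaming Media/File Share", priority=3, min_pct=0, max_pct=60),
]

if __name__ == "__main__":
    contended = {"VoIP": 10_000, "Business & Economy": 70_000, "Streaming Media/File Share": 60_000}
    g = allocate(LOCATION_CAPACITY_KBPS, RULES, contended)
    print("granted:", g)
    print("buffered:", buffered(contended, g))
```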
Customer Responsibilities
• The customer is responsible for ensuring that internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the ZIA Admin Portal. Otherwise, default settings will apply.
• The customer is responsible for adding URL categories and cloud applications or cloud application categories to the predefined bandwidth classes before defining bandwidth control rules.
• The customer is responsible for ensuring that the bandwidth values set for each location are correct.
• Authentication is required for Zscaler to enforce user, group, and department policies.

SSL Inspection
Overview
Zscaler can perform SSL inspection and decrypt HTTPS traffic to protect the customer's organization against dangerous content hidden in incoming or outgoing HTTPS traffic.
Description
• Zscaler decrypts and inspects HTTPS traffic to and from the user's browser and to and from the destination server, blocking any malicious content.
• When performing SSL inspection, Zscaler terminates the SSL connection on the proxy to inspect content, then establishes a separate connection to the destination server. Zscaler does the same with the HTTPS traffic from the destination server to the user's browser.
• Zscaler provides the following features when an organization enables SSL Inspection:
  o Granular URL and cloud app control policies: Zscaler can enforce granular user, group, and location policies, as well as read-only controls.
  o Globally bypass URLs and URL categories: The customer can prevent Zscaler from decrypting transactions to specific URLs or URL categories, as well as to specific cloud applications or cloud application categories.
  o Content filtering: The customer can configure Zscaler to enforce SafeSearch, enabling it to block malicious or inappropriate content in a page, such as during a Google search.
  o Block unscannable transactions: The customer can enable Zscaler to block the transactions of applications that Zscaler cannot decrypt because they use non-standard encryption methods and algorithms.
• Zscaler supports OCSP to verify the validity of server certificates and blocks access to sites whose server certificates are unknown or have a revoked status. Further, Zscaler displays an end user notification when it blocks access to a site due to a bad certificate (the certificate issuer is unknown, the certificate has expired, or the Common Name in the certificate does not match the host) and logs these transactions with "bad server cert" in the policy field.
• Zscaler supports TLS version 1.2.

Customer Responsibilities
• The customer is responsible for ensuring that internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the ZIA Admin Portal. Otherwise, default settings will apply.
• The customer must ensure that Zscaler's root certificate or the customer's own root certificate is installed in the browser's trust store.
• When the customer enables SSL inspection, the customer is responsible for creating the list of URL categories that are exempt from SSL inspection (for example, URLs in the Finance or Health categories). The customer must configure this list carefully because it is applied globally throughout the organization and takes precedence over per-location SSL inspection settings. Exempted traffic is not decrypted, so the content-based controls (malware scanning, DLP, granular cloud application policy) do not see it; the list should be limited to what privacy or regulatory requirements demand.
• Authentication is required for Zscaler to enforce user, group, and department policies.
SSL Inspection with Customer Root Certificate
Overview
For SSL inspection, Zscaler gives the customer the option of using an intermediate CA certificate signed by the customer's own trusted Certificate Authority (CA), rather than the default Zscaler intermediate certificate.
Description
• The customer can use an intermediate CA certificate signed by the customer's own root CA.
• The customer can upload a certificate chain in addition to the intermediate certificate, so that the Zscaler service sends the intermediate certificate together with the rest of the chain to a user's device during SSL inspection. This lets a browser that trusts only the customer's root build a path from the generated site certificate, through every issuing CA, to that root.
• After the signed intermediate certificate has been uploaded to Zscaler, Zscaler can start using it immediately. Zscaler presents a site certificate generated under the customer's intermediate certificate to the user's browser, and the browser validates the intermediate certificate against the root certificate in its trust store.
• The customer can control the validity period of the intermediate certificate or revoke it in the ZIA Admin Portal.
• Certificate signing uses an asymmetric (public-key) signature algorithm: the Zscaler root CA signs with a 2048-bit RSA key and a SHA-256 digest. AES is a symmetric cipher and is not a certificate signing algorithm, so the customer's CA must likewise sign the intermediate certificate with a standard public-key signature scheme such as RSA or ECDSA.
• If necessary, the customer can consult Certificate Revocation Lists (CRLs), which list the serial numbers of revoked certificates. The Zscaler service includes a CRL distribution point (CDP) in every certificate it generates.
Customer Responsibilities
• The customer is responsible for ensuring that internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the ZIA Admin Portal. Otherwise, default settings will apply.
• The customer must ensure that the customer's root certificate is installed in the browser's trust store.
• The customer is responsible for ensuring that the customer's root certificate is valid in the ZIA Admin Portal.
• Authentication is required for Zscaler to enforce user, group, and department policies.

Data Loss Prevention (DLP)
Overview
Zscaler protects users across devices and networks, scanning internet traffic, including SSL-encrypted traffic, to monitor or block unauthorized or sensitive data leaving the customer's organization, in accordance with configured policies.
Description
• The customer configures a DLP policy by adding rules that reference DLP engines, each of which contains one or more DLP dictionaries.
• DLP dictionaries contain algorithms designed to detect valid number data, such as credit card and social security numbers, or other kinds of information relevant to the organization's compliance policies. Zscaler provides multiple predefined dictionaries. The customer can also create custom dictionaries of the following types:
  o Patterns: regular expressions that match on important patterns
  o Phrases: single- or multi-word keywords that match on important phrases
  o Exact Data Match (EDM): with an additional license, indexed data templates that match on tabular data records
• DLP engines are collections of DLP dictionaries that enable the identification of sensitive information across multiple dictionaries. Zscaler provides multiple predefined DLP engines, and the customer can create custom engines as well.
• The customer can define granular policy rules that reference one or more DLP engines for the type of data to be identified.
In addition, for each rule the customer can choose to allow or block specific data that meets one or more of the following criteria: URL category, cloud application, file type, minimum data size, users, groups, departments, location, and time interval.
• For each rule, the customer can specify whether to send a notification to auditors when a violation occurs, optionally including attachments of the violating content.
• The customer can create Exact Data Match (EDM) index templates and apply them to custom DLP dictionaries and engines. EDM templates allow the Zscaler service to identify a record from a structured data source that matches predefined criteria.
• Zscaler displays end user notifications when users are blocked. The customer can create custom end user notifications, configured with images and links to sources that further educate users on compliance policies. The customer can also redirect users to a URL that hosts the customer's own end user notifications.
• If the customer's organization has its own on-premises DLP solution, the customer can configure Zscaler DLP rules to forward information over secure Internet Content Adaptation Protocol (ICAP) to the DLP server. There are two main options when forwarding content: using the Zscaler DLP engines, or bypassing them.
  o If Zscaler DLP engines are used, the Zscaler service uses its DLP engines to detect, and allow or block, the specified data. It then forwards the information to the customer's DLP server.
  o If Zscaler DLP engines are bypassed, the Zscaler DLP engines do not scan for any specific data. The service only filters, and allows or blocks content, based on the specified criteria before forwarding the content to the customer's DLP server.
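The dictionary, engine and rule layering described in this section, as an added worked example that is not Zscaler code and does not reproduce its dictionaries or EDM index format. The Python below builds one dictionary of each type the text names: a Patterns dictionary whose number matches are validated (Luhn for card numbers, issuance rules for SSNs) so that a random digit run is not a hit; a Phrases dictionary; and an Exact Data Match index that stores only keyed hashes of each cell of a constructed HR table and counts a record as matched when two of its columns appear together. An engine is a set of dictionaries with thresholds, and the rule applies the minimum data size criterion from the text. The validators, thresholds, key, records and sample messages are all constructed assumptions.

```python
"""Illustrative DLP dictionaries, engine and rule in the shape the section describes.

Added example, not Zscaler code. The three dictionary types (Patterns, Phrases,
Exact Data Match) and the engine/rule layering follow the text; the validators,
thresholds, HMAC key, records and sample messages are constructed here.
"""
import hmac
import re

CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
TOKEN_RE = re.compile(r"[\w@.\-]+")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check over a run of ASCII digits."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def count_cards(text: str) -> int:
    """Pattern dictionary: 16-digit card-shaped runs that also pass Luhn."""
    return sum(luhn_valid(re.sub(r"[ -]", "", m)) for m in CARD_RE.findall(text))


def count_ssns(text: str) -> int:
    """Pattern dictionary: AAA-GG-SSSS, skipping values the SSA never issues."""
    hits = 0
    for area, group, serial in SSN_RE.findall(text):
        if area in ("000", "666") or area.startswith("9") or group == "00" or serial == "0000":
            continue
        hits += 1
    return hits


def count_phrases(text: str, phrases: tuple) -> int:
    """Phrase dictionary: whole-word, case-insensitive keyword occurrences."""
    low = text.lower()
    return sum(len(re.findall(r"\b" + re.escape(p.lower()) + r"\b", low)) for p in phrases)


class EdmIndex:
    """Exact Data Match: the index holds keyed hashes of each cell, never the clear-text table."""

    def __init__(self, key: bytes, records: list) -> None:
        self.key = key
        self.cells = {}   # cell hash -> (record id, column)
        for rid, rec in enumerate(records):
            for col, val in rec.items():
                self.cells[self._h(val)] = (rid, col)

    def _h(self, value: str) -> str:
        norm = value.strip(" .,;:()").lower().encode()
        return hmac.new(self.key, norm, "sha256").hexdigest()

    def count(self, text: str, min_cells: int = 2) -> int:
        """Records for which at least `min_cells` distinct columns appear in the text."""
        seen = {}
        for tok in TOKEN_RE.findall(text):
            hit = self.cells.get(self._h(tok))
            if hit:
                seen.setdefault(hit[0], set()).add(hit[1])
        return sum(len(cols) >= min_cells for cols in seen.values())


def evaluate(text: str, engine: dict, dictionaries: dict, min_size_bytes: int = 0) -> dict:
    """Rule evaluation: the engine fires when any member dictionary reaches its threshold,
    and the rule also applies the minimum data size criterion from the text."""
    counts = {name: dictionaries[name](text) for name in engine}
    big_enough = len(text.encode()) >= min_size_bytes
    violated = big_enough and any(counts[n] >= t for n, t in engine.items())
    return {"action": "BLOCK" if violated else "ALLOW", "counts": counts}


# Constructed tenant data: an EDM index over two HR records and four dictionaries.
HR_INDEX = EdmIndex(b"per-tenant-secret-key", [
    {"name": "Ada Example", "email": "ada@example.test", "employee_id": "E-1001"},
    {"name": "Bob Sample", "email": "bob@example.test", "employee_id": "E-1002"},
])
DICTIONARIES = {
    "Credit Cards": count_cards,
    "Social Security Numbers": count_ssns,
    "Project Codenames": lambda t: count_phrases(t, ("project nightjar", "codename bluefin")),
    "HR Records (EDM)": HR_INDEX.count,
}
PCI_ENGINE = {"Credit Cards": 1}
HR_ENGINE = {"Social Security Numbers": 1, "HR Records (EDM)": 1, "Project Codenames": 2}

if __name__ == "__main__":
    msg = ("Card 4111 1111 1111 1111 exp 12/29, ref 1234 5678 9012 3456; "
           "onboard ada@example.test badge E-1001")
    print(evaluate(msg, PCI_ENGINE, DICTIONARIES))
    print(evaluate(msg, HR_ENGINE, DICTIONARIES))
```

The EDM index never contains the source table: if the index leaks, an attacker still needs the HMAC key to test candidate values against it, and matching on two columns of one record rather than any single hashed value keeps a lone e-mail address from counting as a record match.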
Customer Responsibilities
• The customer is responsible for ensuring that internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the ZIA Admin Portal. Otherwise, default settings will apply.
• Authentication is required for Zscaler to enforce user, group, and department policies.
• The customer is responsible for setting up and maintaining the Index Tool virtual machine for Exact Data Match-based rules.
• The customer is responsible for indexing data for Exact Data Match-based rules.

API-based CASB
Overview
Zscaler API-based CASB provides cloud-based security within SaaS applications (e.g., Box, Office 365). The service continuously monitors corporate-sanctioned SaaS applications through each application's API, scans the files stored in them in accordance with the rules and policies the customer defines, monitors them for unauthorized or inappropriate sharing, and automatically remediates data exposure issues and malware activity.
Description
• The customer can configure a CASB policy to protect sensitive data and prevent malware-related threats.
• CASB DLP policies look for DLP violations based on content match and sharing context. Content matching can be based on keywords, patterns, regular expressions, predefined and custom DLP dictionaries, predefined and custom DLP engines, and Exact Data Match (EDM). Data exposure is detected based on public, external, and internal sharing.
• When a violation is detected based on DLP policies, the customer can take action, such as removing sharing permissions and quarantining known or unknown threats.
Customer Responsibilities
• The customer is responsible for connecting their sanctioned SaaS applications with Zscaler's API-based CASB service.
• The customer must ensure proper time interval settings for historical data scanning.
• The customer is responsible for setting up and maintaining DLP and malware policies for API-based data scanning.

Cloud Application Control
Overview
In addition to URLs, Zscaler enables the customer to manage user access to cloud applications (e.g., Facebook, Gmail).
Description
• The customer can create a rule and specify the following criteria: Cloud Applications, Users, Groups, Departments, Locations, and Time. The rule also allows the customer to set daily quotas by bandwidth or time, and to specify whether Zscaler allows, cautions against, or blocks access.
• Zscaler organizes cloud applications into nine broad categories: Consumer, Enterprise Collaboration, Enterprise Productivity, Instant Messaging, Sales & Marketing, Social Networking & Blogging, Streaming Media & File Sharing, System & Development, and Webmail.
• For four of the categories (Instant Messaging, Social Networking & Blogging, Streaming Media & File Sharing, and Webmail), Zscaler allows the customer to apply read-only controls. For example, the customer can set read-only controls for social networking sites so that users can read content but not post.
• Zscaler displays end user notifications when users are cautioned or blocked. The customer can create custom end user notifications, configured in different languages with images and links to sources that further educate users on compliance policies. The customer can also redirect users to a URL that hosts the customer's own end user notifications.
• The cloud application policy takes precedence over the URL filtering policy by default.
• The customer can configure Zscaler to allow users to access Google apps (including Gmail) for specific domains only.
For example, the customer can allow users to sign in to their corporate Gmail accounts but block them from signing in to their personal Gmail accounts.
• The customer can send all Office 365 traffic to the Zscaler cloud and enable the Office 365 One-Click Configuration feature in the ZIA Admin Portal. The Zscaler service then automatically performs the configuration needed for Office 365.
• The Zscaler service fingerprints more than 300 applications, including the Office 365 applications, so that customers do not have to track URL changes for Office 365 themselves.
• The Cloud Applications dashboard features a reporting widget named Cloud Applications Trend, which displays all the cloud apps used by the customer's organization. Zscaler has partnered with McAfee Skyhigh (formerly Skyhigh Networks) to provide a risk profile for each application. The customer can point to a cloud app in the widget and view the risk score from each source, as well as the aggregated score provided by Zscaler. The customer can also download the data as a CSV file for further analysis; this information is available on the dashboard and as a CSV file only, not in logs.
Customer Responsibilities
• The customer is responsible for ensuring that internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the ZIA Admin Portal. Otherwise, default settings will apply.
• SSL inspection might be required for applying granular policy to encrypted sites. Otherwise, company-wide policy will apply.
• Authentication is required for Zscaler to enforce user, group, and department policies.
Zscaler Identity Proxy
Overview
The customer can configure Zscaler as an identity provider (IdP) for the following cloud applications: Salesforce, Box, and Google Apps. This feature enables the customer to ensure that users can only access these applications through the Zscaler service.
Description
• The customer can restrict users on the corporate network to accessing these applications only through Zscaler, from their corporate accounts. Users off the corporate network can access these applications with their corporate credentials only if they are connecting through Zscaler.
• In addition to configuring settings in the ZIA Admin Portal, the customer must configure Zscaler as the identity provider (IdP) for each application and enable single sign-on (SSO) for each application.
• The login process is transparent to the end user. Once Identity Proxy is configured and users are authenticated with the Zscaler service, users do not need to authenticate again with the cloud applications. The Zscaler service transforms its own authentication cookie into the login to the cloud application.
• The customer can log user access to cloud applications from any location or device, including agentless deployments.
Customer Responsibilities
• The customer is responsible for ensuring that internet traffic is forwarded to Zscaler.
• The customer must ensure that an authentication mechanism has been set up and that users are provisioned on the Zscaler service.
• The customer must enable SSL inspection for locations that use Identity Proxy.
• The customer must configure Zscaler as the identity provider (IdP) for each application.
• The customer must ensure proper settings are configured in the ZIA Admin Portal.
File Type Control
Overview
Zscaler enables the customer to manage users' ability to upload or download various file types.
Description
• The customer can create a rule in the File Type Control policy and specify the following criteria: File Type, URL Categories, Users, Groups, Departments, Locations, and Time. The rule allows the customer to distinguish between uploads and downloads and to specify whether the Zscaler service allows, cautions against, or blocks the upload or download.
• Zscaler defines various file types the customer can control, including Archive (such as .zip, 7-Zip, or StuffIt), Audio (.mp3 or .wav), Executable (.exe or .lnk), Image (.bmp, WebP, or .psd), Microsoft Office (.xls or .doc), Mobile (.apk or .ipa), Video (.avi or .mov), Web Content (.jar or .js), and other file types.
• The customer can create rules for unknown file types. Zscaler performs MIME type checks for application types that are not well defined, so that the type is determined from the content rather than from the file name extension alone.
• The customer has the option to block unscannable files or password-protected files.
• The Zscaler service displays end user notifications when users are cautioned or blocked. The customer can create custom end user notifications, configured in different languages with images and links to sources that further educate users on compliance policies. The customer can also redirect users to a URL that hosts the customer's own end user notifications.
Customer Responsibilities
• The customer is responsible for ensuring that internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the ZIA Admin Portal. Otherwise, default settings will apply.
• SSL inspection might be required for applying granular policy to encrypted sites.
• Authentication is required for Zscaler to enforce user, group, and department policies.
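The content-based type check that a File Type Control rule relies on, as an added worked example that is not Zscaler code and does not reproduce its signature database. The Python below classifies a payload by its leading bytes, opens ZIP containers to tell an .apk, a .jar or an Office document from a plain archive, reports corrupt and password-protected archives as the text's "unscannable" and "password-protected" cases, and then applies an upload/download rule table while flagging a mismatch between the extension the client claims and the type actually detected. The signature table, container hints, policy table and sample payloads are constructed assumptions.

```python
"""Illustrative content-based file type check behind a File Type Control rule.

Added example, not Zscaler code: the signature table, container hints, policy
table and sample payloads are constructed here. It shows the point the section
makes, that the type is decided from the bytes (with a look inside containers
such as ZIP), not from the extension or the type the client claims, and that
unscannable and password-protected files can be handled by rule.
"""
import io
import zipfile

# Leading-byte signatures for some of the file type classes the section lists.
SIGNATURES = [
    (b"MZ", "Executable"),                      # Windows PE (.exe, .dll, .scr)
    (b"\x7fELF", "Executable"),                 # Linux ELF
    (b"\x89PNG\r\n\x1a\n", "Image"),
    (b"\xff\xd8\xff", "Image"),                 # JPEG
    (b"GIF8", "Image"),
    (b"%PDF-", "Document"),
    (b"\xd0\xcf\x11\xe0", "Microsoft Office"),  # legacy OLE .doc/.xls/.ppt
    (b"Rar!\x1a\x07", "Archive"),
    (b"7z\xbc\xaf\x27\x1c", "Archive"),
    (b"PK\x03\x04", "Zip"),                     # container: .zip, .apk, .jar, .docx all start this way
]

# A ZIP is only a container; the entry names say what it really is.
ZIP_CONTAINER_HINTS = {
    "AndroidManifest.xml": "Mobile",            # .apk
    "META-INF/MANIFEST.MF": "Web Content",      # .jar
    "[Content_Types].xml": "Microsoft Office",  # OOXML .docx/.xlsx/.pptx
}

EXTENSION_CLAIMS = {"png": "Image", "jpg": "Image", "gif": "Image", "exe": "Executable",
                    "zip": "Archive", "pdf": "Document", "docx": "Microsoft Office", "apk": "Mobile"}

# (detected type, direction) -> action; anything not listed is allowed.
POLICY = {
    ("Executable", "download"): "BLOCK",
    ("Mobile", "download"): "BLOCK",
    ("Unknown", "download"): "BLOCK",
    ("Unscannable", "download"): "BLOCK",
    ("Password-protected", "download"): "BLOCK",
    ("Archive", "upload"): "CAUTION",
}


def refine_zip(data: bytes) -> str:
    """Open the container to classify it; corrupt or truncated data is reported as unscannable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return "Unscannable"
    if any(info.flag_bits & 0x1 for info in infos):   # general purpose bit 0: entry is encrypted
        return "Password-protected"
    names = {info.filename for info in infos}
    for marker, ftype in ZIP_CONTAINER_HINTS.items():
        if marker in names:
            return ftype
    return "Archive"


def detect_type(data: bytes) -> str:
    """Classify by magic bytes; the extension and declared Content-Type are deliberately ignored."""
    for magic, ftype in SIGNATURES:
        if data.startswith(magic):
            return refine_zip(data) if ftype == "Zip" else ftype
    return "Unknown"


def decide(direction: str, filename: str, data: bytes) -> dict:
    """Apply the rule table to the detected type and flag a claimed/actual mismatch for logging."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_CLAIMS.get(ext, "Unknown")
    detected = detect_type(data)
    return {
        "detected": detected,
        "claimed": claimed,
        "mismatch": claimed != detected,
        "action": POLICY.get((detected, direction), "ALLOW"),
    }


def make_zip(entries: dict) -> bytes:
    """Build a small in-memory ZIP for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    disguised = b"MZ\x90\x00" + b"\x00" * 60          # PE header bytes served as "invoice.png"
    apk = make_zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035"})
    for direction, name, payload in [("download", "invoice.png", disguised),
                                     ("download", "update.zip", apk),
                                     ("upload", "backup.zip", make_zip({"notes.txt": b"hi"}))]:
        print(name, decide(direction, name, payload))
```

The mismatch flag is worth logging on its own: an executable served with an image extension, or an .apk inside a file called update.zip, is exactly the case an extension-based control would wave through.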
Zscaler Client Connector
Overview
The Zscaler Client Connector is an application installed on user devices to protect their traffic, even when they are outside the corporate network.
Description
• By default, Zscaler Client Connector captures web traffic from the user's device, establishes a lightweight tunnel to the ZIA Public Service Edge closest to the user, and forwards the traffic through the tunnel so that the ZIA Public Service Edge can apply the security and access policies configured in the ZIA Admin Portal.
• Zscaler Client Connector supports all authentication mechanisms supported by the Zscaler service, including SAML with two-factor authentication.
• Zscaler Client Connector can detect when users connect to a trusted network and disable its web security service, so that user traffic is forwarded to the Zscaler service through the network's configured traffic forwarding mechanism.
• Zscaler Client Connector can detect when users connect to Wi-Fi hotspots that require them to pay or accept a use policy before accessing the web. The app can disable its web security service for a specified period, allowing users to take the steps needed to access the network, before automatically re-enabling its service.
• The Zscaler Client Connector Portal is a web-based portal dedicated to app management, accessible directly from the ZIA Admin Portal. From the portal, the customer configures the app settings that Zscaler Client Connector downloads when users enroll with the Zscaler service. After enrollment, Zscaler Client Connector regularly checks for and downloads any updates the customer makes to these settings in the portal.
• The Zscaler Client Connector Portal provides a dashboard with real-time information about enrolled devices, including the status of the apps running on users' devices and device fingerprints.
• The customer can modify the app's behavior.
• The customer can add a custom PAC file when configuring settings, so that the app forwards web traffic according to the PAC file's instructions, or the customer can allow the user's browser proxy settings to be applied.
• The customer can configure settings to prevent users from disabling the app and bypassing its web security service.
• The customer can configure settings so that the app auto-updates whenever the Zscaler service releases a new version. The customer also has the option of testing new versions first, then pushing auto-updates from the Zscaler Client Connector Portal.
Customer Responsibilities
• The customer must ensure an authentication mechanism has been set up and users have been provisioned on the Zscaler service.
• The customer must ensure appropriate security and access policies have been configured in the ZIA Admin Portal. To enable SSL inspection for traffic forwarded by Zscaler Client Connector, enable SSL inspection for mobile traffic in the ZIA Admin Portal.
• The customer is responsible for deploying Zscaler Client Connector on user devices.
• The customer is responsible for configuring and managing app settings in the Zscaler Client Connector Portal.

Mobile Malware Protection
Overview
Zscaler provides mobile data and app security for Apple and Android mobile devices when the devices are connected to a corporate Wi-Fi network that sends traffic to Zscaler transparently over a GRE or IPSec tunnel.
Description
• Zscaler scans mobile traffic and provides comprehensive protection against malware and advanced security threats.
• Zscaler can block apps that leak certain types of information.
The customer can choose to block apps that send:
  o Unencrypted user credentials
  o Location information
  o Personally Identifiable Information (PII)
  o Device identifiers
  o Communications to ad servers
  o Communications to unknown servers
• Zscaler provides detailed traffic visibility and granular reporting for mobile applications and device types.
Customer Responsibilities
• The customer is responsible for ensuring that internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the ZIA Admin Portal. Otherwise, default settings will apply.
• SSL inspection might be required for applying granular policy. The customer is responsible for installing the Zscaler root certificate on user devices.
• Authentication is required for Zscaler to enforce user, group, and department policies.

Mobile Applications Control
Overview
Zscaler can restrict the stores from which users download apps for their mobile devices. Devices must be connected to a corporate Wi-Fi network that sends traffic to Zscaler transparently over a GRE or IPSec tunnel.
Description
• Zscaler can enforce rules that restrict the stores from which users download apps for their mobile devices. The customer can create rules to allow or block based on the following criteria:
  o App Stores
  o Users
  o Groups
  o Departments
  o Locations
  o Time
Customer Responsibilities
• The customer is responsible for ensuring that internet traffic is forwarded to Zscaler.
• The customer must ensure proper settings are configured in the ZIA Admin Portal. Otherwise, default settings will apply.
• SSL inspection might be required for applying granular policy. The customer is responsible for installing the Zscaler root certificate on user devices.
• Authentication is required for Zscaler to enforce user, group, and department policies.
Priority Categorization Service
Overview
Customers who want to reduce the percentage of Zscaler-uncategorized content traversing their network can subscribe to the Zscaler Priority Categorization service. The service significantly improves the end user experience for customers with strict policies that block or caution on uncategorized sites. Customers who allow uncategorized content also improve security and acceptable use policy controls, since some uncategorized sites would have been blocked had they been properly categorized.
Description
• The Zscaler service examines and assesses the top 100 uncategorized domains (by transaction count) on a daily basis and categorizes them.
• The Zscaler service cannot categorize all sites. For example, a site might be unreachable, be a login page, or have no viewable content. In such cases, the service continues down the list of uncategorized domains until 100 domains have been categorized. A monthly email report of sites the service was unable to categorize is sent to the customer. The customer can attempt to categorize those sites and send them to Zscaler, or manually add them to a custom URL category.
• The Zscaler service performs this categorization every day. The top domains for weekends (Saturday and Sunday) and major holidays are categorized on the following business day.
• If fewer than 100 uncategorized domains are seen in a day, the Zscaler service categorizes only that day's uncategorized sites.
• Zscaler provides customers with an email alias for questions and feedback that receives priority responses.

Server/IoT Protection
Overview
Zscaler Internet Access (ZIA) protects user (e.g., employee, contractor)
traffic and does not, by default, cover other device traffic. Some customers have requirements to send other traffic through ZIA for policy control and threat protection. Examples of traffic not included in user traffic, and considered device-protected traffic, are server-initiated traffic (where the server is the client) and other devices calling out to the internet (IoT, point of sale, public kiosks). One use of device traffic protection is to restrict a server to communicating only with specific IP addresses or URLs, so that any unexpected server traffic can be reported on.
Description
• Allows customers to send non-user traffic (such as server-sourced traffic or IoT) through Zscaler's service.
• All subscribed licenses (Advanced Threat Protection, Data Loss Prevention, etc.) apply to server traffic as well.
• Traffic is purchased by GB per month.
Customer Responsibilities
• The customer must purchase the appropriate level of monthly traffic, based on their best estimates. Traffic can reasonably grow over time without additional charges during the term of the contract, as defined in the End User Subscription Agreement (EUSA). If the growth allowance is exceeded, the customer must purchase additional GB of monthly traffic.
• The customer must ensure that traffic is directed to the Zscaler service.

Inline Guest Wi-Fi Protection
Overview
Zscaler Internet Access (ZIA) protects user (employee, contractor, etc.) traffic and does not, by default, cover non-employee device traffic. With this service, customers can provide protection for Guest Wi-Fi devices (traffic not associated with a user seat already covered under the service). Guest Wi-Fi protection can be used for URL filtering by domain category.
The customer can select from various filtering options to block access to legal liability sites (such as gambling, drugs, profanity, and violence) or sites with adult material (such as nudity and pornography).
Description
• Allows customers to send Guest Wi-Fi user traffic through Zscaler's service.
• All subscribed licenses (Advanced Threat Protection, Data Loss Prevention, etc.) apply to Guest Wi-Fi traffic as well.
• Traffic is purchased by GB per month.
Customer Responsibilities
• The customer must purchase the appropriate level of monthly traffic, based on their best estimates. Traffic can reasonably grow over time without additional charges during the term of the contract, as defined in the End User Subscription Agreement (EUSA). If the growth allowance is exceeded, the customer must purchase additional GB of monthly traffic.
• The customer must ensure that traffic is directed to the Zscaler service.

Private ZENs (PZENs)
Overview
When the customer has requirements that make forwarding traffic to ZIA Public Service Edges less than ideal, the customer can extend the Zscaler cloud architecture to the organization's premises by deploying Private ZENs (PZENs). PZENs use Zscaler hardware, shipped to and hosted by the customer, that functions as full-featured ZIA Public Service Edges dedicated to the organization's traffic. PZENs perform the same service as the ZIA Public Service Edges in the Zscaler cloud, including support for features such as Firewall, Sandbox, and Data Loss Prevention (DLP).
Description
• PZENs are part of the Zscaler cloud and communicate with it for user authentication and policy updates, as well as for logging and reporting. Logs are transmitted to and stored in the Zscaler cloud as a central repository for integrated analytics.
Customers can view and monitor internet traffic activity on the ZIA Admin Portal dashboard and make full use of the real-time logging and interactive reporting capabilities of the service.
• An organization can send its internet traffic to a PZEN through a GRE tunnel, PAC file, or L2 redirect.
• Admins define policies only once, in the ZIA Admin Portal. After users are signed in and authenticated to the Zscaler service, the service always applies their policies, whether they connect to an on-premises PZEN or to a ZIA Public Service Edge anywhere in the world.
• PZENs are easy to deploy and require minimal administration. Customers have some access to the PZENs for monitoring and configuration. Zscaler requires Intelligent Platform Management Interface (IPMI) access to the PZENs.
• PZENs are horizontally scalable, so customers can add more PZENs as their traffic increases.
• PZENs are deployed in a cluster with built-in load balancers to ensure availability and redundancy. The load balancers are designed to distribute user traffic evenly across the cluster members. Zscaler does not recommend using external load balancers.
• PZENs can be deployed in standalone mode for testing purposes only. Zscaler does not support standalone PZENs in production environments with live user traffic.
• When a new PZEN software update is available, PZENs in a cluster automatically stagger their updates to ensure high availability. No administrative interaction is required.
• If a PZEN has intermittent connectivity to the Zscaler cloud, web logs are queued and sent when possible instead of being dropped. The web logs and their delays are shown in transaction drill-downs in the ZIA Admin Portal. The Nanolog Streaming Service (NSS) also has fields that distinguish web log generation time from web log transmission time.
Customer Responsibilities
• The customer must forward its internet traffic to Zscaler.
• The customer must ensure that all requirements to deploy PZENs, and to run a PZEN cluster, are met.
• The customer can deploy PZENs behind the firewall or in the DMZ.
• A PZEN cluster requires outbound connections to Zscaler. The customer must ensure that their outbound firewall is configured to allow the necessary connections, as described at https://ips.<zscaler-cloud-name>/pzr. For example, customers on the zscalertwo.net cloud should go to https://ips.zscalertwo.net/pzr.
• The customer must deploy PZENs in clusters for production environments and have a PZEN subscription for each PZEN instance in a cluster. A PZEN cluster must contain at least two PZEN instances. Zscaler does not support standalone PZENs in production environments with live user traffic.
Virtual ZENs (VZENs)
Overview
When the customer has requirements that make forwarding their traffic to ZIA Public Service Edges less than ideal, the customer can extend the Zscaler cloud architecture to their organization's premises by deploying Virtual ZENs (VZENs), which use virtual machines (VMs) to function as full-featured ZIA Public Service Edges dedicated to an organization's traffic. VZENs perform the same service as the ZIA Public Service Edges in the Zscaler cloud, including support for features such as Firewall, Sandbox, and Data Loss Prevention (DLP).
Description
• VZENs are part of the Zscaler cloud and communicate with it for user authentication and policy updates, and for logging and reporting. Logs are transmitted to and stored on the Zscaler cloud as a central repository for integrated analytics.
Customers can view and monitor internet traffic activity on the ZIA Admin Portal dashboard and make full use of the real-time logging and interactive reporting capabilities of the service.
• An organization can send its internet traffic to a VZEN through a GRE tunnel, PAC file, or L2 redirect.
• Admins define policies only once, through the ZIA Admin Portal. After users are signed in and authenticated to the Zscaler service, the service always applies their policies, whether they connect to an on-premises VZEN or to a ZIA Public Service Edge anywhere in the world.
• VZENs are easy to deploy and require minimal administration. Customers have full access to VZENs for monitoring and configuration. Zscaler does not require access to VZENs.
• VZENs are horizontally scalable, so customers can easily add more VZENs as their traffic increases.
• VZENs are deployed in a cluster, which features built-in load balancers to ensure availability and redundancy. The load balancers are designed to distribute user traffic evenly across the VZENs in the cluster. Zscaler does not recommend using external load balancers.
• VZENs can be deployed in standalone mode for testing purposes only. Zscaler does not support standalone VZENs in production environments with live user traffic.
• Zscaler offers three VZEN SKUs, targeted at different throughput and performance requirements: small (30 Mbps), medium (up to 100 Mbps), and large (up to 600 Mbps).
• An SSL acceleration card (sold separately) is recommended for deployments with a throughput requirement of more than 100 Mbps.
• When a new VZEN software update is available, VZENs in a cluster automatically stagger their updates to ensure high availability. No administrative interaction is required.
• If a VZEN has intermittent connectivity to the Zscaler cloud, the weblogs are queued and sent when possible, instead of being dropped. The weblogs and their delays are shown in transaction drilldowns in the ZIA Admin Portal. The Nanolog Streaming Service (NSS) also has fields to distinguish between weblog generation time and weblog transmission time.
• Customers can use SNMP to monitor a VZEN. Traps can be raised in case of an adverse event that impacts traffic processing. SNMP is configured locally on the VZEN.
Customer Responsibilities
• The customer must forward its internet traffic to Zscaler.
• The customer must ensure that all requirements to deploy VZENs, and to run a VZEN cluster as virtual machines, are met.
• The customer can deploy VZENs behind the firewall or in the DMZ.
• The customer must download and install the virtual appliance.
• A VZEN cluster requires outbound connections to Zscaler. The customer must ensure that their outbound firewall is configured to allow the necessary connections, as described at https://ips.<zscaler-cloud-name>/vzen. For example, customers on the zscalertwo.net cloud should go to https://ips.zscalertwo.net/vzen.
• The customer must deploy VZENs in clusters for production environments and have a VZEN subscription for each VZEN instance in a cluster. A VZEN cluster must contain at least two VZEN instances. Zscaler does not support standalone VZENs in production environments with live user traffic.
• The customer must adhere to the hypervisor and virtual machine (VM) specifications, as well as internet bandwidth requirements.
Private Service Edge
Overview
A private deployment of Service Edge brings the scale, reliability, and security capabilities of the Zscaler cloud as close to your users as possible: right at the edge of your network.
Private Service Edge uses Zscaler hardware, shipped to the customer and hosted by the customer, to function as a full-featured ZIA Public Service Edge dedicated to an organization's traffic. A Private Service Edge performs the same service as the ZIA Public Service Edges in the Zscaler cloud, including support for features such as Firewall, Sandbox, and Data Loss Prevention (DLP).
Description
• A Private Service Edge is part of the Zscaler cloud and communicates with it for user authentication and policy updates, as well as for logging and reporting. Logs are transmitted to and stored on the Zscaler cloud as a central repository for integrated analytics. Customers can view and monitor internet traffic activity on the ZIA Admin Portal dashboard and make full use of the real-time logging and interactive reporting capabilities of the service.
• An organization can send its internet traffic to a Private Service Edge through a GRE tunnel, PAC file, or L2 redirect.
• Admins define policies only once, through the ZIA Admin Portal. After users are signed in and authenticated to the Zscaler service, the service always applies their policies, whether they connect to an on-premises Private Service Edge or to a ZIA Public Service Edge anywhere in the world.
• A Private Service Edge is easy to deploy and requires minimal administration. Customers have some access to the Private Service Edge for monitoring and configuration. Zscaler requires Intelligent Platform Management Interface (IPMI) access to a Private Service Edge (out-of-band access to the appliance hardware).
• Private Service Edge is horizontally scalable, so customers can easily add more instances as their traffic increases.
• Private Service Edges are deployed in a cluster, which features built-in load balancers to ensure availability and redundancy. The load balancers are designed to distribute user traffic evenly across the instances in the cluster. Zscaler does not recommend using external load balancers.
• A Private Service Edge can be deployed in standalone mode for testing purposes only. Zscaler does not support standalone Service Edges in production environments with live user traffic.
• When a new Service Edge software update is available, the Private Service Edges in a cluster automatically stagger their updates to ensure high availability. No administrative interaction is required.
• If a Private Service Edge has intermittent connectivity to the Zscaler cloud, the weblogs are queued and sent when possible, instead of being dropped. The weblogs and their delays are shown in transaction drilldowns in the ZIA Admin Portal. The Nanolog Streaming Service (NSS) also has fields to distinguish between weblog generation time and weblog transmission time.
Customer Responsibilities
• The customer must forward its internet traffic to Zscaler.
• The customer must ensure that all requirements to deploy Service Edges, and to run a Service Edge cluster, are met.
• The customer can deploy Service Edges behind the firewall or in the DMZ.
• A private Service Edge cluster requires outbound connections to Zscaler. The customer must ensure that their outbound firewall is configured to allow the necessary connections, as described at https://ips.<zscaler-cloud-name>/zia_sedge. For example, customers on the zscalertwo.net cloud should go to https://ips.zscalertwo.net/zia_sedge.
• The customer must deploy Private Service Edges in clusters for production environments and have a Private Service Edge subscription for each instance in a cluster. A Service Edge cluster must contain at least two instances. Zscaler does not support standalone Service Edges in production environments with live user traffic.
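The queued-weblog behaviour described for PZENs, VZENs and Private Service Edges matters to anyone correlating these logs in a SIEM: a feed delivers records in transmission order, so an on-premises edge that lost cloud connectivity for three quarters of an hour delivers that period's events in a burst long after they happened, and a timeline keyed on arrival time is wrong by exactly that gap. The following added example, written for this page (it is not Zscaler's code, and the sample is constructed rather than a real feed capture), reads a JSON-per-line NSS feed of the kind the Private NSS section later describes, computes each record's transmission delay from the generation-time and transmission-time fields, flags records and edges whose delay exceeds a threshold, and re-orders records by generation time. The field names logtime, txtime, edge, user, url and action are assumptions; a real feed carries whatever fields and output format the admin configured for it.

```javascript
// Constructed sample of a JSON-per-line NSS web log feed (not real Zscaler output; the field
// names are assumptions for this example). Records arrive in transmission order: bob's and
// carol's transactions were generated at 10:01 and 10:02 but only transmitted at 10:47, which
// is what an on-premises edge that lost cloud connectivity and then recovered looks like.
const SAMPLE_FEED = [
  '{"logtime":"2020-05-04T10:00:00Z","txtime":"2020-05-04T10:00:02Z","edge":"pzen-a","user":"alice","url":"example.com/","action":"Allowed"}',
  '{"logtime":"2020-05-04T10:03:00Z","txtime":"2020-05-04T10:03:01Z","edge":"pzen-b","user":"dave","url":"example.net/","action":"Allowed"}',
  'garbage line that is not JSON',
  '{"logtime":"2020-05-04T10:01:00Z","txtime":"2020-05-04T10:47:30Z","edge":"pzen-a","user":"bob","url":"bad.example/payload.exe","action":"Blocked"}',
  '{"logtime":"2020-05-04T10:02:00Z","txtime":"2020-05-04T10:47:31Z","edge":"pzen-a","user":"carol","url":"example.org/","action":"Allowed"}',
];

const REQUIRED_FIELDS = ["logtime", "txtime", "edge", "user", "url", "action"];

// Parse one feed line. Returns null for anything that is not a complete, well-formed record,
// so a corrupted line never silently becomes a zero-delay event.
function parseFeedLine(line) {
  let rec;
  try {
    rec = JSON.parse(line);
  } catch (e) {
    return null;
  }
  if (rec === null || typeof rec !== "object") return null;
  for (const f of REQUIRED_FIELDS) {
    if (typeof rec[f] !== "string") return null;
  }
  const generated = Date.parse(rec.logtime);      // when the edge logged the transaction
  const transmitted = Date.parse(rec.txtime);     // when the edge managed to send it
  if (Number.isNaN(generated) || Number.isNaN(transmitted)) return null;
  return { ...rec, generated, transmitted, delaySeconds: Math.round((transmitted - generated) / 1000) };
}

// Walk a feed, count malformed lines, flag records whose transmission delay exceeds
// thresholdSeconds, and summarise per edge so a long queue shows up as an edge-level event.
function analyseFeed(lines, thresholdSeconds = 300) {
  const records = [];
  let malformed = 0;
  for (const line of lines) {
    const rec = parseFeedLine(line);
    if (rec === null) { malformed += 1; continue; }
    records.push(rec);
  }
  const delayed = records.filter((r) => r.delaySeconds > thresholdSeconds);
  const byEdge = {};
  for (const r of records) {
    const s = byEdge[r.edge] || (byEdge[r.edge] = { count: 0, delayedCount: 0, maxDelaySeconds: 0 });
    s.count += 1;
    if (r.delaySeconds > thresholdSeconds) s.delayedCount += 1;
    if (r.delaySeconds > s.maxDelaySeconds) s.maxDelaySeconds = r.delaySeconds;
  }
  return { records, malformed, delayed, byEdge };
}

// Incident timelines must be keyed on when the transaction happened (logtime), not on
// when the SIEM received it: return the records in generation order.
function generationOrder(records) {
  return [...records].sort((a, b) => a.generated - b.generated);
}

// Operator-readable summary of an analysis.
function summarise(analysis) {
  const out = [`records=${analysis.records.length} malformed=${analysis.malformed} delayed=${analysis.delayed.length}`];
  for (const [edge, s] of Object.entries(analysis.byEdge)) {
    out.push(`edge=${edge} records=${s.count} delayed=${s.delayedCount} max_delay_s=${s.maxDelaySeconds}`);
  }
  return out.join("\n");
}

console.log(summarise(analyseFeed(SAMPLE_FEED)));
```

Running it on the constructed feed reports one malformed line and two delayed records, both on pzen-a with a maximum delay of 2790 s, which is the signature an operator would want raised as an edge connectivity event rather than buried in per-transaction noise.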
Virtual Service Edge
Overview
A private deployment of Virtual Service Edge is designed for locations that need the full feature set of a ZIA Public Service Edge in a virtual form factor that is horizontally scalable and requires minimal deployment logistics. Virtual Service Edge uses virtual machines (VMs) to function as full-featured ZIA Public Service Edges dedicated to an organization's traffic. A Virtual Service Edge performs the same service as the ZIA Public Service Edges in the Zscaler cloud, including support for features such as Firewall, Sandbox, and Data Loss Prevention (DLP).
Description
• A Virtual Service Edge is part of the Zscaler cloud and communicates with it for user authentication and policy updates, and for logging and reporting. Logs are transmitted to and stored on the Zscaler cloud as a central repository for integrated analytics. Customers can view and monitor internet traffic activity on the ZIA Admin Portal dashboard and make full use of the real-time logging and interactive reporting capabilities of the service.
• An organization can send its internet traffic to a Virtual Service Edge through a GRE tunnel, PAC file, or L2 redirect.
• Admins define policies only once, through the ZIA Admin Portal. After users are signed in and authenticated to the Zscaler service, the service always applies their policies, whether they connect to a private deployment of Virtual Service Edge or to a ZIA Public Service Edge anywhere in the world.
• A Virtual Service Edge is easy to deploy and requires minimal administration. Customers have full access to the Virtual Service Edge for monitoring and configuration. Zscaler does not require access to Virtual Service Edges.
• Virtual Service Edge is horizontally scalable, so customers can easily add more instances as their traffic increases.
• Virtual Service Edges are deployed in a cluster, which features built-in load balancers to ensure availability and redundancy. The load balancers are designed to distribute user traffic evenly across the instances in the cluster. Zscaler does not recommend using external load balancers.
• A Virtual Service Edge can be deployed in standalone mode for testing purposes only. Zscaler does not support standalone Virtual Service Edges in production environments with live user traffic.
• Zscaler offers one Virtual Service Edge SKU, targeted at throughput of up to 600 Mbps.
• An SSL acceleration card (sold separately) is recommended for deployments with a throughput requirement of more than 100 Mbps.
• When a new Virtual Service Edge software update is available, Virtual Service Edges in a cluster automatically stagger their updates to ensure high availability. No administrative interaction is required.
• If a Virtual Service Edge has intermittent connectivity to the Zscaler cloud, the weblogs are queued and sent when possible, instead of being dropped. The weblogs and their delays are shown in transaction drilldowns in the ZIA Admin Portal. The Nanolog Streaming Service (NSS) also has fields to distinguish between weblog generation time and weblog transmission time.
• Customers can use SNMP to monitor a Virtual Service Edge. Traps can be raised in case of an adverse event that impacts traffic processing. SNMP is configured locally on the Virtual Service Edge.
Customer Responsibilities
• The customer must forward its internet traffic to Zscaler.
• The customer must ensure that all requirements to deploy Virtual Service Edges, and to run a Virtual Service Edge cluster as virtual machines, are met.
• The customer can deploy Virtual Service Edges behind the firewall or in the DMZ.
• The customer must download and install the virtual appliance.
• A Virtual Service Edge cluster requires outbound connections to Zscaler. The customer must ensure that their outbound firewall is configured to allow the necessary connections, as described at https://ips.<zscaler-cloud-name>/zia_edge. For example, customers on the zscalertwo.net cloud should go to https://ips.zscalertwo.net/zia_edge.
• The customer must deploy Virtual Service Edges in clusters for production environments and have a Virtual Service Edge subscription for each instance in a cluster. A Virtual Service Edge cluster must contain at least two instances. Zscaler does not support standalone Virtual Service Edges in production environments with live user traffic.
• The customer must adhere to the hypervisor and virtual machine (VM) specifications, as well as internet bandwidth requirements.
Private Nanolog Streaming Service (NSS) Appliance for Web Logs
Overview
Zscaler's private NSS is a Zscaler-managed appliance the customer can use to stream web traffic logs in real time from the Zscaler Nanolog to the customer's on-premises security information and event management (SIEM) system. NSS helps the customer comply with regulatory mandates on local log archival, correlate logs from multiple devices, and conduct historical web log analysis.
Description
• When an organization deploys NSS, NSS opens a secure tunnel to the Nanolog in the Zscaler cloud. The Nanolog then streams copies of the logs to NSS in a highly compressed format to reduce the bandwidth footprint; the original logs are retained on the Nanolog.
• When NSS receives the logs from the Nanolog, it unscrambles them, applies the configured filters to exclude unwanted logs, converts the filtered logs to the configured output format so they can be parsed by the customer's SIEM, and then streams the logs to the SIEM over a raw TCP connection. Because this last leg is a plain TCP stream, the NSS-to-SIEM path should be confined to a trusted network segment.
• For full site redundancy, each organization can subscribe to up to two NSS systems for web logs in an active-active configuration. Each NSS supports up to eight parallel SIEM connections, called feeds. Each feed can have a different list of fields, a different format, and different filters.
• NSS requires minimal administration. After the customer deploys it, NSS automatically polls Zscaler for updates and installs them.
• For monitoring purposes, the customer can configure a separate alert feed. Zscaler sends the alerts in an RFC-compliant syslog format to the specified IP address and port.
• The customer can open a Behavioral Analysis report based on the MD5 parameter retrieved from the logs in the SIEM.
Customer Responsibilities
• The customer must use a SIEM that is interoperable with and supported by Zscaler.
• The customer must ensure that all the requirements to run the NSS appliance are met.
• The customer must ensure that all firewall requirements are met, as detailed at https://ips.<zscaler-cloud-name>/addresses/nss.html. For example, customers on the zscalerone cloud should go to https://ips.zscalerone.net/addresses/nss.html. NSS requires only outbound connections to the Zscaler cloud.
Intelligent Routing (Guest Wi-Fi)
Overview
Powered by DNS, the Intelligent Routing platform can be used on any device and can be deployed within the enterprise environment or on Guest Wi-Fi.
The Intelligent Routing platform filters DNS responses and employs the same inline proxy for inspection and malware protection as the full proxy solution. However, the service only inspects as required, based on threat detection using Zscaler's own heuristics.
Description
• With Intelligent Routing, the customer can create security policies for locations using four key features:
o URL filtering by domain category: The customer can select from six filtering options. Each option corresponds to a predefined group of URL categories that the customer can block.
▪ All: All sites are blocked.
▪ Strict: Legal liability sites, including gambling, drugs, profanity, violence, etc., are blocked.
▪ Moderate: Sites with adult material, such as nudity, pornography, etc., are blocked.
▪ Minimal: Sites with pornography are blocked.
▪ None: No sites are blocked.
▪ Custom: The customer manually selects which URL categories to block.
o Threat Security: This feature is equivalent to the advanced threat protection of the Zscaler service, providing basic protection against spyware and malware (including botnets, malicious active content, unauthorized communication, and XSS) as well as standard Behavioral Analysis (for all Windows executable files and Dynamic Link Libraries (DLLs) in traffic from URLs in suspicious URL categories).
o SafeSearch: This feature is a browser function that helps the customer block inappropriate or explicit images from search engine results (Google, Yahoo!, Bing, etc.). Enabling SafeSearch in Zscaler forces all end users' web browsers to use SafeSearch, and users cannot bypass the restriction.
o SSL Interception: Enabling SSL Inspection allows Zscaler to decrypt HTTPS traffic and protect against dangerous content hidden in incoming or outgoing HTTPS traffic. However, because SSL interception requires that a root certificate first be installed in the end user's browser, enabling SSL interception is not recommended for Guest Wi-Fi and other deployments where the protected devices are unmanaged and/or installing a certificate is not desirable. If you do not enable SSL inspection, you can block URL categories that attempt to use SSL.
• With Intelligent Routing configured, when an end user requests a website, a DNS query is sent to one of Zscaler's DNS anycast servers. Zscaler checks the configured policy for the location to see which action is required (Block, Inspect, or Direct):
o If the customer's policy prohibits the site, the action is Block. The DNS response redirects the client to a block page configured with standard or custom text.
o If the site is unknown or is known to contain malware, the action is Inspect. The platform sends the traffic to the Zscaler cloud for full inspection and returns only safe content.
o If the site is allowed by policy, the action is Direct. The client proceeds directly to the site.
• The Intelligent Routing dashboard presents information about the organization from a global view. You can drill down into individual locations for more granular data, such as the number of transactions allowed or blocked, traffic trend, top locations, top categories, top domains, and top threats.
Customer Responsibilities
• The customer must configure their firewall and ensure that all DNS queries are sent to Zscaler's anycast DNS servers only. Because the Block, Inspect, and Direct decisions are carried in the DNS response, a client that resolves names elsewhere (for example, through a directly reachable third-party resolver or DNS over HTTPS) bypasses the policy entirely.
• The customer must ensure proper settings are configured in the Zscaler Intelligent Routing Admin Portal. Otherwise, default settings apply.
• If SSL inspection is enabled:
o The customer must ensure that Zscaler's root certificate is configured in the end user's browser.
o To exempt specific URL categories from SSL inspection (for example, URLs in the Finance or Health category), the customer must request the exemption via support.
Zscaler Test Tenants
Overview
The customer can subscribe to one or more Zscaler test tenants. A test tenant enables access for 50 users and mirrors the customer's licensing from their production tenant. This allows the customer to try new features in a safe environment that does not interfere with their production environment.
Description
Zscaler operates the world's largest multi-tenant Security-as-a-Service cloud platform. The Zscaler Test Tenant feature enables customers to take advantage of the flexibility of the platform and build a test environment with virtually no impact on their production environment. Customers have access to a test tenant that mirrors any licenses included in their production tenant, but it is limited to 50 users.
Customer Responsibilities
• The customer must ensure the test tenant is provisioned on a Zscaler cloud. The test tenant is provisioned on the same cloud as the customer's production tenant, unless otherwise requested.
• The customer must use a supported method (e.g., GRE, IPSec, PAC files, proxy chaining, etc.) to forward test traffic to the test tenant and ensure their traffic is forwarded to Zscaler.
• For GRE and IPSec tunnels and proxy chaining, the customer must use hardware that is interoperable with and supported by Zscaler. The customer must ensure that the hardware is installed and operated according to applicable third-party vendor specifications and recommendations, and that it has the capacity required for forwarding traffic to Zscaler.
• The customer may only use the test tenant for testing purposes and not for any production traffic.
Cloud Browser Isolation
Overview
Cloud Browser Isolation gives an organization the capability to isolate users from potentially harmful content on the internet. The accessed web page is loaded on a remote browser in one of the many Zscaler data centers across the globe, and the rendered content is streamed as pixels to the user's native browser. Isolating web pages on an ephemeral remote browser ensures that the HTML, CSS, JavaScript, and any other active content served by the accessed web page never reaches the end user's machine or the corporate network, which provides an air gap between the end user and the web page.
Description
• Cloud Browser Isolation allows customers to create isolation profiles on the Admin Portal (https://admin.isolation.zscaler.com).
• As part of the isolation profile, the customer can define attributes of the ephemeral remote browser and the security controls associated with it:
o Whether the isolated browser should persist the user's cookies, set by destination web pages accessed via the isolated browser, across isolation sessions.
o Which Zscaler isolation regions the isolation profile should be available in.
o Whether the user of the isolated browser is allowed to upload files from their native browser/machine to the isolated browser.
o Whether the user is allowed to download files from the isolated browser to their native browser/machine.
o Whether the user is allowed to copy clipboard content from the isolated browser to their native browser/machine.
o Whether the user is allowed to copy clipboard content from the native browser/machine to the isolated browser.
o The PAC file to be deployed on the isolated browser.
Each of the upload, download, and clipboard controls reopens a channel across the air gap described above, so they should stay disabled in profiles whose purpose is to contain untrusted content.
• Once the isolation profile is created, an associated isolation profile URL is generated.
• Customers can create "Block and Redirect" rules, using ZIA's URL filtering policies, to redirect specific categories to the isolation profile URL.
Customer Responsibilities
• The customer must ensure that traffic is directed to the ZIA service.
• The customer must purchase the appropriate Cloud Browser Isolation SKU based on the volume of monthly traffic that needs to be isolated in comparison with the overall ZIA traffic, based on their best estimates. Traffic can reasonably grow over time without additional charges during the term of the contract, as defined in the End User Subscription Agreement (EUSA). If the growth amount is exceeded, the customer must purchase additional gigabytes of monthly traffic.
• Authentication must be enabled for the locations from which the user's traffic needs to be isolated.
• SSL Inspection is required to isolate traffic destined for SSL destinations.