Zscaler Web Security

Zscaler Web Security is a secure Internet and web gateway service that stops malware, advanced threats, phishing, browser exploits, malicious URLs, botnets, and more.

This adapter is compatible with Zscaler Internet Access (ZIA).

Asset Types Fetched

This adapter fetches the following types of assets:

  • Devices
  • Users
  • SaaS Applications
  • Network/Firewall Rules

Before You Begin

Authentication Methods

You can authenticate this adapter using either of the following methods:

  • API Key
  • OAuth 2.0 authentication (ZIdentity)

Note

This adapter won't be able to fetch Devices when using OAuth 2.0 authentication.

See Connecting the Adapter in Axonius for the connection parameters required for each authentication.

Required Permissions

General

  • Dashboard Access: View Only
  • User Names: Visible
  • Reporting Access: Full
  • Device Information: Visible
  • Auditor Logs: Read-only
  • Users: Read-only
  • Client Connector Portal: Read-only

Reporting Data

  • Security: View Only
  • Web Data: View Only
  • Firewall: View Only
  • URL Categories: View Only

Specific Permissions for fetching SaaS Applications data

For detailed instructions, see the Zscaler documentation about Adding Admin Roles for Internet & SaaS Access. Click See image under each permission section to see how they look in the Zscaler portal.

Specific Permissions for fetching Devices

  1. In Zscaler, navigate to Administration > Role Management > Roles.
  2. Select the Traffic Forwarding tab and add the permissions listed in the following image:
[Image: Traffic Forwarding permissions]

Setting Up Zscaler Web Security to Work with Axonius

To authorize using the API Key, follow these steps:

Create a Local Admin Account

  1. Log into the Zscaler Admin Portal.
  2. Navigate to Administration > Role Management > Administrator Management.
  3. Create a new local administrator (must be local, not SAML/SSO-linked).
  4. Set a strong password.

Assign the Role With the Required Permissions

  1. Navigate to Administration > Role Management > Roles.

  2. Select the Administration Controls tab.

  3. Configure the permissions listed in this image:

    [Image: Administration Controls permissions]
  4. Continue to assign the relevant permissions based on the asset types you want to fetch, as detailed in Required Permissions and the Zscaler documentation (for SaaS permissions).

Retrieve the API Key

  1. Navigate to Administration > API Key Management.
  2. Copy the existing API key, or generate a new one.
  3. Store the key in a secure place - it is required to connect the adapter.

Connecting the Adapter in Axonius

Required Parameters - General

  1. Zscaler Domain (default: admin.zscalerthree.net) - Specify the Zscaler cloud name that was provisioned for your organization. For example:

    • admin.zscalerbeta.net
    • admin.zscalerone.net
    • admin.zscalertwo.net
    • admin.zscaler.net
    • admin.zscloud.net
    • admin.zscalerdomain.net
    • mobileadmin.zscalerdomain.net
    • mobile.zscalerdomain.net

    For more details, see 'Retrieve your base URI and API key' section under Zscaler API - Getting Started.


Note

Your organization may use a Zscaler domain for Single Sign On (SSO) that is different from the Base URL. This domain may need to be accounted for in firewall rule configurations to allow for a successful connection.

  2. Auth Method - Select either API Key (default) or ZIdentity.
  3. User Name and Password - The user name and password used to connect to Zscaler Web Security.
  4. API Key - Your organization's API key. The API key is mandatory to fetch user data from Zscaler. For more details about adding a new API key, see Zscaler documentation - About API Key Management.

[Image: Zscaler Web Security - Add Connection]
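Before entering the local admin credentials and API key into the adapter, it is useful to confirm that Zscaler accepts them. The script below is an added example, not Axonius or Zscaler code: it builds the login request of Zscaler's published ZIA API authentication flow (POST /api/v1/authenticatedSession with a timestamp-obfuscated API key), which this page does not describe. It assumes the API host is the "zsapi" counterpart of the admin domain entered in the adapter (e.g. admin.zscalerthree.net -> zsapi.zscalerthree.net); confirm this against the "Retrieve your base URI and API key" section referenced above.

```python
import json
import os
import time
import urllib.error
import urllib.request

# Constructed sample key for the offline check; a real key comes from
# Administration > API Key Management in the Zscaler Admin Portal.
SAMPLE_API_KEY = "abcdefghijkl"


def obfuscate_api_key(api_key: str, now_ms: int) -> str:
    # Zscaler's published scheme: the last six digits of the millisecond
    # timestamp, and those digits shifted right by one, index into the key.
    n = str(now_ms)[-6:]
    r = str(int(n) >> 1).zfill(6)
    key = "".join(api_key[int(d)] for d in n)
    key += "".join(api_key[int(d) + 2] for d in r)
    return key


def build_auth_request(zscaler_domain: str, username: str, password: str,
                       api_key: str, now_ms: int):
    # Assumption: API host = admin domain with "admin." replaced by "zsapi.".
    api_host = zscaler_domain.replace("admin.", "zsapi.", 1)
    url = f"https://{api_host}/api/v1/authenticatedSession"
    body = {
        "apiKey": obfuscate_api_key(api_key, now_ms),
        "username": username,
        "password": password,
        "timestamp": str(now_ms),  # must match the timestamp used above
    }
    return url, body


def check_connection(zscaler_domain: str) -> int:
    # Credentials are read from the environment so they never land in a file.
    url, body = build_auth_request(
        zscaler_domain, os.environ["ZIA_USERNAME"], os.environ["ZIA_PASSWORD"],
        os.environ["ZIA_API_KEY"], int(time.time() * 1000))
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status  # 200: local admin and API key were accepted
    except urllib.error.HTTPError as err:
        return err.code  # 401: wrong credentials or key; 4xx/5xx otherwise


if __name__ == "__main__":
    print(check_connection(os.environ.get("ZIA_DOMAIN", "admin.zscalerthree.net")))
```

A 200 response only proves the login works; the adapter still needs the role permissions listed under Required Permissions for each asset type.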

Optional Parameters

  1. Company ID - Enter the Company ID. This parameter is required if the Fetch Zscaler Client Connector enrolled devices advanced setting is selected.
  2. Verify SSL - Select to verify the SSL certificate offered by the value supplied in Zscaler Domain. For more details, see SSL Trust & CA Settings.
  3. HTTPS Proxy - A proxy to use when connecting to the value supplied in Zscaler Domain.

Optional File Upload

When fetching SaaS Applications, you have the option to fetch these applications based on logs stored in a remote location. To do so, select the File Source from the Upload File dropdown and provide the relevant parameters. For more information, see connection parameters for the Custom Files adapter and the list of available file sources.


Note

To fetch logs from a remote location, you must enable the Enable real-time asset updates (Zscaler Nanolog Streaming Service) advanced setting.

[Image: Upload File dropdown]

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Advanced Settings


Note

Advanced settings can either apply to all connections for this adapter, or to a specific connection. Refer to Advanced Configuration for Adapters.

Selecting Asset Types

In Advanced Settings, at the top of the Advanced Configuration, you can choose asset types that are relevant to specific advanced configurations.

  1. From the dropdown, select one or more asset types.
    [Image: Asset Type dropdown]
  2. The relevant advanced configurations are displayed.
  3. Next to certain configurations, you can find a small tooltip icon. Hover over the icon to see more information.
  4. The Advanced Configuration page is divided into sections, which can be collapsed to make it easier to navigate.

Data Enrichment

  1. Fetch users (default: true) - Select this option to fetch users data. Each user is added as a user asset in Axonius.
  2. Enrich devices service status - Select this option to enrich device information with Service Status data.
  3. Add last used users information for duplicated devices (if "Avoid hostnames duplications" is enabled) - Select this option to add the last used users information for duplicated devices. This is applicable only when “Avoid hostnames duplications” is used.
  4. Add Device Manufacturer Serial for Zscaler devices - Select this option to extract the device manufacturer serial number from the UDID and add it to the device.
  5. Discover Application Users (default: true) - By default this adapter fetches SaaS application users. Clear this option to not fetch SaaS application users.

Fetch and Parse

  1. Ignore duplicated MAC addresses - Select this option to ignore MAC addresses that are associated with more than one device fetched from Zscaler.
  2. Avoid hostnames duplications - Select this option to avoid returning duplicate hostname fetches.
  3. Fetch Zscaler Client Connector enrolled devices - Select this option to fetch enrolled devices from the Zscaler Client Connector.

Note

When Fetch Zscaler Client Connector enrolled devices is selected, you must enter a value in the Company ID parameter.

  4. Fetch Firewalls - Select this option to fetch firewall policies data.
  5. Filter SaaS Applications data by timeframe - Filter the SaaS Apps report by the selected time period.
  6. Ignore SaaS Applications without users - Select this option to not fetch SaaS applications not assigned to any user.
  7. Ignore SaaS Applications Repository and parse all applications - Select this option to fetch all applications even if they are not in the Axonius SaaS Applications Repository.
  8. Filter out applications by name - Enter a name to filter out applications.
  9. Filter out applications by category - Enter a category to filter out applications.
  10. SaaS Applications Source - Select the source from which to fetch SaaS Applications: Shadow IT Report, Inferred by Insight Logs, or Both.
  11. Include Linux devices - Select this option to include devices running the Linux operating system in the device fetch.
  12. Device Types to be Fetched - Filter the devices you want to fetch by registration status. Select between All states except Removed, Registered (default), Removal Pending (default), Unregistered, Removed, and Quarantined.
  13. Enable real-time asset updates (Zscaler Nanolog Streaming Service) - Enable this if you want to fetch Zscaler Logs from a remote location.

Advanced Configuration

  1. RateLimit (requests/hour) (optional, default: 700) - Enter the maximum rate of requests per hour by Axonius to the Zscaler server.

Note

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.

Related Enforcement Actions

Zscaler - Block URLs

Zscaler - Delete Users

Zscaler - Add or Remove URL to/from Category

Zscaler - Add or Remove Custom URLs to/from Category