Zscaler Internet Access CloudBlade Version 1.3.1
Zscaler Internet Access requires ION devices to run software version
5.1.9-b10 or later. Versions prior to
5.1.9-b10 are not supported. This section includes new features,
caveats/limitations, and migration considerations.
New/Updated Features
Automation of Zscaler sub-location gateway option settings per site.
Optional custom Standard VPN endpoint specification per site, for cases where the ZIA Service Edge hostname list needs to be manually managed.
IPSec Profile interface-level override.
Caveats/Limitations
The following are the caveats or limitations in this release:
IPSec Profile Names specified in the CloudBlade configuration are case-sensitive.
There is a known bug on the Zscaler API side, which will be resolved by the end of July 2020, whereby if the gateway option Surrogate IP Enforced For Known Browsers is specified, it does not show as configured on the Zscaler location or sub-location object. The workaround is to specify an additional gateway option or sub-location gateway option, whichever is applicable. This causes an update to the location (or sub-location) object and makes Surrogate IP Enforced For Known Browsers effective. You can then remove the additional configuration if it is not required.
Migration Considerations
A site previously tagged with AUTO-zscaler that had gateway configuration changes made directly in the Zscaler UI will not have any of its gateway options modified on migration. However, if the AUTO-zscaler tag is updated to specify gateway options, sub-locations, or a custom Standard VPN endpoint, either through the UI workflow or through the API, then the CloudBlade becomes the source of truth for all gateway options and sub-location configuration for that location.
When the AUTO-zscaler tag is removed from a site, all objects maintained by the CloudBlade are removed. This includes the Standard VPN tunnel interfaces on the IONs, the location and sub-location object(s) on Zscaler, and the VPN credentials associated with the tunnels from that site.
Zscaler Location Gateway Options
The following are the gateway options supported in Zscaler CloudBlade Version 1.3.1:
| Options | Corresponding Prisma Access for Networks Tag |
| --- | --- |
| Use XFF from Client Request | <True \| False> |
| Enforce Zscaler App SSL Setting | <True \| False> |
| Enable SSL Inspection | <True \| False> |
| Enforce Firewall Control | <True \| False> |
| Enforce Authentication | <True \| False> |
| Enable IP Surrogate | <True \| False>; Idle time: <val>; Idle time metric: <minutes \| hours \| days> |
| Enable Surrogate IP for Known Browsers | <True \| False>; Refresh time: <val>; Refresh time metric: <minutes \| hours \| days> |
| Enable Caution | <True \| False> |
| Enable AUP | <True \| False>; Frequency (days): <val>; Block Internet Access: <True \| False>; Force SSL Inspection: <True \| False> |