Accelerate Zscaler to Prisma SASE migration with Strata Cloud Manager, automating
ZIA and ZPA configuration transition with actionable insights.
Where Can I Use This?
- Prisma Access (Managed by Strata Cloud Manager)

What Do I Need?
Permissions and Credentials:
- Superuser or Network Administrator role
- Zscaler API Credentials (Cloud URL, Username, Password, API Key for ZIA; Cloud URL, Client ID, Client Secret, Customer ID for ZPA) or Zscaler JSON configuration files bundled in .zip format
Licenses:
- Prisma Access license
- Enterprise Data Loss Prevention license
- ZTNA Connector license
- Privileged Remote Access (PRA) license
- Remote Browser Isolation (RBI) license
Additional Requirements:
- Strata Cloud Manager 2026.R2 release or later
- Application IP Blocks configured in Prisma Access Infrastructure Settings
- Network connectivity to Zscaler Cloud API on port 443
- Zscaler SCIM or SCIM groups configured for Cloud Identity Engine

The Zscaler to Prisma® SASE migration engine automates the transition of Zscaler
Internet Access (ZIA) and Zscaler Private Access (ZPA) configurations to Prisma
Access security policies. This tool reduces manual effort and potential errors by
automating the assessment, translation, and optimization of Zscaler configurations
into Prisma Access-compatible formats.

To begin the migration process, you upload your Zscaler configuration either
programmatically via Zscaler Cloud APIs or through a JSON file. The migration engine
parses, analyzes, and converts the configuration into a Prisma Access-compatible
format. The engine applies optimization logic to clean up duplicate and redundant
data, thereby reducing the total policy footprint. You can review and refine the
translated configuration before importing it into Prisma Access.

For general security policies and objects, the tool generates a Strata Cloud Manager
snippet, a reusable set of configurations that can be applied to a Strata Cloud
Manager folder. Snippets make it easy to deploy standard settings consistently
across your network. ZTNA, Privileged Remote Access (PRA), and Remote Browser
Isolation (RBI) configurations are applied immediately after the migration is
completed without an explicit commit. It is strongly recommended that you test the
migration on a pre-production tenant before migrating production workflows.
Migration is only supported for commercial tenants.

The following Zscaler Private Access (ZPA) policies and objects are not currently
supported for migration. These unsupported elements are excluded from the
translation process and added to your migration report:
- CLIENTLESS_SESSION_PROTECTION_POLICY (Browser Protection Policy)
- CLIENT_FORWARDING_POLICY (BYPASS_POLICY)
- Servers
- Server Groups
- Service Edge Connections
- Service Edge Connection Groups
- Isolation Profiles
Note the following caveats:
- ZTNA objects can have a maximum of 4 connector groups per FQDN or wildcard
target.
- Only one Connector Group per Compute Region is supported.
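
The unsupported policy types and the two connector-group caveats above can be checked against an inventory before upload. The following is an added example, not part of the Palo Alto Networks or Zscaler tooling; the inventory layout, field names, and region labels are constructed for illustration and do not reflect the actual Zscaler export schema.

```python
import json
from collections import defaultdict

# Policy types the page lists as excluded from translation.
UNSUPPORTED_POLICY_TYPES = {
    "CLIENTLESS_SESSION_PROTECTION_POLICY",
    "CLIENT_FORWARDING_POLICY",
    "BYPASS_POLICY",
}
MAX_GROUPS_PER_TARGET = 4  # caveat: max 4 connector groups per FQDN/wildcard target

# Constructed sample inventory; field names are hypothetical, not the Zscaler export schema.
SAMPLE = json.loads("""
{
  "policies": [
    {"name": "allow-hr", "policyType": "ACCESS_POLICY"},
    {"name": "bypass-o365", "policyType": "CLIENT_FORWARDING_POLICY"}
  ],
  "targets": [
    {"target": "*.corp.example", "connectorGroups": ["cg1", "cg2", "cg3", "cg4", "cg5"]},
    {"target": "hr.corp.example", "connectorGroups": ["cg1"]}
  ],
  "connectorGroupRegions": {"cg1": "us-east", "cg2": "us-east", "cg3": "eu-west",
                            "cg4": "ap-south", "cg5": "us-west"}
}
""")

def preflight(inv):
    """Return a sorted list of (check, item, detail) findings for one inventory."""
    findings = []
    for p in inv.get("policies", []):
        if p.get("policyType") in UNSUPPORTED_POLICY_TYPES:
            findings.append(("unsupported-policy", p["name"], p["policyType"]))
    for t in inv.get("targets", []):
        groups = set(t.get("connectorGroups", []))
        if len(groups) > MAX_GROUPS_PER_TARGET:
            findings.append(("too-many-connector-groups", t["target"], str(len(groups))))
    # Operator-supplied mapping (assumption): planned compute region per connector group.
    by_region = defaultdict(set)
    for group, region in inv.get("connectorGroupRegions", {}).items():
        by_region[region].add(group)
    for region, groups in by_region.items():
        if len(groups) > 1:
            findings.append(("region-conflict", region, ",".join(sorted(groups))))
    return sorted(findings)

if __name__ == "__main__":
    for check, item, detail in preflight(SAMPLE):
        print(f"{check:28} {item:20} {detail}")
```

Items flagged as `unsupported-policy` correspond to elements the migration report will list as excluded, so their access-control intent needs to be re-created manually in Prisma Access.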