Migrate Zscaler Configurations to Strata Cloud Manager

1. Log in to Strata Cloud Manager.
2. Select ConfigurationOnboarding.
3. In the Migration Catalog, locate Zscaler and then Start Migration.
4. On the Import Configuration screen, select how to import your Zscaler data to the migration engine.

   API Method

   Select Use API to import your configuration programmatically by connecting to the Zscaler API. For information on how to retrieve the required parameters, see Prepare Your Zscaler Data for Migration.

   1. Both ZIA and ZPA are selected by default. To import only one of the configurations, clear the appropriate option.
   2. For ZIA, enter your Cloud URL, Username, Password, and API Key.
   3. For ZPA, enter your Cloud URL, Client ID, Client Secret, and Customer ID.
   4. Authorize Palo Alto Networks to use the Zscaler API credentials and then Fetch Configuration.

   Configuration File Method

   Select Upload configuration from files to manually upload your Zscaler configuration. For information on creating the ZIP file, see Prepare Your Zscaler Data for Migration.

   1. Browse or drag and drop the prepared ZIP file containing your Zscaler configuration. The ZIP file must contain separate directories for zia and/or zpa with JSON files.

   The system validates your inputs and begins the upload process, generating a unique migration_id for your task.

   You can click the Hide Steps (

   ) icon in the left navigation bar to expand the main configuration area.
5. Click Next: Analyze and Convert.

   During the analyze step, the tool parses, analyzes, and converts your Zscaler configuration to a Prisma Access-compatible format.

   • Section 1 identifies the policy types (for example, Firewall, URL Filtering, CASB, ZPA policies) and configuration objects. Click Proceed after you review this section.
   • Section 2 verifies the licenses available and displays configurations corresponding to these licenses. By default, all policies and configurations for the detected licenses are selected for migration. You can skip a policy migration by clearing the relevant checkbox.
     If any licenses are missing, you have two options:
     • Re-run Job: Enable the required licenses (ZTNA Connector, PRA, RBI) and re-initiate the analysis.
     • Do not migrate the above configurations: Proceed with the migration, but the configurations dependent on missing licenses will be skipped.
     Click Proceed after you review this section.
   • Section 3 is the Translation and Optimize section, which displays a summary of the conversion. Zscaler configurations do not contain profiles, so the migration engine maps policy types to rule sections and objects to Strata Cloud Manager profiles. The numbers in parentheses show the total number of rules or objects being migrated.
     This section also provides statistics on how many original Zscaler rules and objects were optimized (for example, merged or deduplicated) to a more concise set of Strata Cloud Manager policy rules and objects by applying Palo Alto Networks best practices in your environment.
     The following Zscaler rules are split into two rules:
     • Rules that include address groups with combinations of full FQDNs and wildcard FQDNs.
     • Rules where protocols are mapped to AppIDs and URL categories.
     The first rule uses the address group or AppIDs to define trusted or restricted destinations at the network level and the second rule maps specific protocols to AppIDs for application-level visibility and URL categories for content-based filtering. After the split, the primary rule handles identity and destination, while the secondary rule provides granular content control via URL categorization.

6. Click Next: Review Converted Migration.

   The Review Converted Configuration screen displays the translated policies and objects. Each tab displays the number of objects that were translated. The tabs are determined by the licenses and features selected for migration. Example tabs include:

   • Security Policy: Displays Zscaler rules translated into Strata Cloud Manager security policies.
   • Authentication Policy: Shows migrated authentication rules.
   • Decryption Policy: Displays translated decryption policies and profiles.
   • Configuration Objects: Lists all migrated configuration objects and applications.
   • Profile: Shows migrated Profile Groups, Security Profiles, and Decryption Profiles.

   Within each tab, the migration status for each rule is displayed:

   • Full Migration indicates that the rule is ready for import.
   • Partial Migration indicates that the rule requires manual review due to missing information.
   • Skip Migration refers to invalid, duplicate, or conflicting rules that will not be migrated.

   You can perform the following actions to review the data:

   • To filter a column, click the icon next to the column name and select the criteria.
   • To view the details for a row, click the icon in the Actions column.
   • To view the mapping tab for the selected objects in the rule, click the icon in the Actions column.

7. Click Next: Generate Strata Cloud Manager Config.
8. Review the reports.

   This report provides detailed statistics on rule and object optimization, including original counts, merged counts, conflict counts, and optimization percentages. Click View Details to view policy details.

9. Enter a descriptive Snippet Name (for example, zscaler-migration-prod).

   This name identifies the configuration snippet in Strata Cloud Manager. If you do not specify a name, the system creates a local snippet in the format zscaler-{migration_id}.
10. Click I Understand to acknowledge that ZTNA Connector, Privileged Remote Access, and Data Loss Prevention configurations are applied immediately and do not require an explicit commit.

    There is no revert option for ZTNA Connector, Privileged Remote Access, and Data Loss Prevention configurations after import.
11. Select Import to Strata Cloud Manager.

    The system validates the imported configuration and saves it as a snippet. These snippets can be applied directly to your Prisma Access policy in Strata Cloud Manager at any point in your deployment process — whether before or after you complete infrastructure setup such as onboarding users and private apps. This flexibility ensures you have full control to deploy your optimized security whenever it best fits your migration plan.
12. On the Generate Strata Cloud Manager Config screen, monitor the progress and review any errors displayed under Show the detail.

    This provides logs of any issues during object or policy creation, including API error codes, allowing you to identify and address unmigrated elements in your environment. The import status is displayed after the processing is completed.
13. Click Next: Finish and Infrastructure Setup.

    This page displays the import status for the snippet and potential next steps:

    • Edit the migration snippet.
    • Assign the generated snippet to an NGFW or Prisma Access folder.
    • Push the config.
14. (Optional) Click Download Report to save a comprehensive Migration Report (PDF summary) or a Detailed Report (JSON format) for audit, compliance, and future reference.

    These reports detail what was migrated, optimized, or skipped.
15. Click Close to exit the migration wizard.