Zscaler Internet Access CloudBlade Version 1.3.1
Zscaler Internet Access requires ION devices to run software version 5.1.9-b10 or later. Versions prior to 5.1.9-b10 are not supported. This section includes new features, caveats/limitations, and migration considerations.
New/Updated Features
This version of the CloudBlade supports:
Automation of Zscaler sub-location gateway option settings per site.
Optional custom Standard VPN endpoint specification per site for cases where the ZIA Service Edge hostname list needs to be manually managed.
IPSec Profile interface level override.
Caveats/Limitations
The following are the caveats or limitations in this release:
IPSec Profile Names specified in the CloudBlade configuration are case-sensitive.
There is a known bug on the Zscaler API side, which will be resolved by the end of July 2020: if the specific gateway option surrogate IP Enforced For Known Browsers is specified, it does not show as configured on the Zscaler location or sublocation object. The workaround is to specify an additional gateway option or sublocation gateway option, whichever is applicable. This will cause an update to the location (or sub-location) object and will make the surrogate IP Enforced For Known Browsers effective. You can then remove the additional configuration if it's not required.
Migration Considerations
When performing an upgrade or downgrade from previous versions of the Zscaler CloudBlade, you are required to re-enter the Partner API Key and the Partner Admin Password.
A site previously tagged with AUTO-zscaler that had gateway configuration changes made directly on the Zscaler UI will not have any of its gateway options modified during migration. However, if the AUTO-zscaler tag is updated to specify gateway options, sub-locations, or a custom standard VPN endpoint, either through the UI workflow or through the API, then the CloudBlade will become the source of truth for all gateway options and sub-location configuration for this particular location.
When a site has the AUTO-zscaler tag removed, all objects maintained by the CloudBlade will be removed. This includes standard VPN tunnel interfaces on the IONs, the location and sublocation object(s) on Zscaler, and the VPN credentials associated with the tunnels from that site.
Zscaler Location Gateway Options
The following are the gateway options supported in Zscaler CloudBlade Version 1.3.1:
Options | Corresponding Prisma Access for Networks Tag |
Use XFF from Client Request | <True | False> |
Enforce Zscaler App SSL Setting | <True | False> |
Enable SSL Inspection | <True | False> |
Enforce Firewall Control | <True | False> |
Enforce Authentication | <True | False> |
Enable IP Surrogate | <True | False>; Idle time: <val>; Idle time metric: <minutes | hours | days> |
Enable Surrogate IP for Known Browsers | <True | False>; Refresh time: <val>; Refresh time metric: <minutes | hours | days> |
Enable Caution | <True | False> |
Enable AUP | <True | False>; Frequency (days): <val>; Block Internet Access: <True | False>; Force SSL Inspection: <True | False> |