Zscaler Internet Access CloudBlade Version 1.3.1
Zscaler Internet Access requires ION devices to run software version 5.1.9-b10 or later. Versions prior to 5.1.9-b10 are not supported. This section includes new features, caveats/limitations, and migration considerations.

New/Updated Features

This version of the CloudBlade supports:
  • Automation of Zscaler sub-location gateway option settings per site.
  • Optional custom Standard VPN endpoint specification per site for cases where the ZIA Service Edge hostname list needs to be manually managed.
  • IPSec Profile interface level override.

Caveats/Limitations

The following are the caveats or limitations in this release:
  • IPSec Profile Names specified in the CloudBlade configuration are case-sensitive.
  • There is a known bug on the Zscaler API side, expected to be resolved by the end of July 2020: if the gateway option Surrogate IP Enforced For Known Browsers is specified, it does not show as configured on the Zscaler location or sub-location object. The workaround is to specify an additional gateway option (or sub-location gateway option, whichever applies). This forces an update of the location (or sub-location) object and makes Surrogate IP Enforced For Known Browsers effective; the additional option can then be removed if it is not required.

Migration Considerations

When upgrading from or downgrading to a previous version of the Zscaler CloudBlade, you must re-enter the Partner API Key and the Partner Admin Password.
A site previously tagged with AUTO-zscaler whose gateway configuration was changed directly in the Zscaler UI will not have any of its gateway options modified on migration.
However, if the AUTO-zscaler tag is then updated to specify gateway options, sub-locations, or a custom Standard VPN endpoint, either through the UI workflow or through the API, the CloudBlade becomes the source of truth for all gateway options and sub-location configuration for that location.
When the AUTO-zscaler tag is removed from a site, all objects maintained by the CloudBlade for that site are removed: the Standard VPN tunnel interfaces on the IONs, the location and sub-location object(s) on Zscaler, and the VPN credentials associated with the tunnels from that site.

Zscaler Location Gateway Options

The following are the gateway options supported in Zscaler CloudBlade Version 1.3.1, each with its corresponding Prisma Access for Networks tag value(s):
  • Use XFF from Client Request: <True | False>
  • Enforce Zscaler App SSL Setting: <True | False>
  • Enable SSL Inspection: <True | False>
  • Enforce Firewall Control: <True | False>
  • Enforce Authentication: <True | False>
  • Enable IP Surrogate: <True | False>; Idle time: <val>; Idle time metric: <minutes | hours | days>
  • Enable Surrogate IP for Known Browsers: <True | False>; Refresh time: <val>; Refresh time metric: <minutes | hours | days>
  • Enable Caution: <True | False>
  • Enable AUP: <True | False>; Frequency (days): <val>; Block Internet Access: <True | False>; Force SSL Inspection: <True | False>
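As an added example (not code from the CloudBlade, Zscaler or Palo Alto Networks), the following Python pre-flight check encodes the option table above together with the two caveats from the Caveats/Limitations section: every value must match the table's grammar (<True | False>, a positive <val>, a metric of minutes/hours/days), IPSec Profile Names must match exactly because they are case-sensitive, and a change that sets only Surrogate IP for Known Browsers is flagged because the Zscaler API will not apply it without an additional gateway option in the same update. The option keys, the dict layout, the function names and the sample site settings are this example's own assumptions; the page does not show the CloudBlade's actual AUTO-zscaler tag syntax.

```python
"""Pre-flight checks for Zscaler CloudBlade 1.3.1 gateway options.

Added example; not code from the CloudBlade, Zscaler or Palo Alto Networks.
Option keys and the dict layout are this example's own assumptions, not the
AUTO-zscaler tag syntax.
"""
from __future__ import annotations

TIME_METRICS = ("minutes", "hours", "days")

# Options from the release-notes table that take only <True | False>.
BOOL_ONLY = (
    "Use XFF from Client Request",
    "Enforce Zscaler App SSL Setting",
    "Enable SSL Inspection",
    "Enforce Firewall Control",
    "Enforce Authentication",
    "Enable Caution",
)

# Options that carry extra parameters: option -> {parameter: kind}.
EXTRA_PARAMS = {
    "Enable IP Surrogate": {"Idle time": "int", "Idle time metric": "metric"},
    "Enable Surrogate IP for Known Browsers": {
        "Refresh time": "int", "Refresh time metric": "metric"},
    "Enable AUP": {"Frequency (days)": "int", "Block Internet Access": "bool",
                   "Force SSL Inspection": "bool"},
}

SUPPORTED = set(BOOL_ONLY) | set(EXTRA_PARAMS)


def _check(option: str, param: str, kind: str, value, problems: list[str]) -> None:
    """Append a message to problems if value does not match the table's grammar."""
    if kind == "bool" and not isinstance(value, bool):
        problems.append(f"{option}: {param} must be True or False, got {value!r}")
    elif kind == "int" and (isinstance(value, bool) or not isinstance(value, int) or value <= 0):
        problems.append(f"{option}: {param} must be a positive integer, got {value!r}")
    elif kind == "metric" and value not in TIME_METRICS:
        problems.append(f"{option}: {param} must be one of {TIME_METRICS}, got {value!r}")


def validate_gateway_options(options: dict) -> list[str]:
    """Return a list of problems; an empty list means the settings are well-formed.

    Boolean-only options map to True/False. Parameterised options map to a
    dict with an "enabled" flag plus the parameters listed in EXTRA_PARAMS.
    """
    problems: list[str] = []
    for name, setting in options.items():
        if name not in SUPPORTED:
            problems.append(f"{name}: not a gateway option supported in CloudBlade 1.3.1")
        elif name in BOOL_ONLY:
            _check(name, "value", "bool", setting, problems)
        elif not isinstance(setting, dict) or not isinstance(setting.get("enabled"), bool):
            problems.append(f"{name}: expected a dict with a True/False 'enabled' key")
        elif setting["enabled"]:
            for param, kind in EXTRA_PARAMS[name].items():
                if param not in setting:
                    problems.append(f"{name}: missing parameter {param!r}")
                else:
                    _check(name, param, kind, setting[param], problems)
    return problems


def enabled_options(options: dict) -> list[str]:
    """Names of the options that are switched on in the change set."""
    return [n for n, s in options.items()
            if s is True or (isinstance(s, dict) and s.get("enabled") is True)]


def known_browsers_workaround_needed(options: dict) -> bool:
    """True when Surrogate IP for Known Browsers is the only option being set.

    Per the release-notes caveat, the Zscaler API does not apply this option
    unless another (sub-location) gateway option is sent in the same update.
    """
    return enabled_options(options) == ["Enable Surrogate IP for Known Browsers"]


def check_ipsec_profile(requested: str, configured: list[str]) -> str | None:
    """Exact, case-sensitive match as the CloudBlade requires; None means found.

    A case-only mismatch gets a hint, since that is the likely mistake.
    """
    if requested in configured:
        return None
    for name in configured:
        if name.lower() == requested.lower():
            return (f"IPSec Profile {requested!r} not found; names are case-sensitive, "
                    f"did you mean {name!r}?")
    return f"IPSec Profile {requested!r} not found"


if __name__ == "__main__":
    # Constructed sample site settings, not taken from a real tenant.
    site = {
        "Enable SSL Inspection": True,
        "Enable IP Surrogate": {"enabled": True, "Idle time": 30, "Idle time metric": "minutes"},
        "Enable AUP": {"enabled": True, "Frequency (days)": 7,
                       "Block Internet Access": False, "Force SSL Inspection": "yes"},
    }
    for p in validate_gateway_options(site):
        print("problem:", p)
    print(check_ipsec_profile("zscaler-ike2", ["Zscaler-IKE2", "Branch-Default"]))
```

Run the checks before updating the AUTO-zscaler tag: once the tag specifies gateway options, the CloudBlade becomes the source of truth for the Zscaler location, so a malformed value or a case mismatch in the profile name is better caught locally than after the location object has been overwritten.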