Zscaler ZIA
Details
- Support: Level 3
- Support Versions: Advance Cloud FW
- Usage mapping notes:
  - Zscaler utilizes two types of Nanolog Streaming Services (NSS) to send out Syslog usage data.
  - (A) is called "Web" and is primarily used for end-user Web browsing traffic over TCP 80 and 443. The URL & Cloud App Control policy appears to be where the majority of these logs are tied back to.
  - (B) is called "Firewall"; these are the logs related to the Access Control Policy as well as a few other policies we don't currently normalize against.
- Usage messages are only supported over TCP.
  - By default, Zscaler NSS log streaming servers pull the Zscaler logs down from the Zscaler cloud and then forward them directly to a SIEM or SIP; Zscaler supports this only over TCP-based syslog.
  - A SIP data collector can be enabled to listen for TCP-based syslog.
- Normalization: Currently normalization exists for the Firewall Control and URL Filtering Policies. We also normalize any Applications/Application Groups that are defined in Firewall Control rules.
  - Cloud App Control Policy is not currently normalized.
To add a Zscaler ZIA management station, complete the following steps.
Step 1: Configure the Device
FireMon strives to provide up-to-date product information, however we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (UI location of fields, not information needed), please consult your device's user guide.
- Log in to your Zscaler Cloud Portal.
- On the left toolbar, go to Administration.
- In the Authentication section, click Administration Management.
- Click Add Administrator.
- Login ID is an email address. The Login ID will be used for credentials in SIP.
- Email is the email address of the user.
- Name is the name of the user.
- For Role, select ReadOnly-adminRole from the list. The permission settings for the ReadOnly-adminRole (a Standard Admin Type) are in Authentication > Role Management.
- For Scope, select Organization.
- There is no need to enable any Update settings.
- Enter a Password for the account.
- Click Save.
- In the Resources section, click Location Management. This is where you'll set discovery of managed devices (child devices). Managed devices will be listed as a sub-location.
- Click Add Location.
- Enter the server Location information.
- Exclude from Manual Location Groups and Exclude from Dynamic Location Groups should be disabled.
- For Addressing, select the Static IP Addresses and any VPN Credentials.
- For Gateway Options, enable (click the red X to turn the toggle green) the following:
  - Enforce Authentication
  - Enable SSL Inspection
  - Enforce Zscaler Client Connector SSL Setting
  - Enforce Firewall Control
- Enforce Bandwidth Control should remain disabled.
- Click Save.
-
Role Management Permission Settings
If you want to add a role specifically for SIP, these are the recommended permission settings for the ReadOnly-adminRole account that will be used.
- Click Administration > Role Management.
- Click Add Administrator Role.
- Enter a Name for this role (example: FM-readonly).
- Enable Permissions for Executive Insights should remain disabled.
- Permissions settings to select:
  - Logs Limit (Days): Unrestricted
  - Dashboard Access: View Only
  - Reporting Access: Full
  - Insights Access: View Only
  - Policy Access: View Only
  - Administrative Access: None
  - User Names: Visible
- Functional Scope settings to select: all options should be enabled.
- Click Save.
API URL and KEY
You will need the API URL and Key when adding Zscaler to SIP. To locate the API URL and Key, go to Administration > API Key Management.
Policy Normalization
You can view the policies that will be normalized by Security Manager.
- On the left toolbar, go to Policy.
- Click Firewall Control and/or URL & Cloud App Control.
In Security Manager, in the Policy View of the Security Rules, Firewall Control policy rules will be listed as Policy and URL & Cloud App Control policy rules will be listed as URL-filtering.
Step 2: Onboard the Device in the Administration Module
- On the toolbar, click Device > Management Stations.
- Click Create, and then click Zscaler > ZIA.
- General Properties section.
Caution! To prevent errors in device group-level device maps and incorrect reporting data, all devices added in Administration must have unique IP addresses. If devices with duplicate IP addresses must be added within a domain, it is strongly recommended that those devices be separated into discrete device groups, where no duplicate IP addresses are included in the same device group. Devices with duplicate IP addresses will cause errors in the All Devices device map, and may cause incorrect data in reports, even if they are in discrete device groups.
- In the Name box, type the name of the device as you want to see it in SIP.
- In the Description box, type an optional description of the device being added.
- The Management IP Address box can be left blank.
A Management IP Address is not needed, however assigning an arbitrary, but unique IP is suggested. For example, 0.0.0.0 or 1.1.1.1 with an incremental increase for each similar vendor management station used (0.0.0.0, 0.0.0.1, 0.0.0.2, etc.). If you don't enter an IP address, logs about the device are sent to a specific directory that is named after the device ID. If you have the IP address in the system it will be used to name the directory, which makes it easier for support to find. For example, a non-IP address device would have a directory with domain_deviceID (example: 1_61).
- In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
- In the Central Syslog Server box, select the syslog server from the list (optional).
A syslog server must be created before assigning to a device.
- In the Syslog Match Names box, type the syslog match names (optional). You can enter multiple names separated by a comma.
- By default, the Automatically Retrieve Configuration check box is selected.
- In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.
- For Collection Configuration, enable Update Rule Documentation on Member Devices to allow Rule Documentation fields on member devices to inherit a value from the management station. Any management station Rule Documentation field updates will override updates on the member device. A rule marked to be removed will not be updated.
- Device Settings section.
- In the API URL box, type the URL of the API version.
- In the API Key box, type the API key that was generated for API access.
- In the Re-enter API Key box, re-type the key entered above.
The API URL and Key are found in Zscaler Cloud Portal in Administration > API Key Management.
- In the User Name box, type the Login ID used for the ReadOnly-adminRole account.
- In the Password box, type the password used for the ReadOnly-adminRole account.
- In the Re-enter Password box, re-type the password entered above.
- Change Monitoring section.
- By default, the Enable Scheduled Retrieval check box is selected. Clear the check box to disable.
The default Check for Change Interval time is 1440.
- Set an optional time in the Check for Change Start Time field.
- Advanced section.
- File Retrieval Options: Select the Use Batch Config Retrieval check box only if you are manually sending configurations for this device via your data collector's batchconfig directory. While this option is enabled, online retrievals will be disabled.
- SSH Key Options: Select the Automatically Update SSH Keys check box if you want the data collector to automatically update the SSH key for a device when a conflict occurs.
- Click Save.
- Devices being managed will be listed in the Discovered Devices section.
When viewing in Security Manager, a Security Profile with a label of CUSTOM_## is an object type connected to a TLD Category in Zscaler that does not have exposed APIs; therefore, when Security Manager performs a retrieval, those display as "custom."
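As an added pre-flight check that is not part of the FireMon or Zscaler documentation, the following Python validates a planned list of management stations against the unique-IP caution in Step 2 and proposes the next free placeholder address in the incremental 0.0.0.x scheme the General Properties notes suggest. The device names and device groups are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory (not from the page): each entry is
# (device name, device group, management IP or None when left blank).
SAMPLE_DEVICES = [
    ("zia-prod", "cloud-a", "0.0.0.0"),
    ("zia-lab", "cloud-a", "0.0.0.0"),   # duplicate inside one device group
    ("zia-dr", "cloud-b", "0.0.0.1"),
    ("zia-eu", "cloud-b", None),         # blank: log directory is named domain_deviceID
]


def check_unique_management_ips(devices):
    """Return (errors, warnings) for duplicate management IPs.

    Duplicates inside one device group are errors (they break the group-level
    device map); duplicates across groups are warnings (they still affect the
    All Devices map and can produce incorrect report data).
    """
    by_ip = defaultdict(list)
    for name, group, ip in devices:
        if ip:  # blank addresses are allowed and never collide
            by_ip[str(ipaddress.ip_address(ip))].append((name, group))
    errors, warnings = [], []
    for ip, owners in by_ip.items():
        if len(owners) < 2:
            continue
        names = sorted(n for n, _ in owners)
        groups = {g for _, g in owners}
        if len(groups) < len(owners):   # at least two owners share a group
            errors.append((ip, names))
        else:
            warnings.append((ip, names))
    return errors, warnings


def next_placeholder_ip(devices, start="0.0.0.0"):
    """Next unused address in the incremental placeholder scheme (0.0.0.0, 0.0.0.1, ...)."""
    used = {str(ipaddress.ip_address(ip)) for _, _, ip in devices if ip}
    candidate = ipaddress.ip_address(start)
    while str(candidate) in used:
        candidate += 1
    return str(candidate)


if __name__ == "__main__":
    errs, warns = check_unique_management_ips(SAMPLE_DEVICES)
    print("errors:", errs, "warnings:", warns)
    print("next free placeholder:", next_placeholder_ip(SAMPLE_DEVICES))
```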