Dianne Dunlap ([email protected], 919-248-8439)
Gonz Guzman ([email protected], 919-248-1842)
Client Network Engineering
Summer 2016 Webinar Series Zscaler – Tips, no tricks
Webinar Links: www.mcnc.org/cne-webinars
Agenda
Zscaler features you may not be aware of
Common Zscaler configuration mistakes
Known Zscaler issues
Log dissecting tips
2 10/3/12
Zscaler Features - Bypass SSL Inspection for Cloud Applications
Policy -> SSL Inspection
6 6/15/2016
Common Mistakes – Custom Categories
Custom Category errors…do you need custom categories?
Avoid duplication where wild-cards can be used, for example:
.ibm.com matches:
  www.ibm.com
  ibm.com
  ftp.ibm.com
Avoid duplication where wild-cards can be used:
  CUSTOM_45 .ajax.microsoft.com/ajax/
  CUSTOM_02 .answers.microsoft.com/
  CUSTOM_35 .apps.microsoft.com
  CUSTOM_40 apps.microsoft.com
  CUSTOM_40 .c2r.microsoft.com
  CUSTOM_40 c2r.microsoft.com
  CUSTOM_45 .cdn.playready.microsoft.com
  CUSTOM_40 .c.microsoft.com
  CUSTOM_40 c.microsoft.com
  CUSTOM_45 .connect.microsoft.com
  CUSTOM_02 .microsoft.com
  CUSTOM_25 .microsoft.com
  CUSTOM_38 .microsoft.com
  CUSTOM_40 microsoft.com
  (118 entries total)
Understand use of slashes – slash on right is wildcard:
Not ok to view the bathtub and toilet:
  raleigh.craigslist.org/mat/5586213352.html
Ok to view building materials:
  .craigslist.org/search/mat/
  .craigslist.org/mat/
Otherwise, CL is not ok:
  .craigslist.org
Understand use of slashes:
  CUSTOM_25,.microsoft.com
  CUSTOM_02,.answers.microsoft.com/
  CUSTOM_28,.support.content.office.microsoft.com/en-us/static/
  CUSTOM_36,.crl.microsoft.com/pki/crl/products/
  CUSTOM_36,crl.microsoft.com/pki/crl/products/
  CUSTOM_36,diagnostics.support.microsoft.com/
  CUSTOM_36,.microsoft.com/en-us/kinectforwindows/
  CUSTOM_36,www.microsoft.com/pki/crl/products/
  CUSTOM_38,.office2010.microsoft.com/download/
  CUSTOM_45,.ajax.microsoft.com/ajax/
  CUSTOM_45,.answers.microsoft.com/static/
  CUSTOM_45,.officecdn.microsoft.com/pr/
  CUSTOM_45,officecdn.microsoft.com/pr/
  CUSTOM_45,.wl.dlservice.microsoft.com/download/
Adding an entry to a custom category removes it from the default category!
Avoid listing sites in >1 custom category:
  CUSTOM_07 m.safebrowsing-cache.google.com
  CUSTOM_07 safebrowsing-cache.google.com
  CUSTOM_07 safebrowsing.google.com
  CUSTOM_40 .m.safebrowsing-cache.google.com
  CUSTOM_40 m.safebrowsing-cache.google.com
  CUSTOM_40 .safebrowsing-cache.google.com
  CUSTOM_40 safebrowsing-cache.google.com
  CUSTOM_40 .safebrowsing.google.com
  CUSTOM_40 safebrowsing.google.com
  CUSTOM_42 m.safebrowsing-cache.google.com
  CUSTOM_42 safebrowsing-cache.google.com
  CUSTOM_42 safebrowsing.google.com
Viewing all custom categories:
https://admin.zscalerone.net/zsapi/v1/urlCategories
parsecustom.sh script:
  runs on Macbook or Linux
  outputs to csv
  needs a screen-scrape file of https://admin.zscalerone.net/zsapi/v1/urlCategories
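The checks the custom-category slides ask for (wild-card duplication, slash handling, one site in more than one category) and the parsecustom.sh flattening step can be done together once the saved urlCategories file is parsed. The following is an added example written for this page; it is not MCNC's parsecustom.sh and not Zscaler code. It assumes the saved file is a JSON array of objects carrying an "id" and a "urls" list (the field names are an assumption), and it models the matching rules as the slides describe them: a leading "." means the host plus every subdomain, no leading "." means that exact host only, a path ending in "/" is a prefix wild-card, and any other path must match exactly. The sample entries are constructed from the slides.

```javascript
// Added example (not MCNC's parsecustom.sh, not Zscaler code): flatten a saved
// urlCategories response to "category,entry" CSV rows, then check the entries
// against the rules on the slides. Assumed field names: "id" and "urls".

// Constructed sample in the assumed shape of the urlCategories output.
const SAMPLE_JSON = JSON.stringify([
  { id: "CUSTOM_02", urls: [".microsoft.com", ".answers.microsoft.com/"] },
  { id: "CUSTOM_25", urls: [".microsoft.com"] },
  { id: "CUSTOM_40", urls: [".c2r.microsoft.com", "c2r.microsoft.com", "microsoft.com",
                            ".safebrowsing.google.com", "safebrowsing.google.com"] },
  { id: "CUSTOM_07", urls: ["safebrowsing.google.com"] },
]);

// Split one entry into host, subdomain flag and path; a bare "/" path is treated as no path.
function parseEntry(raw) {
  const s = raw.trim().toLowerCase();
  const slash = s.indexOf("/");
  let host = slash === -1 ? s : s.slice(0, slash);
  let path = slash === -1 ? "" : s.slice(slash);
  if (path === "/") path = "";
  const subdomains = host.startsWith(".");   // leading "." = host and all subdomains
  if (subdomains) host = host.slice(1);
  return { host, subdomains, path };
}

// Flatten the JSON file into one row per entry, keeping the category it came from.
function toRows(json) {
  const rows = [];
  for (const cat of JSON.parse(json)) {
    for (const raw of cat.urls || []) rows.push({ category: cat.id, raw, ...parseEntry(raw) });
  }
  return rows;
}

// Same "category,entry" lines parsecustom.sh is described as producing.
function toCsv(rows) {
  return rows.map((r) => `${r.category},${r.raw}`).join("\n");
}

// Does entry e match a request for this host and path?
function entryMatches(e, host, path = "/") {
  host = host.toLowerCase();
  const hostOk = host === e.host || (e.subdomains && host.endsWith("." + e.host));
  if (!hostOk) return false;
  if (e.path === "") return true;                       // whole site
  if (e.path.endsWith("/")) return path.startsWith(e.path); // slash on right = wild-card
  return path === e.path;                               // one specific page
}

// Does entry a match everything entry b matches? True means b adds nothing beside a.
function covers(a, b) {
  const hostOk = a.subdomains
    ? b.host === a.host || b.host.endsWith("." + a.host)
    : b.host === a.host && !b.subdomains;
  if (!hostOk) return false;
  if (a.path === "") return true;
  if (a.path.endsWith("/")) return b.path.startsWith(a.path);
  return b.path === a.path;
}

// Entries already covered by a wild-card entry in the same category ("avoid duplication").
function redundantEntries(rows) {
  const out = [];
  for (const b of rows) {
    const a = rows.find((x) => x !== b && x.category === b.category && covers(x, b));
    if (a) out.push({ category: b.category, raw: b.raw, coveredBy: a.raw });
  }
  return out;
}

// Entry pairs in different categories that can claim the same site (">1 custom category").
function crossCategoryConflicts(rows) {
  const out = [];
  for (let i = 0; i < rows.length; i++) {
    for (let j = i + 1; j < rows.length; j++) {
      const a = rows[i], b = rows[j];
      if (a.category !== b.category && (covers(a, b) || covers(b, a))) {
        out.push([`${a.category} ${a.raw}`, `${b.category} ${b.raw}`]);
      }
    }
  }
  return out;
}

// Every custom category that matches one request; more than one is the mistake on the slide.
function categoriesFor(rows, host, path = "/") {
  return [...new Set(rows.filter((r) => entryMatches(r, host, path)).map((r) => r.category))].sort();
}

const rows = toRows(SAMPLE_JSON);
console.log(toCsv(rows));
console.log("redundant:", redundantEntries(rows));
console.log("cross-category conflicts:", crossCategoryConflicts(rows).length);
console.log("c2r.microsoft.com is in:", categoriesFor(rows, "c2r.microsoft.com"));
```

Run it with node against a real screen-scraped file by replacing SAMPLE_JSON with the file contents; the redundancy and conflict lists are the two things to clean up before adding more entries, since an entry placed in a custom category is no longer in its default category.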
Common Mistakes – PAC file logic
Symptoms:
  On premise traffic reported as Road Warrior
  SSL and Authentication bypass not applied
  GRE bypass not applied
Why?
  TCP/9443 not routed across GRE
  Location aware logic dictates behavior
[Diagram: inside the LEA, the NCREN router sends tcp 80/443 over the GRE tunnel to the Zscaler ZEN; everything but tcp 80/443, including tcp 9443, goes through the firewall straight to the Internet.]
Router Configuration:
ip access-list extended ZscalerRedirect
  deny ip any object-group DENIED_NETWORKS
  permit object-group WEB_TRAFFIC any any
object-group service WEB_TRAFFIC
  tcp eq www
  tcp eq 443
object-group network DENIED_NETWORKS
  group-object CERTIPORT
  group-object CLASSSCAPE
  group-object BRITANNICA
  group-object RENAISSANCE_LEARNING
Common Mistakes - Pac files logic by platform
Tcp 9443: Pac file + Zscaler certificate
Platform          Pac-Storage  DNS-test                  ip-network-test  Dedicated Node
Android           Cloud        yes                       yes              no
Chromebook        Cloud        yes                       no               no
iPad, etc. (iOS)  Cloud        yes (but not host.local)  yes              yes
Macbook           Disk         yes                       yes              no
Microsoft         Cloud        yes                       yes              no
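The PAC-file slides come down to one decision: an on-premise client must go DIRECT so its 80/443 traffic is redirected over the GRE tunnel and is seen at the LEA's location, while a road warrior must be sent to the explicit proxy on tcp 9443; a PAC that sends everyone to 9443 produces exactly the "reported as Road Warrior" and "bypass not applied" symptoms above. The following is an added example written for this page, not MCNC's or Zscaler's PAC file. The LEA address ranges, the internal probe hostname and the gateway name are placeholders. The location test is done two ways because, per the table, not every platform supports the ip-network test, and the probe name is deliberately not a .local name because iOS does not resolve those.

```javascript
// Added example (not MCNC's or Zscaler's PAC file): location-aware PAC logic.
// Placeholders: the LEA ranges, the probe hostname and the gateway name.
const ON_PREM_NETS = [["10.0.0.0", "255.0.0.0"], ["172.16.0.0", "255.240.0.0"]]; // placeholder LEA ranges
const INTERNAL_PROBE_HOST = "pacprobe.lea.example";        // placeholder; resolves only inside the LEA
const ZSCALER_PROXY = "PROXY gateway.zscaler.example:9443"; // placeholder gateway; tcp 9443 as on the slides

// Dotted-quad helpers so the logic can run outside a browser (browsers provide isInNet).
function ipToInt(ip) {
  return ip.split(".").reduce((n, octet) => n * 256 + Number(octet), 0);
}
function inNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
function plainHostName(host) {
  return host.indexOf(".") === -1;
}

// env carries the platform-dependent pieces from the table: whether the
// ip-network test and the DNS test are usable on this platform, plus the
// browser's myIpAddress() and isResolvable() functions.
function findProxyForURL(url, host, env) {
  // Plain names and loopback never go to the proxy.
  if (plainHostName(host) || host === "localhost" || host === "127.0.0.1") return "DIRECT";
  // On-premise test: ip-network test first, DNS test for platforms that lack it.
  const onPremByIp = env.ipNetworkTest &&
    ON_PREM_NETS.some(([net, mask]) => inNet(env.myIpAddress(), net, mask));
  const onPremByDns = !onPremByIp && env.dnsTest && env.isResolvable(INTERNAL_PROBE_HOST);
  // On premise: DIRECT, so 80/443 rides the GRE redirect instead of leaving on 9443.
  if (onPremByIp || onPremByDns) return "DIRECT";
  // Off premise: explicit proxy only; no DIRECT fallback, so filtering is not silently lost.
  return ZSCALER_PROXY;
}

// Entry point a browser calls; the browser supplies myIpAddress() and isResolvable() itself.
function FindProxyForURL(url, host) {
  return findProxyForURL(url, host, {
    ipNetworkTest: true,
    dnsTest: true,
    myIpAddress: () => myIpAddress(),
    isResolvable: (h) => isResolvable(h),
  });
}
```

The env object is what makes the logic testable offline; in the PAC file actually served to clients only FindProxyForURL is used. When checking a PAC change, confirm in Web Insight that on-premise users stop appearing as Road Warriors, which is the symptom the slide names.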
Common Mistakes – Auth / SSL Bypass
  Authentication bypass required?
  Bypass unexpected (unknown user-agent)?
  SSL bypass required?
  Transparent and explicit proxy?
  Service bypass required?
Why SSL inspection?
  Safe Search Enforcement
  Anti-Virus / Anti-Malware scans. Not able to scan encrypted content.
  Authenticated connections and user/group policy enforcement.
Known Issues – odd ports
Zscaler only filters ports 80/443, not odd ports, for:
  Viruses
  Proxy browsers (Ultrasurf, Tor)
  BitTorrent
Known Issues – Zscaler - BitTorrent
Video                                      Port   Owner
Anchorman: The Legend of Ron Burgundy      45037  Paramount Pictures Corporation (Paramount)
Batman v Superman: Dawn of Justice         50321  Warner Bros. Entertainment Inc.
SPY (2015)                                 43615  Twentieth Century FOX Film Corporation
The Hobbit: The Battle of the Five Armies  9663   Warner Bros. Entertainment Inc.
The Man from U.N.C.L.E.                    53036  Warner Bros. Entertainment Inc.
Log dissecting tips
Zscaler log data dissecting
Analytics -> Web Insight
Select “Logs” button before crafting filters