Dianne Dunlap ([email protected] , 919-248-8439) Gonz Guzman (gonz@mcnc.org , 919-248-1842) Client Network Engineering Summer 2016 Webinar Series Zscaler Tips, no tricks Webinar Links: www.mcnc.org/cne-webinars

Upload: dangdiep

Post on 25-May-2018


Agenda

Zscaler features you may not be aware of

Common Zscaler configuration mistakes

Known Zscaler issues

Log dissecting tips

2 10/3/12

Zscaler Features

Useful Zscaler features you may have missed…

Zscaler Features - Restrict Google Domain Access

Policy -> URL & Cloud App Control ->

4 6/15/2016

Zscaler Features - Restrict Google Domain Access

Allowed domains – error message

Zscaler Features - Bypass SSL Inspection for Cloud Applications

Policy -> SSL Inspection

Zscaler Features – Advanced Settings

Administration -> Advanced Settings

Zscaler Features - Retain Parent Category

Administration -> URL Category

Common Mistakes

Common mistakes we see almost everywhere…

Common Mistakes – Custom Categories

Custom Category errors…do you need custom categories?

Common Mistakes – Custom Categories

Avoid duplication where wild-cards can be used, for example:

.ibm.com matches:

www.ibm.com

ibm.com

ftp.ibm.com

Common Mistakes – Custom Categories

An asterisk is not a wild-card; a dot (.) is!

Common Mistakes – Custom Categories

Avoid duplication where wild-cards can be used:

CUSTOM_45 .ajax.microsoft.com/ajax/

CUSTOM_02 .answers.microsoft.com/

CUSTOM_35 .apps.microsoft.com

CUSTOM_40 apps.microsoft.com

CUSTOM_40 .c2r.microsoft.com

CUSTOM_40 c2r.microsoft.com

CUSTOM_45 .cdn.playready.microsoft.com

CUSTOM_40 .c.microsoft.com

CUSTOM_40 c.microsoft.com

CUSTOM_45 .connect.microsoft.com

CUSTOM_02 .microsoft.com

CUSTOM_25 .microsoft.com

CUSTOM_38 .microsoft.com

CUSTOM_40 microsoft.com

(118 entries total)

Common Mistakes – Custom Categories

Understand use of slashes – slash on right is wildcard:

Not ok to view the bathtub and toilet:

raleigh.craigslist.org/mat/5586213352.html

Ok to view building materials:

.craigslist.org/search/mat/

.craigslist.org/mat/

Otherwise, CL is not ok:

.craigslist.org

Common Mistakes – Custom Categories

Understand use of slashes:

CUSTOM_25,.microsoft.com

CUSTOM_02,.answers.microsoft.com/

CUSTOM_28,.support.content.office.microsoft.com/en-us/static/

CUSTOM_36,.crl.microsoft.com/pki/crl/products/

CUSTOM_36,crl.microsoft.com/pki/crl/products/

CUSTOM_36,diagnostics.support.microsoft.com/

CUSTOM_36,.microsoft.com/en-us/kinectforwindows/

CUSTOM_36,www.microsoft.com/pki/crl/products/

CUSTOM_38,.office2010.microsoft.com/download/

CUSTOM_45,.ajax.microsoft.com/ajax/

CUSTOM_45,.answers.microsoft.com/static/

CUSTOM_45,.officecdn.microsoft.com/pr/

CUSTOM_45,officecdn.microsoft.com/pr/

CUSTOM_45,.wl.dlservice.microsoft.com/download/

Common Mistakes – Custom Categories

Adding an entry to a custom category removes it from the default category!

Common Mistakes – Custom Categories

Custom Category errors…how do you avoid them?

Common Mistakes – Custom Categories

Avoid listing sites in >1 custom category:

CUSTOM_07 m.safebrowsing-cache.google.com

CUSTOM_07 safebrowsing-cache.google.com

CUSTOM_07 safebrowsing.google.com

CUSTOM_40 .m.safebrowsing-cache.google.com

CUSTOM_40 m.safebrowsing-cache.google.com

CUSTOM_40 .safebrowsing-cache.google.com

CUSTOM_40 safebrowsing-cache.google.com

CUSTOM_40 .safebrowsing.google.com

CUSTOM_40 safebrowsing.google.com

CUSTOM_42 m.safebrowsing-cache.google.com

CUSTOM_42 safebrowsing-cache.google.com

CUSTOM_42 safebrowsing.google.com

Common Mistakes – Custom Categories

Viewing all custom categories:

https://admin.zscalerone.net/zsapi/v1/urlCategories

Common Mistakes – Custom Categories

parsecustom.sh script

Macbook or Linux

Outputs to csv

Need screen-scrape file of https://admin.zscalerone.net/zsapi/v1/urlCategories
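
The wildcard, slash and duplication rules from the Custom Categories slides, applied as a lint pass over a CATEGORY,entry export. This is an added example, not the parsecustom.sh script from the webinar. The matching semantics are assumed from the slides (leading dot = domain plus subdomains, trailing slash = path prefix, no trailing slash = exact URL, no path = whole host), and the sample rows are constructed from entries shown above.

```python
from collections import defaultdict

# Constructed sample in the "CATEGORY,entry" form shown on the slides.
SAMPLE = """\
CUSTOM_40,.c2r.microsoft.com
CUSTOM_40,c2r.microsoft.com
CUSTOM_40,*.apps.microsoft.com
CUSTOM_02,.microsoft.com
CUSTOM_25,.microsoft.com
CUSTOM_45,.answers.microsoft.com/
CUSTOM_45,.answers.microsoft.com/static/
CUSTOM_36,.crl.microsoft.com/pki/crl/products/
"""

def parse(entry):
    """Split an entry into (leading_dot, host, path)."""
    host, slash, path = entry.lower().partition("/")
    return host.startswith("."), host.lstrip("."), slash + path

def covers(broad, narrow):
    """True if everything `narrow` matches is already matched by `broad`."""
    b_dot, b_host, b_path = parse(broad)
    n_dot, n_host, n_path = parse(narrow)
    sub = n_host == b_host or n_host.endswith("." + b_host)
    host_ok = sub if b_dot else (n_host == b_host and not n_dot)
    exact = b_path and not b_path.endswith("/")   # no trailing slash: exact URL
    return host_ok and (n_path == b_path if exact else n_path.startswith(b_path))

def lint(text):
    """Return sorted (kind, categories, entry, covered_by) findings."""
    rows = [tuple(p.strip() for p in ln.split(",", 1)) for ln in text.splitlines() if "," in ln]
    findings, cats_for = [], defaultdict(set)
    for cat, entry in rows:
        if "*" in entry:                      # an asterisk is not a wildcard
            findings.append(("asterisk", cat, entry, ""))
        else:
            cats_for[entry.lower()].add(cat)
    for entry, cats in cats_for.items():      # same entry in >1 custom category
        if len(cats) > 1:
            findings.append(("multi-category", ",".join(sorted(cats)), entry, ""))
    for cat, entry in rows:                   # duplication inside one category
        for cat2, other in rows:
            if (cat == cat2 and "*" not in entry + other
                    and entry.lower() != other.lower() and covers(other, entry)):
                findings.append(("redundant", cat, entry, other))
    return sorted(findings)

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

Only exact repeats are reported across categories, because a narrower path entry in one category next to a broader domain entry in another (the craigslist allow/deny case) can be intentional.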

Common Mistakes – Dual Categorization Allow Before Deny

Common Mistakes – PAC file logic

On premise traffic reported as Road Warrior

SSL and Authentication bypass not applied

GRE bypass not applied

Why?

TCP/9443 not routed across GRE

Location aware logic dictates behavior

[Diagram: Internet, Zscaler Zen, NCREN router, firewall, Inside LEA. Labels: GRE Tunnel Tcp 80/443; Everything but tcp 80/443; Tcp 9443]

Common Mistakes – PAC file logic

Router Configuration:

ip access-list extended ZscalerRedirect
 deny ip any object-group DENIED_NETWORKS
 permit object-group WEB_TRAFFIC any any

object-group service WEB_TRAFFIC
 tcp eq www
 tcp eq 443

object-group network DENIED_NETWORKS
 group-object CERTIPORT
 group-object CLASSSCAPE
 group-object BRITANNICA
 group-object RENAISSANCE_LEARNING

Common Mistakes – PAC file logic

[Diagram repeated, with an added label: Tcp 9443, Pac file + Zscaler certificate]

Common Mistakes - Pac files logic by platform

| Platform | Pac-Storage | DNS-test | ip-network-test | Dedicated Node |
|---|---|---|---|---|
| Android | Cloud | yes | yes | no |
| Chromebook | Cloud | yes | no | no |
| iPad, etc. (iOS) | Cloud | yes (but not host.local) | yes | yes |
| Macbook | Disk | yes | yes | no |
| Microsoft | Cloud | yes | yes | no |

Common Mistakes – Auth / SSL Bypass

Authentication

Bypass required?

Bypass unexpected (unknown user-agent)?

SSL bypass required?

Transparent and explicit proxy?

Service bypass required?

Common Mistakes – Auth / SSL Bypass

Why SSL inspection?

Safe Search Enforcement

Anti-Virus / Anti-Malware scans. Not able to scan encrypted content.

Authenticated connections and user/group policy enforcement.

Known Issues

These are commonly known issues across most content-filters…

Known Issues – Search – Vendor Differences

Known Issues – odd ports

Zscaler only filters ports 80/443, not odd ports, for:

Viruses

Proxy browsers (Ultrasurf, Tor)

BitTorrent

Known Issues – Zscaler - BitTorrent

| Video | Port | Owner |
|---|---|---|
| Anchorman: The Legend of Ron Burgundy | 45037 | Paramount Pictures Corporation (Paramount) |
| Batman v Superman: Dawn of Justice | 50321 | Warner Bros. Entertainment Inc. |
| SPY (2015) | 43615 | Twentieth Century FOX Film Corporation |
| The Hobbit: The Battle of the Five Armies | 9663 | Warner Bros. Entertainment Inc. |
| The Man from U.N.C.L.E. | 53036 | Warner Bros. Entertainment Inc. |

Known Issues – Advanced Settings

Features that do not work in current configuration

Log dissecting tips

Zscaler log data dissecting

Analytics -> Web Insight

Select “Logs” button before crafting filters

Facebook or other Cloud Application

URL Search URL vs Domain

Server IP

Multiple filters
