Add Zscaler Internet Access (ZIA)

ASMS supports ZIA as follows:

  • Policy Visibility for policy type: Firewall Policy Control

  • Report Generation

  • Topology including VPN tunnels

  • Change analysis and monitoring

  • Risks Calculation

  • Map Visibility (IPSec and GRE tunnels)

  • Regulatory Compliance

  • Traffic Simulation Query

  • Policy Optimization

The following sections describe how ASMS connects to ZIA public services:

Network connectivity

AFA communicates with ZIA through the Zscaler REST API over HTTPS.

Required user role permissions

User role permissions are defined in the Zscaler Cloud Portal. The user that ASMS logs in with requires the following minimal read-only permissions and functional scope:

Add a ZIA service to ASMS

Do the following:

  1. Create a user in Zscaler based on the minimal read-only permissions.

  2. Get a Zscaler Cloud Service API Security Key according to the Zscaler Cloud Portal.

  3. In AFA, go to Administration.
  4. Click the Devices Setup tab.
  5. From the New drop-down, select Devices.
  6. Select Zscaler.

  7. Select Zscaler Internet Access.

  8. Enter:
    1. Display name: Add a meaningful name. The display name must not contain spaces.
    2. User name: The Login ID on the Zscaler Administration Management page (for example, user_name@domain_name).
    3. Password
    4. Zscaler Cloud name (for example, zscalerone.net, zscaler.net)
    5. API Key: The Zscaler Cloud Service API Security Key obtained in step 2.
  9. (optional): If the ASMS machine needs to communicate with Zscaler services through a proxy server, click Set Proxy and define the proxy server.
  10. Select the options as required:

    Real-time change monitoring

    Select this option to enable real-time change monitoring. For details, see Configure real-time monitoring.

    Set user permissions

    Select this option to set the user permissions for using this device in AFA.

  11. Click Finish.

Tip: During onboarding, communication may be temporarily directed to the public services of the ZIA firewall when a third-party proxy is used. Wait 10-15 minutes for the proxy settings to sync across the ASMS services.

To verify that the proxy settings have been synced to all nodes, run the following command on the Central Manager:

/bin/algosec_conf --verify-proxy-configuration