Friday, October 8, 2021

Allowing only zscaler internet access on Palo firewall

I'm looking to lock down internet access on a PA firewall to only allow traffic from computers with the Zscaler agent installed and working.

Looking at the available App-IDs, I can see zscaler-internet-access and zscaler-private-access. Great, job done... except not really. If I create a rule allowing just these two applications, the agent never connects and no access is possible; I have to add the http-proxy application to get it to connect.

I've also noticed logs showing traffic going to Zscaler IPs, but the Palo is categorising the traffic based on the actual sites being accessed rather than just zscaler-internet-access.

Before I go any deeper down the rabbit hole, I just wanted to check: has anyone else successfully configured their Palos to only allow internet access from Zscaler agents?

I guess I can get all the potential Zscaler IPs from their support and build a policy that matches on those, but it feels a bit old-school when the Palos are supposed to have the intelligence to do it with App-IDs.
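As an added illustration (not part of the original post), this is the PAN-OS set-command form of the rule the post describes, followed by an explicit, logged deny so that anything the three App-IDs do not match shows up in the traffic log with the App-ID it was actually classified as. Zone names (trust, untrust) and rule names are assumptions; lines beginning with # are annotations, not CLI input.

```text
# Assumed zones: trust = client LAN, untrust = internet. Rule names are also assumed.
set rulebase security rules allow-zscaler-agent from trust
set rulebase security rules allow-zscaler-agent to untrust
set rulebase security rules allow-zscaler-agent source any
set rulebase security rules allow-zscaler-agent destination any
set rulebase security rules allow-zscaler-agent source-user any
set rulebase security rules allow-zscaler-agent category any
# The post notes the agent only connects when http-proxy is allowed alongside the two Zscaler App-IDs
set rulebase security rules allow-zscaler-agent application [ zscaler-internet-access zscaler-private-access http-proxy ]
set rulebase security rules allow-zscaler-agent service application-default
set rulebase security rules allow-zscaler-agent action allow
set rulebase security rules allow-zscaler-agent log-end yes

# Explicit deny for everything else from the same zone pair, logged at session end.
# Sessions hitting this rule reveal which App-ID the Palo assigned to traffic that was not
# identified as zscaler-internet-access (e.g. the underlying site's application).
set rulebase security rules deny-other-internet from trust
set rulebase security rules deny-other-internet to untrust
set rulebase security rules deny-other-internet source any
set rulebase security rules deny-other-internet destination any
set rulebase security rules deny-other-internet source-user any
set rulebase security rules deny-other-internet category any
set rulebase security rules deny-other-internet application any
set rulebase security rules deny-other-internet service any
set rulebase security rules deny-other-internet action deny
set rulebase security rules deny-other-internet log-end yes

# Rule order matters: the deny must sit directly below the allow
move rulebase security rules deny-other-internet after allow-zscaler-agent
```

Reviewing the deny rule's log entries after a commit shows whether the mismatch described in the post is the agent's own tunnel being identified as something other than zscaler-internet-access, or unrelated direct-to-internet traffic.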
