icon-zia.svg
Secure Internet and SaaS Access (ZIA)

Ranges & Limitations

This article lists the ranges and limitations of rules, policies, fields, and other features. All values are per organization unless noted otherwise.

Active Directory & OpenLDAP Synchronization

Following are the Active Directory (AD) and OpenLDAP synchronization ranges and limitations:

FeatureLimit
Primary/Secondary Directory Name255 characters
Authentication Agent URL1,023 characters
Directory Server Address1,023 characters
Port0–65,535 ports
Bind DN255 characters
Bind Password255 characters
Base DN1,023 characters
User Login255 characters
User Full Name255 characters
User Search Filter1,023 bytes
Department Membership255 characters
Group Name255 characters
Group Membership (AD only)255 characters
Group Search Filter1,023 bytes
Group Base DN (OpenLDAP only)255 characters
User Attribute (OpenLDAP only)255 characters
User Membership (OpenLDAP only)255 characters
User Entry1,023 characters
Users/Groups/Departments Search (Synchronization Results)255 characters
User Authentication Filter1,023 bytes
Test User Login255 characters
Test User Password255 characters

Advanced Threat Protection

Following is the blocked malicious URLs limitation:

FeatureLimit
Blocked Malicious URLs25K FQDNs, domains, or URLs

Data Loss Prevention

Following are the Data Loss Prevention (DLP) ranges and limitations:

FeatureLimit
Custom DLP Dictionaries
Custom DLP Engines

Departments

Following are the department ranges and limitations:

FeatureLimit
Departments per Organization140K departments
Departments per admin with Department Scope2,048 departments
Department Name128 characters
Comments10,240 KB
Imported Departments per CSV file3,000 entries

EUNs

Following are the EUN ranges and limitations:

FeatureLimit
Custom Messages for Zscaler Client Connector-Based EUNs64 custom messages
Custom Redirect URL1,023 characters
Notification Message15K bytes
AUP Message30K bytes
URL Categorization Notification15K bytes
Security Violation Notification15K bytes
DLP Violation Notification15K bytes
Caution Notification Text15K bytes
Support Phone Number20 characters
Policy Link1,023 characters
IT Support Email254 characters

Extranet

Following are the extranet ranges and limitations:

FeatureLimit
Extranet resources1,000 extranets
Extranet locations5,000 extranet locations
Traffic selectors per extranet16 traffic selectors
DNS servers per extranet16 DNS servers

Groups

Following are the group ranges and limitations:

FeatureLimit
Group Name128 characters or 127 bytes
Comments10,240 bytes
Imported Groups per CSV file3,000 entries
Network Services Groups121 groups
Network Applications Groups126 groups
Source IP Address Groups4,000 groups
Destination Groups (Destination IP or FQDN Groups)4,000 groups
FQDNs or IP Address Entries per Group

8,000 IP address entries

The total number of IP entries across groups must adhere to the overall base IP limit, as noted in the Other section.

Locations

Following are the location ranges and limitations:

FeatureLimit
Locations and Sublocations per Organization

32K locations

Contact Zscaler Support for a possible increase in this limit from 32K locations to 64K locations.

Sublocations per Location2,000 sublocations
IP Address Ranges per Sublocation2,000 IP address ranges
Location Name128 characters
Location State128 characters
Location Groups per Organization256 groups
Locations and Sublocations per Group

32K locations

Contact Zscaler Support for a possible increase in this limit from 32K locations to 64K locations.

Imported Locations per CSV file1,000 entries

NSS

Following are the Nanolog Streaming Service (NSS) ranges and limitations:

FeatureLimitComments
Number of Users per NSS Feed Filter1,024 users
Number of Departments per NSS Feed Filter1,024 departments
Number of Locations per NSS Feed Filter1,024 locations
Number of Clients per NSS Feed Filter1,024 clients
Number of Threat Names per NSS Feed Filter1,024 threat names
Number of Web Transactions per Nanolog Cluster1 billion web transactionsIf your organization surpasses more than 1 billion web transactions, additional Nanolog clusters are required.
Number of Nanolog Clusters per NSS Virtual Machine (VM) Server1 Nanolog clusterIf additional Nanolog clusters are required, your organization must support an adequate number of NSS VM servers.

Organization

Following are the organization ranges and limitations:

FeatureLimit
Address Line 110,240 bytes
Address Line 210,240 bytes
City/State/ZIP1,024 bytes
Name/Title/Phone/Alternate Phone1,024 bytes
Admin Users per Organization10K admins
Admin User Login ID128 characters
Admin User Email254 characters
Admin User Name256 characters
Admin User Comments10,240 bytes
Admin User Password100 characters
ADP Clients16 clients
Admin Roles64 roles
API Roles16 roles
Identity Providers64 identity providers

Outbound Email Data Loss Prevention

Following are the outbound email DLP ranges and limitations:

FeatureLimit
Domain Profiles per Organization32 profiles
Recipient Profiles per Organization32 profiles
Domain Profiles per Rule8 profiles
Recipient Profiles per Rule8 profiles
Custom Domains per Domain Profile

32 domains

Contact Zscaler Support for a possible increase in this limit from 32 domains to 1,024 domains.

Outbound Email Policies1,024 policies

PAC File

Following are the PAC file ranges and limitations:

FeatureLimit
Name255 characters
Description255 characters
File Size256 KB
PAC Files per Organization256 PAC files
Contact Zscaler Support to increase the limit of PAC files to 1,024.
Non-ASCII CharactersThe file can contain up to 12% of non-ASCII characters (binary).

Policies

Following are the policy and rule ranges and limitations:

FeatureLimitComments
Bandwidth Control Policy Rules per Organization125 rules
Cloud App Control Policy Rules per Cloud App Category127 rules
SaaS Security API Scans

Amazon S3

1,000 bucketsTo enable scanning of up to 1,000 Amazon S3 buckets, contact your Zscaler Account team.

Bitbucket

32 repositories

Google Cloud Platform

1,000 bucketsTo enable scanning of up to 1,000 Google Cloud Platform buckets, contact your Zscaler Account team.

Microsoft Azure

1,000 blob containersTo enable scanning of up to 1,000 Azure blob containers, contact your Zscaler Account team.
DNS Control Policy Rules per Organization1,000 rules
NAT Control Policy Rules per Organization1,023 rules
Firewall Filtering Policy Rules per Organization1,021 rules

Source IP/Destination Groups IP Address Entries and FQDNs per Organization

16K IP address entries

The limit for destination IP entries can be increased by using Custom URL Categories with Custom URLs and Custom IP Ranges. This applies only to the destination IP addresses. To learn more, see the URL Filtering & Cloud App Control section.

Contact Zscaler Support for a possible increase in this limit from 16K IP address entries to 64K IP address entries.

Destination Groups FQDNs per Organization

5,000 address entries

16K address entries with Advanced Firewall

Source IP Groups IP Address Entries per Rule

8,000 IP address entries

Destination Groups IP Address Entries and FQDNS per Rule

8,000 IP address entries

Source IP/Destination Groups per Rule

1,000 groups

Service Groups/Application Groups per Rule

1,000 groups

Destination Groups FQDNs per Rule

5,000 address entries

Destination Groups IP Address Entries and FQDNs per Group

8,000 IP address entries

Destination Groups FQDNs per Group

100 address entries

8,000 address entries with Advanced Firewall
URL Filtering Policy Rules1,000 rules
Forwarding Policy Rules per Organization1,000 rules

Third-Party Proxies Rules

8 rules

Gateways for Third-Party Proxies Rules

8 rules

ZPA Gateways Rules

55 gateways

Source IP Anchoring Application Segments

255 segments
SSL Inspection Policy Rules255 rules (245 custom rules and 10 predefined rules)
All Other Policy Rules (i.e., DLP Policy, File Type Control Policy, IPS Control Policy, etc.)127 rules
All Policy Rule Types:
Users per Rule4 users
Groups per Rule8 groups
Departments per Rule8 departments
Locations per Rule8 locations
Location Groups per Rule32 groups
Rule Labels1,024 labels
Times per Rule8 times
Devices per Rule64 devices
Device Groups per Rule8 device groups
Workload Groups per Rule8 workload groups
Comments10,240 bytesSome languages use multi-byte characters, so they have fewer characters than bytes.
File Type Control Policy File Size400 MB

Reporting

Following are the reporting ranges and limitations:

FeatureLimit
Interactive Report Name50 characters
Widget Name50 characters
Widgets20 widgets
Favorites per User50 favorites
Scheduled Report Recipient (i.e., Email Address)254 characters
Export to CSV (Web, Mobile, Firewall, DNS, and Tunnel Insights Logs)20 requests/hour

SaaS Application Tenants

Following are the SaaS application tenant ranges and limitations:

FeatureLimitComments
Number of tenants per SaaS application16 tenantsUp to 16 tenants can be added for each sanctioned SaaS application. Contact Zscaler Support for a possible increase in this limit.

URL Filtering & Cloud App Control

Following are the URL filtering and cloud app control ranges and limitations:

FeatureLimitComments
Custom Keywords (total)2,048 keywords
Custom Keywords per Category256 keywords
Keywords retaining parent category per Category2,048 keywords
Custom URLs/TLDs25K URLs/TLDs

Includes:

  • Custom URLs/TLDs in all URL Categories/TLD Categories
  • Auth Exemption URLs in Advanced settings
  • Blocked Malicious URLs in Advanced Threat Protection settings
  • Blocked URLs in SSL Inspection settings
  • Allowed URLs in FTP Control settings
  • Bandwidth Class Domains

Duplicate URLs/TLDs are counted once.

The default limit of custom URLs/TLDs is 25K. Contact Zscaler Support to subscribe to an additional limit of 50K. You can subscribe up to a maximum of 5 times.

Do Not Scan Content from these URLs1,024 URLs
Custom Categories/TLD Categories64 categoriesThe default limit of custom categories is 64. Contact Zscaler Support to increase the limit to a maximum of 1,024 categories.
Custom Cloud Applications per Organization64 applications
URLs per Custom Cloud Application128 URLs
URLs253 characters
IP Ranges2,048 IP ranges
Cloud Application Instance512 cloud application instances

Instance Identifiers

1,024 instance identifiersEach instance identifier can have up to 128 characters. There can be a maximum of 2,048 instance identifiers across all instances.
Cloud Application Tags per Organization16 tagsEach tag can have up to 127 characters.
Tenant Profiles per Rule16 tenant profilesEach Cloud App Control Policy rule can have up to 16 tenant profiles associated with it.

Amazon Web Services

256 account IDsEach account ID must have 12 digits. There can be a maximum of 2,048 account IDs across all profiles.

Dropbox Team ID

100 team IDsEach team ID can have up to 64 characters.

GitHub

One enterprise slug

Each enterprise slug can have up to 256 characters. There can be a maximum of 100 tenant profiles per organization.

You can associate only one tenant profile per rule.

Google App Domains

100 domainsEach domain name can have up to 160 characters. There can be a maximum of 2,048 domains across all profiles.

Google Cloud Platform

100 organization IDsEach organization ID can have up to 64 characters. There can be a maximum of 2,048 organization IDs across all profiles.

IBM SmartCloud

100 account IDsEach account ID can have up to 64 characters. There can be a maximum of 100 account IDs per rule and 256 account IDs across all profiles.

Microsoft Login Services (Version 1) Tenant Directory ID

One tenant directoryEach tenant directory can have up to 64 characters.

Microsoft Login Services (Version 2) Tenant Directory ID:Policy ID

One tenant directory:policy IDEach tenant directory:policy ID can have up to 256 characters.

Microsoft Login Services (Version 1) Office 365 Tenants or Tenant IDs

500 Office 365 tenantsEach Office 365 tenant or tenant ID can have up to 64 characters.

Slack Your Workspace ID

100 workspace IDsEach workspace ID can have up to 64 characters.

Slack Allowed Workspace ID

256 workspace IDsEach workspace ID can have up to 64 characters.

YouTube Channel ID

200 channel IDsEach channel ID can have up to 100 characters.

YouTube School ID

100 school IDsEach school ID can have up to 127 characters.

Webex Login Services

100 Webex tenantsThere can be a maximum of 250 tenants across all profiles.

Zoho Login Services

120 Zoho IDsEach Zoho ID can have up to 127 characters. There can be a maximum of 2,048 Zoho IDs across all profiles.

Zoom

One policy labelEach policy label can have up to 64 characters.

Users

Following are the user ranges and limitations:

FeatureLimit
Users per Organization1,400K users
User Name128 characters
User Password255 characters
Groups per User127 groups by default
Comments10,240 bytes
Imported Users per CSV file3,000 entries
User Groups per Organization140K groups
User Temporary Authentication Email254 characters

VPN Credentials

Following are the VPN credentials ranges and limitations:

FeatureLimit
VPN Credentials per Organization

16K credentials

Contact Zscaler Support for a possible increase in this limit from 16K credentials to 64K IP credentials.

Imported VPN Credentials per CSV file3,000 entries
User ID (for FQDN authentication type)256 characters
Pre-Shared Key (for FQDN and IP authentication types)255 characters
Comments10,240 bytes

Static IPs & GRE Tunnels

Following are the static IP and GRE tunnel ranges and limitations:

FeatureLimit
Static IP Address Entries per Organization100 IP address entries by default
Contact Zscaler Support to increase the limit for your organization.
Imported Static IPs per CSV file3,000 entries
GRE Tunnels per Organization100 tunnels by default
Contact Zscaler Support to increase the limit for your organization.
Imported GRE Tunnels per CSV file3,000 entries
Description10,240 characters

Other

Following are other ranges and limitations:

FeatureLimit
Source IP and Destination Groups4,000 groups
IP Address Entries or FQDNs per Group

8,000 IP address entries

The total number of IP entries across groups must adhere to the overall base IP limit.

IP Address Entries per Organization

16K IP address entries

The limit for destination IP entries can be increased by using Custom URL Categories with Custom URLs and Custom IP Ranges. This applies only to the destination IP addresses. To learn more, see the URL Filtering & Cloud App Control section.

Predefined Bandwidth Classes8 classes
Custom Bandwidth Classes245 classes
Bandwidth Class Name255 characters
Time Intervals64 intervals
Virtual Service Edge Nodes per Cluster16 nodes
Exported Transactions100K entries
Admin Role Name128 characters
SAML Certificate Filename128 characters
SAML Certificate Key Name1,024 characters
Alerts128 alerts
Alert Definition Comments10,240 bytes
Alert Subscription Email254 characters
Restore Point Name128 characters
Restore Point Description10,240 bytes
ICAP Name128 characters
ICAP Receiver URL128 characters
Firewall Network Services832 services
Network Service Name255 characters
Network Service Description1,024 bytes
Custom IPS Signature Rules500 signature rules
Custom IPS Threat Categories64 threat categories
Auditor Email254 characters
Admin Audit Log1,000 entries
Workload Groups1,024 entries
SCIM Servers5 requests/second
EDNS Client Subnet (ECS) Prefix Objects per Organization128 prefixes
DNS Gateways254 DNS Gateways
Custom Path URL Length for DNS Gateway Server1,024 characters
Sub-URL length in Insight Logs display and CSV file

2,041 characters

Sub-URLs are truncated if they exceed the character limit.

Remote Assistance View-Only and Full Access90 days
Related Articles
What Is My Cloud Name for ZIA?Viewing SubscriptionsAbout Zscaler Data PrivacyManaging ZIA Use in RussiaAccepting the End User Subscription Agreement (EUSA)About the Company Profile About Notification Customizing Your Admin Account SettingsSaving and Activating Changes in the ZIA Admin PortalEditing, Deleting, or Duplicating ItemsUsing TablesSearching on the Admin PortalUsing the Zscaler Help BrowserChecking for IP Addresses on the DenylistRanges & LimitationsSupported Browsers for ZIAZscaler Service Continuity Customer Notification ProtocolAccessing and Navigating the ZIA Admin Portal