Zscaler Zero Trust Device Segmentation offers several solutions tailored to meet the unique security and isolation requirements of highly sensitive or regulated organizations. The three solutions, Airgap, Airgap-Lite, and Airgap+, address varying levels of network isolation and functionality needs.

When you add or edit an asset, you can choose one of these solutions in the Protection drop-down menu. To learn more, see Managing Your Assets.

• Airgap
  • Behavior: Assigns a /32 network mask to endpoints, effectively creating a secure "network of one." Each device is treated as an isolated entity, preventing direct communication between devices on the same subnet.
  • Use Case: Ideal for environments that require complete isolation between endpoints, ensuring all traffic routes through the Device Segmentation gateway for inspection and enforcement.
  • Challenge: Some systems might not support /32 masks due to hardware or software limitations.
• Airgap-Lite
  • Behavior: Uses the same subnet mask as the one the DHCP server provides, which simplifies integration in environments where endpoints need to communicate directly without routing all traffic through the gateway.
  • Use Case: Suitable for systems or networks where /32 masks are not supported, and full isolation is not a strict requirement.
  • Trade-Off: Reduces isolation compared to Airgap.
• Airgap+
  • Behavior: Implements micro-subnets by supporting subnet masks between /27 and /30. Devices within the same micro-subnet can communicate directly without routing through the Device Segmentation gateway. Traffic between different micro-subnets or external destinations is routed through the gateway for inspection and enforcement.
  • Use Case: Provides a balance between complete isolation and full subnet communication, which is ideal for environments needing some level of local communication while still enforcing Device Segmentation policies for external traffic.
  • Trade-Off: Increased complexity compared to Airgap-Lite.
  • Requirements:
    • Device Segmentation gateway must operate in server mode for the associated VLAN(s).
    • Available starting with Airgap OS 7.7.6.