Configuring Shift Policies


Configuring Shift Policies

Watch a video about how to add a single policy to a location
Watch a video about how to add multiple policies to a location

Shift offers multiple layers of security for your organization, including content filtering, threat security, Safe Search, and SSL inspection. In the Admin Portal, you can configure policies and specify how you want to implement these security features for your organization.

You can also choose to configure a single policy for your location or configure up to four policies for each location in your organization. This enables you to enforce different policies for different groups of users at the location.

Policy Configuration

To configure policies for single or multiple locations:

  1. From the Administration menu, select Policies.
  2. In the upper-right corner, click Add New Policy to open the New Policy window.
  3. Enter a Policy Name. The Policy Name field cannot be empty and cannot contain special characters, with the exception of periods, hyphens and underscores.
  4. Select a Content Filter Type. You can also see which categories are included in each type, by clicking Show Categories for Selected Policy Level. The categories blocked by that Content Filter Type appears in red, while the allowed categories appear in green. For a complete list of content filters, see Content Filters.
  5. Enable Threat Security to enable forwarding traffic to the Zscaler Shift service for inline inspection and protection against advanced security threats. The feature is enabled by default. If you want to enable Threat Security for HTTPS sites, you must enable SSL Inspection. If you do not enable SSL inspection, Shift does not enforce Threat Security on HTTPS sites.
  6. Enable Safe Search to ensure user browsers block all inappropriate or explicit images from search engine results. The feature is enabled by default. If you want to enforce Safe Search for Yahoo or YouTube, you must enable SSL Inspection. If you do not enable SSL Inspection, Shift does not enforce Safe Search for search engine results on these sites.
  7. Enable SSL Inspection to enable HTTPS inspection on any HTTPS site deemed suspicious, with the exception of sites in the Healthcare, Finance, and Banking categories. The feature is disabled by default.

    You can only enable SSL Inspection if Threat Security or Safe Search are enabled.

    If you enable SSL Inspection you also need to install a root certificate or users will receive a warning when visiting HTTPS websites. To learn more, see About Shift SSL Inspection.
    To install a root certificate: 
    1. Download the SSL Inspection Root Certificate from the link provided in the dialog that appears when you enable SSL Inspection. See image.
    2. After completing your policy configuration, install the certificate. You can do this either manually on user devices or using Active Directory. If your organization uses Active Directory, you can use the Active Directory Group Policy Object (GPO) feature to distribute the certificate. Different operating systems and browsers handle SSL Inspection Root Certificates in different ways. For example, Firefox (including version, 42.0) uses its own certificate store rather than the certificate store of the device operating system. You must install the root certificate manually in the Firefox browser. Refer to the documentation for the browsers your organization uses to ensure that you correctly install the Zscaler root certificate.

      SSL inspection is not recommended for Shift deployments where devices are unmanaged or installing a certificate on user devices is not feasible.

  8. Select the custom categories you want to blacklist in Always Block Categories 
  9. Select the custom categories you want to whitelist in Always Allow Categories
  10. Select the Zscaler DNS Service IP Binding. If you are configuring this policy for a location that has one policy for all users, leave the selection as anycast-main.
    If the policy you are configuring will be one of multiple policies for a location select the DNS IP address that you want to be affiliated with this policy from the drop-down menu. The options in the drop-down menu correspond to the following four Shift DNS IP addresses to which you can send your users' traffic. 
    To ensure you select the correct DNS IP address for the policy, read the Multiple Policies per Location overview below. As explained there, tying the DNS IP address to the policy is just one step in enabling multiple policies for a location. You must also add the multiple policies to the appropriate location in the Admin Portal. In addition, configure the routers in your network so that different groups of users at the location (each of whom will have a different policy) send traffic from different VLANs and make sure that each VLAN sends DNS requests to the DNS IP address that you have tied to the appropriate policy.
  11. Click Save

Multiple Policies per Location

You can create up to four different policies for a given location and apply them to different groups of users at the location. For example, if you are an admin in a retail business setting, you may want to create one policy for your Point-of-Sale (POS) network, one policy for employee network, and another policy for your guest Wi-Fi network. Below is a diagram that illustrates how Shift can enable multiple policies for such a location, followed by an explanation.

Diagram showing how to configure Shift for multiple locations

Shift provides you with four different DNS IP addresses to which your organization's edge device can forward traffic:

  • 8.34.34.34 (primary) / 8.35.35.35 (secondary)
  • 8.34.34.101 (primary) / 8.35.35.101 (secondary)
  • 8.34.34.102 (primary) / 8.35.35.102 (secondary)
  • 8.34.34.103 (primary) / 8.35.35.103 (secondary)

You can utilize these addresses to create multiple policies for each location.

To create multiple policies for a single location:

    1. In the Admin Portal, create a separate policy for each group of users at the location
    2. Tie each policy to one of the IP addresses above (step-by-step instructions are given in step 10 of Policy Configuration). For example, in the retail setting above, you can create one policy for your POS network, one for employees, and one for the guest Wi-Fi network.
    3. In the Admin Portal, add the policies you created to the appropriate location. To learn more, see Adding Locations. In the retail setting illustrated above, the admin would add the three policies they created to the location, "New York."
    4. Configure your network so that: 
      1. Different groups of users at the location (each of whom will have a different policy) send traffic from different VLANs. In the example above:
        • The POS network sends traffic from VLAN 10.
        • The employee network sends traffic from VLAN 20.
        • The guest Wi-Fi network sends traffic from VLAN 30.
      2.  Each VLAN sends DNS requests to the DNS IP address that you have tied to the appropriate policy in Step 1. In the example above:
        • VLAN 10 sends DNS requests to 8.34.34.101
        • VLAN 20 sends DNS requests to 8.34.34.102
        • VLAN 30 sends DNS requests to 8.34.34.103

    Once you’ve completed these tasks, when Shift receives traffic from one of your users at one of its four DNS IP addresses, it will know which policy to apply to the traffic by looking at the source IP address of the traffic. In the example above, if Shift receives traffic from the address 1.1.1.1 at its 8.34.34.102 DNS IP address, it knows that the traffic is coming from one of the employees at the location and applies the employee policy.

    Screenshot of the SSL Inspection Dialog Box