5.3 Service Upgrade Summary

5.3 Service Upgrade Summary

Watch a video about Zscaler 5.3

This release includes support for TLS 1.2, a name change for Behavioral Analysis, and enhancements to the admin portal, dashboards and analytics, Cloud Firewall, and other features.

Zscaler will be upgrading its production clouds with the 5.3 release between November 2016 and February 2017. Zscaler will email a notification to your organization’s registered support contacts approximately one week before your cloud is upgraded. To see scheduled maintenance updates for your cloud, visit the trust portal.

Support for TLS 1.2

Zscaler now supports TLS 1.2, in addition to TLS 1.0 and 1.1. With SSL inspection enabled, the Zscaler service inspects all TLS sessions. Some of the websites you may have exempted from SSL inspection due to the lack of TLS 1.2 support can now be removed from the exemptions list. Please contact Zscaler Support to confirm which sites can be removed. Note that with this upgrade, the service no longer supports SSLv3 connections. Customers do not need to take any other action to use this feature.

Behavioral Analysis Renamed to Sandbox

Behavioral Analysis is now called Sandbox in the Zscaler platform. In the Zscaler home page, admin portal, documentation, and elsewhere, you will now see the term Sandbox in place of the term Behavioral Analysis.

Cloud Sandbox Enhancements

The Cloud Sandbox module has also been upgraded with the following:

  • Enhanced Sandbox signature set to detect zero day malware behaviors.
  • Enhanced Sandbox evasion detection and anomalous behavior detection signatures.
  • Enhanced Sandbox threat scoring algorithm resulting in higher precision scores.
  • Enhanced Sandbox Detail Reports (formerly called Behavioral Analysis Reports). Reports now show multiple threat names if multiple threats were detected.
  • Enhanced static analysis for PDF and Microsoft Office documents.

Changes to Advanced Threat Protection in Professional Web Suites

Users of the Professional Web Suite can now control the following in the Advanced Threat Protection policy:

  • Command & Control Servers
  • Known Phishing Sites
  • Anonymizers
  • BitTorrent
  • Tor

Previously, these controls were available only with Business Web Suite.

Dashboard and Analytics Enhancements

Dashboard Customization for Individual Admins

Each admin can now customize dashboards and have sole access to those dashboards, as long as he or she is assigned a role with full dashboard access. Previously, admins that were assigned the same role shared the same dashboards and could not make individual modifications. When an admin logs in for the first time after the upgrade, the admin portal displays the dashboards as the admin last saw them and prompts the admin to customize them to their preferences.

New Threat Class Data Type

The Threat Class data type now enables you to see advanced threats, viruses and spyware, and sandbox data in one chart in Web Insights and custom dashboards.

New Threat Class Data Type

CSO Report

In addition to the CIO Report, a new CSO Report is now available under Company Summary Report in Analytics > Interactive Reports. The CSO report provides more security-related data geared toward audiences like your organization’s CSO.

Screenshot of CSO Report

Admin Portal

New Design for Login Screen

Zscaler has redesigned the login screen for the admin portal. It now features a full screen banner with links to product, security, and service updates.

Screenshot of New Design for Login Screen

Cloud Software Version Number

You can now see the Zscaler cloud software version number at the bottom left of the screen when you log in to the admin portal.

Cloud Software Version Number

Flexible Admin Portal Session Timeout

You can now specify any value from 5 minutes to 10 hours for the session timeout duration. Previously, you were required to choose from four predefined options, ranging from 30 minutes to 10 hours.

New Time Intervals for Displaying Acceptable Use Policy

You can now specify a day of the month or a day of the week on which you want the service to display the Acceptable Use Policy (AUP) to your users. For example, if you select 1 for the day of the month, the service displays the AUP when users log in on the first day of every month. If you select Monday for the day of the week, the service displays the AUP when users log in on Monday every week. Previous to this release, the time intervals for displaying AUP were limited to Never, Once Per Session, Daily, Weekly, Once Per Login, and a Custom option that allows admins to specify, in days, the interval between AUP displays.

Enhancements to Tables in Policy and Administration Pages

You can now search for items in tables using the search bar located at the top right corner. You can also resize column width, reorder columns, sort select columns, and choose the columns you want to view or hide.

Enhancements to Tables in Policy and Administration Pages

Terminology Changes in the UI

To enhance clarity, admin portal fields containing the term “bypass” have been modified as follows:

In Administration > Advanced Settings,

  • Authentication Bypass is now Authentication Exemptions
  • Bypassed URL Categories is now Exempted URL Categories
  • Bypassed URLs is now Exempted URLs
  • Bypassed Applications is now Exempted Applications

In Policy > SSL Inspection,

  • Bypassed URL Categories is now Do Not Inspect Sessions to these URL Categories
  • Bypassed URLs is now Do Not Inspect Sessions to these Hosts
  • Bypassed Applications is now Do Not Inspect these Applications

In the Security Exceptions tab under Policy > Malware Protection and Policy > Advanced Threat Protection,

  • Bypassed URLs is now Do Not Scan Content from these URLs

Other Renamed Fields:

  • Policy for Non-Decrypted Traffic is now If SSL Inspection is Disabled, Block HTTPS to these Sites

Expanded Support for Fully Qualified Domain Names (FQDNs) in Cloud Firewall

We have expanded support for applications in our firewall policy. You now have the option to create firewall policy for applications by defining destination FQDNs instead of destination IP addresses. This frees you from having to track and update the IP pools associated with applications in your policy. You can leverage this option in addition to application policies based on signatures Zscaler has defined for common applications. You can also configure the DNAT on your firewall policy action to be an FQDN. This allows easier management of your internal applications.

File Type Control

File Type Control now supports 7-Zip archives and Google WebP image files. You can select these file types when adding rules to your File Type Control policy.


You are no longer required to specify a file type when using the DLP policy to monitor or block outbound data based on size limits. You can choose to have the Zscaler service monitor or block any outbound data that exceeds the size you specify, regardless of file type.

Security Exceptions for Browser Control

To enable this feature for your organization, you must contact Zscaler Support. Once it is enabled, URLs you whitelist under Security Exceptions in Policy > Malware Protection will also be  whitelisted for the Browser Control policy. When your users send traffic to the whitelisted URLs, the Zscaler service will not apply the Browser Control, Malware Protection, Advanced Threat Protection, and Sandbox policies. This could be helpful when your users must use obsolete browsers to access legacy applications but you would still like to block access for general browsing with those obsolete browsers.