5.5 Service Upgrade Summary

5.5 Service Upgrade Summary

Watch a video about Zscaler 5.5

This release includes new Insights reports, new SSL and Peer Comparison reports, publicly available MIBs, additional PAC file attributes, NSS over AWS, and other great features.

Zscaler will be upgrading its production clouds with the 5.5 release in August 2017. Zscaler will email a notification to your organization’s registered support contacts approximately one week before your cloud is upgraded. To see scheduled maintenance updates for your cloud, visit the trust portal.

Logging, Reporting, & Analytics

Following are the new logging, reporting, & analytics features.

New Insights Reports

The CxO Insights Reports provide an organization’s CISO, CTO, and CISO with monthly summaries on the IT and security posture of their organization. The reports are scheduled in the Executive Contacts tab through the admin portal. To learn more about scheduling reports, read CxO Insights Report.

Industry Peer Comparison Report

The Industry Peer Comparison Report compares your organization's performance with that of both peer organizations and all companies using our cloud service. To learn more, read About Industry Peer Comparison.
See image.

New SSL Report

A new standard report, called HTTP vs. HTTPS, is now available under Secure Browsing in Analytics > Interactive Reports. The report provides visibility into overall encrypted traffic and content inside that traffic.

This reporting is only available on new data.

If your organization has enabled SSL inspection, you will gain full visibility into overall SSL traffic, application types, and threat types within that traffic. Note that if your organization does not have SSL inspection enabled, this report still provides visibility into overall SSL traffic.

The report contains 8 widgets, which compare HTTP traffic to HTTPS traffic.
See image.

Two New Fields for Transaction Logs

Two new fields are now visible in the transaction logs on the Admin Portal: Rule Name and Policy Type. The rule name is only displayed when a policy has been triggered. We only record policy names for block transactions and not for allow transactions. For a list of the policies that have rules available, see New Rule Name Field for Policies.

Logging Improvement

Before release 5.5, traffic arriving from a tunnel not associated with a configured location was processed as traffic belonging to a "default company" instead of a customer organization. All tunnels should be associated with a customer organization and location, but Zscaler has seen traffic from tunnels lacking a configured location.

Now all traffic from tunnels not associated with a specific location is logged with the appropriate organization as the user. The organization name is logged in the User field, indicating that this traffic came from a tunnel not associated with a location. To ensure that the location information is logged correctly and that location-specific policies are applied, associate every tunnel with a location.

New Web Insights Filter

The new Web Insights filter Protocol replaces the SSL Decrypted? filter. The Protocol filter will improve the visibility of protocols that traverse within Zscaler’s cloud. This enhancement will allow web logs to expose the following information:

  • HTTP: HTTP protocol
  • HTTPS: Secure HTTP protocol that has been decrypted
  • FTP: Native FTP protocol
  • FTPOVERHTTP: FTP protocol over HTTP
  • FTPS: FTP protocol over secure HTTP
  • SSL: SSL traffic not decrypted
  • TUNNEL: Clear text traffic with unknown protocol or non-SSL encrypted traffic

To learn more about this and other filters, see Viewing Web Logs and Web Insights Filters.


Following are the new authentication features.

Reauthenticating All Users

You can now force log out all users in your organization and have them reauthenticate to the Zscaler service. You can also see the status of whether the logout was successful or not as well as the last time the Zscaler service successfully completed a forced reauthentication.
See image.

To learn more, see Reauthenticate All Users in About Authentication Profile.

Adobe Flash Cookies No Longer Supported

Zscaler has discontinued its use of Adobe Flash cookies on its authentication page and pre-provisioned cookies as an authentication mechanism.

To learn more, see End of Support for Adobe Flash Cookies.

Traffic Forwarding

Following are the new traffic forwarding features.

New Country and Country Gateway Variables for PAC Files

You can now use the new ${COUNTRY} and ${COUNTRY_GATEWAY} variables when writing a PAC file. To learn more, see Zscaler-Specific Variables in Writing a PAC File.

Obfuscating the PAC File URL

When adding a PAC file, you can now obfuscate the URL for additional security.
See image.

Access Control

Following are the new access control features.

FTP Control Improvements

Following are the FTP control improvements.

New FTP Security Features

Starting with this release, the Malware Protection feature supports more protocols. You can now scan the following types of traffic in real time: HTTP traffic, HTTPS traffic (if SSL Inspection is enabled), FTP over HTTP traffic, and FTP traffic.
See image.

If your organization has the Data Loss Prevention (DLP) subscription, you can now apply DLP policies on all files extracted from these protocols.

FTP access control and file extraction require the Cloud Firewall subscription. To configure the FTP Control policy, go to Policy > Firewall Control.
See image.

Protocol Filter

You can now filter your web log transactions by a specific type of traffic.
See image.

This filtering is only available on new data.

Microsoft Tenant Restrictions Access

Zscaler now supports Microsoft’s Tenant Restrictions. To learn more about the feature, see Support for Microsoft Tenant Restrictions.
See image.

Optimize Office 365 Support with One Click

With one click, the Zscaler service now automatically performs the necessary configurations so your users can seamlessly use all Office 365 applications. Additionally, Zscaler monitors the Office 365 IP addresses and URLs, fingerprints the apps, and adjusts the configurations accordingly, so you don't need to manage any future IP address or URL changes. To learn more, see How do I Configure Office 365 Support?.

New File Types Supported for File Type Control

File Type Control now supports the following file types when adding a File Type Control rule:

  • ZIP archive with suspicious script file (.js, .vbs, .svg, .ps1, .hta, .wsf, .cmd, .lnk)
  • Rhino 3D Model (.3dm)
  • DICOM (.dicom)
  • TIFF (.tiff, .tif)
  • Word Macro-Enabled Document (.docm)
  • Excel Macro-Enabled Workbook (.xlsm)
  • PowerPoint Macro-Enabled Presentation (.pptm)
  • Autodesk Inventor Part (.ipt)


Following are the new Sandbox features.

Support for Microsoft Office Macro-Enabled Files

Sandbox now supports the following Microsoft Office file types when adding a Sandbox rule:

  • Word Macro-Enabled Document (.docm)
  • Excel Macro-Enabled Workbook (.xlsm)
  • PowerPoint Macro-Enabled Presentation (.pptm)

Printing the Sandbox Detail Report 

You can now print the Sandbox Detail Report.
See image.

Redesigned Quarantine End User Notification (EUN)

The Sandbox quarantine EUN has been redesigned for more clarity.
See image.

To learn more, see Sandbox End User Notifications (EUNs).

Cloud Configuration

Following are the new cloud configuration features.

NSS over AWS

You can now deploy an NSS on Amazon Web Services (AWS) or on-premises on an ESX Virtual Machine. To learn more about NSS over AWS, read About Nanolog Streaming Service (NSS). To learn how to deploy NSS on AWS, read NSS Deployment Guide for AWS.

Two New Web Log Fields for NSS Feed Output

The two new web log fields %s{rulelabel} and %s{ruletype} have now been added to NSS Feeds. To learn more, read NSS Feed Output Format.

VZEN Kerberos Support

Zscaler now supports Kerberos authentication for VZENs. To learn more, read How do I deploy Kerberos for VZEN?.
See image.

Support for b64 Encoding

The following fields have been added as b64 fields:

  • b64ua                                                   
  • b64filename
  • b64threatname
  • b64mobappname
  • b64host
  • b64url
  • b64referer
  • b64login
  • b64location
  • b64dept
  • b64urlcat
  • b64rulelabel

MIBs Available

Starting with this release, you can use Zscaler Enterprise SMNP MIBs to perform health monitoring on several, different instances like NSS, ZAB, and Virtual ZENs.

To learn more, see About the SNMP MIBs.

Bandwidth Control

You can now prioritize business-impacting traffic and throttle the remaining traffic for large breakout locations.

Support for Maximum Concurrent Sessions Removed

With this upgrade, you can no longer specify the number of concurrent sessions the service allows per bandwidth class. The setting was removed from the Admin Portal.


Many fixes and improvements increased the performance and reliability of the service.

User Interface

Following are the user interface improvements.

New Rule Name Field for Policies

The following policies now have a Rule Name field in the admin portal:
See image.

  • Sandbox
  • Data Loss Prevention
  • URL & Cloud App Control
  • File Type Control
  • Bandwidth Control
  • Mobile App Store Control
  • Firewall Control
  • DNS Control


Obfuscate URL Field.png 

5.5 Release Notes Force Reauth.png 

Enable O365 Tenant Restriction 5.5.png 

Print Sandbox Detail Report ver 3.png 

Screenshot of the Sandbox quarantine end user notification (EUN) 

Location Kerberos Auth.png

Rule Name.png

Screenshot of a CISO Insights Report mockup. Contains comparative analysis through bar graphs and percentages.

Screenshot of a CTO Insights Report mockup. Contains comparative analysis through bar graphs and percentages.

Screenshot of a CISO Insights Report mockup. Contains comparative analysis through bar graphs and percentages.



Industry Peer Comparison Report.png