5.6 Release Service Upgrade Summary


5.6 Release Service Upgrade Summary

Watch a video about Zscaler 5.6

This release includes a new Company Risk Score report, an enhanced Admin Portal UI, location groups, support for IKEv2, SCIM, and NSS on Azure, DLP EDM, new Audit Logs, a new Security Policy Audit Report, DNS resolution optimization, DNS tunnel detection, and many other great features.

Zscaler will be upgrading clouds with the 5.6 release starting in June 2018. Zscaler will email a notification to your organization’s registered support contacts approximately one week before your cloud is upgraded. To see scheduled maintenance updates for your cloud, visit the trust portal.

UI Redesign

The Admin Portal UI design is updated for easier navigation. We consolidated the menus into a single navigation bar on the left of the screen. All workflows remain the same.

Reporting

Four new reports are available: Audit Logs, Security Policy Audit, Company Risk Score, and Quarterly Business Review. We also added several other enhancements.

Audit Logs Enhancements

Audit logs now have new fields for better insight. To learn more, see About Audit Logs.
See image.

Security Policy Audit Report

The new Security Policy Audit Report allows you to view your Security Policy settings and improve them by following best practices guidelines. To learn more, see Security Policy Audit Report.
See image.

Company Risk Score Report

The new Company Risk Score Report allows organizations to monitor and assess their organizational, departmental, location, and user-level risk exposure. To learn more, see Company Risk Score Report.

This feature is in limited availability and will be fully enabled as we finish deploying the upgrades to all clouds.

Quarterly Business Review Report

The new Quarterly Business Review (QBR) Report provides a comprehensive overview of how Zscaler helped your organization over the last quarter. You can download the report from the Admin Portal under Analytics > Quarterly Business Review Reports. If you do not see the QBR, you can reach out to your account team or open a support ticket to have it enabled. To learn more, see Quarterly Business Review Report.

Cipher Suites Now Logged

There are 7 new SSL Cipher Web Insights filters (Analytics > Web Insights > Logs):

  • Certificate Chain Validity
  • Certificate Expiry
  • Client Connection Ciphers
  • Client Connection TLS Version
  • OCSP Result
  • Server Connection Ciphers
  • Server Connection TLS Version

To learn more, see Web Insights Filters.

New Web Action Filter Options

There are two new Web Action filters (Analytics > Web Insights > Logs):
See image.

  • Allowed - No Active Content
  • Allowed and No Scan

To learn more, see Web Insights Filters.

HTTP v HTTPS Interactive Report Renamed with Additional Protocols

The interactive report HTTP v HTTPS is now the Distribution of Traffic by Protocol report. The new report will continue to support the protocols HTTP, HTTPS, and Other SSL, along with the additional protocols, FTP and Tunnel. To learn more about interactive reports, see About Interactive Reports.

Cloud Configuration

Following are the new cloud configuration features.

NSS Over Azure

You can now deploy NSS over Azure. To learn more about NSS, see About Nanolog Streaming Service (NSS). To learn how to deploy NSS over Azure, see NSS Deployment Guide for Azure.

New Web Log Fields (SSL Ciphers) for NSS Feed Output

The following web log fields are now added to NSS Feeds:

  • %s{srvsslcipher}
  • %s{srvtlsversion}
  • %s{srvocspresult}
  • %s{srvcertchainvalpass}
  • %s{srvwildcardcert}
  • %s{serversslsessreuse}
  • %s{srvcertvalidationtype}
  • %s{srvcertvalidityperiod}
  • %s{clientsslcipher}
  • %s{clienttlsversion}
  • %s{clientsslsessreuse}

To learn more, see NSS Feed Output Format: Web Logs.

MCAS NSS Feed

You can now add an Microsoft Cloud App Security (MCAS) NSS Feed. To learn more, see Configuring MCAS Feed.
See image.

Sandbox

We made the following enhancements to the sandbox.

New Patient 0 Alert

If your Sandbox policy is configured to allow and scan files for the first-time action, the Zscaler service allows users to download unknown files and then sends the files to the Sandbox for behavioral analysis. If a file is found to be malicious, this becomes a patient 0 event.

On the Alerts page (Administration > Alerts), you now can configure the Patient 0 alert and receive emails about these events.
See image.

To learn more, see Configuring the Patient 0 Alert.

New File Type Supported

Sandbox now supports ZIP archive with suspicious script file (.js, .vbs, .svg, .ps1, .hta, .cmd, .lnk). You can select this file type when adding a Sandbox rule. To learn more, see Configuring the Sandbox Policy.
See image.

Sandbox Dynamic Chaining Support

If any executables fail to run properly on the original VM or OS, Sandbox now supports executing them on multiple VMs or OSs to see the behavior.

Firewall

We made the following enhancements to the firewall.

DNS Tunneling Detection

DNS Tunneling can be used to circumvent traditional security measures and has the potential to introduce a variety of hazards into networks. To counteract this threat, Zscaler has introduced the ability to detect, control, and analyze tunneling traffic.

The new DNS Tunnels & Network Apps option available when adding a DNS filtering rule allows you to create rules controlling which tunnels are allowed on your network. It also allows specific network services and websites, and search engines to be blocked at the DNS level. To learn more, see Configuring the DNS Control Policy and About DNS Tunnel Detection.

To gain greater control, you can also create a DNS Application Group combining these tunnels and applications. To learn more about these, see About DNS Application Groups and Adding DNS Application Groups.

DNS Tunnels & Network Apps and DNS Tunnel & Network App Categories have also been added as data types and filters that can be utilized in DNS Insights. Through the addition of the Top DNS Tunnels & Network Apps and DNS Tunnel & Network App Categories widgets, you can also visualize the tunnels and network applications detected. To learn more about visualizing and analyzing tunneling traffic, see About Dashboards and  DNS Data Types and Filters.

DNS Optimization

An option has been added to the Advanced Settings to enable Zscaler Enforcement Nodes (ZENs) to optimize DNS resolution. If this is used, the Zscaler proxy will intercept the HTTP or HTTPS request, and perform its own DNS resolution. It then overrides the destination IP if the answers are different. This can minimize the geographical distance a query travels and reduce latency. To learn more, see About Advanced Settings.
See image.

New Tabular Data Stream (TDS) Network Application 

The Tabular Data Stream (TDS) protocol (which is used for communication between clients and database servers) has been added as a new Network Application. This will provide you with the ability to create firewall filtering rules for all detected TDS traffic. 

This feature also enables the creation of a custom URL category based on a specific database address (URL). This custom category can be used when creating firewall filtering rules and allows database servers to be whitelisted or blacklisted as desired.

Firewall Control Logging Option Name Change

In Policy > Firewall Control, when adding or editing a Firewall filtering rule, the Logging option Hourly Stats is now named Aggregate. To learn more, see Configuring the Firewall Filtering Policy.
See image.

New Default Network Traffic Option for the Default Firewall Filtering Rule

In Policy > Firewall Control, the default Network Traffic option for the default firewall filtering rule is now Block/Drop. This does not impact existing configurations. To learn more, see Editing the Default Firewall Filtering Rule.
See image.

Data Loss Prevention (DLP)

We added the following features to DLP.

New DLP Dictionaries

The following predefined dictionaries were added to DLP:

  • Citizen Service Numbers (Netherlands): Detects leakage of Citizen Service Numbers (BSN) from the Netherlands
  • Medicare Numbers (Australia): Detects leakage of Australian Medicare Numbers
  • Tax File Numbers (Australia): Detects leakage of Australian Tax File Numbers

You can modify these predefined dictionaries, create custom dictionaries, or add them to a DLP Engine. To learn more, see About DLP Dictionaries.

New Index Tool and Index Templates

You can now create Exact Data Match (EDM) index templates and apply them to custom DLP dictionaries and engines. EDM templates allow the Zscaler service to identify a record from a structured data source that matches predefined criteria.
See image.

In order to create and modify an index template, you must download and configure an Index Tool for your organization.
See image. 

To learn more, see About the Index Tool, About Index Templates, and Creating an Exact Data Match Template

This feature is in limited availability and will be fully enabled as we finish deploying the upgrades to all clouds.

Recommended DLP Policy Rule Removed

Recommended Policy was removed from the Data Loss Prevention page. There is no recommended global policy for DLP. Make sure that your DLP policies are tailored to your organization. To learn more, see About Data Loss Prevention (DLP).

Updated DLP Notification Template Macro

When you use the ${DICTIONARIES} macro within a DLP notification template it now displays the list of dictionaries as well as the number of times each dictionary was triggered. To learn more, see Configuring DLP Notification Templates.

Partner Integration

We added the following partner integration features.

Microsoft Cloud App Security (MCAS) Integration Support

You can now set up an MCAS integration within the Admin Portal to allow the Zscaler service to discover and sync Cloud Apps. Integrating with MCAS allows you to utilize the Zscaler service's policy management functionality (i.e., URL filtering, custom category and Cloud App control, etc.) for blocking non-sanctioned applications. Your policies within the Zscaler service will include the list of applications to be blocked as provided by MCAS.
See image.

To learn more, see About Partner Integrations and Configuring an MCAS Integration.

SD-WAN Partner Support

You can now create and manage Software-Defined Wide Area Networking (SD-WAN) partner keys that enable cloud service API access to your locations and VPN credential information.
See image.

An SD-WAN partner key enables partner access to the following resources within the cloud service API:

  • Locations: An SD-WAN partner can export all attributes of a Zscaler service-defined location as a request. Partners can also make resource requests to add, update, and delete locations instead of manually adding them or importing them via CSV file to the Zscaler Admin Portal.
  • VPN Credentials: An SD-WAN partner can configure IPSec/GRE tunnel parameters including pre-shared keys, fully qualified domain names (FQDNs), and their associated location names as a request.

Zscaler supports the following SD-WAN vendors:

  • Cisco Viptela
  • HPE Aruba
  • Riverbed SteelConnect
  • Silver Peak
  • VMware VeloCloud

To learn more, see About Partner IntegrationsManaging SD-WAN Partner Keys, and Solution Briefs.

New Partner Administrators and Partner Administrator Roles

Before you can create and share a key with an SD-WAN partner, you must create a partner admin role and admin credentials for them. The Administrator Management and Role Management pages were updated to allow you to add, modify, and remove partner admins and roles.
See image.

To learn more, see Adding Partner Admin Roles and Adding Partner Admins.

New "Managed By" Field for Locations and VPN Credentials

A new field, Managed By, was added to Locations and VPN Credentials. After you've configured partner admins and partner keys for SD-WAN, you can select which partners should have access to view and modify each of your locations as well as VPN credentials that use FQDN as the authentication type. 
See image.

To learn more, see About Locations and About VPN Credentials.

Traffic Forwarding

We added the following features for traffic forwarding.

Location Group Support

You can now create location groups. Adding groups allows you to easily organize your locations and their associated sub-locations, as well as search and sort for them, within the Admin Portal.
See image.

To learn more, see About Location Groups and Adding Locations to a Group.

Bandwidth Control for Sub-Locations

You can now enable bandwidth control for a sub-location. If you enabled bandwidth control on a location, all sub-locations will share the bandwidth limits assigned to that location. However, you can override this behavior in order to assign a fixed bandwidth to a sub-location.
See image.

To learn more, see About Bandwidth Control and About Sub-Locations.

Enable AUP for Unauthenticated Locations

If you disabled Enforce Authentication on a location or sub-location, you can now Enable AUP for unauthenticated traffic in order to display an Acceptable Use Policy (AUP) notification and require users to accept it.
See image.

To learn more, see Configuring Locations and About Acceptable Use Policy and End User Notifications.

IKEv2 Support for IPSec VPN Tunnels

Zscaler now supports the Internet Key Exchange version 2 (IKEv2) protocol to negotiate IPSec VPN Tunnels. IKEv2 is a fast, less complicated control protocol. It improves on IKEv1 vulnerabilities and simplifies the Security Association (SA) negotiation process.

You can see IKEv2 configurations in the the following IPSec VPN Tunnel configuration examples:

To learn more about IKEv2 and the Zscaler supported parameters, see About IPSec VPNs.

Zscaler Splunk App

The new Zscaler Splunk App provides detailed dashboards and reporting for all Zscaler products using ZIA Nanolog Streaming and ZPA Log Streaming services. The Zscaler App for Splunk can also ingest DLP incident information, bringing full context for DLP incidents directly into Splunk. To learn more, see NSS Configuration Example: Splunk.

Provisioning and Authentication

We added the following provisioning and authentication features.

SCIM Based Provisioning

SCIM-based provisioning has been introduced. This protocol provides the benefit of automatically deprovisioning users and updating their information when they authenticate. To learn more, see About SCIM and Choosing Provisioning and Authentication Methods.

This feature is in limited availability and will be fully enabled as we finish deploying the upgrades to all clouds.

New Special User

The new Special User type Unauthenticated Proxy Port User allows customers to apply rules to traffic coming from port 9480. To learn more, see How do I configure the policy for unauthenticated traffic?

URL Categories

We made the following changes to the URL categories:

  • Web Banners has been renamed to Advertising.
  • CDN (Content Delivery Networks) has been added for use on sites that set up content delivery networks to deliver content to end users.
  • Newly Registered Domains has been added for use on sites whose domain was created in the last 30 days but are currently not categorized by Zscaler. This category can only be used in URL Filtering rules.
  • Non Categorizable has been added for sites that Zscaler has been unable to categorize for reasons such as it no longer existing or consisting solely of a login page.

To learn more, see About URL Categories.

Cloud Apps

We made the following changes to the cloud apps.

Changes to Cloud App Categories

The following changes have been made to the Cloud App Categories:

  • Enterprise Collaboration has been renamed to Collaboration & Online Meetings
  • Enterprise Productivity has been renamed to Productivity & CRM Tools
  • File Sharing & Streaming Media has been split into two categories; one named File Sharing and the other Streaming Media
  • A new category named Hosting Providers has been created to manage hosting providers such as AWS.
  • A new category named IT Services has been created to manage identity and device management tools such as such as Okta or AirWatch.

To learn more, see Cloud App Categories.

As part of these changes, the Streaming & File Share Applications and the Streaming & File Share Users widgets in the Cloud Applications Dashboard have changed to Streaming Applications and Streaming Users.

The Streaming Media/File Share cloud application class used in custom widgets has also changed to Streaming Media. If you wish to analyze data in the File Sharing category, you can create a new widget.

Ciphercloud and CloudLock No Longer Supported

Ciphercloud and CloudLock are no longer supported and their risk scores can no longer be seen in the Cloud Applications dashboard.

SSL Inspection

We made the following enhancements to SSL inspection.

SSL Inspection for Mobile Traffic Enhancements

You can now enable SSL inspection for each of the following: SecureAgent, roaming devices, and Zscaler App. For Zscaler App, you can enable or disable SSL inspection separately for each device platform. To learn more, see Configure an SSL inspection policy (including SSL inspection policy for mobile traffic).

ECDHE Cipher Support for PFS

Zscaler now supports ECDHE cipher suites for TLS to ensure Perfect Forward Secrecy (PFS). ECDHE is faster and provides better performance than DHE. To learn more about the supported ECDHE cipher suites, see Zscaler TLS Support. To learn more about PFS, see Perfect Forward Secrecy (PFS).

Administration

We made the following enhancements to administration.

Password Expiration

In Administration > Administration Management admins can now find an option to set a password expiration time for admins logging into the Admin Portal. To learn more, see Configuring Password Expiration.
See image.

Login Changes

If an admin account makes five unsuccessful attempts to log in within one minute, the account will be locked out for five minutes, rather than one. You can view logs for the failed attempts in the Audit Logs page

Cloud Service API

Zscaler has updated the cloud service API to support the following functionality:

Also new endpoints were added to Admin Audit Logs (formerly known as Change Audit Reports), and the /users/bulkDelete endpoint was added to User Management. To learn more, see About the API and the API Reference

Finally, the Postman collection was also updated to include the new and updated resources. To learn more, see Configuring the Postman REST API Client.

Protocol Control Availability

When configuring the Sandbox, DLP, URL Filtering, File Type Control, and Bandwidth Control policies, you now can select the following protocols:

  • FTP over HTTP: FTP protocol over HTTP
  • HTTP: HTTP protocol
  • HTTPS: HTTP protocol encrypted by TLS/SSL
  • Native FTP: Native FTP protocol
  • SSL: SSL encrypted traffic that's not decrypted
  • Tunnel: Encrypted traffic using an unidentified protocol

This feature is in limited availability and will be fully enabled as we finish deploying the upgrades to all clouds.

The SSL and Tunnel protocols are only available for the URL Filtering and Bandwidth Control policies. The FTP over HTTP protocol isn't available for the DLP policy.
See image.

URL Limit Increase for Security Exceptions

When configuring security exceptions for the Malware Protection and Advanced Threat Protection (ATP) policies, you can now enter a maximum of 1,024 URLs in Do Not Scan Content from these URLs.
See image.

To learn more, see Whitelisting URLs.

Screenshot of the ZIP w/Suspicious Script File (.js, .vbs, .svg, .ps1, .hta, .wsf, .cmd, .lnk) file type option for Sandbox 

Screenshot showing the option for DNS optimization at the ZEN

Screenshot of the Password Expiration option

Add DLP Dictionary Window with Exact Data Match Dictionary Type Selected

Zscaler Index Tool Login Screen

Microsoft Cloud App Security Tab in the Partner Integrations Page

SD-WAN Tab in the Partner Integrations Page

Add Partner Administrator Window Add Partner Administrator Role Window

Add Location Window with Managed By Setting Add VPN Credential Window with Managed By Setting

Locations Page in Grouping Mode

Add Sub-Location Window with Enforce Bandwidth Control Settings

Add Location Window with Enable AUP Setting

 

 

 

 

Screesnhot of the Do Not Scan Content from These URLs field in the Security Exceptions tab 

Screenshot of the Allowed -No Active Content and Allowed and No Scan options for the Web Action filter 

Screenshot of the Block/Drop network traffic action in the Edit Firewall Filtering Rule window.