About Acceptable Use Policy and End User Notifications



On the End User Notification page of the Zscaler admin portal, you can configure an Acceptable Use Policy (AUP) and different types of end user notifications (EUNs):

The Zscaler service supports multiple languages for these notifications. You can also customize the appearance of the AUP and EUNs with CSS styles, HTML tags, and JavaScript. See Customizing the AUP and EUNs with CSS Styles.

Note: The following fields also affect the caution notification: Display Reason, Display Company Name, and Display Company Logo.

Block Official

AUP Official

Note: The general settings for the caution notification also affect the block notifications.

Caution Official

The Zscaler service displays a notification page to users whenever it blocks access to certain sites, files, or Internet applications. Additionally, the service displays a notification when it blocks access to a site due to a bad certificate (that is, if the certificate issuer is unknown, if the certificate has expired, or if the Common Name in the certificate does not match). For example, if a user browses to a site that is in a URL category that was blocked, the service blocks access to the site and displays a block notification. See image.

The service displays the block notification any time there is a policy violation. For example, if a user attempts to upload or download an infected file attachment, the service blocks the file and displays a notification in the user’s browser stating that a virus-infected file was blocked. Similarly, if a user exceeds a daily quota for how much time he or she can browse social networking sites (as set by an administrator), the attempt to log onto one of their servers is blocked and the service displays a page in the user’s browser stating that access has been denied because the daily quota was reached.

The service provides a default notification which you can customize, or you can redirect users to an external site that hosts the notification page.

To configure the block notifications:

  1. Go to Administration > Resources > End User Notifications.
  2. Under Configure Notifications, choose the Notification Type, and configure accordingly:
  3. You can configure up to three types of block notifications:
  4. Under IT Support, enter one or more of the following contact details so users can seek additional information about why access to pages, files, or web applications is restricted.
    • Email: You can provide an email address for a contact who can explain your company's use of the Zscaler service to protect your network.
    • Phone: You can provide a phone number for a contact who can explain your company's use of the Zscaler service to protect your network. Following are examples of valid formats: 123-456-7890, +91-1234567890, 1234567890, +911234567890.
    • Policy Link: You can provide a URL pointing to a page you created on your company intranet that describes your current policy about using corporate network and Internet resources.

NOTE: This information appears on all notifications.

  5. Click Preview Template(s) to see what the block notifications look like after making changes. You can preview the notifications as many times as you want.
  6. Click Save and activate the change.

 

Choose Default to display the system-generated message. See image.

  • Display Reason: Enable to display why access to a site, file, or application was blocked or restricted in the end user notifications. This setting will affect the caution notification.
  • Display Company Name: Enable to display the name of your organization in the end user notifications. This setting will affect the caution notification.
  • Display Company Logo: Enable to display the logo of your organization in the end user notification. You can upload your company logo on the Company Profile page. This setting will affect the caution notification.
  • Notification Message: Optionally, enter text to customize the notification message. This message appears when the service blocks access due to your organization's policies. Any changes in this field affect the URL Categorization Notifications, Security Violation Notifications, and Web DLP Violation Notifications at the same time.
    See image.

NOTE: You cannot change the other text in the block notifications because it is generated when users are blocked for policy violations. However, you can customize the appearance of the text or hide it with CSS styles.

 

Choose Custom to redirect to an external site.

When the user's browser is redirected, the URL includes query parameters, which administrators can use to customize the page that is served or for logging purposes. During the redirection, all query parameters are sent to the external site. For Web DLP Violation policy requests, the query parameters enable the administrator to find the Web Post DLP transaction. These query parameters are:

  • action: Specifies the action that triggered the redirect.
  • cat: Specifies the URL category of the URL (if available).
  • kind: Specifies the policy that triggered the URL redirection. See a list of possible values for kind and their mapping to policies.
  • reason: Specifies the string that contains additional information about the URL.
  • reasoncode: Specifies the reason that this notification or redirect triggered. See a list of possible values for reasoncode and their explanation.
  • referer: Specifies the referer URL in URL-encoded format.
  • rule: Specifies the internal rule-id that triggered the block (if available).
  • timebound: Specifies whether this notification or redirect is triggered by a policy that includes time interval as a criteria.
  • url: Specifies the original URL that caused this redirect or notification.
  • user: Specifies the user-id (the login name) of the user (if available).
  • zsq: This parameter is used by the Zscaler service. 

| Kind | Policy |
| --- | --- |
| access | Malware Protection Policy (Security Exceptions) |
| antivirus | Malware Protection Policy |
| bandwidth_control | Bandwidth Control Policy |
| blocked_ftp_access | FTP Control Policy |
| category | URL Filtering Policy |
| data_leakage | DLP Policy |
| file_type | File Type Policy |
| p2p | Advanced Threat Protection Policy |
| social_networking | Cloud App Control Policy (Social Networking & Blogging) |
| social_networking_upload | Cloud App Control Policy (Social Networking & Blogging > Posting) |
| streamed_media | Cloud App Control Policy (Streaming Media & File Sharing) |
| streamed_media_upload | Cloud App Control Policy (Streaming Media & File Sharing > Uploading) |
| wac | Browser Control |
| webim | Cloud App Control Policy (Instant Messaging) |
| webim_attachment | Cloud App Control Policy (Instant Messaging > File Transfers) |
| webmail | Cloud App Control Policy (Webmail > Viewing Mail) |
| webmail_attachment | Cloud App Control Policy (Webmail > Sending Attachments) |
| webmail_data_leakage | DLP Policy |
| webmail_quota | Cloud App Control Policy (Webmail > Time Quota) |

| Reasoncode | Explanation |
| --- | --- |
| DENIED | Denied access |
| CATEGORY_DENIED | Not allowed to browse this category |
| BEYOND_TQUOTA | Time quota exceeded daily limit |
| BEYOND_SQUOTA | Volume quota exceeded daily limit |
| BEYOND_INTERVAL | Not allowed during this time of day |
| AV_SIZE_BLOCK | Not allowed to upload/download files of size greater than configured limit |
| AV_TYPE_BLOCK | Not allowed to upload/download files of this type |
| AV_BROWSER_TYPE_BLOCK | Not allowed to use this browser |
| AV_ENCRYPTED_BLOCK | Not allowed to upload/download encrypted or password-protected archive files |
| AV_UNSCANNABLE_BLOCK | Not allowed to upload/download unscannable file formats |
| BLACKLISTED | Not allowed because URL is blacklisted |
| UNCATEGORIZED | Not allowed because URL is uncategorized |
| SN_WEBUSE_DENIED | Not allowed the use of this Social Network / Blogging site |
| SN_POSTING_DENIED | Not allowed to post message to this site |
| STM_VIEW_LISTEN_DENIED | Not allowed to use this Streaming Media/File Share site |
| STM_UPLOAD_DENIED | Not allowed to upload media files to this site |
| STM_TYPE_BLOCK | Not allowed to upload/download media files of this type |
| WM_WEBUSE_DENIED | Not allowed to use this Webmail site |
| WM_ATTACH_DENIED | File Attachment not allowed |
| TIME_BOUND_BLOCK | Time bound block |
| AV_AUTHENTIUM_VIRUS_SW_MW_BLOCK | Malicious file Blocked |
| DLP_DENIED | Violates Compliance Category |
| AT_REQ_MALWARE_DENIED | Not allowed to browse this Malicious URL |
| AT_REQ_PHISHING_DENIED | Not allowed to browse this Phishing site |
| AT_REQ_BOTNETS_DENIED | Not allowed to browse this Botnet site |
| BWCTL_SESSION_DENIED | Maximum sessions reached for this Bandwidth class |
| AT_RES_ACTIVEXBLOCK_DENIED | Not allowed because this page contains known dangerous ActiveX controls |
| AT_REQ_XSSATTPATT_DENIED | Block site vulnerable to XSS attacks |
| AT_REQ_COOKIESTEAL_DENIED | Possible browser cookie theft |
| AT_REQ_IRC_TUNNELING_DENIED | IRC use/tunneling not allowed (request) |
| AT_REQ_ANONYMIZER_DENIED | Use of anonymizing sites is not allowed (request) |
| AT_REQ_BOTNET_CNC_DENIED | Detected possible botnet command and control traffic |
| WAC_DENIED | Secure Browsing blocked an outdated/disallowed component |
| WAC_WARNED | Secure Browsing warned about an outdated/disallowed component |
| AT_P2P_DENIED | Not allowed to browse this P2P site |
| AT_COUNTRY_DENIED | Not allowed to access sites in country |
| AT_RES_WRI_DENIED | This page is unsafe (high PageRisk index) |
| AT_RES_BROWSER_EXPLOIT_DENIED | Not allowed because this page contains known browser exploits (response) |
| FILETYPE_DENIED | Not allowed to access this file type |
| FTP_DENIED | Not allowed to access to FTP sites |
| RATE_LIMITING_DENIED | Rate limiting done |
| CLOSED_PROXY_DENIED | Denied due to closed proxy |
| AT_UNKUA_DENIED | Not allowed to browse with unknown useragent |
| IM_WEBUSE_DENIED | Not allowed to use this IM site |
| AT_RES_IRC_TUNNELING_DENIED | IRC use/tunneling not allowed (response) |
| AT_RES_ANONYMIZER_DENIED | Use of anonymizing sites is not allowed (response) |
| AT_RES_BOTNET_CNC_DENIED | Detected possible botnet command and control traffic |
| AT_RES_MALWARE_DENIED | Destination contains potentially malicious content (response) |
| AT_RES_PHISHING_DENIED | Destination contains potential phishing content |
| AT_REQ_ADSPYWARE_DENIED | Detected possible adware/spyware traffic (request) |
| AT_RES_ADSPYWARE_DENIED | Detected possible adware/spyware traffic (response) |
| AT_REQ_WEBSPAM_DENIED | Not allowed to browse this webspam site |
| AT_RES_WEBSPAM_DENIED | Detected possible webspam traffic |
| METHOD_DENIED | Request method not allowed for this category |
| CATEGORY_DENIED_OVERRIDE | Not allowed to browse this category, needs override |
| DLP_DENIED_ARCHIVED | Violates Compliance Category, archived to mailbox |
| DLP_DENIED_ARCHIVE_FAILED | Violates Compliance Category, archive to mailbox failed |
| WM_SMAIL_DENIED | Not allowed to send webmail |
| MAPP_DENIED | Not allowed to use mobile App |
| AT_REQ_BROWSER_EXPLOIT_DENIED | Not allowed because this page contains known browser exploits (request) |
| BUP_WEBUSE_DENIED | Not allowed the use of this business site |
| ESC_WEBUSE_DENIED | Not allowed the use of this enterprise site |
| MAPPSTORE_WEBUSE_DENIED | Not allowed the use of this Mobile App Store |
| MAPP_INSECURE_COMMUNICATION_DENIED | Mobile App: insecure user credentials |
| MAPP_GEO_LOCATION_DENIED | Mobile App: location information leak |
| MAPP_PII_DENIED | Mobile App: personally identifiable information (PII) |
| MAPP_DEVICE_INFORMATION_DENIED | Mobile App: information identifying the device |
| MAPP_ADWARE_DENIED | Mobile App: communication with ad sites |
| MAPP_3RD_PARTY_COMMUNICATION_DENIED | Mobile App: communication with unknown servers |
| MAPP_MALWARE_DENIED | Mobile App: malicious behavior |
| MAPP_VULNERABLE_DENIED | Mobile App: known security vulnerabilities |
| CONS_WEBUSE_DENIED | Not allowed the use of this consumer site |
| DEV_WEBUSE_DENIED | Not allowed the use of this system and development site |
| SMKT_WEBUSE_DENIED | Not allowed the use of this sales and marketing site |
| OFW_WEBAPP_DENIED | Web application is blocked by Firewall rule |
| OFW_FTP_DENIED | FTP access is blocked by a firewall policy |
| HTTP_CONNECT_DENIED | Not allowed to use HTTP tunnel |
| AT_BA_QUARANTINED | Quarantined |
| AT_TUNNEL_DENIED | Not allowed to use tunnels |
| SERVER_ACCESS_DENIED | Access denied due to bad server certificate |
| FAKE_PROXY_AUTH_DENIED | Fake Proxy Authentication |
| CASB_WEBUSE_DENIED | Not allowed the use of this site with personal credentials |
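
An external site that receives the Custom redirect has to treat every query parameter as untrusted, because anyone can request the page with a hand-built query string. The following is an added example, not Zscaler code: it keeps only the parameter names listed above, maps kind and reasoncode through allowlists, HTML-escapes what it renders, and strips control characters before logging. The host blockpage.example.test, the function names, the length cap, and the sample request are assumptions made for illustration; the two lookup tables are excerpts of the lists above.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Parameter names listed on this page for the custom redirect URL.
KNOWN_PARAMS = ("action", "cat", "kind", "reason", "reasoncode", "referer",
                "rule", "timebound", "url", "user", "zsq")

# Excerpts of the kind and reasoncode lists on this page (not the full lists).
KIND_TO_POLICY = {
    "category": "URL Filtering Policy",
    "antivirus": "Malware Protection Policy",
    "data_leakage": "DLP Policy",
}
REASONCODE_TEXT = {
    "CATEGORY_DENIED": "Not allowed to browse this category",
    "BEYOND_TQUOTA": "Time quota exceeded daily limit",
    "DLP_DENIED": "Violates Compliance Category",
}

MAX_VALUE_LEN = 2048  # assumption: cap on the length of any stored value

# Constructed sample request (hypothetical host, made-up values). The url
# value carries markup and the user value carries an encoded newline.
SAMPLE_REQUEST = (
    "https://blockpage.example.test/blocked"
    "?kind=category&reasoncode=CATEGORY_DENIED&cat=Travel"
    "&url=http%3A%2F%2Fexample.test%2F%3Cscript%3Ex%3C%2Fscript%3E"
    "&user=alice%40example.test%0AFAKE+LOG+ENTRY&extra=ignored"
)


def parse_block_redirect(request_url):
    """Return the documented parameters only; values are still untrusted."""
    raw = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    params = {}
    for name in KNOWN_PARAMS:
        values = raw.get(name)
        if values:
            # First occurrence wins; repeated parameters are ignored.
            params[name] = values[0][:MAX_VALUE_LEN]
    return params


def log_line(params):
    """Build a single-line log record that cannot be split by the input."""
    fields = []
    for name in KNOWN_PARAMS:
        if name in params:
            clean = "".join(c if c.isprintable() else "?" for c in params[name])
            clean = clean.replace('"', "'")
            fields.append(f'{name}="{clean}"')
    return " ".join(fields)


def render_block_page(params):
    """Render the page body; free-form values are escaped, codes are looked up."""
    explanation = REASONCODE_TEXT.get(params.get("reasoncode", ""),
                                      "Access was blocked by policy")
    policy = KIND_TO_POLICY.get(params.get("kind", ""), "Unknown policy")
    # The blocked URL is shown as text only, never as a link or in an attribute.
    return (
        "<h1>Access blocked</h1>\n"
        f"<p>{escape(explanation)} ({escape(policy)})</p>\n"
        f"<p>Requested URL: <code>{escape(params.get('url', ''))}</code></p>\n"
        f"<p>User: {escape(params.get('user', 'unknown'))}</p>"
    )


if __name__ == "__main__":
    parsed = parse_block_redirect(SAMPLE_REQUEST)
    print(log_line(parsed))
    print(render_block_page(parsed))
```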


URL Categorization notifications display when users are blocked from accessing URLs that may have been misclassified.

  • URL Categorization: Enable to make changes to the URL Categorization notification. If you choose to disable this block notification, you will still see the modifications in the preview. However, if you save it, your users will not see these modifications.
  • Submit To: Users can request reviews when they are blocked from accessing URLs that may have been misclassified. See image. Choose whether users send their requests to the Zscaler service (Security Cloud) or to a site that you specify (Custom Location). If you choose Custom Location, the URL field will appear below.
    • URL: Enter the URL of the site to which the policy review requests are sent.
  • Notification Text: Enter the policy request message that appears in the URL Categorization notification. Any custom text you enter in the Notification Text and Notification Message fields appears in the block notifications.
    See image.

NOTE: You cannot change the other text in the block notifications because it is generated when users are blocked for policy violations. However, you can customize the appearance of the text or hide it with CSS styles.

 

 

Security Violation notifications display when users are blocked from accessing URLs that were identified as being infected with malware.

  • Security Violation: Enable to make changes to the Security Violation notifications. If you choose to disable this block notification, you will still see the modifications in the preview. However, if you save it, your users will not see these modifications.
  • Submit To: Users can request policy reviews when they are blocked from accessing URLs that were identified as being infected with malware. See image. Choose whether users send their requests to the Zscaler service (Security Cloud) or to a site that you specify (Custom Location). If you choose Custom Location, the URL field will appear below.
    • URL: Enter the URL of the site to which the policy review requests are sent.
  • Notification Text: Enter the policy review request message that appears in the Security Violation notification. Any custom text you enter in the Notification Text and Notification Message fields appears in the block notifications.
    See image.

NOTE: You cannot change the other text in the block notifications because it is generated when users are blocked for policy violations. However, you can customize the appearance of the text or hide it with CSS styles.

 

 

Web DLP Violation notifications display when users are blocked from posting to certain sites due to a Web DLP policy violation.

  • Web DLP Violation: Enable to make changes to the Web DLP Violation notifications. If you choose to disable this block notification, you will still see the modifications in the preview. However, if you save it, your users will not see these modifications.
  • Submit To: Users can request policy reviews when they are blocked from accessing or posting to certain sites due to a Web DLP policy violation. See image. Users can send their requests to a site that you specify. This field cannot be modified.
  • URL: Enter the URL of the site to which the policy review requests are sent.
  • Notification Text: Enter the policy request message that appears in the Web DLP Violation notification. Any custom text you enter in the Notification Text and Notification Message fields appears in the block notifications. See image.

NOTE: You cannot change the other text in the block notifications because it is generated when users are blocked for policy violations. However, you can customize the appearance of the text or hide it with CSS styles.

 

 

You can create an Acceptable Use Policy (AUP) statement and require users to accept it before the Zscaler service allows them to browse the Internet. Before users can browse the Internet, the service will display an AUP notification. See image.

When a user accepts the AUP, the service automatically logs the acceptance with the user’s login name and location. AUP acceptance logging cannot be turned off. See image.

To configure the AUP notification:

  1. Go to Administration > Resources > End User Notifications.
  2. Under Acceptable Use Policy (AUP), do the following:
    • Show AUP: Choose how often the service displays the AUP page, and configure accordingly. You can choose one of the predefined intervals or customize your own. The service tracks the AUP acceptance time and expiration for each user. The Zscaler service sets an AUP cookie when a user accepts the AUP. For example, if you select Weekly, the service displays the AUP page one week from when the AUP cookie was set. If the AUP cookie is not present, the service displays the AUP page the next time the user logs in.
  3. Under IT Support, enter one or more of the following contact details so users can seek additional information about why access to pages, files, or web applications is restricted.
    • Email: You can provide an email address for a contact who can explain your company's use of the Zscaler service to protect your network.
    • Phone: You can provide a phone number for a contact who can explain your company's use of the Zscaler service to protect your network. Following are examples of valid formats: 123-456-7890, +91-1234567890, 1234567890, +911234567890.
    • Policy Link: You can provide a URL pointing to a page you created on your company intranet that describes your current policy about using corporate network and Internet resources.

NOTE: This information appears on all notifications.

  4. Click Preview Template(s) to see what the AUP notification looks like after making changes. You can preview the notification as many times as you want.
  5. Click Save and activate the change.

 

The service never displays the AUP statement.

The service displays the AUP statement when a browser opens.

  • AUP Message (HTML): Enter or paste an "Acceptable Use" statement. You can enter HTML tags as well as images, as long as the image files are accessible from the Internet. You can also customize the appearance of the AUP with CSS styles.

The service displays the AUP statement every day.

  • AUP Message (HTML): Enter or paste an "Acceptable Use" statement. You can enter HTML tags as well as images, as long as the image files are accessible from the Internet. You can also customize the appearance of the AUP with CSS styles.

The service displays the AUP statement every week.

  • AUP Message (HTML): Enter or paste an "Acceptable Use" statement. You can enter HTML tags as well as images, as long as the image files are accessible from the Internet. You can also customize the appearance of the AUP with CSS styles.

The service displays the AUP statement when the user logs in.

  • AUP Message (HTML): Enter or paste an "Acceptable Use" statement. You can enter HTML tags as well as images, as long as the image files are accessible from the Internet. You can also customize the appearance of the AUP with CSS styles.

The service displays the AUP statement at your custom time interval.

  • Custom AUP Frequency (days): Enter the number of days, between 1 and 180 inclusive, that the service displays the AUP statement. For example, if you enter 30, the service will display the AUP statement every 30 days.
  • AUP Message (HTML): Enter or paste an "Acceptable Use" statement. You can enter HTML tags as well as images, as long as the image files are accessible from the Internet. You can also customize the appearance of the AUP with CSS styles.

The service displays the AUP statement on a specific day of the month.

  • Select Calendar Date: Choose the calendar date on which you want the service to display the AUP to users. For example, if you select 1, the service displays the AUP when users log in on the 1st of every month. If a user does not log in on the specified date, the service displays the AUP the next day the user logs in.

NOTE: If you choose a date that is not available for a given month (for example, the 31st), the service does not display the AUP that month.

  • AUP Message (HTML): Enter or paste an "Acceptable Use" statement. You can enter HTML tags as well as images, as long as the image files are accessible from the Internet. You can also customize the appearance of the AUP with CSS styles.

The service displays the AUP statement on a specific day of the week.

  • Select Day of the Week: Select the day of the week on which you want the service to display the AUP to users. For example, if you select Monday, the service displays the AUP when users log in on Monday every week.

NOTE: If a user does not log in on the specified day, the service displays the AUP the next day the user logs in.

  • AUP Message (HTML): Enter or paste an "Acceptable Use" statement. You can enter HTML tags as well as images, as long as the image files are accessible from the Internet. You can also customize the appearance of the AUP with CSS styles.

The service displays a Caution notification when a user browses to a site that is in a URL category configured with the Caution action. Users are allowed to access the site after acknowledging in this window that they are aware that doing so may conflict with normal corporate Internet Usage Policy. See image.

Note that the display of the caution page is per rule for all URL categories, except for the Miscellaneous or Unknown category. For example, if a URL filtering rule specifies a Caution action for the Travel category and the daily time quota is set to 15 minutes, the service displays the Caution notification when a user first tries to access a URL in the Travel category, but it does not display the notification for any of the other URLs in the Travel category until 15 minutes have elapsed.

For URLs in the Miscellaneous or Unknown category, the service displays the caution page per URL, as follows:

  • Every time a user browses to a URL in the Miscellaneous or Unknown category, regardless of the configured time interval.
  • Every time a user browses to a sub-domain of a URL that is in the Miscellaneous or Unknown category.

For example, when a user visits a URL in the Miscellaneous category, the service displays the Caution page. Then if the user goes to a sub-domain of that URL or another URL in the Miscellaneous category after two minutes, the service will again display the Caution page, even if the configured time interval is five minutes. Note that to use this feature, Dynamic Content Classification (configured through advanced URL policy settings) must be disabled.

NOTE: Zscaler recommends that you enable authentication on locations to allow the service to display caution notifications. To learn how to enable authentication, see How do I add a location?

To configure the caution notification:

  1. Go to Administration > Resources > End User Notifications.
  2. Under Configure Notifications, you must choose Default for the Notification Type, and then complete the following fields. See image. If you choose Custom, then you cannot use the default caution notification. 
    • Display Reason: Enable this to display why access to a site, file, or application was blocked or restricted in the end user notifications. This setting will affect the block notifications.
    • Display Company Name: Enable this to display the name of your organization in the end user notifications. This setting will affect the block notifications.
    • Display Company Logo: Enable to display the logo of your organization in the end user notification. You can upload your company logo on the Company Profile page. This setting will affect the block notifications.

NOTE: If you choose to disable these settings, the changes will not be reflected in the previews of the templates, but the changes will be seen by your users after you save them.

  3. Under Caution Notification, do the following:
    • Caution Interval: Choose the time interval at which the service displays the caution notification when a user attempts to access a restricted site. The recommended setting for complex websites, like Social Networking sites, is at least 5 minutes.
    • Enable Caution Per Domain: Enable to allow the service to display a Caution notification each time a user browses to a URL that is in the Miscellaneous or Unknown URL category. If you enable this feature, Dynamic Content Categorization (in advanced URL policy settings) must be disabled.
    • Caution Text: Enter the caution text that appears in the Caution notification.
      See image.

NOTE: You cannot change the other text in the caution notifications because it is generated when users are visiting sites that may violate your organization's usage policies. However, you can customize the appearance of the text or hide it with CSS styles.

  4. Under IT Support, enter one or more of the following contact details so users can seek additional information about why access to pages, files, or web applications is restricted.
    • Email: You can provide an email address for a contact who can explain your company's use of the Zscaler service to protect your network.
    • Phone: You can provide a phone number for a contact who can explain your company's use of the Zscaler service to protect your network. Following are examples of valid formats: 123-456-7890, +91-1234567890, 1234567890, +911234567890.
    • Policy Link: You can provide a URL pointing to a page you created on your company intranet that describes your current policy about using corporate network and Internet resources.

NOTE: This information appears on all notifications.

  5. Click Preview Template(s) to see what the caution notification looks like after making changes. You can preview the notification as many times as you want.
  6. Click Save and activate the change.

 

 

Click Preview Templates to see what the AUP, block, and caution notifications look like after making changes. You can preview the notification as many times as you want.
