Secure Internet and SaaS Access (ZIA)

About SSL Inspection Policy

SSL Inspection policies scan SSL traffic based on the source and destination of the traffic.

The SSL Inspection policies provide the following benefits and enable you to:

  • Simplify the deployment and ongoing operations of SSL inspection.
  • Address the compliance and operational environment requirements.
  • Inspect traffic for malware and data loss.
  • Allow, block, or restrict tenants.

Predefined Special Rules

Zscaler provides the following predefined special rules which you can enable or disable based on your requirements.

These rules are not editable and can only be implemented as is.

  • Zscaler-Recommended Exemptions rule: Predefined rule to automatically exempt known destinations that cannot be SSL inspected. This rule is enabled by default.
    • The Zscaler-recommended exemptions URL category contains a few dozen destinations that cannot be SSL inspected for various reasons, such as certificate pinning. This list also includes Zscaler-owned domains.
    • To discover the traffic that is not getting SSL inspected due to this rule, you can search the weblogs using the SSL Policy Reason field for the reason "Not inspected because of Zscaler best practices". The percentage of traffic that matches this rule is commonly very small and less than 1%.
    • While it is recommended not to inspect these domains, you can always disable the rule with the edit option. Alternatively, you can leave the rule enabled, but create higher order Inspect rules if you want to inspect only specific domains outside the list.
  • O365 tenant restriction inspection rules: Predefined rules to enable Office 365 Tenancy Restrictions for location and remote user traffic.
  • O365 One Click rules: Predefined rule, controlled by the Microsoft-Recommended and Legacy Office 365 One Click setting.
  • UCaaS One Click rules: Predefined rule, controlled by the UCaaS One Click configuration.
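
The weblog check described for the Zscaler-Recommended Exemptions rule can also be run offline over an exported log file. The following is an added example, not Zscaler code: it assumes the web logs were exported as CSV with columns named `host` and `ssl_policy_reason` (assumed names, adjust to your export), and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Reason text quoted on this page for the Zscaler-Recommended Exemptions rule.
EXEMPT_REASON = "Not inspected because of Zscaler best practices"

def build_sample_export():
    """Constructed sample: 397 inspected rows and 3 exempted rows (not real logs)."""
    lines = ["host,ssl_policy_reason"]  # assumed column names
    lines += [f"site{i % 20}.example.com,Inspected (placeholder)" for i in range(397)]
    lines += [f"pinned-app.example.net,{EXEMPT_REASON}"] * 2
    lines += [f"updates.example.org,{EXEMPT_REASON}"]
    return "\n".join(lines) + "\n"

def exemption_report(csv_text, host_col="host", reason_col="ssl_policy_reason",
                     expected_max_pct=1.0, top_n=5):
    """Summarise how much logged traffic skipped inspection because of the rule."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {host_col, reason_col} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    total = 0
    exempt_hosts = Counter()
    for row in reader:
        total += 1
        reason = (row[reason_col] or "").strip().casefold()
        if reason == EXEMPT_REASON.casefold():
            exempt_hosts[(row[host_col] or "").strip().lower()] += 1
    exempt = sum(exempt_hosts.values())
    pct = 100.0 * exempt / total if total else 0.0
    return {
        "total": total,
        "exempt": exempt,
        "exempt_pct": round(pct, 2),
        # Flag a share at or above what the page describes as typical (under 1%).
        "above_expected": pct >= expected_max_pct,
        "top_exempt_hosts": exempt_hosts.most_common(top_n),
    }

if __name__ == "__main__":
    print(exemption_report(build_sample_export()))
```

A share well above 1%, or an unfamiliar host among the top exempted destinations, is a prompt to review which traffic is bypassing inspection.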

About the SSL Inspection Policy Page

On the SSL Inspection Policy page (Policy > SSL Inspection), you can do the following:

  1. Add an SSL Inspection rule.
  2. View the recommended SSL Inspection policy.
  3. Select one of the following View by options to see the SSL Inspection rules accordingly:
    • Rule Order: Displays the rules based on the rule order. By default, the rules are listed in the ascending rule order.
    • Rule Label: Displays the rules based on the rule labels. The rules are grouped under the associated rule labels. You can expand or collapse all the rule labels using the Expand All or Collapse All buttons.
  4. Search for an SSL Inspection rule.
  5. View a list of all SSL Inspection rules. For each SSL Inspection rule, you can view:
    • Rule Order: The order of the rule.
    • Admin Rank: The admin rank of the rule.
    • Rule Name: The name of the rule.
    • Criteria: The criteria defined for the rule.
    • Action: The action configured for the rule.
    • Label and Description: The label and description of the policy rule, if available.
  6. Edit or duplicate an SSL Inspection rule.
  7. Modify the table and its columns.
  8. Go to the Intermediate CA Certificates page.