Secure Internet and SaaS Access (ZIA)

About Public Service Edges

A key component of the Zscaler cloud, ZIA Public Service Edges are full-featured secure internet gateways that provide integrated internet security. They inspect all web traffic bi-directionally for malware and enforce security, compliance, and firewall policies. Each Public Service Edge has two main modules for inspecting traffic and applying policies: a web module and a firewall module. To learn more about how Public Service Edges apply policy, see About Policy Enforcement.

Public Service Edges are deployed in Zscaler data centers around the world and can handle hundreds of thousands of concurrent users with millions of concurrent sessions. Because of this, regardless of where your users are, they can access the internet from any device and the Public Service Edges protect their traffic and apply your corporate policies. With the exception of sandboxing, all inspection engines run within the Public Service Edge.

Public Service Edges have significant fault-tolerance capabilities. They are deployed in active-active mode to ensure availability and redundancy, and Zscaler monitors and maintains its Public Service Edges to ensure continuous availability.

Customer traffic is not passed to any other component within the Zscaler infrastructure and Public Service Edges never store any data to disk. Packet data is held in memory for inspection and then, based on policy, is either forwarded or dropped. Log data generated for every transaction is compressed, tokenized, and exported over secure TLS connections to Log Routers that direct the logs to the Nanolog cluster, hosted in the appropriate geographical region, for each organization. Further, Public Service Edges are all located in Zscaler data centers, which provide the highest level of data privacy and network security.

Zscaler typically recommends that organizations forward traffic to the Public Service Edges in the Zscaler cloud. However, there are occasionally situations in which a Public Service Edge is not the right choice. To learn more about alternatives, see Understanding Private Service Edge and About Virtual Service Edge.

Zscaler has also configured several Global (or Ghost) Public Service Edges across its clouds. These are dummy addresses known to every Public Service Edge that can be used in no-default-route environments. To learn more, see About Global Public Service Edges.

[Diagram: how ZENs (Public Service Edges) sit in the Zscaler cloud architecture]

Public Service Edges and the Central Authority

The Zscaler Central Authority (CA) hosts all customer policy and configuration settings. It monitors the cloud and provides a central location for software and database updates, and threat intelligence. To learn more about its function in the Zscaler architecture, see About the ZIA Cloud Architecture.

Given the multi-tenant Zscaler architecture, the CA is redundant and backed up in multiple Zscaler data centers. Public Service Edges establish a persistent connection to the CA in order to download all policy configurations. When a new user connects to a Public Service Edge, a policy request is sent to the CA through this connection. The CA then calculates the policies that apply to that user and sends the policy to the Public Service Edge as a highly compressed bitmap.

After it's downloaded, your policy is cached until a policy change is made in the ZIA Admin Portal. When this happens, all of your organization's cached policies are purged and the Public Service Edge requests the new policy when the user next makes a request. Since the Zscaler cloud “heartbeats” every second, all nodes are informed when there is a policy change. Any Public Service Edge can then pull the change in policy when it sees a new request from your organization. For your users, this means that no matter where they are, they use the new policy when they next connect to the Public Service Edge.

If there is a network failure or any other event that prevents the Public Service Edge from reaching or downloading the configuration from the CA, the Public Service Edge immediately switches to Safe mode. In Safe mode, Public Service Edges enforce all cached policies and log user access for user and location configurations (this information is already available in the cache). The node attempts to re-establish a connection to the CA every second. As soon as a healthy connection is restored, the node moves out of Safe mode.

While running in Safe mode, full security inspection is still enforced. When a request arrives for which the Public Service Edge cannot download the user or location policy, a default URL policy is applied. This default policy blocks access to all URLs in the Legal Liability URL category. To learn more about what's included in the Legal Liability category, see About URL Categories. No authentication is requested while running in this mode.
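The policy lifecycle described above (download on first request, cache, purge on an Admin Portal change, and the Safe mode fallback with its default Legal Liability block) can be walked through in a small model. The following is an added, constructed example and not Zscaler's code: the class names (CentralAuthority, PublicServiceEdge), the ping/fetch/tick methods, the organisation names "acme" and "beta", and the sample categories are all assumptions made for illustration.

```python
"""Simplified model of how a Public Service Edge caches policy from the Central
Authority (CA) and falls back to Safe mode. Constructed example, not Zscaler
code: every class, method and organisation name below is an assumption."""
from dataclasses import dataclass

# URL category blocked by the Safe-mode default policy (as the article states).
LEGAL_LIABILITY = "Legal Liability"


@dataclass(frozen=True)
class Policy:
    org: str
    version: int
    blocked_categories: frozenset


class CentralAuthorityUnreachable(Exception):
    """Raised when the CA cannot be reached (simulated network failure)."""


class CentralAuthority:
    """Holds every organisation's policy and notifies edges of changes."""

    def __init__(self):
        self.policies = {}      # org -> Policy
        self.edges = []         # Public Service Edges informed by the heartbeat
        self.reachable = True   # set to False to simulate a network failure

    def ping(self):
        if not self.reachable:
            raise CentralAuthorityUnreachable()

    def fetch(self, org):
        self.ping()
        return self.policies[org]

    def set_policy(self, org, blocked_categories):
        """Admin Portal change: bump the version and purge every edge's cache."""
        version = self.policies[org].version + 1 if org in self.policies else 1
        self.policies[org] = Policy(org, version, frozenset(blocked_categories))
        for edge in self.edges:          # the heartbeat carries the change to all nodes
            edge.purge(org)


class PublicServiceEdge:
    def __init__(self, ca):
        self.ca = ca
        self.cache = {}          # org -> Policy, downloaded on first request
        self.safe_mode = False
        ca.edges.append(self)

    def purge(self, org):
        """Drop the cached policy; the next request re-downloads it."""
        self.cache.pop(org, None)

    def tick(self):
        """Once per second: try to reach the CA and leave Safe mode if healthy."""
        try:
            self.ca.ping()
            self.safe_mode = False
        except CentralAuthorityUnreachable:
            self.safe_mode = True

    def decide(self, org, url_category):
        """Return 'allow' or 'block' for one request from `org`."""
        policy = self.cache.get(org)
        if policy is None:
            try:
                policy = self.cache[org] = self.ca.fetch(org)
                self.safe_mode = False
            except CentralAuthorityUnreachable:
                self.safe_mode = True
                # Safe mode with nothing cached: the default URL policy applies,
                # which blocks only the Legal Liability category.
                return "block" if url_category == LEGAL_LIABILITY else "allow"
        return "block" if url_category in policy.blocked_categories else "allow"


def run_scenario():
    """Walk through the lifecycle from the article; returns every decision."""
    ca = CentralAuthority()
    edge = PublicServiceEdge(ca)
    ca.set_policy("acme", {"Gambling"})                  # constructed org and policy
    ca.set_policy("beta", {"Gambling", LEGAL_LIABILITY})
    results = {}
    results["acme_cached"] = edge.decide("acme", "Gambling")          # downloads, caches
    results["acme_legal_normal"] = edge.decide("acme", LEGAL_LIABILITY)
    ca.set_policy("acme", {"Gambling", "Hacking"})       # admin change purges acme's cache
    results["acme_purged"] = "acme" not in edge.cache
    results["beta_cached"] = edge.decide("beta", "Gambling")           # downloaded before outage
    ca.reachable = False                                 # network failure
    edge.tick()
    results["safe_mode"] = edge.safe_mode
    results["beta_in_safe"] = edge.decide("beta", "Gambling")          # cached policy enforced
    results["acme_default_legal"] = edge.decide("acme", LEGAL_LIABILITY)  # default policy
    results["acme_default_other"] = edge.decide("acme", "Hacking")     # not in default policy
    ca.reachable = True
    edge.tick()
    results["recovered"] = not edge.safe_mode
    results["acme_after"] = edge.decide("acme", "Hacking")             # fresh download of v2
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The point the model makes is the asymmetry during an outage: an organisation whose policy was already cached keeps its full policy, while one whose cache was just purged by an Admin Portal change gets only the default Legal Liability block until the CA connection is restored on a later tick.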

Related Articles
About Public Service Edges
About Global Public Service Edges