Secure Internet and SaaS Access (ZIA)
Configuring Advanced Policy Settings
To configure the advanced policy settings:
- Go to Policy > URL & Cloud App Control.
- Click the Advanced Policy Settings tab.
Configure the following:
- Enable CIPA Compliance
Enable this option to activate the predefined CIPA Compliance Rule. To learn more, see About CIPA Compliance.
If you have exceeded the URL filtering policy rules limit, the following warning message appears:
You cannot enable CIPA compliance because you have reached the maximum number of URL filtering rules and the CIPA compliance rule cannot be auto-enabled for you. To enable CIPA compliance, you have to delete one of your URL filtering rules, and then enable CIPA compliance.
- Enable Suspicious New Domains Lookup
Enable this option to provide advanced protection to users against the newly registered and observed domains that are identified within hours of going live. This feature also identifies newly revived domains. These domains are often considered potentially malicious until they are well-known or categorized. Identifying them improves the overall security posture. This feature is a prerequisite for using the Newly Registered and Observed Domains and Newly Revived Domains URL categories in a policy rule.
Zscaler recommends enabling SSL inspection for these URL categories.
- Enable AI/ML based Content Categorization
Enable this option if you want the service to analyze the content of uncategorized websites using AI/ML tools to check if they belong to one of these URL categories:
If the service determines that a site belongs to one of these categories, it categorizes the site and applies the policies accordingly. When AI/ML based content categorization is enabled, the behavior of your policy depends on the response code.
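The response-code dependency is worked through below as an added Python example (not Zscaler code): a 3xx redirect and a 5xx server error are logged as allowed, any other code is enforced per the policy, and an audit pass lists the blocked-category sites that users still reached. The `WebTxn` record, its field names and the sample transactions are constructed for illustration and do not reflect Zscaler's log format.

```python
"""Added example (not Zscaler code): resolve the action actually enforced for an
AI/ML categorized site from your policy action and the server's HTTP response
code, then audit constructed log records for transactions that slipped through."""
from dataclasses import dataclass


@dataclass
class WebTxn:
    url: str
    category: str       # category assigned by AI/ML content categorization
    policy_action: str  # action your URL filtering policy sets for that category
    http_status: int    # response code returned by the origin server


def effective_action(policy_action: str, http_status: int) -> str:
    """Return the action enforced for an AI/ML categorized site.

    A 3xx redirect is allowed and followed, a 5xx server error is logged as
    allowed, and every other response code is enforced per the policy action.
    """
    if 300 <= http_status <= 399:
        return "allowed"
    if 500 <= http_status <= 599:
        return "allowed"
    return policy_action


def find_policy_exceptions(txns):
    """Transactions the policy would block but the response code let through.

    This is the review a defender runs over web logs to see which sites in a
    blocked category users actually reached via redirects or server errors.
    """
    return [t for t in txns
            if t.policy_action == "blocked"
            and effective_action(t.policy_action, t.http_status) == "allowed"]


# Constructed sample transactions (assumed layout, not real log data).
SAMPLE_TXNS = [
    WebTxn("http://example-bets.test/", "Gambling", "blocked", 302),
    WebTxn("http://example-bets.test/lobby", "Gambling", "blocked", 200),
    WebTxn("http://example-casino.test/", "Gambling", "blocked", 503),
    WebTxn("http://example-news.test/", "News", "allowed", 200),
]

if __name__ == "__main__":
    for t in find_policy_exceptions(SAMPLE_TXNS):
        print(f"{t.url} ({t.category}) reached despite block policy: HTTP {t.http_status}")
```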
For example, if your policy is set to block the Gambling category but the server responds with a 3xx (redirect) response code, Zscaler allows the transaction and follows the redirect. If the response code indicates a server error (5xx), the transaction is likewise logged as allowed. For any other response code, the site is blocked based on your policy.
- Enable Embedded Sites Categorization
Enable this option to allow the service to enforce the URL filtering policy for sites that are translated using translation service websites. For example, when this feature is enabled, if you have a policy that blocks www.gambling.com, and a user translates the page to another language using Google Translate, the service blocks the translated page.
- Enforce SafeSearch
Enable this if you want the service to return only safe content from searches on:
- AOL Video
- Ask
- Bing
- Dailymotion
- DuckDuckGo
- Flickr
- Friendster
- Yahoo
- YouTube
SSL Inspection must be enabled for this option.
- Enable Identity-based Block Override
Enable this option to allow authorized users to grant temporary access to blocked pages by using company-provided credentials, such as single sign-on credentials.
In companies that have SAML authentication and the Enable Identity-based Block Override option activated:
- Unauthorized users (e.g. Students) are temporarily allowed to access the blocked pages if authorized users (e.g. Teachers) reauthenticate for them in the SAML reauthentication prompt.
- Authorized users (e.g. Teachers) are temporarily allowed to access the blocked pages if they reauthenticate in the SAML reauthentication prompt.
Ensure that force reauthentication is enabled on the SAML IDP side so that the SAML reauthentication prompt appears when you override blocked pages. All other IDPs either support force reauthentication without any additional configuration or do not support it at all.
If your company uses the Okta IDP, clear the Disable Force Authentication option under the Sign On tab in the Okta SAML 2.0 application to enable forced reauthentication.
If you disable this option, the default block override behavior (hosted database) is applied. To learn more, see Configuring the URL Filtering Policy.
- Enable Microsoft-Recommended One Click Office 365 Configuration
Enabling this option allows Zscaler to enable local breakout for Office 365 traffic automatically without any manual configuration needed by customers. Enabling this option turns off SSL Interception for all Office 365 destinations as per Microsoft's recommendation. If you want to continue using existing granular controls for Office 365, disable this option and enable pre-existing configuration. To learn more, see About Microsoft One Click Options.
- Skype
While VoIP may be encouraged for its telephone cost savings, it may also be discouraged because of the high bandwidth utilization associated with it. The Zscaler service can block access to Skype, a popular P2P VoIP application.
- Unified Communications as a Service (UCaaS)
UCaaS is a cloud delivery model that offers communications and audio/video-based collaboration services. It's rapidly being adopted by enterprises of all sizes. Zscaler enables direct-to-cloud access for UCaaS applications like Zoom, GoTo, RingCentral, and Webex by enabling organizations to send traffic directly to application servers over the internet, instead of backhauling traffic over costly MPLS circuits.
Zscaler simplifies your UCaaS deployment by taking advantage of our global direct-to-cloud network, which improves user experience and application performance for your organization. If your organization uses any of the UCaaS applications, you can send all traffic from all your locations, including remote user traffic, through the Zscaler service. The Zscaler service provides a One-Click Configuration option for UCaaS apps which allows Zscaler to identify and map all IP ranges and domains, including ports and protocols for secure connectivity and better user experience. Zscaler partnered with all major UCaaS vendors (Zoom, GoTo, RingCentral, and Webex) and leverages the REST-based web services to keep this mapping up to date dynamically.
Enabling the Zoom, GoTo, RingCentral, or Webex option allows Zscaler to permit secure local breakout for that vendor's traffic automatically, without any manual configuration. When any of these options is enabled, SSL interception is turned off for all Zoom, GoTo, RingCentral, or Webex destinations, respectively. To continue using existing granular controls for Zoom, GoTo, RingCentral, or Webex traffic, disable the respective option and enable cloud application and firewall network application policies accordingly.
Also, when any of these options is enabled, a UCaaS One Click Rule is automatically created in the following policies:
- Firewall Control Policy and DNS Control Policy: The rule is created to allow traffic from Firewall.
- Cloud App Control Policy: The rule is created under the Collaboration & Online Meetings category to allow traffic destined to the Zoom, GoTo, RingCentral, or Webex UCaaS applications.
The Webex Connect application is not part of the Webex option.
- Gen AI Prompt Configuration
Generative AI prompts are a series of instructions that are provided as input to generative AI applications to get the desired response from them. The Zscaler service categorizes and stores prompts for generative AI applications. Enabling the following options allows Zscaler to categorize and store the prompts for the respective applications:
- ChatGPT
- Google Gemini
- Perplexity
- Poe
- Meta AI
The prompts for these applications are logged on the Web Insights Logs page.
The Zscaler service stores prompts up to a maximum of 2 KB in size for these applications.
- Click Save and activate the change.