Configuring Fail-Open Settings for the Zscaler App


There can be situations in which the Zscaler App must automatically disable its Web Security service and allow users to bypass the app and access the Internet directly, for example:

  • Your users might try to access the Internet from an airport or a cafe where a captive portal configured on the network requires users to pay or accept an acceptable use policy before connecting. You can configure your app fail-open settings so that when the Zscaler App detects a captive portal, it automatically disables its services for a specified period of time, allowing users first to complete the steps necessary to access the network.
  • The Zscaler App might run into issues reaching Zscaler Enforcement Nodes (ZEN). If so, you can choose to allow users to bypass the app and access the Internet directly, or if you prefer, disable users' access to the Internet altogether.  
  • The Zscaler App might run into issues properly setting up its Z-tunnel (i.e., the lightweight tunnel it uses to forward traffic to ZENs). If so, you can choose to allow users to bypass the app and access the Internet directly, or if you prefer, disable users' access to the Internet altogether.  

Configuring Fail-Open Settings

  1. In the Zscaler App portal, go to Administration.
  2. From the left menu, go to Zscaler App Support.
  3. In the App Fail Open tab, do the following:
    • Under If Captive Portal detected, then disable Web Security for: 
      • To enable captive portal detection:
        • Enter the number of minutes the app must keep its services disabled upon detection of a captive portal. You can enter any value from 1 to 60 minutes. After the specified period of time, the app will enable its services automatically and traffic will be forwarded to the Zscaler service.
      • To disable the captive portal detection: 
        • Enter the value 0. The app will not perform captive portal detection and will not fail open to a direct connection.
    • Under If Zscaler Proxy Node (ZEN) is not reachable, then, select one of the following options:
      • Fail Open to Bypass: Users are allowed to bypass the app and access the Internet directly
      • Disable Internet Access: Users are blocked from accessing the Internet 

      The app will continue to attempt reaching the ZEN in the background and automatically re-enable itself once it successfully reaches the ZEN.

    • Under If Zscaler App Tunnel Setup Fails, select one of the following options:
      • Fail Open to Bypass: Users are allowed to bypass the app and access the Internet directly
      • Disable Internet Access: Users are blocked from accessing the Internet

      The app will continue to attempt establishing the tunnel in the background and automatically re-enable itself once it's successful.

  4. Click Save.

Screenshot of the App Fail Open tab in the Zscaler App Support page of the Zscaler App Portal
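
A small model of the fail-open behaviour configured above, added here as an illustration and not Zscaler code or a Zscaler API: it counts how many minutes of a constructed timeline a device sends traffic directly under different settings. The class and function names, the sample timeline, and the assumption that an active captive portal window takes precedence over the ZEN and tunnel rules are all hypothetical.

```python
from dataclasses import dataclass

FAIL_OPEN = "Fail Open to Bypass"
DISABLE = "Disable Internet Access"

@dataclass
class FailOpenSettings:  # hypothetical model of the App Fail Open tab
    captive_portal_minutes: int  # 0 disables detection, otherwise 1 to 60
    zen_unreachable: str
    tunnel_setup_fails: str

    def __post_init__(self):
        if not 0 <= self.captive_portal_minutes <= 60:
            raise ValueError("captive portal value must be 0 or 1 to 60 minutes")
        for action in (self.zen_unreachable, self.tunnel_setup_fails):
            if action not in (FAIL_OPEN, DISABLE):
                raise ValueError(f"unknown action: {action!r}")

def traffic_state(s, minute, portal_detected_at, zen_reachable, tunnel_up):
    """Return 'direct', 'blocked' or 'forwarded' for one minute."""
    # Assumption: while the captive portal window is open, Web Security is
    # disabled regardless of ZEN or tunnel state. A value of 0 never opens it.
    window = s.captive_portal_minutes
    if portal_detected_at is not None and 0 <= minute - portal_detected_at < window:
        return "direct"
    if not zen_reachable:
        return "direct" if s.zen_unreachable == FAIL_OPEN else "blocked"
    if not tunnel_up:
        return "direct" if s.tunnel_setup_fails == FAIL_OPEN else "blocked"
    return "forwarded"

def unfiltered_minutes(s, timeline):
    """Count minutes in which traffic bypasses the Zscaler service."""
    return sum(1 for row in timeline if traffic_state(s, *row) == "direct")

# Constructed sample: portal detected at minute 0, ZEN unreachable during
# minutes 0-4 (portal not yet accepted) and 20-24 (outage), tunnel always up.
SAMPLE = [(m, 0, not (m < 5 or 20 <= m < 25), True) for m in range(30)]

if __name__ == "__main__":
    for label, s in {
        "10 min portal, fail open": FailOpenSettings(10, FAIL_OPEN, FAIL_OPEN),
        "10 min portal, fail closed": FailOpenSettings(10, DISABLE, DISABLE),
        "no portal detection, fail closed": FailOpenSettings(0, DISABLE, DISABLE),
    }.items():
        print(f"{label}: {unfiltered_minutes(s, SAMPLE)} of {len(SAMPLE)} minutes direct")
```
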