Formatting CSV Files

Following is a field-value template for adding locations:

+, Location, <location-name>, <ip>, State, Country, Time Zone, Auth-Enable, XFF-Enable, Firewall-Enable, Bandwidth-Enable, Upload(Mbps), Download(Mbps), SurrogateIP-Enable, Digit-TimeUnit, vpn-type, vpn-username, Dedicated port,, <VirtualServiceEdgeName>, <VirtualServiceEdgeClusterName>, SurrogateIP-Enforced-KnownBrowsers, SurrogateIP Refresh Time, GRE-Enable, AUP-Enable, AUP Refresh Time, ManagedBy, Group Name, aupBlockInternetAccess-Enable, aupForceSSLInspection-Enable, Caution-Enable, IPS-Enable, Exclude-Manual-Group, Exclude-Dynamic-Group, Kerberos-Enable, Digest-Auth-Enable, Location-Type, Description, Basic-Auth-Enable, IoT-Discovery-Enable, City-GeoId, Geo-Override-Enable, Latitude, Longitude, CookiesAndProxy-Enable, IoT-Policy-Enable

The fields required for adding or deleting locations are:

• Add/Delete (Required): Enter + or - to indicate whether you want to add or delete a location. This field is required.
• Location (Required): Enter the word Location.
• Location name (Required): Enter the name of your location.
• IP (Required unless you enter a value for Dedicated Port, VPN-Type/VPN-userName, VirtualServiceEdgeCluster, or VirtualServiceEdgeClusterName): Enter the public IP address of the location. If you are not entering an IP address, leave the field blank. If you want to add multiple IP addresses to a location, you must enter a new row for each IP address. See example.

  For example, to add three different IP addresses for a location:

  +, Location, locationName1, 10.10.100.242, California, United States, America/San Francisco, Auth-Enable, XFF-Enable, Firewall-Enable, Bandwidth-Enable, 10, 100, SurrogateIP-Enable, 8Hours, FQDN, qwe@gsolanki1.com, Dedicated port,, vse1, vse2, SurrogateIP-Enforced-KnownBrowsers, 4Hours, GRE-Enable, AUP-Enable, 12Hours, ManagedBy, Group Name, aupBlockInternetAccess-Enable, aupForceSSLInspection-Enable, Caution-Enable, IPS-Enable, Exclude-Manual-Group, Exclude-Dynamic-Group, Kerberos-Enable, Digest-Auth-Enable, CORPORATE, This is a sample description for the location, Basic-Auth-Enable, IoT-Discovery-Enable, 5332748,,,, CookiesAndProxy-Enable, IoT-Policy-Enable
  +, IP, locationName1, 10.10.100.241
  +, IP, locationName1, 10.10.100.243
  +, IP, locationName1, 10.10.100.244

  Close
• State: Enter the state for the location. If you do not want to enter a state, or if the location is in a country outside the United States, leave the field blank.
• Country (Required): Enter the country for the location.
• Time Zone (Required): Enter the location time zone. When you specify the location in a policy, the service applies the policy according to the location's time zone. For example, if a Cloud App Control policy blocks posting to Facebook between 8 AM and 5 PM, and the rule is applied to locations in Spain and California, users at each location are blocked during their respective daytime hours.
• Auth-Enable (Required if entering a value in Dedicated Port or if enabling Surrogate IP): If you want to require users from this location to authenticate to the Zscaler service, enter Auth-Enable. If you do not want to enable authentication (or if you want to disable it for an existing location), leave the field blank.
• XFF-Enable: If this location uses proxy chaining to forward traffic to the service, and you want the service to discover the client RFC 1918 IP address from the XFF headers in HTTP requests and apply appropriate sublocation or user policies, enter XFF-Enable. If you do not want to enable this feature (or if you want to disable it for an existing location), leave the field blank.
• Firewall-Enable: If you want to enable firewall controls at the location, enter Firewall-Enable. If you do not want to enable firewall controls (or if you want to disable it for an existing location), leave the field blank.
• Bandwidth-Enable: If you want to enable bandwidth control for the location, enter Bandwidth-Enable. If you do not want to enable bandwidth control (or if you want to disable it for an existing location), leave the field blank.
  • Upload (Mbps) (Required if enabling bandwidth control): Enter the maximum upload bandwidth limit for the location. If you have not enabled bandwidth control, leave the field blank.
  • Download (Mbps) (Required if enabling bandwidth control): Enter the maximum upload bandwidth limit for the location. If you have not enabled bandwidth control, leave the field blank.
• SurrogateIP-Enable (If you enable this feature, Auth must be enabled): Enter SurrogateIP-Enable to enable Surrogate IP and map users to IP addresses for devices. If you do not want to enable Surrogate IP (or if you want to disable it for an existing location), leave the field blank. To learn more, see About Surrogate IP.
  • Digit-TimeUnit (Required if enabling Surrogate IP): If you're enabling Surrogate IP, specify how long after a completed transaction the service retains the IP-address-to-user mapping (e.g., 8Hours). If you have not enabled Surrogate IP, leave the field blank.
• VPN-type (Required unless you enter a value for IP, Dedicated port, VirtualServiceEdgeName, or VirtualServiceEdgeClusterName): If this location uses an IPSec VPN tunnel to forward traffic to the Zscaler service, enter the VPN type for the location (IP or FQDN). If you are not entering a VPN type, leave the field blank.
• VPN-userName (Required if you enter a VPN-type): For IP addresses, enter the gateway IP address given to Zscaler beforehand. For Fully Qualified Domain Name (FQDN), enter the FQDN that was given to Zscaler beforehand. If you did not enter a VPN type, leave the field blank.
• Dedicated Port (Required unless you enter a value for IP or VPN-type/VPN-userName, VirtualServiceEdgeName, or VirtualServiceEdgeClusterName): If you are entering a value here, you must also enable Auth. If the location is associated with a dedicated proxy port, enter the port number. If you are not adding a dedicated port, leave the field blank.
• VirtualServiceEdgeName (Required unless you enter a value for IP, Dedicated Port, VPN-type/VPN-userName, or VirtualServiceEdgeClusterName): If the location sends traffic to a Virtual Service Edge, enter a comma [,], then the name of the Virtual Service Edge. The comma is required because this is the place where the service expects to see the parent name for sublocations. You must add the comma to indicate there is no parent location here because this entry is not a sublocation. (A single Virtual Service Edge is used for testing purposes only, and in production environments, Virtual Service Edge clusters must be used.) If you are not adding a Virtual Service Edge, leave the field blank.
• VirtualServiceEdgeClusterName (Required unless you enter a value for IP, Dedicated Port, VPN-type/VPN-userName, or VirtualServiceEdgeName): If the location sends traffic to a Virtual Service Edge cluster, enter the name of the Virtual Service Edge cluster. If you are not adding a Virtual Service Edge cluster, leave the field blank.
• SurrogateIP-Enforced-KnownBrowsers (If you enable this feature, Surrogate IP must be enabled): To enable the Zscaler service to use the existing IP-address-to-user mapping to identify users sending traffic from known browsers, enter SurrogateIP-Enforced-KnownBrowsers. If you are not enabling surrogate IP for known browsers (or if you want to disable it for an existing location), leave the field blank.

  • SurrogateIP-Refresh Time (Required if you enable SurrogateIP-Enforced-KnownBrowsers): Specify the length of time that the Zscaler service can use IP-address-to-user mapping for authenticating users sending traffic from known browsers (e.g., 4Hours). After the defined period of time elapses, the service refreshes and revalidates the existing IP-address-to-user mapping so that it can continue to use the mapping for authenticating users on browsers. If you have not enabled surrogate IP for known browsers, leave the field blank.

    The refresh time for the revalidation of IP surrogacy must be shorter than the Dynamic Host Configuration Protocol (DHCP) lease time. Otherwise, the wrong user policies might be applied. Also, Zscaler recommends setting the SurrogateIP-Refresh Time to a time period shorter than what you specified for SurrogateIP-Idle Time.

• GRE-Enable: If you enabled Generic Routing Encapsulation (GRE) tunneling for this location, enter the information of the tunnel connected to the ZIA Public Service Edge. GRE tunnels are bound to locations only, not sublocations.
• AUP-Enable (If you enable this feature, Auth must be disabled): If you want to display an Acceptable Use Policy (AUP) for unauthenticated traffic, and require users to accept it at this location, enter AUP-Enable. If you do not want to enable AUP (or if you want to disable it for an existing location), leave the field blank.
  • AUP Refresh Time (Required if enabling AUP): Specify how frequently, in days, the AUP is displayed to users.

• Managed By: Enter the name of the partner that is managing the location. The valid partner names are:

  • Cisco Viptela
  • Citrix SD-WAN
  • CloudGenix
  • HPE Aruba
  • ngena
  • Riverbed SteelConnect
  • Silver Peak
  • VMware VeloCloud

  If the location is not being managed by a partner, leave the field blank.

• Group Name: Enter the location group name. Any sublocations inherit the group membership from their parent location. If you do not want to add this location to a group, leave the field blank.
• aupBlockInternetAccess-Enable (If you enable this feature, AUP-Enable must be enabled): If you want the Zscaler service to disable all access to the internet, including non-HTTP traffic, until the user accepts the AUP that is displayed to them, enter aupBlockInternetAccess-Enable.
• aupForceSSLInspection-Enable (If you enable this feature, AUP-Enable must be enabled): If you want to make SSL Inspection enforce an AUP for HTTPS traffic, enter aupForceSSLInspection-Enable.
• Caution-Enable (If you enable this feature, Auth must be disabled): If you want to display a caution notification to unauthenticated users, enter Caution-Enable. If you enable this feature, you must use one of the following methods to forward traffic to the service:
  • A GRE or IPSec tunnel without NAT
  • Forward proxy chaining with the XFF-Enable option turned on for the location
• IPS-Enable (If you enable this feature, firewall controls must be enabled): If you want to enable Intrusion Prevention System (IPS) controls at the location, enter IPS-Enable. If you do not want to enable IPS controls (or if you want to disable it for an existing location), leave the field blank.
• Exclude-Manual-Group: To prevent the location from being added to manual location groups, enter Exclude-Manual-Group. If you want to allow this location to be added to manual groups, leave the field blank.
• Exclude-Dynamic-Group: To prevent the location from being assigned to dynamic location groups, enter Exclude-Dynamic-Group. If you want to allow this location to be assigned to dynamic groups, leave the field blank.
• Kerberos-Enable (If you enable this feature, Auth must be enabled): If you want to enforce Kerberos authentication on all web traffic explicitly forwarded from the location and its associated dedicated ports, enter Kerberos-Enable. If you do not want to enable Kerberos authentication (or if you want to disable it for an existing location), leave the field blank.
• Digest-Auth-Enable: To enforce digest authentication on all web traffic explicitly forwarded from this location and its associated dedicated ports, enter Digest-Auth-Enable. If you do not want to enable digest authentication (or if you want to disable it for an existing location), leave the field blank.

• Location-Type: Enter any of the following location types to set it as the primary web traffic for the location:

  • CORPORATE
  • GUESTWIFI
  • IOT
  • SERVER

  This field is required.

• Description: (Optional) Enter additional notes or information. The description cannot exceed 1,024 characters.

• Basic-Auth-Enable: To enforce basic authentication on all web traffic explicitly forwarded from this location and its associated dedicated ports, enter Basic-Auth-Enable. If you do not want to enable basic authentication (or if you want to disable it for an existing location), leave the field blank.

  The following caveats apply to Basic Authentication:

  • The Cloud Service API Security feature must be enabled for your organization.
  • The Hosted DB user repository type with the Form-Based authentication type is supported.
  • The hosted users/passwords must be created or imported using a CSV file.
  • The users must be enrolled for basic authentication using the following APIs:
    • https://admin.<cloud>.net/api/v1/authenticatedSession
    • https://admin.<cloud>.net/api/v1/users/<userid>/enroll

  For the authenticatedSession API endpoint, admin user credentials and an API key are required. For the users API endpoint, you can get the user IDs using the browser developer tool on the User Management page.

  After the user enrollment, their credentials are used for the basic proxy authentication.

  Here is an example of basic proxy authentication:

  curl -ivk -x gateway.<cloud>.net:<port> -A "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0" -U "<username>@<domain.com>:<passwd>" example.com

  The user credentials are transferred in clear text when using basic authentication. So, you must use an IPSec tunnel from a router or firewall or an encrypted tunnel from cloud or branch connectors if you are forwarding the authenticated traffic over public internet.

• IoT-Discovery-Enable: To discover Internet of Things (IoT)/Operational Technology (OT) devices, servers, and unmanaged devices (e.g., personal user devices) at this location, enter IoT-Discovery-Enable. If you do not want to enable IoT discovery (or if you want to disable it for an existing location), leave the field blank.

  This field is available only if IoT discovery is enabled for your organization.

• City-GeoId: Enter the city geolocation ID. This field is required if you enable IoT discovery. If you want to use the latitude and longitude to derive the city geolocation ID, you can leave the field blank and enable the Geo-Override-Enable option and enter latitude and longitude.

• Geo-Override-Enable: To override the city geolocation ID with the desired latitude and longitude, enter Geo-Override-Enable. If you do not want to enable geo override, leave the field blank.

  You can add multiple locations in the same city using this option.

• Latitude: Enter the latitude of the city geolocation. This field is required if you enable geo override.
• Longitude: Enter the longitude of the city geolocation. This field is required if you enable geo override.
• CookiesAndProxy-Enable: To prevent additional authentication challenges to traffic using both cookie- and non-cookie-based authentication methods after the initial challenge, enter CookiesAndProxy-Enable.

• IoT-Policy-Enable: To enforce URL Filtering and Cloud App Control policy rules based on IoT machine learning (ML) classifications provided by the Zscaler AI/ML for this location, enter IoT-Policy-Enable.

  This field is available only if the IoT policy control is enabled for your organization.

Following is a sample field value for importing a location:

+, Location, locationName1, 10.10.100.242, California, United States, America/San Francisco, Auth-Enable, XFF-Enable, Firewall-Enable, Bandwidth-Enable, 10, 100, SurrogateIP-Enable, 8Hours, FQDN, qwe@gsolanki1.com, Dedicated port,, vse1, vse2, SurrogateIP-Enforced-KnownBrowsers, 4Hours, GRE-Enable, AUP-Enable, 12Hours, ManagedBy, Group Name, aupBlockInternetAccess-Enable, aupForceSSLInspection-Enable, Caution-Enable, IPS-Enable, Exclude-Manual-Group, Exclude-Dynamic-Group, Kerberos-Enable, Digest-Auth-Enable, CORPORATE, This is a sample description for the location, Basic-Auth-Enable, IoT-Discovery-Enable, 5332748,,,, CookiesAndProxy-Enable, IoT-Policy-Enable

Following is a field-value template for adding a sublocation to an existing location:

+, SubLocation, <subLocation-name>, <ip>, State, Country, Time Zone, Auth-Enable, XFF-Enable, Firewall-Enable, Bandwidth-Enable, Upload(Mbps), Download(Mbps), SurrogateIP-Enable, Digit-TimeUnit,,,, <parent-location-name>,,, SurrogateIP-Enforced-KnownBrowsers, SurrogateIP Refresh Time, GRE-Enable, AUP-Enable, AUP Refresh Time,,, aupBlockInternetAccess-Enable, aupForceSSLInspection-Enable, Caution-Enable, IPS-Enable, Exclude-Manual-Group, Exclude-Dynamic-Group, Kerberos-Enable, Digest-Auth-Enable, Location-Type, Description, Basic-Auth-Enable, IoT-Discovery-Enable, City-GeoId, Geo-Override-Enable, Latitude, Longitude, CookiesAndProxy-Enable, IoT-Policy-Enable

The fields required for adding or deleting sublocations are:

• Add/Delete (Required): Enter + or - to indicate whether you want to add or delete the following sublocation. This field is required.
• SubLocation (Required): Enter the word SubLocation.
• SubLocation-name (Required): Enter the name of your sublocation.
• IP (Required): Enter the internal IP address of the sublocation. If you want to add multiple IP addresses to a sublocation, you must enter a new row for each address. See example.

  For example, to add three different IP addresses for a sublocation:

  +, sublocationip, subLocationName1, 10.10.100.246, locationName1
  +, sublocationip, subLocationName1, 10.10.100.247, locationName1
  +, sublocationip, subLocationName1, 10.10.100.248, locationName1

  Close
• State: Enter the state for the sublocation. If you do not want to enter a state, or if the sublocation is in a country outside the United States, leave the field blank.
• Country (Required): Enter the country for the sublocation.
• Time Zone (Required): Enter the time zone for the sublocation. When you specify the sublocation in a policy, the service applies the policy according to the time zone of the sublocation. For example, if a Cloud App Control policy blocks posting to Facebook between 8 a.m. and 5 p.m., and the rule is applied to sublocations in Spain and California, users at each sublocation are blocked during their respective daytime hours.
• Auth-Enable (Required if enabling Surrogate IP): If you want to require users from this sublocation to authenticate to the Zscaler service, enter Auth-Enable. If you do not want to enable authentication (or if you want to disable it for an existing sublocation), leave the field blank.
• XFF-Enable: If this sublocation uses proxy chaining to forward traffic to the service, and you want the service to discover the client RFC 1918 IP address from the XFF headers in HTTP requests and apply appropriate sublocation or user policies, enter XFF-Enable. If you do not want to enable this feature (or if you want to disable it for an existing sublocation), leave the field blank.
• Firewall-Enable: If you want to enable firewall controls at the sublocation, enter Firewall-Enable. If you do not want to enable firewall controls (or if you want to disable it for an existing sublocation), leave the field blank.
• Bandwidth-Enable: If you want to enable bandwidth control for the sublocation, enter Bandwidth-Enable. If you do not want to enable bandwidth control (or if you want to disable it for an existing sublocation), leave the field blank.
  • Upload (Mbps) (Required if enabling bandwidth control): Enter the maximum upload bandwidth limit for the sublocation. If you have not enabled bandwidth control, leave the field blank.
  • Download (Mbps) (Required if enabling bandwidth control): Enter the maximum download bandwidth limit for the sublocation. If you have not enabled bandwidth control, leave the field blank.
• SurrogateIP-Enable (If you enable this feature, Auth must be enabled): To enable Surrogate IP and map users to IP addresses for devices, enter SurrogateIP-Enable. If you do not want to enable Surrogate IP (or if you want to disable it for an existing sublocation), leave the field blank. To learn more, see About Surrogate IP.
  • Digit-TimeUnit (Required if you enable Surrogate IP): If you're enabling Surrogate IP, specify how long after a completed transaction the service retains the IP-address-to-user mapping (e.g., 8Hours). If you have not enabled Surrogate IP, leave the field blank.
• VPN-type: You cannot enter a value for this field. Enter a comma to indicate that this field is empty.
• VPN-username: You cannot enter a value for this field. Enter a comma to indicate that this field is empty.
• Dedicated port: You cannot enter a value for this field. Enter a comma to indicate that this field is empty.
• Parent Location Name (Required): Enter the name of the parent location to which this sublocation belongs.
• VirtualServiceEdgeName: You cannot enter a value for this field. Enter a comma to indicate that this field is empty.
• VirtualServiceEdgeClusterName: You cannot enter a value for this field. Enter a comma to indicate that this field is empty.
• SurrogateIP-Enforced-KnownBrowsers (If you enable this feature, SurrogateIP must be enabled): To enable the Zscaler service to use the existing IP-address-to-user mapping to identify users sending traffic from known browsers, enter SurrogateIP-Enforced-KnownBrowsers. If you are not enabling Surrogate IP for known browsers (or if you want to disable it for an existing sublocation), leave the field blank.

  • SurrogateIP-Refresh Time (Required if you enable SurrogateIP-Enforced-KnownBrowsers): Specify the length of time that the Zscaler service can use IP-address-to-user mapping for authenticating users sending traffic from known browsers (e.g., 4Hours). After the defined period of time elapses, the service refreshes and revalidates the existing IP-address-to-user mapping so that it can continue to use the mapping for authenticating users on browsers. If you have not enabled surrogate IP for known browsers, leave the field blank.

    The refresh time for the revalidation of IP surrogacy must be shorter than the DHCP lease time. Otherwise, the wrong user policies might be applied. Also, Zscaler recommends setting the SurrogateIP-Refresh Time to a time period shorter than what you specified for SurrogateIP-Idle Time.

• GRE-Enable: If you enabled GRE tunneling for this location, enter the information of the tunnel connected to the ZIA Public Service Edge. GRE tunnels are bound to locations only, not sublocations.
• AUP-Enable (If you enable this feature, Auth must be disabled): If you want to display an Acceptable Use Policy (AUP) for unauthenticated traffic, and require users to accept it at this sublocation, enter AUP-Enable. If you do not want to enable AUP (or if you want to disable it for an existing sublocation), leave the field blank.
  • AUP Refresh Time (Required if enabling AUP): Specify how frequently, in days, the AUP is displayed to users.
  • aupBlockInternetAccess-Enable: If you want the Zscaler service to disable all access to the internet, including non-HTTP traffic, until the user accepts the AUP that is displayed to them, enter aupBlockInternetAccess-Enable.
  • aupForceSSLInspection-Enable: If you want to make SSL Inspection enforce an AUP for HTTPS traffic, enter aupForceSSLInspection-Enable.
• Caution-Enable (If you enable this feature, Auth must be disabled): If you want to display a caution notification to unauthenticated users, enter Caution-Enable. If you enable this feature, you must use one of the following methods to forward traffic to the service:
  • A GRE or IPSec tunnel without NAT
  • Forward proxy chaining with the XFF-Enable option turned on for the sublocation
• IPS-Enable (If you enable this feature, firewall controls must be enabled): If you want to enable IPS controls at the sublocation, enter IPS-Enable. If you do not want to enable IPS controls (or if you want to disable it for an existing sublocation), leave the field blank.
• Exclude-Manual-Group: To prevent the sublocation from being added to manual location groups, enter Exclude-Manual-Group. If you want to allow this sublocation to be added to manual groups, leave the field blank.
• Exclude-Dynamic-Group: To prevent the sublocation from being assigned to dynamic location groups, enter Exclude-Dynamic-Group. If you want to allow this sublocation to be assigned to dynamic groups, leave the field blank.
• Kerberos-Enable (If you enable this feature, Auth must be enabled): If you want to enforce Kerberos authentication on all web traffic explicitly forwarded from the sublocation and its associated dedicated ports, enter Kerberos-Enable. If you do not want to enable Kerberos authentication (or if you want to disable it for an existing sublocation), leave the field blank.
• Digest-Auth-Enable: To enforce digest authentication on all web traffic explicitly forwarded from this sublocation and its associated dedicated ports, enter Digest-Auth-Enable. If you do not want to enable digest authentication (or if you want to disable it for an existing sublocation), leave the field blank.

• Basic-Auth-Enable: To enforce basic authentication on all web traffic explicitly forwarded from this sublocation and its associated dedicated ports, enter Basic-Auth-Enable. If you do not want to enable basic authentication (or if you want to disable it for an existing sublocation), leave the field blank.

  The following caveats apply to Basic Authentication:

  • The Cloud Service API Security feature must be enabled for your organization.
  • The Hosted DB user repository type with the Form-Based authentication type is supported.
  • The hosted users/passwords must be created or imported using a CSV file.
  • The users must be enrolled for basic authentication using the following APIs:
    • https://admin.<cloud>.net/api/v1/authenticatedSession
    • https://admin.<cloud>.net/api/v1/users/<userid>/enroll

  For the authenticatedSession API endpoint, admin user credentials and an API key are required. For the users API endpoint, you can get the user IDs using the browser developer tool on the User Management page.

  After the user enrollment, their credentials are used for the basic proxy authentication.

  Here is an example of basic proxy authentication:

  curl -ivk -x gateway.<cloud>.net:<port> -A "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0" -U "<username>@<domain.com>:<passwd>" example.com

  The user credentials are transferred in clear text when using basic authentication. So, you must use an IPSec tunnel from a router or firewall or an encrypted tunnel from cloud or branch connectors if you are forwarding the authenticated traffic over public internet.

• Location-Type: Enter any of the following location types to set it as the primary web traffic for the sublocation:

  • CORPORATE
  • GUESTWIFI
  • IOT
  • SERVER

  This field is required.

• Description: (Optional) Enter additional notes or information. The description cannot exceed 1,024 characters.

• IoT-Discovery-Enable: To discover IoT/OT devices, servers, and unmanaged devices (e.g., personal user devices) at this sublocation, enter IoT-Discovery-Enable. If you do not want to enable IoT discovery (or if you want to disable it for an existing sublocation), leave the field blank.

  This field is available only if IoT discovery is enabled for your organization.

• City-GeoId: Enter the city geolocation ID. This field is required if you enable IoT discovery. If you want to use the latitude and longitude to derive the city geolocation ID, leave the field blank, enable the Geo-Override-Enable option and enter latitude and longitude.

• Geo-Override-Enable: To override the city geolocation ID with the desired latitude and longitude, enter Geo-Override-Enable. If you do not want to enable geo override, leave the field blank.

  You can add multiple sublocations in the same city using this option.

• Latitude: Enter the latitude of the city geolocation. This field is required if you enable geo override.
• Longitude: Enter the longitude of the city geolocation. This field is required if you enable geo override.
• CookiesAndProxy-Enable: To prevent additional authentication challenges to traffic using both cookie- and non-cookie-based authentication methods after the initial challenge, enter CookiesAndProxy-Enable.

• IoT-Policy-Enable: To enforce URL Filtering and Cloud App Control policy rules based on IoT ML classifications provided by the Zscaler AI/ML for this sublocation, enter IoT-Policy-Enable.

  This field is available only if the IoT policy control is enabled for your organization.

Following is a sample field value for adding a sublocation to an existing location:

+, SubLocation, subLocationName1, 10.10.100.245, California, United States, America/San Francisco, Auth-Enable, XFF-Enable, Firewall-Enable, Bandwidth-Enable, 10, 100, SurrogateIP-Enable, 20Hours,,,, locationName1,,, SurrogateIP-Enforced-KnownBrowsers, 4Hours, GRE-Enable, AUP-Enable, 12Hours,,, aupBlockInternetAccess-Enable, aupForceSSLInspection-Enable, Caution-Enable, IPS-Enable​, Exclude-Manual-Group, Exclude-Dynamic-Group, Kerberos-Enable, Digest-Auth-Enable, Basic-Auth-Enable, IOT, This is a sample description for the sublocation IoT-Discovery-Enable, 5332748,,,, CookiesAndProxy-Enable, IoT-Policy-Enable

Following is a field-value template for adding an IP address to an existing location:

+, IP, <location-name>, <ip>

The fields required for adding or deleting IP addresses are:

• Add/Delete: Enter + or - to indicate whether you want to add or delete the IP address for the location.
• IP: Enter the word IP.
• Location-name: Enter the name of the location to which you want to add the IP address.
• IP address: Enter the IP address.

Following is a sample field-value for adding an IP address to an existing location:

+, IP, locationName1, 10.10.36.92

Following is a field-value template for adding an IP address to an existing sublocation:

+, sublocationip, <sublocation-name>, <ip>, <parentLocation-name>

The fields required for adding or deleting IP addresses are:

• Add/Delete: Enter + or - to indicate whether you want to add or delete the IP address for the sublocation.
• Sublocationip: Enter the word sublocationip.
• Sublocation-name: Enter the name of the sublocation to which you want to add the IP address.
• IP address: Enter the IP address.
• ParentLocation-name: Enter the name of the location to which the sublocation belongs.

Following is a sample field-value for adding an IP address to an existing sublocation:

+, sublocationip, sublocationName1, 10.10.1.1, locationName1

Following is a field-value template for adding a VPN to an existing location:

+, VPN, <location-name>, <vpn-type>, <vpn-username>

The fields required for adding or deleting VPNs are:

• Add/Delete: Enter + or - to indicate whether you want to add or delete the VPN information for the location.
• VPN: Enter the word VPN.
• Location-name: Enter the name of the location to which you want to add the VPN information.
• VPN-type: Enter the VPN type (IP or FQDN).
• VPN-userName: Enter the VPN username. For IP addresses, enter the gateway IP address that your organization provided to Zscaler. For FQDN, enter the FQDN that your organization provided to Zscaler.

Following is a sample field-value for adding a VPN to an existing location:

+, VPN, locationName1, IP, 95.132.125.146

Following is a field-value template for adding a dedicated proxy port to an existing location:

+, PORT, <location-name>, <Dedicated port>

The fields required for adding or deleting dedicated proxy ports are:

• Add/Delete: Enter + or - to indicate whether you want to add or delete the port for the location.
• PORT: Enter the word PORT.
• Location-name: Enter the name of the location to which you want to add the port.
• Dedicated port: Enter the port number for the location.

Following is a sample field-value for adding a dedicated proxy port to an existing location:

+, PORT, locationName1, 10002

Following is a field-value template for adding a Virtual Service Edge to an existing location:

+, VirtualServiceEdge, <location-name>, <VirtualServiceEdgeName>

The fields required for adding or deleting Virtual Service Edges are:

• Add/Delete: Enter + or - to indicate whether you want to add or delete the Virtual Service Edge for the location.
• VirtualServiceEdge: Enter the word VirtualServiceEdge.
• Location-name: Enter the name of the location to which you want to add the Virtual Service Edge.
• VirtualServiceEdgeName: Enter the name of the Virtual Service Edge.

Following is a sample field-value for adding a Virtual Service Edge to an existing location:

+, VirtualServiceEdge, locationName1, VSEOne

Following is a field-value template for adding a Virtual Service Edge cluster to an existing location:

+, VirtualServiceEdgeCluster, <location-name>, <VirtualServiceEdgeClusterName>

The fields required for adding or deleting Virtual Service Edge clusters are:

• Add/Delete: Enter + or - to indicate whether you want to add or delete the Virtual Service Edge cluster for the location.
• VirtualServiceEdgeCluster: Enter the word VirtualServiceEdgeCluster.
• Location-name: Enter the name of the location to which you want to add the Virtual Service Edge cluster.
• VirtualServiceEdgeClusterName: Enter the name of the Virtual Service Edge cluster.

Following is a sample field-value for adding a Virtual Service Edge cluster to an existing location:

+, VirtualServiceEdgeCluster, locationName1, VSEClusterOne