If you have the Cloud Sandbox subscription, you can add rules to the Sandbox policy. You can configure different rules in your Sandbox policy to apply to different sets of users or to different locations. Also, see the recommended Sandbox policy.
To add a Sandbox rule:
- Go to Policy > Sandbox.
- Click Add Sandbox Rule.
- In the Edit Sandbox Rule window, do the following:
  - Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule's place in that order. You can change the value, but if you've enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
  - Admin Rank: This option appears if you enabled the Admin Rank feature in the Advanced Settings page. Enter a value from 1-7 (1 is the highest rank). Your assigned admin rank determines the values you can select; you cannot select a rank that is higher than your own. The rule's Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
  - Rule Name: Enter a unique name for the Sandbox rule, or use the default name.
  - Rule Status: Choose to Enable or Disable the rule. An enabled rule is actively enforced. A disabled rule is not enforced but keeps its place in the Rule Order scheme; the service simply skips it and moves on to the next rule.
  - File Types: Select the file types to which the rule applies. The file types you can select for your Sandbox policy include the following:
    - Windows Executable
    - Windows Library
    - Microsoft Office
    - Microsoft Excel
    - Microsoft PowerPoint
    - Microsoft RTF
    - Microsoft Word
    - Android Application Package
    - Web Content
  - URL Categories: Select Any to select all URL categories, or select specific URL categories. You can search for URL categories or click the Add icon to add a new category.
  - Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the Policy for Unauthenticated Traffic, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. You can search for users or click the Add icon to add a new user.
  - Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
  - Departments: Select Any to apply the rule to all departments, or select any number of departments. If you've enabled the Policy for Unauthenticated Traffic, you can select Special Departments to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.
    Any rule that applies to unauthenticated traffic must apply to all Groups and Departments. So, if you have chosen to apply this rule to unauthenticated traffic for either Users or Departments, select Any from the drop-down menus for Groups and Departments.
  - Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location.
  - Sandbox Categories: Select the types of malicious files:
    - Sandbox Adware: Refers to files that automatically render advertisements or install adware.
    - Sandbox Malware/Botnet: Refers to files that behave like APTs, exploits, botnets, trojans, keyloggers, spyware, and other malware.
    - Sandbox P2P/Anonymizer: Refers to files that contain anonymizers and P2P clients.
  - First-Time Action: Choose the action that Zscaler takes when a user downloads an unknown file:
    - Allow and do not scan: Allow users to download the file. The service does not send the file to the Sandbox engine for analysis.
    - Allow and scan: Allow users to download the file. The service sends the file to the Sandbox engine for analysis.
    - Quarantine: Quarantines the file while it's being analyzed. A quarantine notification is displayed, and the user can download the file only after the analysis completes.
  - Action for Subsequent Downloads: Choose to Allow or Block downloads of Sandbox-classified files that match the criteria above.
  - Description: Optionally, enter additional notes or information. The description cannot exceed 10,240 characters.
- Click Save and activate the change.
If you choose Block for Action for Subsequent Downloads, and a user attempts to download a malicious Sandbox classified file that matches the specified criteria, the Zscaler service displays a block notification and prevents the download.
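The following is an added illustration, not Zscaler code or its API, that models the rule semantics this page describes: ascending Rule Order evaluation, disabled rules keeping their place but being skipped, the Admin Rank precedence constraint, the per-rule limits (4 users, 8 groups, 8 locations, 10,240-character description), the "Any for Groups and Departments" requirement for unauthenticated-traffic rules, and the split between First-Time Action (unknown file) and Action for Subsequent Downloads (file already classified). The class and field names, the sample policy, the default-allow fallback when no rule matches, and the handling of a classified file that falls outside a rule's selected categories are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Selectable values taken from the page.
FILE_TYPES = {"Windows Executable", "Windows Library", "Microsoft Office",
              "Microsoft Excel", "Microsoft PowerPoint", "Microsoft RTF",
              "Microsoft Word", "Android Application Package", "Web Content"}
SANDBOX_CATEGORIES = {"Sandbox Adware", "Sandbox Malware/Botnet", "Sandbox P2P/Anonymizer"}
FIRST_TIME_ACTIONS = {"Allow and do not scan", "Allow and scan", "Quarantine"}
SUBSEQUENT_ACTIONS = {"Allow", "Block"}
ANY = None  # "Any" in the UI: the criterion places no restriction

@dataclass
class SandboxRule:
    # Field names are this example's own, not Zscaler API fields (assumption).
    order: int
    name: str
    enabled: bool
    file_types: Set[str]
    categories: Set[str]
    first_time_action: str
    subsequent_action: str
    admin_rank: int = 7
    users: Optional[Set[str]] = ANY
    groups: Optional[Set[str]] = ANY
    departments: Optional[Set[str]] = ANY
    locations: Optional[Set[str]] = ANY
    unauthenticated: bool = False  # Special Users / Special Departments selected
    description: str = ""

def validate_rule(r: SandboxRule) -> List[str]:
    """Return the page's per-rule constraints that this rule violates ([] = valid)."""
    checks = [
        (1 <= r.admin_rank <= 7, "Admin Rank must be 1-7"),
        (r.file_types <= FILE_TYPES, "unknown file type"),
        (r.categories <= SANDBOX_CATEGORIES, "unknown Sandbox category"),
        (r.first_time_action in FIRST_TIME_ACTIONS, "invalid First-Time Action"),
        (r.subsequent_action in SUBSEQUENT_ACTIONS, "invalid Action for Subsequent Downloads"),
        (r.users is ANY or len(r.users) <= 4, "at most 4 users"),
        (r.groups is ANY or len(r.groups) <= 8, "at most 8 groups"),
        (r.locations is ANY or len(r.locations) <= 8, "at most 8 locations"),
        (not r.unauthenticated or (r.groups is ANY and r.departments is ANY),
         "unauthenticated-traffic rule needs Any for Groups and Departments"),
        (len(r.description) <= 10240, "description exceeds 10,240 characters"),
    ]
    return [msg for ok, msg in checks if not ok]

def validate_policy(rules: List[SandboxRule]) -> List[str]:
    """Rule Order must be unique, and a higher Admin Rank (lower number) must precede a lower one."""
    ordered = sorted(rules, key=lambda r: r.order)
    problems = ["duplicate Rule Order"] if len({r.order for r in ordered}) != len(ordered) else []
    for a, b in zip(ordered, ordered[1:]):
        if a.admin_rank > b.admin_rank:
            problems.append(f"rule {a.order} (rank {a.admin_rank}) precedes rule {b.order} (rank {b.admin_rank})")
    return problems

@dataclass
class Download:
    file_type: str
    user: str
    group: str
    department: str
    location: str
    authenticated: bool = True
    verdict: Optional[str] = None  # None = unknown file; else the Sandbox category assigned

def _matches(r: SandboxRule, d: Download) -> bool:
    def ok(selection, value):
        return selection is ANY or value in selection
    if d.file_type not in r.file_types or not ok(r.locations, d.location):
        return False
    if d.authenticated:
        return ok(r.users, d.user) and ok(r.groups, d.group) and ok(r.departments, d.department)
    # Assumption: an unauthenticated transaction is reached only by a rule that selected
    # Special Users/Departments or left Users, Groups and Departments at Any.
    return r.unauthenticated or (r.users is ANY and r.groups is ANY and r.departments is ANY)

def evaluate(rules: List[SandboxRule], d: Download) -> str:
    """The first matching enabled rule in ascending Rule Order decides the action."""
    for r in sorted(rules, key=lambda r: r.order):
        if not r.enabled or not _matches(r, d):
            continue  # a disabled rule keeps its place in the order but is skipped
        if d.verdict is None:
            return r.first_time_action  # unknown file: First-Time Action applies
        if d.verdict in r.categories:
            return r.subsequent_action  # classified into a category this rule selected
        # classified outside this rule's categories: fall through to the next rule (assumption)
    return "Allow"  # assumption: with no matching rule the download proceeds unchanged

# Constructed sample policy: a rank-1 rule quarantines unknown executables for everyone and
# blocks later downloads once classified as malware; a rank-2 Office rule exists but is disabled.
POLICY = [
    SandboxRule(1, "Quarantine unknown executables", True, {"Windows Executable", "Windows Library"},
                {"Sandbox Malware/Botnet"}, "Quarantine", "Block", admin_rank=1),
    SandboxRule(2, "Scan Office documents", False, {"Microsoft Office", "Microsoft Word"},
                set(SANDBOX_CATEGORIES), "Allow and scan", "Block", admin_rank=2),
]
```

Run `validate_rule` on each rule and `validate_policy` on the whole list before treating a change-set as ready to activate; `evaluate(POLICY, Download(...))` then shows which action a given user and file type would receive, with `verdict=None` for a first-seen file and a Sandbox category name for a file the engine has already classified.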