Click to watch a video about Sandbox, including how to add rules to the policy.
If you have the Cloud Sandbox subscription, you can add rules to the Sandbox policy. You can configure different rules in your Sandbox policy to apply to different sets of users or to different locations. See also the recommended Sandbox policy.
To add a Sandbox rule:
- Go to Policy > Web > Sandbox.
- Click Add Sandbox Rule.
- In the Edit Sandbox Rule window, complete the following:
- Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule's place in the order. You can change the value, but if you've enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
- Admin Rank: This option appears if you enabled the Admin Rank feature in the Advanced Settings page.
Enter a value from 1-7 (1 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule's Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
- Rule Name: Enter a unique name for the Sandbox rule, or use the default name.
- Rule Status: Choose to Enable or Disable the rule. An enabled rule is actively enforced. A disabled rule is not actively enforced and doesn't lose its place in the Rule Order scheme. The service simply skips it and moves to the next rule.
- File Types: Select the file type(s) to which the rule applies. The file types you can select for your Sandbox policy include the following:
- Windows Executable
- Windows Library
- Microsoft Office
- Microsoft Excel
- Microsoft PowerPoint
- Microsoft RTF
- Microsoft Word
- Android Application Package
- Web Content
- URL Categories: Select Any to select all URL categories, or select specific URL categories. You can search for URL categories or click the Add icon to add a new category.
- Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the unauthenticated users policy, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. You can search for users or click the Add icon to add a new user.
- Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
- Departments: Select Any to apply the rule to all departments, or select any number of departments. If you've enabled the unauthenticated users policy, you can select Special Departments to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.
- Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location. To apply this rule to unauthenticated traffic, the rule must apply to all locations.
- Sandbox Categories: Select the type(s) of malicious files:
- Sandbox Adware: Refers to files that automatically render advertisements/install adware.
- Sandbox Malware/Botnet: Refers to files that behave like APTs, exploits, botnets, trojans, keyloggers, spyware, and other malware.
- Sandbox P2P/Anonymizer: Refers to files that contain anonymizers and P2P clients.
- Action: Choose to Allow or Block users from downloading the selected files.
- First Time: Enable to choose the action that Zscaler takes when a user downloads a file for the first time.
- First Time Action: Choose the action that Zscaler takes when a user downloads a file for the first time:
- Allow and do not scan: Allow users to download the files. The service does not send the files to the Sandbox engine for analysis.
- Allow and scan: Allow users to download the files. The service sends the files to the Sandbox engine for analysis.
- Quarantine: Quarantine files while they are being analyzed. A quarantine notification is displayed, and the user can only download the file after the analysis.
- Description: Optionally, enter additional notes or information. The description cannot exceed 10,240 characters.
- Click Save and activate the change.
If you choose Block for the Sandbox action, and a user attempts to download a file that is found to be malicious by the Sandbox engine, the Zscaler service displays a block notification and prevents the download.