How do I configure the policy for unauthenticated traffic?

There might be scenarios in which the Zscaler service does not identify the user sending traffic to the service. For example, the service does not authenticate user traffic to URLs or cloud apps you have selected to exempt from authentication. In another example, the service might not authenticate user traffic because it is encrypted and SSL inspection is not enabled.

For policies where you can specify users and departments in the criteria, the Zscaler service enables you to specify which rules the service applies to such unauthenticated traffic. If your organization has a default block on web traffic (i.e., a URL filtering rule that blocks all traffic which is not explicitly allowed through the URL filtering policy), this feature can help you ensure that lack of authentication does not lead to an unnecessary block of user traffic.

The following applies when configuring a policy for unauthenticated traffic:

  • You must explicitly enable this feature in Advanced Settings before you can use it
  • Any rule that applies to unauthenticated traffic must apply to all Groups and Departments

Once the feature is enabled in Advanced Settings, you can specify whether a policy rule applies to unauthenticated traffic under the Departments criteria. For more granularity, you can specify the types of unauthenticated traffic to which the policy rule applies under the Users criteria. For example, you can apply a rule only when traffic is unauthenticated because of an exemption you specified, rather than for another reason.

Configuring the Policy for Unauthenticated Traffic

  1. Enable the Policy for Unauthenticated Traffic feature in Advanced Settings:
    1. Go to Administration > Advanced Settings.
    2. Under Policy for Unauthenticated Traffic, turn on Enable Policy for Unauthenticated Traffic.
    3. Click Save.

    Screenshot showing the Enable Policy for Unauthenticated Traffic option

  2. When selecting criteria for policy rules, you can choose to apply a rule only to specific types of unauthenticated traffic, or to all unauthenticated traffic.

    This option is available for all policies where you can specify Users and Departments in the criteria.

  • To apply a rule to specific types of traffic:
  1. Navigate to the applicable policy.
    For example, Policy > URL & Cloud App Control > URL Filtering Policy or Policy > Firewall Control > Firewall Filtering Policy.
  2. In the drop-down menu under Users, the service provides a General Users category as well as a Special Users category. Under General Users, select any users to which you want the rule to apply. Under Special Users, select the types of unauthenticated traffic to which you want the rule to also apply. The types of unauthenticated traffic are:
    • Unauthenticated User Agent: User traffic that cannot be authenticated because the user agent cannot be authenticated by the configured authentication method.
    • Unsupported Method: User traffic that cannot be authenticated because it uses HTTP methods that are not normally supported, such as FIND or PROPFIND.
    • Unauthenticated Protocol: User traffic that cannot be authenticated by the configured authentication method (for example, undecrypted HTTPS traffic).
    • Unauthenticated Proxy Port User: User traffic that comes from port 9480. Zscaler Enforcement Nodes (ZENs) accept web requests on ports 80, 443, 9400, 9480, and 9443. Any traffic generated from a known gateway location and destined to ZENs on proxy port 9480 bypasses authentication.
    • Miscellaneous Unauthenticated Transactions: User traffic that cannot be authenticated due to miscellaneous issues.
    • Authentication Bypass URL: User traffic to URLs or cloud apps you have selected under Authentication Bypass.
    • Unknown Kerberos User: User traffic that cannot be authenticated because it comes from an unknown Kerberos user.

    The example below is for a rule under the URL Filtering Policy (see screenshot).

  3. If you have chosen to apply this rule to unauthenticated traffic for either Users or Departments, select Any from the drop-down menus for Groups and Departments.
  4. After specifying other criteria for the rule as necessary, click Save and activate the change.
  • To apply a rule to all unauthenticated traffic:
  1. Navigate to the applicable policy.
    For example, Policy > URL & Cloud App Control > URL Filtering Policy or Policy > Firewall Control > Firewall Filtering Policy.
  2. In the drop-down menu under Departments, the service provides a Regular Departments category and a Special Departments category. Under Regular Departments, select any departments to which you want the rule to apply. Under Special Departments, select Unauthenticated Transactions if you want the rule to also apply to any unauthenticated traffic.

    The example below is for a rule under the URL Filtering Policy (see screenshot).

  3. If you have chosen to apply this rule to unauthenticated traffic for either Users or Departments, select Any from the drop-down menus for Groups and Departments.
  4. After specifying other criteria for the rule as necessary, click Save and activate the change.
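As an added illustration that is not part of this Zscaler article, the following Python model evaluates a small first-match policy against identified and unauthenticated transactions. It is a constructed model, not Zscaler's implementation: the matching semantics (a rule with Any for Users, Groups and Departments matches all traffic; a rule scoped to particular users, groups or departments reaches unauthenticated traffic only through its Special Users or Unauthenticated Transactions selections) are my reading of the text above, and the hostnames, user names, department names and reason labels are invented. It reproduces the default-block problem described in the introduction, shows the fix of selecting a special user type, and checks the constraint that such a rule must apply to all Groups and Departments.

```python
"""Toy first-match policy evaluator for identified vs. unauthenticated traffic.
Constructed model for illustration; the matching semantics are an assumption
drawn from the article, not Zscaler's code."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ANY = "ANY"
# The Special Users types from the article, as constructed labels.
UNAUTH_REASONS = {
    "unauthenticated_user_agent", "unsupported_method", "unauthenticated_protocol",
    "unauthenticated_proxy_port", "misc_unauthenticated", "auth_bypass_url",
    "unknown_kerberos_user",
}


@dataclass
class Transaction:
    host: str
    user: Optional[str] = None           # None: the service could not identify the user
    group: Optional[str] = None
    department: Optional[str] = None
    unauth_reason: Optional[str] = None  # set only when user is None


@dataclass
class Rule:
    name: str
    action: str                          # "ALLOW" or "BLOCK"
    hosts: Set[str] = field(default_factory=lambda: {ANY})
    users: Set[str] = field(default_factory=lambda: {ANY})
    groups: Set[str] = field(default_factory=lambda: {ANY})
    departments: Set[str] = field(default_factory=lambda: {ANY})
    special_users: Set[str] = field(default_factory=set)  # Special Users selections
    unauth_transactions: bool = False    # Unauthenticated Transactions (Special Departments)

    def targets_unauthenticated(self) -> bool:
        return bool(self.special_users) or self.unauth_transactions


def validate_rule(rule: Rule) -> None:
    """Reject rules that violate the constraints stated in the article."""
    unknown = rule.special_users - UNAUTH_REASONS
    if unknown:
        raise ValueError(f"{rule.name}: unknown special user type(s): {sorted(unknown)}")
    if rule.targets_unauthenticated() and (rule.groups != {ANY} or rule.departments != {ANY}):
        raise ValueError(f"{rule.name}: a rule for unauthenticated traffic must apply "
                         "to all Groups and Departments (select Any)")


def rule_is_valid(rule: Rule) -> bool:
    """Convenience wrapper: True when validate_rule accepts the rule."""
    try:
        validate_rule(rule)
        return True
    except ValueError:
        return False


def _selected(criterion: Set[str], value: Optional[str]) -> bool:
    return ANY in criterion or (value is not None and value in criterion)


def rule_matches(rule: Rule, txn: Transaction) -> bool:
    if not _selected(rule.hosts, txn.host):
        return False
    if txn.user is not None:  # identified user: ordinary criteria apply
        return (_selected(rule.users, txn.user) and _selected(rule.groups, txn.group)
                and _selected(rule.departments, txn.department))
    # Unauthenticated transaction (assumption of this model): an unscoped rule
    # (Any/Any/Any) still applies; a rule scoped to particular users, groups or
    # departments applies only through the special criteria.
    unscoped = rule.users == {ANY} and rule.groups == {ANY} and rule.departments == {ANY}
    return unscoped or rule.unauth_transactions or txn.unauth_reason in rule.special_users


def evaluate(rules: List[Rule], txn: Transaction) -> Tuple[str, str]:
    """Top-to-bottom first match; returns (rule name, action)."""
    for rule in rules:
        validate_rule(rule)
        if rule_matches(rule, txn):
            return rule.name, rule.action
    return "none", "NO_MATCH"  # product behaviour for no match is not described on the page


# Constructed scenario: Finance may reach an ERP SaaS; everything else is blocked.
DEFAULT_BLOCK = Rule("default-block", "BLOCK")
FINANCE_ALLOW = Rule("allow-finance-saas", "ALLOW", hosts={"erp.example.com"},
                     departments={"Finance"})
POLICY_BEFORE = [FINANCE_ALLOW, DEFAULT_BLOCK]

# Fix from the article: select the relevant special user type on the allow rule and
# set Groups/Departments to Any (the rule stays scoped through specific users).
FINANCE_ALLOW_FIXED = Rule("allow-finance-saas", "ALLOW", hosts={"erp.example.com"},
                           users={"alice", "bob"}, special_users={"auth_bypass_url"})
POLICY_AFTER = [FINANCE_ALLOW_FIXED, DEFAULT_BLOCK]

AUTHED = Transaction("erp.example.com", user="alice", group="Staff", department="Finance")
EXEMPTED = Transaction("erp.example.com", unauth_reason="auth_bypass_url")
UNDECRYPTED = Transaction("erp.example.com", unauth_reason="unauthenticated_protocol")

if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        for txn in (AUTHED, EXEMPTED, UNDECRYPTED):
            print(label, txn.user or txn.unauth_reason, evaluate(policy, txn))
```

Running the script prints the decision for each transaction under both policies: before the fix, both unauthenticated transactions fall through to the default block; after it, the exempted (Authentication Bypass URL) transaction is allowed while the undecrypted one is still blocked, because only the selected special user type was added. `rule_is_valid` is the check you would want before saving a rule that selects special user types but leaves Groups or Departments scoped.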

Screenshot of applying a Zscaler URL Filtering policy rule to specific types of unauthenticated traffic

Screenshot of applying a Zscaler URL Filtering policy rule to all unauthenticated traffic