The cloud service API includes updates to the following categories of endpoints to extend programmatic access to specific ZIA features and functionalities:

• Admin & Role Management

  You can retrieve information about the current administrator or auditor user accessing the API using the new GET /adminUsers/me endpoint.

  Close
• System Audit Report

  You can retrieve the System Audit Report and the information available in specific report sections using the following endpoints:

  • GET /configAudit
  • GET /configAudit/ipVisibility
  • GET /configAudit/pacFile

  Close

To learn more about each endpoint, see the API Reference and API Rate Limit Summary.

Using the DNS Control policy, you can redirect users to a new Zscaler-provided end user notification (EUN) web page to inform users of your organization policy when they access restricted domains. You can do this by selecting the Redirect Response action in the DNS Control rule and by manually specifying the following IP address for the Zscaler-hosted notification web page: 34.215.46.88.

See image.

To learn more, see Configuring the DNS Control Policy.

The following are new predefined DLP Dictionaries:

• National Identification Number (Chile RUN)
• National Identification Number (Peru CUI)
• National Document ID (Uruguay)

To learn more, see Understanding Predefined DLP Dictionaries.

In ZIA isolation profiles, the cookie persistence toggle has been updated to be called Persistent State.

See image.

Close

To learn more, see Using Persistent State for Isolation and Creating Isolation Profiles for ZIA.

You can configure granular Smart Browser Isolation policies for specific users or groups from the Secure Browsing page. As part of this change, the following fields are added to the Smart Isolate tab (Policy > Secure Browsing > Smart Isolate):

• Users
• Groups

These fields appear only when the Enable AI/ML based Smart Browser Isolation option is enabled.

See image.

To learn more, see Configuring Smart Browser Isolation Policy.

The Firewall policy allows you to manage outbound and inbound traffic for cloud service providers such as Amazon Web Services (AWS) and Google Cloud Platform (GCP), along with their subservices, using the newly added AWS and GCP application service groups. These application service groups are defined using the metadata including IP addresses published by the respective providers to identify the traffic belonging to their services. Zscaler continuously updates and validates the latest IP addresses published by the providers, ensuring that organizations have the most up-to-date information for traffic identification and policy enforcement.

See image.

To learn more, see About Application Service Groups and Configuring the Firewall Filtering Policy.

For Advanced Sandbox users, all malicious samples are analyzed twice automatically, first through an unpatched vulnerable VM (Zero Day Report or Fully Patched VM Report) and then a second time through the fully patched secured VM (Regular Report). This allows you to compare the report outputs to identify mitigation effectiveness and potential risk.

See image.

To learn more, see About Sandbox and Viewing Sandbox Reports and Data.

The Zscaler service displays a notification when Remote Assistance is enabled.

See image.

The maximum time limit for both view-only and full access is 90 days.

To learn more, see Enabling Remote Assistance.

The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities:

• Admin & Role Management

  You can create, update, and delete admin roles and retrieve a list of admin roles using the following endpoints:

  • GET /adminRoles
  • GET /adminRoles/lite
  • POST /adminRoles
  • GET /adminRoles/{roleId}
  • PUT /adminRoles/{roleId}
  • DELETE /adminRoles/{roleId}

  Close
• User Management

  You can create, update, and delete groups and retrieve a list of groups using the following endpoints:

  • GET /groups
  • POST /groups
  • GET /groups/lite
  • GET /groups/{groupId}
  • GET /groups/lite/{groupId}
  • PUT /groups/{groupId}
  • DELETE /groups/{groupId}

  You can create, update, and delete departments and retrieve a list of departments using the following endpoints:

  • GET /departments
  • POST /departments
  • GET /departments/lite
  • GET /departments/{id}
  • GET /departments/lite/{id}
  • PUT /departments/{departmentId}
  • DELETE /departments/{departmentId}

  Close
• Traffic Forwarding

  You can update a subcloud and retrieve information about subclouds using the following endpoints:

  • GET /subclouds
  • GET /subclouds/isLastDcInCountry/{id}
  • PUT /subclouds/{id}

  Close

To learn more about each endpoint, see the API Reference and API Rate Limit Summary.

The Postman collection is also updated to include new and updated resources. To learn more, see Configuring the Postman REST API Client.

The Enable HTTP/2 option is enabled by default when configuring an SSL Inspection rule. This feature is only available when it is enabled for your organization.

See image.

Close

To learn more, see About SSL Inspection and Configuring SSL Inspection Policy.

Twilio and Trello are supported as SaaS application tenants. Both can only be configured for SSPM scan which requires an Advanced SSPM license. If you don't have the correct license, a message to upgrade your license appears next to the SSPM Scan checkbox during the onboarding process.

See image.

To learn more, see About SaaS Application Tenants and Adding SaaS Application Tenants.

The DNS Control policy includes a new action, Block with Response Code, which allows you to block DNS traffic and send a response code to the client. The response code can be chosen from a predefined list that appears in a new Response Code field when this action is selected. When there is a policy match with the traffic, the transaction appears in DNS logs with the response code populated against the existing DNS Error Code column and the rule action is indicated by a "Block" value in the Request Action or Response Action columns.

See image.

To learn more, see Configuring the DNS Control Policy Action.

Update to Cloud Service API

The cloud service API is updated to include a new action value, BLOCK_WITH_RESPONSE, and a new blockResponseCode attribute for specifying the response code in the FirewallDnsRule model when the BLOCK_WITH_RESPONSE action is used.

To learn more, see the API Reference.

The Assets tab of the Control Panel in Advanced SSPM includes the following enhancements:

• You can export the assets report to a CSV file.
• You can copy the asset evidence or download it as a JSON file.

See image.

Close

To learn more, see About the Control Panel.

The IoT Report has been enhanced to report IoT policy status and statistics for IoT devices.

To learn more, see About the IoT Report.

You can get an overview of the IoT web policies status and deep dive into their action impact on IoT web communications, such as domains/IPs and the corresponding policy action statistics in the IoT Report > Discovered Devices > Selected IP Address.

See Image.

To learn more, see About Discovered Devices.

The resource access quota for retrieving Sandbox Detail Reports is increased to 3,000 requests per day, with a rate limit of 2/sec and 1,000/hour.

To learn more, see the Obtaining Sandbox Reports Using API and Sandbox Report articles.

You can filter and view logs for Source IP Countries, Destination IP Countries, Is Source IP Country Risky? and Is Destination IP Country Risky? As part of the update, the following changes are available in the ZIA Admin Portal:

Web Insights Logs

The following filters and columns are added to Web Insights Logs:

• Destination IP Countries
• Is Destination IP Country Risky?
• Is Source IP Country Risky?
• Source IP Countries

See image.

To learn more, see Web Insights Logs: Columns and Web Insights Logs: Filters.

NSS Feeds

The following fields can be added to the Feed Output Format when configuring an NSS or Cloud NSS feed for web logs:

• %s{srcip_country}
• %s{dstip_country}
• %s{is_src_cntry_risky}
• %s{is_dst_cntry_risky}

To learn more, see NSS Feed Output Format: Web Logs.

The following enhancements are made to the Endpoint Data Scan page (Analytics > Endpoint Data Scan):

Device Control

Zscaler Device Control enables your organization to regulate and monitor device (removable storage devices and printers) usage by implementing device control policy rules that restrict access and mitigate security risks. This is done by intercepting as soon as the device is plugged into the endpoint, thereby preventing exfiltration of sensitive information.

To learn more, see About Device Control, Managing Removable Storage Device Rules, and Managing Printer Rules.

Inventory

The Inventory provides visibility into the use of removable storage devices (e.g., USB drives, external hard drives), printers, and portable devices (e.g., mobile phones and cameras) within your organization. This functionality automatically detects the usage of these devices and displays permission access based on the device control policy. You can also analyze Endpoint Data Loss Prevention (DLP) activities and incidents from various perspectives, like departments, DLP engines, AI & ML categories, file type, etc. for each device.

To learn more, see About Inventory, Analyzing Device Details, Analyzing Printer Details, and Analyzing Portable Device Details.

Activation

From the Activation menu, you can view the activation status and activate any changes made to the Device Control Policy Rules and Endpoint Configuration Settings.

To learn more, see Activating Device Control Policy Rules and Configuration Changes.

Configuration

The Configuration menu allows administrators to configure endpoint data scan and other endpoint settings, such as continuous classification and endpoint DLP exemption duration.

See Image.

To learn more, see Configuring Endpoint Data Scan and Endpoint Settings.

You can configure Advanced SaaS Security Posture Management (SSPM) for Zoom tenants. Select the SSPM Scan checkbox when onboarding a Zoom tenant to enable the Advanced SSPM scan capability for the specific tenant. Existing users can also enable Advanced SSPM support by selecting the SSPM Scan checkbox under the onboarding section for the specific tenants and then validating and saving the changes.

See image.

The SSPM Scan checkbox is enabled only when you have the Advanced SSPM enabled for your tenant.

To learn more, see About SaaS Application Tenants, Adding SaaS Application Tenants, Understanding the SaaS Security Posture Management Policy, and Viewing and Managing the Supported SSPM Policies.

To access Extranet Application Support, contact your Zscaler Account team.

Zscaler Extranet Application Support provides organizations with a secure way to access resources from partners that are not using the Zscaler service. This is typically accomplished with site-to-site VPN tunnels which present organizational, financial, and security drawbacks. Zscaler Extranet Application Support provides access to partner resources through IPSec tunnels, retaining the benefits of the Zscaler Zero Trust Exchange (ZTE) without requiring partners to install hardware and software.

Extranet resources are created on the Extranet page. Each resource is configured with one or more traffic selectors and DNS servers.

See image.

Extranet resources must be assigned to locations in order to grant users access to the partner resource. Extranet is available as a Location Type when configuring locations.

See image.

Selecting Extranet as the Location type prompts the user to select an Extranet Resource, Traffic Selector, and DNS Server.

See image.

After extranet locations are configured in the ZIA Admin Portal, they become available in the ZPA Admin Portal when configuring server groups and application segments. You can configure ZPA access policies to manage extranet applications.

To learn more about Extranet Application Support, see Understanding Extranet Application Support, About Extranet, and Configuring an Extranet. Ranges and limitations for Extranet Application Support are listed on Ranges & Limitations.

Extranet Insights

With the new Extranet Insights (Analytics > Extranet Insights), you can view IPSec tunnel data, as well as monitor the health and status of your configured extranets.

See image.

To learn more about Extranet Insights, see About Insights, About Insights Logs, Extranet Insights Logs: Columns, and Extranet Insights Logs: Filters.

Tunnel Insights Logs

A filter and column, Extranet Name, is added to Tunnel Insights Logs.

To learn more, see Tunnel Insights Logs: Columns and Tunnel Insights Logs: Filters.

NSS Feeds

When configuring an NSS or Cloud NSS feed for Tunnel logs, you can select Extranet in the Tunnel Type filter to limit the logs based on this tunnel type.

See image.

To learn more, see Adding NSS Feeds for Tunnel Logs and Adding Cloud NSS Feeds for Tunnel Logs.

Update to Cloud Service API

The cloud service API includes new endpoints to configure and manage extranet resources. The following endpoints are introduced to retrieve the list of configured extranet resources and add, modify, and delete extranet resources:

• GET /extranet
• POST /extranet
• PUT /extranet
• GET /extranet/lite
• GET /extranet/{id}
• DELETE /extranet/{id}

In addition, the following attributes are added to the Location model to assign an extranet to a location:

• extranet
• extranetIpPool
• extranetDns
• defaultExtranetTsPool
• defaultExtranetDns

To learn more about each endpoint, see the API Reference and API Rate Limit Summary.

The Postman collection has also been updated to include new and updated resources. To learn more, see Configuring the Postman REST API Client.