Secure Private Access (ZPA)

About Isolation Policy

Using the Isolation policy, you can create rules that define when application requests are redirected to Isolation. This requires having Isolation enabled for your organization and creating an Isolation profile prior to setting up the Isolation policy rule.

Isolation policy rules allow you to:

  • Define policies to provide secure clientless access to critical applications via a containerized isolated browser on the Zscaler cloud, ensuring the posture of a user's machine doesn't affect the related applications.
  • Reduce the surface area of attacks by providing true application-level zero trust access to critical applications (e.g., hiding all application-level transactions between the browser and the related applications).
  • Enforce data exfiltration controls by ensuring users are unable to copy, paste, upload, or download files between their computers and the applications they are accessing.

When the user is authenticated, the session timeout value is the minimum timeout across all configured timeout policies. After the timeout expires, the user must reauthenticate with ZPA to access applications via Isolation.

Along with defining an Isolation policy, you also need to define an access policy for the application to be accessible from within the browser Isolation environment. Application requests not directed to Isolation are reviewed based on access policies.

If ZPA is undergoing a maintenance period, Isolation might not be available.

Isolation policy rules consist of two main building blocks:

  • Criteria: These are the conditions of a policy rule. A user's application request must match all of the conditions within a policy rule.
  • Boolean Operators: These are the operators used between criteria. Isolation policy rules use AND and OR operators only.

About the Isolation Policy Page

On the Isolation Policy page (Policy > Isolation Policy), you can do the following:

  1. Expand all of the displayed rows in the table to see more information about each policy rule.
  2. Show all the rules in the table. The rows remain collapsed. Depending on the number of rules, this can take a few minutes.

     By default, the UI only displays the first 100 rules. Alternatively, you can scroll to see more rules.

  3. Add new Isolation policy rules.
  4. Filter the information that appears in the table. By default, no filters are applied.
  5. View a list of all Isolation policy rules that were configured.
  6. Copy an existing Isolation policy rule's criteria, and use it to create a new rule.
  7. Edit an existing Isolation policy rule.
  8. Delete an Isolation policy rule.
  9. Review the Default Rule. This rule is not editable.
  10. Go to the Access Policy page to add a new access policy or manage existing policies.
  11. Go to the Timeout Policy page to add a new timeout policy or manage existing policies.
  12. Go to the Client Forwarding Policy page to add a new client forwarding policy or manage existing policies.
  13. Go to the Privileged Policy page to add new privileged capabilities policies and privileged credentials policies or manage existing policies.
  14. Go to the Security Policy page to add new AppProtection Policies and Browser Protection Policies or to manage existing policies.

Viewing and managing isolation policies within the ZPA Admin Portal
