Secure Private Access (ZPA)
Ranges & Limitations
This article lists the ranges and limitations for policies, fields, and other features. All values are per organization unless noted otherwise.
If you need to increase a maximum limit for your organization, send a request to Zscaler Support.
Administration
The following table shows the ranges and limitations for administration settings:
| Feature | Limit |
| Admins | 5,000 admins |
| Roles | 100 roles |
App Connector Management
The following table shows the ranges and limitations for App Connector management:
| Feature | Limit |
| App Connectors | 100 App Connectors |
| App Connector Groups | 100 groups |
| App Connector Provisioning Keys | 100 keys |
Application Management
The following table shows the ranges and limitations for application management:
| Feature | Limit |
| Applications | 6,000 applications 2,000 applications per application segment The 2,000 applications per application segment limit applies to both IP addresses and domains. Wildcards also fall in the same category (i.e., every entry for the application in the ZPA Admin Portal counts as one). 4,000 Source IP Anchoring-enabled domains or IP addresses DNS resolution can resolve a single domain (such as example.com or host.example.com) to no more than 200 IP addresses on the App Connector. The ZPA cloud can only handle up to 100 TXT records for any domain that it looks up. The DNS TXT records are ignored if the lookup surpasses 100 DNS TXT records. |
| Application Segments | 6,000 segments 240 Source IP Anchoring-enabled segments |
| DNS Suffixes | 50 suffixes |
| Segment Groups | 200 groups |
| Servers | 10,000 servers |
| Server Groups | 1,000 groups |
AppProtection Management
The following table shows the ranges and limitations for AppProtection management:
| Feature | Limit |
|---|---|
| Custom Control Parameters | 100 custom control parameters per custom control 100 custom control parameters per AppProtection profile |
Authentication
The following table shows the ranges and limitations for authentication configuration:
| Feature | Limit |
| IdP Configurations | 10 configurations |
| SAML Attributes | 100 attributes |
Backup and Restore
The following table shows the ranges and limitations for Backup and Restore:
| Feature | Limit |
|---|---|
| Backups | 10 backups per day The 10 backups per day limit applies to manually added backups, scheduled backups, and backups that are created within a Microtenant and have a Completed or In Progress status. |
| Restores | 10 restores per day |
Browser Protection Management
The following table shows the ranges and limitations for Browser Protection configuration:
| Feature | Limit |
| Monitored Users | 20,000 users |
Certificate Management
The following table shows the ranges and limitations for certificate management:
| Feature | Limit |
| (web server) Certificates | 1,000 certificates |
| Enrollment Certificates | 1,000 certificates |
Client Type Management
The following table shows the ranges and limitations for ZPA client type management:
| Feature | Limit |
| Client Type Microtunnel (M-Tunnel) Requests | 100 M-Tunnels per second The 100 M-Tunnels per second limit applies to the Zscaler Client Connector, Web Browser, Web Browser Unauthenticated, or ZIA Public Service Edge client types. To learn more, see About User Activity Diagnostics. The 100 M-Tunnels per second limit can be changed. To learn more, contact Zscaler Support. |
Cloud Connector Management
The following table shows the ranges and limitations for Cloud Connector management: Cloud Connector
| Feature | Limit |
| Cloud Connector M-Tunnel Requests | 200 M-Tunnels per second The 200 M-Tunnels per second limit can be changed. To learn more, contact Zscaler Support. |
Identity Management
The following table shows the ranges and limitations for identity management:
| Feature | Limit |
| SCIM updates | 50 per second |
| SCIM Groups | 1,000 groups per user The 1,000 groups per user limit means that if a user is a part of more than 1,000 groups, the remaining groups are not synced until some of them are removed for the user on the IdP. There is no limit to the number of SCIM groups that can be synced. |
Machine Management
The following table shows the ranges and limitations for machine management:
| Feature | Limit |
| Machine Groups | 100 groups |
Microtenants
The following table shows the ranges and limitations for Microtenant management:
| Feature | Limit |
| Microtenants | 500 Microtenants |
Organization
The following table shows the organization ranges and limitations for organization management:
| Feature | Limit |
| Admin User Password | 100 characters |
Policies
The following table shows the ranges and limitations for policy management:
| Feature | Limit |
| Access Policy | 2,000 policy rules 1,000 application segments per policy rule 48 App Connector groups per policy rule The 48 App Connector groups per policy rule limit applies even if All App Connector groups for the application is selected when configuring an access policy rule. To learn more, see Configuring Access Policies. 50 locations for extranet application support 10 location groups for extranet application support |
| AppProtection Policy | 500 policy rules 1,000 application segments per policy rule |
| Client Forwarding Policy | 500 policy rules 1,000 application segments per policy rule |
| Isolation Policy | 500 policy rules 1,000 application segments per policy rule |
| Log Receiver Policy | 1,000 application segments per policy rule |
| Privileged Capabilities Policy | 5,000 policy rules 200 privileged consoles per privileged capabilities policy |
| Privileged Credentials Policy | 5,000 policy rules 1,000 privileged consoles per privileged credentials policy |
| Redirection Policy | 2,000 policy rules |
| Timeout Policy | 500 policy rules 1,000 application segments per policy rule |
Private Cloud Controller Management
The following table shows the ranges and limitations for Private Cloud Controller management:
| Feature | Limit |
|---|---|
| Private Cloud Controllers | 100 Private Cloud Controllers |
| Private Cloud Controller Groups | 100 Private Cloud Controller Groups |
| Private Cloud Controller Provisioning Keys | 100 keys |
Privileged Remote Access
The following table shows the ranges and limitations for Privileged Remote Access:
| Feature | Limit |
| Privileged Approvals | 20,000 privileged approvals 200 application segments per privileged approval Only privileged approvals with approval statuses of Future or Active are counted. Privileged approvals with an approval status of Expired are not considered as part of the total amount. Each user can create up to 20 privileged approval requests on the My Requests page in the PRA Portal. |
| Privileged Consoles | 10 privileged consoles With a license, this can be increased to the maximum limit of 35,000 privileged consoles. Contact your Zscaler Account team for more information. |
| Privileged Credentials | 10,000 privileged credentials |
| Privileged Credential Pools | 500 privileged credential pools 100 privileged credentials per privileged credential pool |
| Privileged Portals | 100 privileged portals When configuring a privileged portal within the Default Microtenant, you can link a maximum of 6,000 privileged consoles to the privileged portal. |
Support Information
The following table shows the ranges and limitations for Support Information management:
| Feature | Limit |
| App Connectors | 100 App Connectors per session |
| Private Service Edges | 100 Private Service Edges per session |
| Actions | 10 Actions per session |
| Targets | 10 Targets per session |
| Concurrent Sessions | 5 Concurrent Sessions per customer The 5 Concurrent Sessions per customer limit is only on sessions that are in a Pending or Processing state. There is no limit on Completed, Failed, or Partially_Completed sessions. |
User Portal
The following table shows the ranges and limitations for user portal:
| Feature | Limit |
| Portal Links | 500 links You can only configure 150 links at a time when configuring portal links in the ZPA Admin Portal. |
ZPA Private Service Edge Management
The following table shows the ranges and limitations for ZPA Private Service Edge management:
| Feature | Limit |
| Private Service Edges | 100 Private Service Edges |
| Private Service Edge Groups | 100 groups |
| Private Service Edge Provisioning Keys | 100 keys |