How do I configure block notifications?
The Zscaler service displays a notification page to users whenever it blocks access to certain sites, files, or Internet applications. Additionally, the service displays a notification when it blocks access to a site due to a bad certificate (that is, if the certificate issuer is unknown, if the certificate has expired, or if the Common Name in the certificate does not match). For example, if a user browses to a site that is in a URL category that was blocked, the service blocks access to the site and displays a block notification similar to the one below.
The service displays the block notification any time there is a policy violation. For example, if a user attempts to upload or download an infected file attachment, the service blocks the file and displays a notification in the user’s browser stating that a virus-infected file was blocked. Similarly, if a user exceeds a daily quota for how much time he or she can browse social networking sites (as set by an administrator), the attempt to log onto one of their servers is blocked and the service displays a page in the user’s browser stating that access has been denied because the daily quota was reached.
The service provides a default notification which you can customize, or you can redirect users to an external site that hosts the notification page.
To configure the block notification page:
- Go to Administration > Resources > End User Notifications.
- In the Configure Notifications section, choose Default to display the system-generated message or choose Custom to redirect to an external site. See image.
- If you choose the Default notification message, do any of the following:
- Display Reason: Enable this to display why access to a site, file, or application was blocked or restricted in the end user notifications. This setting will affect the caution and block notifications.
- Display Company Name: Enable this to display the name of your organization in the end user notifications. This setting will affect the caution and block notifications.
- Display Company Logo: Enable to display the logo of your organization in the end user notification. You can upload your company logo on the Company Profile page. This setting will affect the caution and block notifications.
- Optionally, enter text to customize the Notification Message. This message appears when the service blocks access due to your organization's policies. Any changes in this field affects the URL Categorization Notifications, Security Violation Notifications, and Web DLP Violation Notifications at the same time.
- NOTE: If you choose to disable these settings, the changes will not be reflected in the previews of the templates, but the changes will be seen by your users after you save them.
- If you choose Custom, enter the Redirect URL that hosts the notification. See the Redirection Guidelines.
When the user's browser is redirected, the URL includes query parameters, which administrators can use to customize the page that is served or for logging purposes. During the redirection, all query parameters are sent to the external site. For Web DLP Violation policy requests, the query parameters enable the administrator to find the Web Post DLP transaction. These query parameters are:
- action: Specifies the action that triggered the redirect.
- cat: Specifies the URL category of the URL (if available).
- kind: Specifies the policy that triggered the URL redirection. See a list of possible values for kind and their mapping to policies.
- reason: Specifies the string that contains additional information about the URL.
- reasoncode: Specifies the reason that this notification or redirect triggered. See a list of possible values for reasoncode and their explanation.
- referer: Specifies the referer URL in URL-encoded format.
- rule: Specifies the internal rule-id that triggered the block (if available).
- timebound: Specifies whether this notification or redirect is triggered by a policy that includes time interval as a criteria.
- url: Specifies the original URL that caused this redirect or notification.
- user: Specifies the user-id (the login name) of the user (if available).
- zsq: This parameter is used by the Zscaler service.
Kind to Policy
Reasoncode to Explanation
- Each block notification ( URL Categorization Notifications, Security Violation Notifications, and Web DLP Violation Notifications) has its own individual Notification Text field where you enter text for each notification separately. Any text entered in a block notification's Notification Text field appears that notification alone. See image.
Any custom text you enter in the Notification Text and Notification Message fields appears in the block notifications as seen below.
Note that you cannot change the other text in the block notifications because it is generated when users are blocked because of policy violations. However, you can customize the appearance of the text or hide it with CSS styles.
To learn how to use this field to customize the appearance of the block notifications with CSS styles, click here.
- The IT Support section provides information on how users can seek additional information about why access to pages, files or web applications was restricted. You can provide an email address or phone number for a contact who can explain your company's use of the Zscaler service to protect your network, or a URL pointing to a page you created on your company intranet that describes your current policy about using corporate network and Internet resource. This information appears on the notification page.
- Click Preview Template(s) to see what the block notification will look like after any changes. You can preview the notification as many times as you want.
- Click Save and activate the change or proceed to configure the URL categorization notification or caution notification.