How do I configure the policy for unauthenticated traffic?

There may be scenarios in which the Zscaler service does not identify the user sending traffic to the service. For example, the service does not authenticate user traffic to URLs or cloud apps you have selected to exempt from authentication. As another example, the service may not authenticate user traffic because it is encrypted and SSL inspection is not enabled.

For policies where you can specify users and departments in the criteria, the Zscaler service enables you to specify which rules the service applies to such unauthenticated traffic. If your organization has a default block on web traffic (a URL Filtering rule that blocks all traffic which is not explicitly allowed through the URL Filtering policy), this feature can help you ensure that lack of authentication does not lead to an unnecessary block of user traffic.

Note:

  • You will not be able to use this feature until you explicitly enable it in Advanced Settings.
  • Any rule that applies to unauthenticated traffic must apply to all locations; you cannot apply a rule to unauthenticated traffic and select particular locations.

Once the feature is enabled in Advanced Settings, under the Department criteria, you can specify whether the policy rule applies to unauthenticated traffic. For more granularity, under the Users criteria, you can specify the types of unauthenticated traffic to which the policy rule applies (for example, to apply a rule only when traffic is unauthenticated due to an exemption you specified, as opposed to another factor). See below for detailed configuration instructions.

Configuring the Policy for Unauthenticated Traffic

A.  Enable the feature in Advanced Settings:

  1. Go to Administration > Advanced Settings.
  2. Under Policy for Unauthenticated Traffic, turn on Enable Policy for Unauthenticated Traffic.
  3. Click Save.

B.  When selecting criteria for policy rules, you can choose to apply a rule only to specific types of unauthenticated traffic, or to all unauthenticated traffic. As noted above, this option is available only for policies where you can specify users and departments in the criteria.

  • To apply a rule to specific types of traffic:
  1. Navigate to the applicable policy (for example, Policy > URL & Cloud App Control > URL Filtering Policy).
  2. In the dropdown menu under Users, the service provides a General Users category as well as a Special Users category. Under General Users, you can select any user(s) to which you want the rule to apply. Then under Special Users, you can select the type(s) of unauthenticated traffic to which you want the rule to also apply. The four types of unauthenticated traffic are:
    • Authentication Bypass URL: User traffic to URLs or cloud apps you have selected to exempt from authentication
    • Miscellaneous Unauthenticated Transactions: User traffic that cannot be authenticated due to miscellaneous issues
    • Unauthenticated Protocol: User traffic that cannot be authenticated by the configured authentication method (for example, undecrypted HTTPS traffic)
    • Unauthenticated User Agent: User traffic that cannot be authenticated because the user-agent cannot be authenticated by the configured authentication method

      See the image below. The example is for a rule under the URL Filtering policy.
  3. Any rule that applies to unauthenticated traffic must apply to all locations. In Locations, select Any if you have chosen to apply this rule to unauthenticated traffic, either under Users or Departments.
  4. After specifying other criteria for the rule as necessary, click Save and activate the change.
  • To apply the rule to all unauthenticated traffic:
  1. Navigate to the applicable policy (for example, Policy > URL & Cloud App Control > URL Filtering Policy).
  2. In the dropdown menu under Departments, the service provides a Regular Departments category and a Special Departments category. Under Regular Departments, select any department(s) to which you want the rule to apply. Then under Special Departments, select Unauthenticated Transactions if you want the rule to apply also to any unauthenticated traffic.

    See the image below. The example is for a rule under the URL Filtering policy.
  3. Any rule that applies to unauthenticated traffic must apply to all locations. In Locations, select Any if you have chosen to apply this rule to unauthenticated traffic, either under Users or Departments.
  4. After specifying other criteria for the rule as necessary, click Save and activate the change.
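
The following is an added example, not Zscaler code or the Zscaler API. It is a small model of why a default block rule catches unauthenticated traffic, and how adding one Special Users type to an allow rule changes the outcome for that type only. First-match rule ordering, the rule names, the user name and the "Business" category are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Simplified model (assumption, not Zscaler's engine or API): rules are checked
# top-down, first match decides, and an empty criterion matches anything.
SPECIAL_USERS = {  # the four Special Users types listed on this page
    "Authentication Bypass URL",
    "Miscellaneous Unauthenticated Transactions",
    "Unauthenticated Protocol",
    "Unauthenticated User Agent",
}

@dataclass
class Rule:
    name: str            # hypothetical rule name
    action: str          # "ALLOW" or "BLOCK"
    users: set = field(default_factory=set)       # general users and/or special types
    categories: set = field(default_factory=set)  # URL categories
    locations: str = "Any"

def validate(rule):
    """Page constraint: a rule covering unauthenticated traffic needs Locations = Any."""
    if rule.users & SPECIAL_USERS and rule.locations != "Any":
        raise ValueError(f"{rule.name}: unauthenticated traffic requires Locations = Any")

def evaluate(rules, identity, category):
    """identity: a user name, or one SPECIAL_USERS type for unauthenticated traffic."""
    for rule in rules:
        validate(rule)
        if rule.users and identity not in rule.users:
            continue
        if rule.categories and category not in rule.categories:
            continue
        return rule.action, rule.name
    return "NO_MATCH", None

# Constructed sample policy: one allow rule ahead of a default block.
DEFAULT_BLOCK = Rule("default-block", "BLOCK")
BEFORE = [Rule("allow-business", "ALLOW", {"alice@example.com"}, {"Business"}), DEFAULT_BLOCK]
AFTER = [Rule("allow-business", "ALLOW",
              {"alice@example.com", "Authentication Bypass URL"}, {"Business"}),
         DEFAULT_BLOCK]

if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER)):
        for who in ("alice@example.com", "Authentication Bypass URL", "Unauthenticated Protocol"):
            print(label, who, evaluate(policy, who, "Business"))
```

In the "after" policy, traffic exempted from authentication reaches the allow rule, while the other unauthenticated types still fall through to the default block.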