Winter 2015/2016 Release Update Summary
The Winter release is an upgrade to the Zscaler Internet Security Platform which includes a redesigned administrative interface, enhancements to Zscaler's Web Security, Next Generation Firewall, and Behavioral Analysis capabilities plus improvements to our Zscaler App mobile client.
New Admin Portal
The new Admin Portal features an updated content-focused design, with a modern flat interface as well as more intuitive and consistent navigation. It offers new features, such as print preview and an improved data grid to enhance readability. Its responsive layout ensures a good user experience, whether you view the admin portal from a laptop, tablet or phone.
Zscaler recommends that you use the following system settings to best display and take full advantage of the Admin Portal’s features:
- Zscaler supports the current and previous versions of the browsers listed below. As of this release, these versions are:
  - Google Chrome versions 44 and 45 (recommended)
  - Mozilla Firefox versions 37 and 38
  - Safari 5.1.7 and 5.1.5 for Windows
  - Safari 6.0.2 and 6.0.1 for Mac
  - Internet Explorer versions 10 and 11
- Minimum resolution supported is 1024 x 768.
Dashboard and Reporting Features
Bandwidth Usage Dashboard
You can now view the ‘Total Bandwidth Consumption’ graph in the Bandwidth Usage Dashboard, even if your organization does not have a Bandwidth Control subscription. The graph displays a 30-day trend chart along with the 95th percentile trend line. You can also zoom in from a 30-day view to a one-hour view right on the chart. Note that all other widgets on the Bandwidth Usage dashboard require a subscription.
Enhanced Cloud Applications Trend
The Zscaler Cloud Applications Dashboard features a new widget, Cloud Applications Trend, which displays all the cloud apps used by your organization. Zscaler has partnered with Skyhigh to provide a risk profile for each application. You can point to a cloud app in the widget and view the risk score provided by Skyhigh as well as the aggregated score provided by Zscaler. You can also download the data as a CSV file for further analysis. Note that this information is available on the dashboard and as a CSV file only. It is not available in the logs.
New Behavioral Analysis Report Link
If your organization uses NSS to stream logs to your SIEM, you can now open a Behavioral Analysis report based on the MD5 parameter that you retrieve from your logs in the SIEM. Before this release, admins could only view the report by clicking the MD5 URL in the logs displayed on the admin portal.
User Reports Enhanced
You can now exclude locations from user reports in the Dashboard, Interactive Reports and Web Insights. In earlier releases, the Top User reports included locations as well. Starting with this release, you have the option to exclude locations from the report.
Role-Based Log View
You can now control the number of days for which admins are allowed to view logs. For example, if an admin needs temporary access to the logs to verify compliance, you can allow access for a specified number of days. When you define a role, you can select a time frame from 30 days to Unrestricted. By default, admins can view logs for an unrestricted time period.
Admin Portal Timeout
You can now specify how long admins can be inactive on the Zscaler Admin Portal before they must log in again. By default, sessions restart after 30 minutes. You can choose a different time frame, from 30 minutes to 10 hours.
Preview End User Notifications
You can now preview end user notifications that you customize. This facilitates proofreading content and will help ensure that the notifications display as expected.
Surrogate IP for Known Browsers
The Surrogate IP feature has been enhanced with the ability to apply the feature to all traffic, including traffic from known browsers. In earlier releases, when Surrogate IP was enabled for a location, the service mapped users to their device IP addresses only when it received traffic from unknown user agents. This enhancement enables the service to leverage IP-to-user mapping to authenticate users and apply user policies even if users browse to sites that support cookies. This allows the service to authenticate without requiring the browser to complete HTTP redirects for every transaction, ensuring performance even for users who connect, for example, over high-latency satellite links. In the admin portal, you can specify the length of time that the service can use IP-to-user mapping to authenticate traffic from known browsers. After the defined period of time, the service will refresh and revalidate the existing IP-to-user mapping so that it can continue to use the mapping for authenticating users on browsers.
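The mechanism described above is, in effect, a time-bounded cache from device IP to authenticated user. The following is an added example, not Zscaler code, that models it: after a full browser authentication the IP-to-user mapping is recorded, known-browser requests are authenticated from the mapping until the configured refresh period elapses, and then the mapping must be revalidated. The class name, the seconds unit for the refresh period, and the choice to leave unknown-user-agent lookups unexpired are assumptions of the model, not documented service behaviour.

```python
"""Added example (not Zscaler code): a minimal model of the Surrogate IP
IP-to-user mapping with a refresh period for known browsers."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Mapping:
    user: str
    mapped_at: float  # time the mapping was created or last revalidated


class SurrogateIPMap:
    """Maps a device IP to an authenticated user for a bounded time.

    known_browser_ttl: seconds (assumed unit) during which a request from a
    known browser may be authenticated from the mapping before the service
    must refresh and revalidate it.
    """

    def __init__(self, known_browser_ttl: float) -> None:
        self.ttl = known_browser_ttl
        self._table: dict[str, Mapping] = {}

    def record_authentication(self, ip: str, user: str, now: float) -> None:
        """Called after a full browser authentication (cookie/redirect) succeeds;
        also used to revalidate an existing mapping."""
        self._table[ip] = Mapping(user=user, mapped_at=now)

    def authenticate(self, ip: str, now: float, known_browser: bool) -> tuple[Optional[str], str]:
        """Return (user, reason). user is None when the request cannot be
        authenticated from the mapping and must go through full authentication."""
        m = self._table.get(ip)
        if m is None:
            return None, "no mapping: full authentication required"
        if not known_browser:
            # Assumption of this model: traffic from unknown user agents keeps
            # using the mapping; the refresh period applies to known browsers.
            return m.user, "mapped (unknown user agent)"
        if now - m.mapped_at <= self.ttl:
            return m.user, "mapped (known browser, within refresh period)"
        # Refresh period elapsed: keep the entry but force revalidation so the
        # mapping is not trusted indefinitely.
        return None, "mapping expired: revalidate via browser authentication"


if __name__ == "__main__":
    table = SurrogateIPMap(known_browser_ttl=3600)
    table.record_authentication("10.1.2.3", "alice", now=0)          # constructed sample
    print(table.authenticate("10.1.2.3", now=600, known_browser=True))
    print(table.authenticate("10.1.2.3", now=4000, known_browser=True))
```

The trade-off the refresh period controls is visible in the model: every request from the mapped IP is attributed to that user until the period ends, so a device IP shared behind NAT, or a user who walks away from a logged-in machine, inherits the mapped identity for at most that long. A shorter period tightens attribution at the cost of more redirect round trips.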
Multiple Certificates for SAML Authentication
The service now offers multiple Service Provider SSL certificates for signing SAML requests. You can migrate to a new signing certificate at any time by selecting a certificate in the admin portal.
Web Security Policies
- The Zscaler service now uses AES as the key signing algorithm for both the Zscaler root CA and the private key of self-signed certificates. Before this release, Zscaler used 3DES as the key signing algorithm. Note that this does not impact any existing certificates that were generated before this release.
- The Zscaler service hosts Certificate Revocation Lists (CRLs) which provide the serial numbers of revoked certificate issuers. The Zscaler service now provides a CRL distribution point (CDP) for every certificate it generates, so that client applications can locate the CRLs as necessary. The certificate displays the CDP, as shown in the example below.
- If your organization uses its own intermediate root certificate for SSL inspection, your organization can now upload a certificate chain to the Zscaler service, in addition to the intermediate root certificate. This allows the service to send the intermediate root certificate along with the key chain to a user’s device during SSL inspection.
In earlier releases, when only the intermediate root certificate was uploaded and sent to a user’s device, issues could arise if the user’s machine did not have the complete certificate chain. Additionally, if your intermediate root certificate is compromised, you won’t need to revoke the current certificate manually. Instead, you can just upload a new intermediate root certificate along with the certificate chain. The service will then push the new certificate and certificate chain to your users’ devices, ensuring that the duplicate root CA is purged and the new intermediate certificate is used for SSL inspection immediately.
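The CRL distribution point mentioned above is carried in the certificate as the X.509 CRLDistributionPoints extension (OID 2.5.29.31, RFC 5280 section 4.2.1.13), which is what a client application reads to locate the CRL. The following added example, not Zscaler code, encodes that extension value in DER for one or more URIs and decodes it back, so that the structure a client parses is visible; the sample URIs are constructed placeholders, and the encoder covers only the fullName/URI form of a distribution point.

```python
"""Added example (not Zscaler code): build and read back the DER value of an
X.509 CRL Distribution Points extension (RFC 5280 section 4.2.1.13)."""
from __future__ import annotations

# id-ce-cRLDistributionPoints (2.5.29.31) as it appears in the extension header
CRL_DISTRIBUTION_POINTS_OID_DER = bytes.fromhex("0603551d1f")


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with a definite length (short or long form)."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n)]) + n
    return bytes([tag]) + length + body


def encode_crl_distribution_points(uris: list[str]) -> bytes:
    """CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
       DistributionPoint     ::= SEQUENCE { distributionPoint [0] DistributionPointName }
       DistributionPointName ::= CHOICE { fullName [0] GeneralNames }
       GeneralName           ::= uniformResourceIdentifier [6] IA5String
    Each URI becomes its own DistributionPoint (only the fullName/URI form)."""
    points = b""
    for uri in uris:
        general_name = _tlv(0x86, uri.encode("ascii"))  # [6] IMPLICIT IA5String
        full_name = _tlv(0xA0, general_name)             # [0] GeneralNames (constructed)
        dp_name = _tlv(0xA0, full_name)                  # [0] distributionPoint
        points += _tlv(0x30, dp_name)                    # DistributionPoint SEQUENCE
    return _tlv(0x30, points)                            # outer SEQUENCE OF


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


def _walk(body: bytes):
    """Yield (tag, body) for each TLV packed back to back in body."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        yield tag, inner


def decode_crl_distribution_points(der: bytes) -> list[str]:
    """Return the URIs in a CRLDistributionPoints value. Distribution points
    using nameRelativeToCRLIssuer or non-URI GeneralNames are skipped."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF DistributionPoint")
    uris: list[str] = []
    for dp_tag, dp in _walk(seq):
        if dp_tag != 0x30:
            raise ValueError("expected DistributionPoint SEQUENCE")
        for field_tag, field in _walk(dp):
            if field_tag != 0xA0:      # only distributionPoint [0]
                continue
            for name_tag, names in _walk(field):
                if name_tag != 0xA0:   # only fullName [0]
                    continue
                for gn_tag, gn in _walk(names):
                    if gn_tag == 0x86:  # uniformResourceIdentifier [6]
                        uris.append(gn.decode("ascii"))
    return uris


if __name__ == "__main__":
    sample = encode_crl_distribution_points(["http://crl.example.test/ca.crl"])  # constructed
    print(sample.hex())
    print(decode_crl_distribution_points(sample))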
One-Click Office 365 Deployment
The Office 365 suite of applications presented various challenges that required users to configure additional SSL and authentication bypass rules.
In this release, Zscaler has greatly simplified the configuration. You simply send all Office 365 traffic to the Zscaler cloud and turn on Enable Office 365 One-Click Configuration in Advanced Policy Settings. The Zscaler service automatically performs the necessary configurations so your users can seamlessly use all Office 365 applications. Additionally, Zscaler fingerprints more than 300 applications, including Office 365 applications, so you won’t have to worry about any URL changes in the Office 365 applications.
Policy for Unauthenticated Traffic
For policies where you can specify users and departments in the criteria, you now have control over which rules the service applies to unauthenticated traffic. Unauthenticated traffic may include, for example, traffic to URLs or cloud apps you have selected under Authentication Bypass, traffic to applications that do not support cookie authentication, as well as traffic in other circumstances where the service cannot authenticate users. This new feature will be particularly helpful for customers who currently place a default block on web traffic (a URL Filtering rule that blocks all traffic that is not explicitly allowed through the URL Filtering policy).
Now, when creating rules for these policies, you can specify, using the Department criteria, whether the rule applies to unauthenticated traffic. In addition, under the Users criteria, you can specify the types of unauthenticated traffic to which the rule applies (for example, to apply a rule only when traffic is unauthenticated due to an Authentication Bypass, as opposed to another factor). Any rule that applies to unauthenticated traffic must apply to all locations; you cannot apply a rule to unauthenticated traffic and select just one particular location. Note that you will not experience any changes to current behavior, or be able to use this new policy option, until you enable this feature explicitly in the Advanced Settings page.
Enhanced Malware Policy
The Malware policy was streamlined and redesigned to be clearer and simpler to configure.
Standardized Wildcard Usage
The Zscaler service has standardized the use of wildcard expressions when specifying URLs for Authentication Bypass and when specifying URLs in the following policy scenarios:
- URL Filtering (URLs entered when creating custom URL categories referenced in URL Filtering rules)
- Bandwidth Control (URLs entered when adding cloud applications to bandwidth classes)
- SSL Inspection (URLs entered in policy for non-decrypted traffic and URLs bypassed for SSL decryption)
In earlier releases, wildcard expressions were treated inconsistently across the aforementioned policies. With this release, if you enter .safemarch.com for Authentication Bypass or in one of the aforementioned policy scenarios, any URL which includes .safemarch.com will match. For example, all of the following URLs will match:
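Because the standardized rule is stated as "any URL which includes the entry", the practical check before adding a bypass or category entry is to see exactly which URLs it would cover. The following added example, not Zscaler code, applies that documented substring rule to constructed sample URLs and puts a stricter host-suffix comparison beside it for contrast; the stricter comparison is an illustration added here, not a documented service option, and the sample URLs are constructed.

```python
"""Added example (not Zscaler code): apply the documented rule that an entry
such as .safemarch.com matches any URL that includes it, and compare it with a
stricter host-suffix check over constructed sample URLs."""
from __future__ import annotations

from urllib.parse import urlsplit


def matches_documented(entry: str, url: str) -> bool:
    """Release-note semantics: any URL that includes the entry matches."""
    return entry.lower() in url.lower()


def matches_host_suffix(entry: str, url: str) -> bool:
    """Stricter alternative (added here for contrast): the entry must equal the
    URL's host or be a suffix of it at a label boundary, so only hosts under
    that domain match, regardless of what appears in the path or query."""
    host = urlsplit(url).hostname or ""
    domain = entry.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


# Constructed sample URLs; .test is a reserved TLD used here as a placeholder.
SAMPLE_URLS = [
    "https://www.safemarch.com/login",
    "http://mail.safemarch.com:8080/inbox",
    "https://safemarch.com/",
    "https://www.safemarch.com.example.test/",
    "https://cdn.example.test/assets/.safemarch.com.js",
]


def classify(entry: str, urls: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each URL to (documented substring match, host-suffix match)."""
    return {u: (matches_documented(entry, u), matches_host_suffix(entry, u)) for u in urls}


def over_broad(entry: str, urls: list[str]) -> list[str]:
    """URLs the documented rule matches although their host is not under the
    entry's domain: the set a policy review should look at before adding it."""
    return [u for u, (doc, strict) in classify(entry, urls).items() if doc and not strict]


if __name__ == "__main__":
    for url, (doc, strict) in classify(".safemarch.com", SAMPLE_URLS).items():
        print(f"{doc!s:5} {strict!s:5} {url}")
```

Two results are worth noting when reviewing an entry: with a leading dot, the documented rule does not cover the bare apex host (no dot precedes it in the URL), while it does cover any host or path that merely contains the string. Listing those cases for each entry, as `over_broad` does, is a cheap review step for SSL inspection and Authentication Bypass lists, where a match means inspection or authentication is skipped.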
Data Loss Prevention (DLP)
- The Zscaler service has added new file types you can select when configuring Zscaler and External DLP Engine policy rules. You can now select Text File (TXT, HTML, XML) as well as HTTP Form data as file types for both types of rules. Note that if you previously added Zscaler DLP Engine rules that specified Text File for file type criteria before this upgrade, those rules will be migrated so that they apply also to HTTP Form data after the upgrade.
Next Generation Firewall Enhancement
FQDN Based Policy in Next Generation Firewall
The Next Gen Firewall NAT policy has been enhanced with the addition of domain-based destination addresses. To support domains with multiple destination IP addresses or with destination IP addresses that may change, you can now enter FQDNs as well as IP addresses in the destination field of your NAT Control rules.
The Virtual ZEN (VZEN), which was introduced in the Summer release, has been enhanced with the features listed below. VZENs will be generally available in the Winter 2015 release.
- You can now use SNMP to monitor a VZEN. Traps can be raised in case of an adverse event that impacts traffic processing. SNMP is configured locally on the VZEN.
- If a VZEN has intermittent connectivity to the Zscaler cloud, the weblogs are queued and sent when possible instead of being dropped. These weblogs and their delays are shown in transaction drilldowns in the admin portal. The NSS also has new fields to distinguish between the weblog generation time and weblog transmission time.
- When a new VZEN build is made available, the VZENs in a cluster will stagger their updates to ensure high availability.
- Zscaler now offers three VZEN SKUs, targeted for different throughput and performance requirements:
  - Small (30 Mbps)
  - Medium (up to 100 Mbps)
  - Large (up to 650 Mbps)