Configuring Fail-Open Settings for the Zscaler App

About Fail-Open Settings

There may be situations, such as the following, in which the Zscaler App must automatically disable its web security service and allow users to bypass the app and access the web directly:

  • Your users may try to access the web from an airport or a café where a captive portal configured on the network requires users to pay or accept an acceptable use policy before connecting. You can configure your App Fail-Open settings so that when the Zscaler App detects a captive portal, it automatically disables its services for a specified period of time, allowing users first to complete the steps necessary to access the network.
  • The Zscaler App may run into issues reaching Zscaler Enforcement Nodes (ZEN). If so, you can choose to allow users to bypass the app and access the web directly, or if you prefer, disable users’ access to the Internet altogether.  
  • The Zscaler App may run into issues properly setting up its Z-tunnel (the lightweight tunnel it uses to forward traffic to ZENs). If so, you can choose to allow users to bypass the app and access the web directly, or if you prefer, disable users’ access to the Internet altogether.  

See below for instructions on configuring these settings in the Zscaler App Portal.

Configuring Fail-Open Settings

  1. From the Zscaler admin portal, go to Policy > Zscaler App Portal.
  2. In the Zscaler App portal, go to Administration from the top menu, then from the left menu, go to Zscaler App Support.
  3. In the App Fail Open tab, do the following:
    • Under If Captive Portal detected, then disable Web Security for: Enter the number of minutes the Zscaler App must keep its services disabled upon detection of a captive portal. You can enter any value from 1 to 60 minutes. After the specified period of time, the Zscaler App will enable its services automatically and traffic will be forwarded to the Zscaler service through the app.
    • Under If Zscaler Proxy Node (ZEN) is not reachable, then, select one of the following options:
      • Fail Open to Bypass: Users are allowed to bypass the app and access the web directly
      • Disable Internet Access: Users are blocked from accessing the web

        The app will continue to attempt reaching the ZEN in the background and automatically re-enable itself once it successfully reaches the ZEN.
    • Under If Zscaler App Tunnel Setup Fails, select one of the following options:
      • Fail Open to Bypass: Users are allowed to bypass the app and access the web directly
      • Disable Internet Access: Users are blocked from accessing the web

        The app will continue to attempt establishing the tunnel in the background and automatically re-enable itself once it successfully establishes the tunnel.
  4. Click Save.
Configuring Fail-Open Settings