
ZCCA Policy-Web-AccessControl StudentGuide 5.6 v1

This document provides an overview and instructions for navigating an online training module about Zscaler web access control policies. The module covers an overview of available web policies, focusing on access control policies. It includes an interactive demonstration of how to create and configure cloud app control and URL filtering policies in the Zscaler admin portal user interface. The document provides step-by-step guidance and explanations for common policy configuration options.


ZCCA-IA_Policy-Web-AccessControl_StudentGuide_5.6v1 November 9, 2018

Slide 1 - Zscaler Policies

Slide notes

Welcome to the Zscaler Web Access Control Policies Module.


Slide 2 - Navigating the eLearning Module

Slide notes

Here is a quick guide to navigating this module. There are various controls for playback including play and pause,
previous, next slide and fast forward. You can also mute the audio or enable Closed Captioning which will cause a
transcript of the module to be displayed on the screen. Finally, you can click the X button at the top to exit.


Slide 3 - Agenda

Slide notes

In this module, we will cover: an overview of the Web policies available; and a detailed look at the available Web Access
Control policies.


Slide 4 - Web Policy Overview

Slide notes

The first topic we will cover is an overview of the available Web policies.


Slide 5 - Web Policy Areas

Slide notes

The Web policy area is the most extensive of the policy areas, and allows the creation of Security, Access Control and
Data Loss Prevention policies.


Slide 6 - Web Policy Areas

Slide notes

In this module, we will look at each of the policies available in the Access Control category, and provide some
recommendations for the policy settings.


Slide 7 - Interactive Demo: Web Policy – Access Control

Slide notes

In the next section, we will have a detailed look at the Web Access Control Policies.

This section has been created as an interactive demo to give you a feel for the navigation of the Zscaler Admin Portal UI.
You will be asked to select the appropriate menu options to navigate the UI. You may also use the Play control to
proceed to the next step.


Slide 8 - Web Policy Areas

Slide notes

The URL & Cloud App Control Policy allows you to create filtering rules to Block, Allow, or allow with a Caution, access
for identified cloud apps, or to specified URLs or URL categories. The URL & Cloud App Control area is where you will
probably spend most of your time, as this is where you will define what kinds of sites and applications your users are
allowed to use.

Note that the Cloud App Control Policy takes priority over the URL Policy, and Zscaler recommends controlling access by
cloud app in preference to URL wherever possible. The Rules are evaluated in the order listed, and rule evaluation stops
at the first match; there is a default Allow All rule, although this is not visible.


Slide 9 - Slide 9

Slide notes

As the Cloud App Control Policy takes precedence over URL filtering, we’ll look at that first. Click the CLOUD APP
CONTROL POLICY tab.


Slide 10 - Slide 10

Slide notes

There are several rules in here by default, although all are disabled. Default rules are available to control access for:
Instant Messaging; Social Networking & Blogging; Streaming Media & File Sharing; and Webmail.

You can edit any of these rules to enable them, change their order, or adjust the target criteria or actions. You can also
create duplicates if you choose.


Slide 11 - Slide 11

Slide notes

To add a new rule, click the Add field


Slide 12 - Slide 12

Slide notes

and select the type of rule to add. In this example we will add a Webmail rule.


Slide 13 - Slide 13

Slide notes

Set the Rule Order, Admin Rank (if this feature has been enabled), Rule Name, and Rule Status as required. Remember
that rules must be enabled for us to apply them, and that rules are evaluated from the top (Rule 1) downward, with
evaluation stopping at the first match.

As an example, you might have a Social Media rule that allows all users to read Facebook, Slashdot, and Twitter but not
post to them, but you have another that allows Marketing to post things to Twitter and Facebook as part of their social
media marketing activities. The most specific rule MUST be listed first, or it will never be triggered, so in this example the
Marketing rule must come before the all users rule.


Slide 14 - Slide 14

Slide notes

To select which Cloud applications this rule is to apply to, click the Cloud Applications field


Slide 15 - Slide 15

Slide notes

select one or more applications from the list, and click Done. In this example we will use Gmail.


Slide 16 - Slide 16

Slide notes

Target the rule using any combination of the Users, Groups, Departments, Locations, or Time options, remembering
that Users, Groups, and Department are combined using a logical OR, and that Locations and Time are combined
using a logical AND.


Slide 17 - Slide 17

Slide notes

Then specify the Action to take on a match to this rule. The actions available for this Webmail rule are: Allow or Block
the viewing of mail; Allow or Block the sending of mail; and Allow or Block the sending of attachments. When allowing
an option, you can also specify a Daily Bandwidth Quota (MB) (for the application); and specify a Daily Time Quota
(min) (for a session).


Slide 18 - Slide 18

Slide notes

Having configured the rule as required, click Save.


Slide 19 - Slide 19

Slide notes


Slide 20 - Slide 20

Slide notes

And Activate your changes.


Slide 21 - Slide 21

Slide notes


Slide 22 - Slide 22

Slide notes

Scrolling down to the Webmail category, you can see your new rule which, as it was added at the bottom, will be
evaluated last. You can adjust the Rule Order and even delete the disabled rules as you require.
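
The following Python model is an added example, not part of the Zscaler material or the admin portal. It reproduces the first-match evaluation and the OR/AND targeting described in the notes above and flags rules that an earlier rule makes unreachable; the action labels, sample users, and the assumption that the identity result is AND'd with Locations and Time are illustrative.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    order: int
    name: str
    apps: frozenset                  # cloud applications the rule applies to
    action: str                      # hypothetical label, not a portal value
    enabled: bool = True
    users: frozenset = frozenset()   # an empty set means "criterion not set"
    groups: frozenset = frozenset()
    departments: frozenset = frozenset()
    locations: frozenset = frozenset()
    hours: Optional[Tuple[int, int]] = None  # (start, end) hour; None = any time


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    department: str
    location: str
    hour: int
    app: str


DEFAULT = ("Default Allow All", "ALLOW")  # the implicit last rule


def matches(rule, req):
    if not rule.enabled or req.app not in rule.apps:
        return False
    # Users, Groups and Departments are OR'd with each other.
    identity_set = rule.users or rule.groups or rule.departments
    identity_ok = (not identity_set
                   or req.user in rule.users
                   or bool(req.groups & rule.groups)
                   or req.department in rule.departments)
    # Locations and Time are AND'd (assumed: also AND'd with the identity result).
    location_ok = not rule.locations or req.location in rule.locations
    time_ok = rule.hours is None or rule.hours[0] <= req.hour < rule.hours[1]
    return identity_ok and location_ok and time_ok


def evaluate(rules, req):
    """Top-down evaluation that stops at the first matching rule."""
    for rule in sorted(rules, key=lambda r: r.order):
        if matches(rule, req):
            return rule.name, rule.action
    return DEFAULT


def covers(a, b):
    """Sufficient check that every request matching b also matches a."""
    a_ident = a.users or a.groups or a.departments
    b_ident = b.users or b.groups or b.departments
    identity_ok = not a_ident or (bool(b_ident) and b.users <= a.users
                                  and b.groups <= a.groups
                                  and b.departments <= a.departments)
    location_ok = not a.locations or (bool(b.locations)
                                      and b.locations <= a.locations)
    time_ok = a.hours is None or (b.hours is not None
                                  and a.hours[0] <= b.hours[0]
                                  and b.hours[1] <= a.hours[1])
    return b.apps <= a.apps and identity_ok and location_ok and time_ok


def shadowed_rules(rules):
    """Return (rule, earlier_rule) pairs where the rule can never be reached."""
    ordered = [r for r in sorted(rules, key=lambda r: r.order) if r.enabled]
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample policy based on the Social Media example in the notes.
SOCIAL = frozenset({"Facebook", "Slashdot", "Twitter"})
ALL_USERS = Rule(1, "All users: read-only social", SOCIAL, "VIEW_ONLY")
MARKETING = Rule(2, "Marketing: may post", frozenset({"Facebook", "Twitter"}),
                 "VIEW_AND_POST", departments=frozenset({"Marketing"}))
MISORDERED = [ALL_USERS, MARKETING]
CORRECTED = [replace(MARKETING, order=1), replace(ALL_USERS, order=2)]

MARKETER = Request("alice", frozenset({"staff"}), "Marketing", "HQ", 10, "Twitter")
ENGINEER = Request("bob", frozenset({"staff"}), "Engineering", "HQ", 10, "Twitter")

if __name__ == "__main__":
    for label, policy in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, evaluate(policy, MARKETER), shadowed_rules(policy))
```

Running the shadow check against an exported rule list before activating a reorder catches the "specific rule listed second" mistake without waiting for a user report.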


Slide 23 - Slide 23

Slide notes

Now let’s look at the URL filtering options, by clicking on the URL FILTERING POLICY tab.


Slide 24 - Slide 24

Slide notes

Here you will also find a default rule for use as an example, which is Disabled. To add a rule, click the Add URL Filtering
Rule link.


Slide 25 - Slide 25

Slide notes

As before, you can manage Rule Order, Admin Rank, Rule Name, and Rule Status at the top.


Slide 26 - Slide 26

Slide notes

To select the categories of URL that this rule is to apply to, click the URL Categories field


Slide 27 - Slide 27

Slide notes

and select from the available categories and sub-categories. You can select entire categories, or only the required
sub-categories. Note that the categories are pre-defined, although you can manage them, and even add user-defined
categories. We’ll look at how to do that in a few minutes.

If you wish to check a URL to see what category it is in, you can do a look-up through the help menu. Click ‘Help’ at the
top and choose URL lookup, enter the URL and click Lookup URL. We will tell you the category as well as any security
alerts on that URL.

Click Done once you have added all the required URL Categories.


Slide 28 - Slide 28

Slide notes

Select the type of HTTP Requests the rule is to apply to, the options being All, or POST.


Slide 29 - Slide 29

Slide notes

Then specify the target Users, Groups, Departments, Locations, Time, and Protocols criteria. Note that the Users,
Groups and Departments options all depend on the Users authenticating with Zscaler.


Slide 30 - Slide 30

Slide notes

Finally, specify the Action to be taken if the rule is matched. The options are: Allow; Caution; or Block.

Allow is self-explanatory: traffic matching this rule will be allowed, although you may combine this with time or
bandwidth quota settings.


Slide 31 - Slide 31

Slide notes

If you choose Caution, whenever a user tries to browse to a site that matches this rule, they will be presented with a
caution End User Notification (EUN) page that warns them against visiting this URL. The EUN pages can be customized
on the Administration > End User Notifications page of the admin portal.

You also have the option of specifying a Redirect URL should you wish to take them to a caution page that you manage
yourself.


Slide 32 - Slide 32

Slide notes

If you choose Block, users will be blocked from accessing the page and a block EUN page will be shown. You also have
the option of specifying a Redirect URL.


Slide 33 - Slide 33

Slide notes

Or you can enable the Allow Override option, and select Users or Groups that have the ability to override the block.

For example, this could be used in a school computer lab when a student is legitimately researching normally prohibited
content. When the student is shown the block page it will contain a link where a teacher can log in and allow access to
the site.


Slide 34 - Slide 34

Slide notes

Add a Description if required, and click Save.


Slide 35 - Slide 35

Slide notes


Slide 36 - Slide 36

Slide notes

To manage the information about the rules that is displayed in the list, click on the 3-line icon on the upper right and
select which columns are to be shown. For example, if you want to remove the Admin Rank column, you can deselect it
here.


Slide 37 - Slide 37

Slide notes

And the Admin Rank column will be removed from the main policy screen.


Slide 38 - Slide 38

Slide notes

Be sure to Activate any changes that you made to the Policy.


Slide 39 - Slide 39

Slide notes


Slide 40 - Slide 40

Slide notes

Finally in this Policy type, let’s look at the advanced settings available. Click on the ADVANCED POLICY SETTINGS tab.


Slide 41 - Slide 41

Slide notes

On this tab, in the Advanced URL Filtering Options section there are a number of options that can be enabled:
Dynamic Content Categorization; Embedded Sites Categorization; and SafeSearch.


Slide 42 - Slide 42

Slide notes

Also in this section, you have the option of adding a list of Allowed Domains for Google Apps.


Slide 43 - Slide 43

Slide notes

The Office 365 Configuration section is where you can enable the Microsoft-Recommended One Click Office 365
Configuration option, and enable and configure Office 365 Tenant Restrictions if required.


Slide 44 - Slide 44

Slide notes

You also have the option to Block or Allow Skype traffic. Be sure to Save and Activate any changes you make on this
page.


Slide 45 - Slide 45

Slide notes

To view Zscaler recommendations for configuring URL & Cloud App Control Policy settings, click the Recommended
Policy link.


Slide 46 - Slide 46

Slide notes

For the URL & Cloud App Control Policy Zscaler recommends that you: block all HTTP requests to the Adult Material,
Drugs, Gambling, Illegal or Questionable, Militancy/Hate and Extremism categories; allow Cloud apps depending on
your business needs and corporate policy; and that you enable both the Dynamic Content Categorization, and
SafeSearch advanced settings.

We also strongly recommend that you enable the Microsoft Office One Click option, configure Tenant Restrictions
if necessary, and Allow Skype traffic if it is required.


Slide 47 - Slide 47

Slide notes

As you will recall, by default the Cloud App Control rules take precedence over the URL Filtering rules, and if a Cloud
App Control rule is matched, no further rule evaluation takes place. However, you have the option to allow cascading to
the URL Filtering rules even if there is a Cloud app match. To enable this option, from the Administration menu, click
Advanced Settings


Slide 48 - Slide 48

Slide notes

and enable the Allow Cascading to URL Filtering option, and Save the change.
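
The sketch below is an added example, not Zscaler code. It models the precedence just described so you can list which requests change outcome when Allow Cascading to URL Filtering is switched on. The rule names, the URL category labels, the `.example` hosts and ExampleChat are constructed, and it assumes that cascading only applies after a Cloud App Control match that allows the request, while a Block stays final.

```python
ALLOW, BLOCK = "ALLOW", "BLOCK"


def first_match(rules, key):
    """Rules are (name, targets, action) in listed order; the first match wins."""
    for name, targets, action in rules:
        if key in targets:
            return name, action
    return None


def decide(request, cloud_app_rules, url_rules, cascading=False):
    """Return (action, deciding_rule) for one request."""
    app_hit = first_match(cloud_app_rules, request["app"])
    if app_hit:
        name, action = app_hit
        # Assumption: a Cloud App Control Block is final either way;
        # cascading only matters after a Cloud App Control Allow.
        if action == BLOCK or not cascading:
            return action, "Cloud App Control: " + name
    url_hit = first_match(url_rules, request["category"])
    if url_hit:
        return url_hit[1], "URL Filtering: " + url_hit[0]
    if app_hit:
        return app_hit[1], "Cloud App Control: " + app_hit[0]
    return ALLOW, "Default Allow All"


def cascade_differences(requests, cloud_app_rules, url_rules):
    """Requests whose action changes when cascading is enabled."""
    changed = []
    for req in requests:
        off = decide(req, cloud_app_rules, url_rules, cascading=False)
        on = decide(req, cloud_app_rules, url_rules, cascading=True)
        if off[0] != on[0]:
            changed.append((req["url"], off, on))
    return changed


# Constructed sample policy and traffic.
CLOUD_APP_RULES = [
    ("Allow Twitter", {"Twitter"}, ALLOW),
    ("Block ExampleChat", {"ExampleChat"}, BLOCK),
]
URL_RULES = [
    ("Block social networking", {"Social Networking"}, BLOCK),
    ("Block gambling", {"Gambling"}, BLOCK),
]
REQUESTS = [
    {"url": "https://twitter.example/home", "app": "Twitter",
     "category": "Social Networking"},
    {"url": "https://chat.example/", "app": "ExampleChat",
     "category": "Instant Messaging"},
    {"url": "https://casino.example/", "app": None, "category": "Gambling"},
    {"url": "https://news.example/", "app": None, "category": "News"},
]

if __name__ == "__main__":
    for url, off, on in cascade_differences(REQUESTS, CLOUD_APP_RULES, URL_RULES):
        print(url, "cascading off:", off, "cascading on:", on)
```

With cascading off, the Cloud App Control Allow for Twitter wins even though a URL Filtering rule blocks its category, which is the case to review before relying on a URL category block alone.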


Slide 49 - Slide 49

Slide notes

To manage those URL categories, click the Resources option in the side bar menu then click URL Categories.


Slide 50 - Slide 50

Slide notes

Here you will find all of the URL Classes, Super-Categories, and Categories that have been defined by Zscaler. On this
page, you can add categories, edit the existing super-categories or categories, or even move a super-category under a
different class.

For example, if your organization is in the gambling industry, you may wish to move the whole Gambling super-category
under the Business class. For categories, you can enter custom URLs and keywords to classify sites.


Slide 51 - Slide 51

Slide notes

You can add up to 25,000 custom URLs (across all categories), and up to 48 custom categories. You can add up to 256
keywords per category, and up to 1,000 across all categories. To add a URL category, click the Add option at the top, or
against the preferred super-category.


Slide 52 - Slide 52

Slide notes

Give the new URL category a Name, then if necessary select the correct super-category to list it under.


Slide 53 - Slide 53

Slide notes

Configure the category as necessary, by adding: Custom URLs; ‘URLs retaining parent category’ (which are URLs that
already exist in another category, and you want to copy them rather than move them to this category); and Custom
Keywords. Then click Save.


Slide 54 - Slide 54

Slide notes


Slide 55 - Slide 55

Slide notes

You can search by name or keyword to find the new category in the list if necessary. Once you Activate these changes,
any new URL categories are available for use within a Policy, and any updated categories will be used by any Policy that
has them selected in a rule.


Slide 56 - Slide 56

Slide notes

By default, the Zscaler service listens to port 80 for HTTP traffic, port 443 for HTTPS traffic, port 53 for DNS traffic, and
port 21 for FTP traffic. If you wish to enable the service to listen for these protocols on non-standard ports, you must
enable this on the Advanced Settings page. From the Administration menu, click Advanced Settings.


Slide 57 - Slide 57

Slide notes

Scroll down to the bottom of the page


Slide 58 - Slide 58

Slide notes

and enable the Auto Proxy Forwarding for Non-defined Ports option for the protocols you need to support on non-
standard ports. Then Save your setting


Slide 59 - Slide 59

Slide notes


Slide 60 - Slide 60

Slide notes

and be sure to Activate your changes.


Slide 61 - Slide 61

Slide notes


Slide 62 - Web Policy Areas

Slide notes

The File Type Control Policy allows you to create filtering rules to Block, Allow, or allow with a Caution, the ability to
download or upload specified types of files.


Slide 63 - Slide 63

Slide notes


Slide 64 - Slide 64

Slide notes

File Type Control is pretty straightforward: it allows you to block the upload, download, or both, of specific file types
from some or all URL categories. To add a rule, click the Add File Type Control Rule link.


Slide 65 - Slide 65

Slide notes

As with the Cloud App Control and URL Filtering rules, you can manage Rule Order, Admin Rank, Rule Name, and
Rule Status at the top.


Slide 66 - Slide 66

Slide notes

Select the target File Types that this rule is to apply to. The File Types supported are classified by the following
categories: Archive (with detection of suspicious embedded script files), Audio, Executable, Image (including .3dm,
.dicom, and .tiff/.tif files), Microsoft Office (which includes their macro-enabled file formats), Mobile, Other Documents
(including Autodesk .ipt files), Video, and Web Content.


Slide 67 - Slide 67

Slide notes

You also have the option to specify target URL Categories


Slide 68 - Slide 68

Slide notes

as well as the Users, Groups, Departments, Locations, Time, and Protocols criteria.


Slide 69 - Slide 69

Slide notes

Then specify the Action to be taken if the rule is matched. The options are: Allow, Caution, or Block. You must of course
specify the direction in which to apply the rule: Download, Upload, or both. Click Save when you are done configuring
the rule


Slide 70 - Slide 70

Slide notes


Slide 71 - Slide 71

Slide notes

and Activate your changes.


Slide 72 - Slide 72

Slide notes


Slide 73 - Slide 73

Slide notes

The Rules are evaluated in the order listed, and rule evaluation stops at the first match; there is a default Allow All rule
although this is not visible. To view Zscaler recommendations for configuring File Type Control Policy settings, click the
Recommended Policy link.


Slide 74 - Slide 74

Slide notes

For the File Type Control Policy Zscaler recommends that you configure a first rule with a Caution action for the
download of executables from all URL Categories, and a second rule with an Allow policy to download all file types
from all URL Categories.


Slide 75 - Web Policy Areas

Slide notes

The Bandwidth Control Policy allows you to create filtering rules to throttle traffic of selected classes, when a link is
over-subscribed. The Rules are evaluated in the order listed, and rule evaluation stops at the first match; there is a
default unrestricted rule which may be edited if necessary.

You should note that Bandwidth Control is also applied to authentication and SSL traffic that has been otherwise
exempted from inspection.


Slide 76 - Slide 76

Slide notes

Bandwidth Control allows you to set bandwidth thresholds for certain types of usage to make sure that all of a site’s
bandwidth isn’t being chewed up by streaming media or other applications, which are slowing or stopping legitimate
traffic. When enabled on a Location, Bandwidth Control is enforced for all uplink and downlink traffic from that
Location, regardless of the ZEN the traffic uses, as Bandwidth Control functionality is load-balanced across the ZENs.

Bandwidth classes identify the URL categories and applications to which the service allocates bandwidth, and you must
configure the bandwidth classes before you can reference them in Bandwidth Control policy rules. You can configure
bandwidth classes from the Administration > Bandwidth Classes page, on the CLOUD APPLICATIONS tab, where you
can edit the predefined bandwidth classes or add up to 17 new bandwidth classes.

Click Add Bandwidth Class to add a new bandwidth class.


Slide 77 - Slide 77

Slide notes

Give your new bandwidth class a name, then select the URL Categories, and/or the Cloud Applications for it to match.
If necessary, you can also add Domains to the bandwidth class (although only a maximum of 8 may contain custom
Domains). These criteria are combined using a logical OR function.

Note that you can have up to 25,000 Domains across all of your bandwidth classes (including the URL Categories).


Slide 78 - Slide 78

Slide notes

From the LARGE FILES tab, you can choose the minimum file size that will trigger throttling when users attempt to
download or upload files that are equal to or greater than the size specified.


Slide 79 - Slide 79

Slide notes

The WEB CONFERENCING APPLICATIONS tab allows you to control whether bandwidth control should be applied to
the Web conferencing applications listed


Slide 80 - Slide 80

Slide notes

and the VOIP APPLICATIONS tab allows you to control whether bandwidth control should be applied to the VOIP
applications listed.


Slide 81 - Slide 81

Slide notes

Note that you also need to enable the Enforce Bandwidth Control option on each of the locations where you want to
enforce Bandwidth Control. You also need to configure the Upload (Mbps) and Download (Mbps) bandwidth available
for the site.

The values here are for Web traffic only, so you should subtract any bandwidth dedicated for other purposes (such as
MPLS connections), plus you should subtract about 5% from the actual bandwidth available, to allow for TCP protocol
overhead.

If you are unsure of the values to set here, you can check the Bandwidth Consumption Widget filtered for the Location,
on the Bandwidth Control Dashboard. This will give you an overview of your average and peak consumption values at
that Location.


Slide 82 - Slide 82

Slide notes

To add or manage bandwidth control policy rules, from the Policy menu click Bandwidth Control.


Slide 83 - Slide 83

Slide notes

Default rules exist, although they don’t apply any bandwidth restrictions by default, as no Locations have this feature
enabled by default. You can edit the default rules, or add a rule by clicking the Add Bandwidth Control Rule link.


Slide 84 - Slide 84

Slide notes

As always, you can manage Rule Order, Admin Rank (if this feature has been enabled), and Rule Status at the top. You
must also specify a Rule Name.


Slide 85 - Slide 85

Slide notes

You must select the Bandwidth Classes to apply this rule to, from the classes that are available by default, or that you
created earlier.


Slide 86 - Slide 86

Slide notes

Set other Criteria for the rule as required. Probably the most important to set is the Locations that this rule is to apply
to. The other options available are Time and Protocols.

Note that these criteria fields are combined using a logical AND function, and that the time zone that applies here is that
specified on the individual Locations.


Slide 87 - Slide 87

Slide notes

Set the Min. Bandwidth, which is the minimum percentage of a location’s available bandwidth you want to guarantee
for this bandwidth class (both for upload and download).

Note that this setting is only enforced when there is contention on a Location’s connection, and when traffic from the
specified Bandwidth Classes is present (meaning that this is not a reservation).


Slide 88 - Slide 88

Slide notes

Set the Max. Bandwidth, which is the maximum percentage of a location’s available bandwidth you want to guarantee
for this bandwidth class (both for upload and download).

Note that this setting is always applied for the Bandwidth Classes specified, meaning that this traffic can take up to this
percentage of the Location’s bandwidth at any time that it is required, whether or not there is any contention. This value
can be used to cap the bandwidth that an application can consume.

The key concept here is that you will set the policy rules as a percentage of available bandwidth. The amount of
bandwidth for a given site is specified when you create a Location for it.


Slide 89 - Slide 89

Slide notes

Add a Description if necessary, and click Save once you are done.


Slide 90 - Slide 90

Slide notes


Slide 91 - Slide 91

Slide notes

and Activate your changes.


Slide 92 - Slide 92

Slide notes


Slide 93 - Slide 93

Slide notes

To view Zscaler recommendations for configuring Bandwidth Control Policy settings, click the Recommended Policy
link.


Slide 94 - Slide 94

Slide notes

For the Bandwidth Control Policy Zscaler recommends: that you guarantee productivity applications a certain amount
of bandwidth (for example, you can set the minimum bandwidth to 50%); that you restrict large file downloads to a
maximum of 50% of the available bandwidth; and that you allocate the rest of the bandwidth to all other traffic.

For more details on Bandwidth Control, see the module on this topic in the ZCCP materials.


Slide 95 - Web Policy Areas

Slide notes

One of the most important decisions you will need to make for your organization is whether to have the Zscaler service
intercept and inspect SSL traffic. More and more sites are moving to SSL; Google, Facebook, Twitter, and most recently
WhatsApp all require SSL connections.

This means that if you do not enable SSL Inspection you are causing the Zscaler service to be blind to a massive amount
of traffic entering and exiting your network. For this reason, we highly recommend enabling SSL Inspection.


Slide 96 - Slide 96

Slide notes

SSL Inspection is enabled on a per-location basis


Slide 97 - Slide 97

Slide notes

and uses the parameters defined on the Policy > SSL Inspection page.

On this page, you can configure the "If SSL Inspection is Disabled, Block HTTPS to these Sites" policy, in other words
what policy to apply to SSL traffic if you choose not to inspect SSL. So even if you choose not to terminate and scan SSL
traffic, you may still need to configure policy settings for SSL. Here you may: specify URL Categories to block; specify a
list of specific URLs to block; and elect whether to show your users a block notification.


Slide 98 - Slide 98

Slide notes

The next section applies when you HAVE enabled SSL Inspection, and the first option here is to Block
Undecryptable Traffic. This is traffic that uses some kind of non-standard encryption type that Zscaler cannot
decrypt. It is generally recommended that you enable this feature unless you know that you have applications using
non-standard encryption methods.

When you define policy for SSL Inspection, you have the option to configure URL Categories, specific hosts, or Cloud
applications that are not to be inspected. Configure this list carefully because it is applied globally throughout the
organization and takes precedence over per-location SSL scanning settings.

You might start by enabling SSL Inspection for risky URL categories only, such as Security Risk and Legal Liability
categories (for example Adult Content, Gambling, and Unknown/Miscellaneous). Include all categories other than
those you consider risky in the Do Not Inspect Sessions to these URL Categories/Hosts/Applications lists, for which
SSL transactions will not be decrypted. Then, once you are ready, enable SSL inspection for all URL Categories, except
perhaps Banking and Healthcare, to allay privacy concerns within your organization.


Other options here include: what to do with connection requests to untrusted servers, meaning those with only a
self-signed certificate, whether to Allow, Pass Through (the certificate warnings), or Block; whether to block sites with a
revoked certificate; and whether to Enable SSL Scanning for Mobile Traffic (your Zscaler App users).
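
The precedence described in the notes for Slides 96 to 98 can be checked against a planned rollout with a small model. This is an added example, not Zscaler code or a Zscaler API: the class, function names, action labels, the "News" and "Webmail" categories, and the order of the certificate checks are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed category set; "News" and "Webmail" are placeholders,
# the other names appear in the slide notes.
ALL_CATEGORIES = {"Adult Content", "Gambling", "Unknown/Miscellaneous",
                  "Banking", "Healthcare", "News", "Webmail"}

@dataclass
class SslPolicy:
    do_not_inspect: set = field(default_factory=set)     # global exemption list
    block_if_disabled: set = field(default_factory=set)  # "If SSL Inspection is Disabled, Block HTTPS"
    block_undecryptable: bool = True
    untrusted_server: str = "block"                      # "allow" | "pass_through" | "block"
    block_revoked: bool = True

def staged_exemptions(risky):
    """First rollout phase: exempt every category not considered risky."""
    return ALL_CATEGORIES - set(risky)

def decide(policy, location_inspects, category, *, decryptable=True,
           server_cert="trusted"):
    """Action for one HTTPS session; server_cert is 'trusted',
    'self_signed' or 'revoked'."""
    # The global exemption list takes precedence over the per-location setting.
    if category in policy.do_not_inspect:
        return "bypass"
    if not location_inspects:
        # Assumption: the block list is consulted only when the location
        # has inspection turned off, as the option's name suggests.
        return "block" if category in policy.block_if_disabled else "bypass"
    if not decryptable:
        return "block" if policy.block_undecryptable else "bypass"
    if server_cert == "revoked" and policy.block_revoked:
        return "block"
    if server_cert == "self_signed":
        return {"allow": "inspect", "pass_through": "inspect+warn",
                "block": "block"}[policy.untrusted_server]
    return "inspect"

def coverage(policy, location_inspects=True):
    """Categories that are actually decrypted at a given location."""
    return sorted(c for c in ALL_CATEGORIES
                  if decide(policy, location_inspects, c) == "inspect")
```

Running `coverage()` on the phase-one policy and again on the final policy shows how much traffic stays uninspected at each stage, and that a category on the global exemption list is bypassed even at a location with inspection enabled.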


Slide 99 - Slide 99

Slide notes

The last item to cover with regard to SSL Inspection is the SSL certificates used. Remember that the user will be
establishing an SSL connection to Zscaler, and NOT to the server on the original URL, so the SSL certificate that the ZEN
presents to the user must be trusted by the user’s system. There are two ways to achieve this: first, you can download the
Zscaler Intermediate Root Certificate, and distribute it to your end users’ systems; or second, you can use the custom
certificate option.

With the Custom Certificate option, you need to have your company’s Root certificate authority generate an
Intermediate Certificate, and install it to Zscaler through the admin portal. As your users’ systems already trust your
company’s Root CA, they will then be able to trust certificates coming from Zscaler, since they have been signed by your
own Root CA.


Slide 100 - Slide 100

Slide notes

Be sure to Save and Activate any changes that you make on this page. To view Zscaler recommendations for
configuring SSL Inspection settings, click the Recommended Policy link.


Slide 101 - Slide 101

Slide notes

As there are many options and variables when enabling SSL Inspection, Zscaler cannot provide concrete
recommendations. Refer to the on-line documentation for complete configuration guidelines.


Slide 102 - Slide 102

Slide notes

The Zscaler Root Certificate needs to be installed in the Trusted Root Certificate Authorities store on the end users’
systems, which then makes it available to most browsers.


Slide 103 - Slide 103

Slide notes

The Firefox browser, however, does not use the system certificate store, so the Zscaler Root Certificate must be installed
to the Firefox certificate store as well.


Slide 104 - Thank you & Quiz

Slide notes

Thank you for following this Zscaler training module. We hope this module has been useful to you, and thank you for your
time.

Click the X at top right to close this interface, then launch the quiz to test your knowledge of the material presented
during this module. You may retake the quiz as many times as necessary in order to pass.
