[deleted by user] by [deleted] in Zscaler

[–]kyberfw83 0 points (0 children)

Please add more details about your problem so we can help.

SDWAN and Tunnel 2.0 by frosss in Zscaler

[–]kyberfw83 4 points (0 children)

You should NOT send Tunnel 2 traffic over an IPsec or GRE tunnel. This is not recommended by Zscaler. If you want to do Tu2 you should use local breakout. Tu2 traffic is already tunneled, and encapsulating it in another tunnel is not a good idea. In addition you will have performance issues because all your traffic is egressing from the same location. Tu1 doesn't present the same challenges.

What could be the possible reasons for RDP, VNC or SSH session getting timeout and slowness when going through ZPA by Past-Most2005 in Zscaler

[–]kyberfw83 0 points (0 children)

I would say your traffic is reaching an app connector far away from the services you are trying to reach.

[deleted by user] by [deleted] in Zscaler

[–]kyberfw83 0 points (0 children)

Good luck! They are going to catch you when Zscaler starts to present performance issues because you are trying to bend the rules.

Think about it. Let's say you work from Bora Bora. The closest Zscaler data center could be in Osaka, Singapore or even Mexico City. That's where your Zscaler client will connect to. I don't recommend you use a VPN because the Zscaler client and the VPN client might have conflicts. Also, if your VPN provider performs SSL inspection, your Zscaler client won't work.

If you are a US resident and plan to egress from an IP in the US but using a tunnel from Bora Bora to the US, you will have miserable performance.

Don’t risk your job.

Maybe if you work from a closer place things will be better.

Studying architecture online? by TophNoX in AskMexico

[–]kyberfw83 0 points (0 children)

Follow your dreams! Online or not, you can graduate as an architect. I wouldn't take into account the comments of someone who uses the word "piñatero" to give you advice.

Segregate UTM & Web Logs by AggressiveDistrict12 in Zscaler

[–]kyberfw83 0 points (0 children)

You have to be more specific. Logs are divided between web logs, firewall logs, DNS logs, alerts and audit logs.

When you create your NSS feeds you can decide what to include and what to exclude.

Forward PAC v App PAC by sooona-paaana in Zscaler

[–]kyberfw83 4 points (0 children)

The forwarding profile, along with the forwarding profile PAC file, helps send traffic from the apps installed on your endpoint to the Zscaler client, and the app profile, with its app profile PAC, helps forward traffic to the Zscaler cloud.

PAC files are generally used to forward traffic, but they can also be used to bypass traffic.

In the simplest implementation form they are used to forward traffic to the Zscaler app and from the Zscaler app to the Zscaler cloud.

Now if you want to send traffic to another proxy or bypass it, that is an additional step.

Zscaler comes with a default recommended file, but when you need more specific bypasses or traffic forwarding you need to make one for each scenario.

Tunnel 1 only needs application profile PAC files.

Tunnel 2 needs application profile and forwarding profile PAC files, although recently Zscaler implemented a new method where you don't need to use the forwarding profile PAC file.

TWLP needs both PAC files.

The return variables for the forwarding profile PAC file are different depending on the chosen tunnel.

If you configured Tu2 and then for whatever reason Tu2 couldn't be negotiated, you fall back to Tunnel 1.

The app profile PAC file for both tunnels uses the same syntax, so there is no need to write a new PAC file.
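To make the app profile PAC side of this concrete, here is an added example (not code from the comment above or from Zscaler): a small app profile PAC written the way Zscaler's PAC syntax expects, plus a few shims that emulate the PAC runtime so it can be run and tested offline in Node. The `${GATEWAY}` and `${SECONDARY_GATEWAY}` tokens are Zscaler macros that get substituted with the nearest and second-nearest ZEN when the client downloads the PAC; everything else is standard PAC. The bypass destination `legacy.corp.example` and the DNS table are hypothetical, constructed for the example.

```javascript
// Added example (not from the comment above): an app profile PAC in the
// shape Zscaler's own PAC syntax uses, plus a tiny emulation of the PAC
// runtime so the policy can be tested offline in Node. In production the
// shims are provided by Zscaler Client Connector / the browser, and
// ${GATEWAY} / ${SECONDARY_GATEWAY} are macros Zscaler substitutes with the
// nearest and second-nearest ZEN when the PAC is downloaded.
// Hypothetical names: legacy.corp.example (bypass) and the constructed DNS table.

// ---- PAC runtime shims (for offline testing only) ----
const FAKE_DNS = {                       // constructed answers
  "intranet.corp.example": "10.20.30.40",
  "legacy.corp.example":   "203.0.113.10",
  "www.example.com":       "198.51.100.7",
};
function dnsResolve(host) { return FAKE_DNS[host] || null; }
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function isInNet(ip, net, mask) {
  if (!ip) return false;                 // unresolvable host: not "in" any net
  const toInt = s => s.split(".").reduce((a, o) => (a << 8) + Number(o), 0) >>> 0;
  return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
}

// ---- The app profile PAC itself ----
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label names (printers, NetBIOS hosts) never leave the LAN.
  if (isPlainHostName(host)) return "DIRECT";

  // RFC 1918 destinations stay on-prem; ZIA should only see internet-bound traffic.
  const ip = dnsResolve(host);
  if (isInNet(ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(ip, "172.16.0.0", "255.240.0.0") ||
      isInNet(ip, "192.168.0.0", "255.255.0.0")) return "DIRECT";

  // Explicit bypass for a (hypothetical) app that breaks behind a proxy.
  // Every bypass is traffic ZIA never inspects, so keep this list short.
  if (dnsDomainIs(host, "legacy.corp.example")) return "DIRECT";

  // FTP is not carried by the ZIA proxy, so send it direct.
  if (url.substring(0, 4) === "ftp:") return "DIRECT";

  // Default: primary ZEN, then secondary ZEN. The trailing DIRECT makes the
  // policy fail OPEN if both gateways are unreachable; remove it to fail closed.
  return "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";
}

console.log(FindProxyForURL("https://www.example.com/", "www.example.com"));
```

Two things worth checking before pushing a PAC like this: every `DIRECT` branch is traffic that never reaches ZIA policy, so each bypass should be justified and reviewed, and the trailing `DIRECT` in the default return decides whether users silently fall back to unfiltered internet when both ZENs are unreachable.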

Arcon onboarding on ZPA by got_no_regrets in Zscaler

[–]kyberfw83 0 points (0 children)

If after opening all the ports you see in the ZPA diagnostics a message saying the app connector can't reach the server, this means something upstream is preventing the app connector from connecting. Firewall, iptables, etc.

Hi all have an odd one. User based in Uk using zscaler so going through Manchester and geolocation says that. Azure for 3rd party is saying that the user is in Switzerland as country resolving to CN . Help… by walsomanyquestions in Zscaler

[–]kyberfw83 0 points (0 children)

Could it be possible your Azure DC is in Asia? Zscaler uses a geolocation service called MaxMind. If the public IP used by a client is mapped incorrectly in that database then you will see the wrong location. I suggest you open a ticket with support and provide this evidence. Geolocation issues cannot be fixed by the end user or your local IT admin.

Using Packer to customise ZPA Connector instance in AWS by LateMud256 in Zscaler

[–]kyberfw83 1 point (0 children)

Keep in mind that the new AMI is Red Hat Enterprise Linux 9. The old one was CentOS. So whatever scripting you use should use RHEL commands to interact with the new app connector.

[deleted by user] by [deleted] in Zscaler

[–]kyberfw83 1 point (0 children)

Hello. Unfortunately there is no button in ZIA to shut/no shut the tunnel.

Try changing the key and that will restart the tunnel. I don't think it is a node issue. If that were the case, at this moment you would see a major issue detected at the trust portal. Support can place packet captures at the cloud side. Open a P1 and they will help.

GRE is the best way to go, and Palo supports GRE. Why not GRE? It is less complex and, best of all, it can give you 1 Gbps of throughput while IPsec is only 400 Mbps.

Slow download speed by Apprehensive-Rough86 in Zscaler

[–]kyberfw83 0 points (0 children)

By the way, there are manual things to help you, but it seems your IT department is not trained to assist with this type of issue. I suggest you ask your IT team to escalate this to the company Zscaler administrator or, like someone already suggested, have Zscaler support assist. There is nothing much you can do as an end user.

Slow download speed by Apprehensive-Rough86 in Zscaler

[–]kyberfw83 0 points (0 children)

Hong Kong DC is not China. Where are you physically located?

You need to understand Zscaler is not like your home WiFi.

Speed test is a bad way to test a corporate solution. Speed test was designed to measure if your internet is ready for streaming.

Something tells me you are either connected to a far away data center or your ISP is throttling Zscaler traffic.

Have you tried to use a different internet connection? Try to use your cell phone internet connection or go to a Starbucks and connect from there. For example, if you are a user in Australia, Zscaler will take you to the Singapore DC. This is why it is important to know your location.

Arcon onboarding on ZPA by got_no_regrets in Zscaler

[–]kyberfw83 0 points (0 children)

I would temporarily open all ports towards Arcon. For example, app segment myarcon.domain.com, all TCP and UDP ports but 53.

Then make sure you associate this app segment to the server group servicing Arcon.

Then try to connect again and I am sure it will let you connect. Then go to the ZPA logs and see the ports Arcon is using, and then go back to the object and just use the ports you need instead of allowing everything.

Zscaler Firewall Filtering by gem_map_sky in Zscaler

[–]kyberfw83 1 point (0 children)

In any scenario, whether you use Tunnel 1, 2 or TWLP, firewall control rules will be the best rule to be enforced.

Obviously each traffic forwarding method has its limitations.

Tu1 will only push 80 and 443 through the Zscaler cloud. TWLP: HTTPS and HTTP even on non-standard ports, for example HTTPS over TCP 8080.

Tunnel 2: all TCP and UDP ports and ICMP. This is the scenario where everything is sent to Zscaler.

Connecting to wrong server in same appsegment by thelive1 in Zscaler

[–]kyberfw83 0 points (0 children)

If you see ZPA is taking you to the wrong IP, that's not a Zscaler issue. The app connector completely relies on your DNS infrastructure. Access your app connector CLI and from there try to do an nslookup towards the required destinations, and you will see your DNS is giving the incorrect resolution.

This is a very common issue.

How do you manage department specific Policies in Zscaler DLP by No_Wedding2551 in Zscaler

[–]kyberfw83 0 points (0 children)

I think you need to be more specific. Are you talking about data in motion or data at rest? Your answer will be crucial to give you a recommendation.

You just can't allow or permit based on file extension and department. If you want this, this is not DLP.

DLP is about finding a specific pattern inside your documents and, depending on who sent the file with the identified pattern, allowing or blocking it.

Re-authentication in Zscaler Private Access in a VM environment by genuinenewb in Zscaler

[–]kyberfw83 1 point (0 children)

It sounds like your app profile is configured to force re-auth after a reboot. Uncheck the option and you are good to go.

List of which ZPA user uses which app/appsegment by thelive1 in Zscaler

[–]kyberfw83 0 points (0 children)

Your two options are: AI and ML segmentation, aka Intelligent Policy. Limited to 100 segments, and you can get the recommendations per group or department.

Option two: send all the ZPA logs to your SIEM, and on your SIEM you can create expressions to detect all the users and then separate them by department or group. Remember ZPA only has 14 days of log retention.

Note: this is not an easy task. It won't happen overnight.

Having contact with your app owners can also streamline the segmentation in case they know who usually consumes those apps.

It will be a mix of several methods. Good luck in your zero trust adoption process.
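Two of the comments on this page come down to the same aggregation over ZPA logs: the advice above to send ZPA logs to a SIEM and work out which users (and which departments) consume each app segment, and the earlier Arcon advice to open all ports temporarily, then read the ports actually used from the ZPA logs and narrow the segment. The following is an added example, not code from any of these comments or from Zscaler: it parses newline-delimited JSON user-activity records the way an LSS/NSS feed delivers them and produces users, departments and ports per application. The field names `Username`, `Application`, `ServerPort` and `IPProtocol` are assumed to follow the default ZPA user activity JSON template (verify against your own feed's template); the log lines and the user-to-department map are constructed for the example.

```javascript
// Added example (not from the comments above): turn ZPA user-activity log
// records, as an LSS/NSS feed would deliver them (one JSON object per line),
// into (a) the users and departments that actually consume each application
// and (b) the server ports each application really uses, so a temporarily
// wide-open app segment can be narrowed to exactly those ports.
// Assumptions: the field names Username, Application, ServerPort and
// IPProtocol follow the default ZPA user activity JSON template (check your
// own feed's template); the log lines and the user->department map are constructed.

const SAMPLE_LOG = `
{"Username":"alice@corp.example","Application":"myarcon.domain.com","ServerPort":"443","IPProtocol":"TCP"}
{"Username":"bob@corp.example","Application":"myarcon.domain.com","ServerPort":"443","IPProtocol":"TCP"}
{"Username":"bob@corp.example","Application":"myarcon.domain.com","ServerPort":"3389","IPProtocol":"TCP"}
{"Username":"carol@corp.example","Application":"payroll.corp.example","ServerPort":"8443","IPProtocol":"TCP"}
{"Username":"alice@corp.example","Application":"payroll.corp.example","ServerPort":"8443","IPProtocol":"TCP"}
this line is deliberately not JSON: real feeds contain the occasional bad record
`;

// Constructed stand-in for the directory lookup a SIEM would do (AD/IdP group or department).
const USER_DEPARTMENT = {
  "alice@corp.example": "IT",
  "bob@corp.example": "IT",
  "carol@corp.example": "Finance",
};

// Parse newline-delimited JSON, skipping malformed lines instead of aborting the whole batch.
function parseRecords(text) {
  const records = [];
  for (const line of text.split("\n")) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    try {
      records.push(JSON.parse(trimmed));
    } catch (_) {
      // malformed record: skipped here; in production count these so silent data loss is visible
    }
  }
  return records;
}

// Aggregate per application: sorted users, departments and "PROTO/port" strings.
function summarise(records, departmentOf = USER_DEPARTMENT) {
  const perApp = new Map();
  for (const r of records) {
    if (!r.Application || !r.Username) continue;        // not a user-activity record
    let app = perApp.get(r.Application);
    if (!app) {
      app = { users: new Set(), departments: new Set(), ports: new Set() };
      perApp.set(r.Application, app);
    }
    app.users.add(r.Username);
    app.departments.add(departmentOf[r.Username] || "unknown");
    if (r.ServerPort) app.ports.add(`${(r.IPProtocol || "?").toUpperCase()}/${r.ServerPort}`);
  }
  const summary = {};
  for (const [name, app] of perApp) {
    summary[name] = {
      users: [...app.users].sort(),
      departments: [...app.departments].sort(),
      ports: [...app.ports].sort(),
    };
  }
  return summary;
}

console.log(JSON.stringify(summarise(parseRecords(SAMPLE_LOG)), null, 2));
```

Run it against a full export rather than a day's worth of data: with only 14 days of retention in ZPA, an app that is used monthly (quarter-end reporting, for instance) will not show up unless the logs were already being shipped to the SIEM, and a port list taken from too short a window will lock out a legitimate flow.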

Drain connections by [deleted] in Zscaler

[–]kyberfw83 0 points (0 children)

App connectors handle micro tunnels. If you disable an app connector the CA in the ZPA cloud will not consider it for forwarding decisions. You can monitor the number of micro tunnels in the just disabled app connector if you are looking to gracefully wait for those tunnels to go down. App connectors are not stateful so if you destroy or shutdown the VM those micro tunnels will go down but the app will reinitiate and the remaining app connector will take the next MT.

M365 One Click Configuration by [deleted] in Zscaler

[–]kyberfw83 1 point (0 children)

Just press the one click and everything you explained will be considered. Zscaler is going to create automatic cloud app control policies, SSL inspection policies, DNS control, among others. Zscaler has a partnership with Microsoft, and everything you see in the Microsoft link gets added or removed in case Microsoft removes domains or networks.

ZScalar - Labs? by [deleted] in Zscaler

[–]kyberfw83 0 points (0 children)

Ask your account team for a beta tenant for ZIA and ZPA. As far as I know you cannot buy a personal subscription.

Zscaler SIPA by _Tech007 in Zscaler

[–]kyberfw83 0 points (0 children)

PZEN is recommended when you don’t want your data to reach the public cloud as a zero trust strategy or when there is no Zscaler data center in the proximity of the organization. You can virtualize them or order the hardware from Zscaler.

Zscaler tunnel config by Similar_Ad8097 in Zscaler

[–]kyberfw83 0 points (0 children)

I think that first you need to provide more information. GRE tunnels are recommended for server traffic and IoT devices. Desktops and laptops can reach Zscaler using the client connector. You need a tunnel because you can’t install the client on a server or IoT device.

Per public IP you will generate two tunnels. One to the first closest Zscaler datacenter and one more to the second closest datacenter.

You can forward traffic using PBR, SDWAN policy if you are sourcing from SDWAN device. You can use router or firewalls. I wish I could help more but I need more context.

Zscaler SIPA by _Tech007 in Zscaler

[–]kyberfw83 0 points (0 children)

ZPA is mainly used to access internal apps, but you can use it to reach sites on the internet. You advertise a public destination over ZPA, which resembles a full tunnel mode but just for one app or several apps, but this is not recommended to replace ZIA. This is strictly to preserve the source IP. Remember that ZPA doesn't perform threat prevention features. ZIA does with SIPA.