Zscaler Digital Transformation - Engineer (WIP) Questions And Answers | Zscaler Digital Transformations Q&A Graded A+
Current Zscaler Stats
150 Zero Trust Exchange data centers worldwide
230B+ Requests processed per day
8.4B+ Security incidents & policy violations prevented per day
250K Unique security updates per day
What are the three levels of Zscaler's multitenant architecture?
1. Central Authority = The Brains
2. Enforcement Nodes & Brokers = The Engines
3. Logging Services = The Memory
What is the Control Plane?
The control plane is where all policy administration and management functions are done, and
where all authentication takes place. It can be thought of as the Central Authority.
What is the Enforcement Node / Public Service Edge?
Zscaler Enforcement Nodes (ZENs) are full-featured, inline internet security gateways within
the Zscaler cloud. They inspect all web traffic bi-directionally for malware and enforce
security and compliance policies. ZENs act as a proxy, handling traffic and applying security
rules. These were relabeled Public Service Edges.
What is the ZIA Central Authority?
The Zscaler Internet Access (ZIA) Central Authority (CA) is the brain and nervous system of
a Zscaler cloud. It monitors the cloud and provides a central location for software and
database updates, policy and configuration settings, and threat intelligence. The CA consists
of one active server and two servers in passive standby mode. The active CA replicates data
in real time to the two standby CAs, so any of them can become active at any time. Each
server is hosted in a separate location to ensure fault tolerance.
What is the ZPA Central Authority?
The Central Authority is also the brains of the Zscaler Private Access cloud: it knows the
applications you define in your application segments, which App Connectors are able to service
requests for them, the health of those App Connectors, and the paths users should take to reach
those applications through those App Connectors. It also manages the visibility of those
applications and gives you real-time updates on them.
How does the Zscaler Central Authority (CA) work?
An administrator logs into the admin interface and receives a security token to access the
data.
Access is determined by RBAC for that administrator, which controls what they are able to
see (e.g. whether they are allowed to view user information in logs) and what they are able to
manage, such as certain security policies, URL filtering policies, firewall policies, etc.
Depending on their access level, admins may or may not be granted a token to access logs,
download or view information, decrypt user information, etc.
How does a user interact with the Public Service Edge (PSE)?
When a user connects, the node pulls down the policy information as a base policy object, then
downloads only the differences between users (User A, User B, etc.). This is done with 192-bit
bitmaps that reference the changes against the base policy.
For traffic inspection, the PSE/ZEN (Zscaler Enforcement Node, the same thing as a PSE)
performs a Single-Scan Multi-Action: the IP header is stripped and the packet is sent off to the
different engines for processing, and the ZEN makes a decision based on their responses.
What is Zscaler's Peering Policy?
Open, anyone can request access to peer.
How does Zscaler provide fault tolerance in their DCs?
Within the data centers there are multiple service instances: N+1 redundancy for every one of
the Zscaler Enforcement Nodes, and N+2 redundancy for the Central Authority (the brains of
the cloud) as well as for the logging services of the cloud. Within those cloud nodes there are
also load balancers.
Describe Zscaler's Order of Execution
What is a Subcloud?
A subcloud is a subset of ZIA Public Service Edges, which are full-featured secure internet
gateways that inspect all web traffic bi-directionally for malware and enforce security,
compliance and next-generation firewall (NGFW) policies. Subclouds are also of interest if
you have Private Service Edges, or if you want to restrict access to Public Service Edges.
They are useful to geofence users to specific locations, to flip to different DCs if one is having
issues, etc.
How do you set up a Subcloud?
You must use a custom PAC file that does not use the variables gateway.<Zscaler cloud> or
${GATEWAY} in its return statement.
Use the following hostnames for applications that don't support PAC files:
gateway.<Subcloud>.<Zscaler cloud>
secondary.gateway.<Subcloud>.<Zscaler cloud>
Use the following variables in PAC files:
${GATEWAY.<Subcloud>.<Zscaler cloud>}
${SECONDARY.GATEWAY.<Subcloud>.<Zscaler cloud>}
Use the following variables for Kerberos:
${GATEWAY.<Subcloud>.<Zscaler cloud>_HOST}
${SECONDARY.GATEWAY.<Subcloud>.<Zscaler cloud>_HOST}
For example, if you want to restrict traffic forwarding to data centers in the US only,
configure your PAC files to use the Zscaler-managed subcloud CONUS on any of the
following clouds:
zscaler.net
zscalertwo.net
zscalerthree.net
Use the variables ${GATEWAY.CONUS.<Zscaler cloud>} and
${SECONDARY.GATEWAY.CONUS.<Zscaler cloud>} in the return statement of your
PAC file.
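A custom PAC file pinned to the CONUS subcloud, together with a check for the forbidden cloud-wide variables. This is an added example written for this guide, not Zscaler's own PAC file. It assumes the zscaler.net cloud, proxy port 80 (the port Zscaler's default PAC uses), a constructed intranet.example.com domain, and a hypothetical checkSubcloudPac lint; the PAC helper functions are stand-ins for the ones the PAC runtime provides, added only so the file also runs under Node:

```javascript
// Added example, not Zscaler's code: a custom PAC file pinned to the
// Zscaler-managed CONUS subcloud on the zscaler.net cloud, plus a lint that
// rejects the cloud-wide gateway variables a subcloud PAC must not use.

// PAC runtimes (browsers, Client Connector) provide these helpers. Minimal
// stand-ins are defined here only so the file also runs under Node for tests.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function shExpMatch(str, pattern) {
  // Translate a shell-style glob ('*' and '?') into an anchored regex.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
  return re.test(str);
}

function FindProxyForURL(url, host) {
  // Unqualified names and the corporate intranet never leave the LAN
  // (intranet.example.com is a constructed placeholder domain).
  if (isPlainHostName(host) || dnsDomainIs(host, ".intranet.example.com")) {
    return "DIRECT";
  }
  // FTP is not handled by the web proxy.
  if (shExpMatch(url, "ftp:*")) {
    return "DIRECT";
  }
  // Everything else goes to a US-only Public Service Edge. The tokens must
  // appear verbatim: the Zscaler PAC server substitutes them textually when it
  // serves the file, so assembling them by string concatenation would defeat
  // the substitution. Port 80 is the port in Zscaler's default PAC (assumed).
  return "PROXY ${GATEWAY.CONUS.zscaler.net}:80; PROXY ${SECONDARY.GATEWAY.CONUS.zscaler.net}:80; DIRECT";
}

// Hypothetical lint for the rule above: a subcloud PAC must not fall back to
// the cloud-wide tokens, which would let traffic land on any Public Service
// Edge. Covers the three clouds named on the page; extend for others.
const CLOUD_WIDE_TOKENS = [
  /\$\{GATEWAY\}/,                                            // cloud-wide primary token
  /\$\{SECONDARY_GATEWAY\}/,                                  // its secondary, as in Zscaler's default PAC
  /\b(?:secondary\.)?gateway\.zscaler(?:two|three)?\.net\b/i, // gateway.<Zscaler cloud> host form
];
const SUBCLOUD_TOKEN = /\$\{GATEWAY\.[A-Za-z0-9-]+\.zscaler(?:two|three)?\.net\}/;

function checkSubcloudPac(pacSource) {
  const problems = [];
  for (const re of CLOUD_WIDE_TOKENS) {
    const m = pacSource.match(re);
    if (m) problems.push("cloud-wide gateway reference: " + m[0]);
  }
  if (!SUBCLOUD_TOKEN.test(pacSource)) {
    problems.push("no subcloud gateway token in the file");
  }
  return { ok: problems.length === 0, problems };
}

// Usage: lint this file's own PAC function before uploading it to the portal.
console.log(checkSubcloudPac(FindProxyForURL.toString()));
```

Upload the file through the admin portal so the Zscaler PAC server performs the token substitution when it serves it; the lint can run in CI against the PAC source before upload to catch a return statement that still references the cloud-wide gateways.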
What is Zscaler's position on China traffic and operations?
The first thing to think about is that Zscaler is simply an overlay network. We don't provide a VPN.
We're not obfuscating the traffic. We're also not a content provider. We're a viable security
solution to provide inspection and policy around a customer's traffic before it egresses to the
internet. We don't generate traffic, we don't generate requests or create content.
It's a simple security posture for customers. Users generate the request and they're accessing
content that is provided by something else. Zscaler is applying that security policy. As an
overlay network, Zscaler must comply and operate within the laws and regulations of the
country where our nodes are hosted, including China.
What is China Premium Access?
With Premium Access, customers are using the Zscaler Enforcement Nodes that are publicly
available in our data center. We are peered with multiple partners with bandwidth-based
entitlement. Customers connect with Zscaler Client Connector or IPSec/GRE to the Zscaler
enforcement nodes, and then they hit the edge router inside of China. Anything that's
domestic will just route from there.
Anything that is external to China then has to pass through the Chinese firewall before it gets
out to the internet. And because it's a multi-tenant environment with a shared address, we
have to make sure that the policy that's applied on those nodes is effectively the minimum
that is allowed through the China firewall. We will overly block things to prevent
overblocking for all users going through the China firewall.
Why does Zscaler rate limit API calls? What error will you get?
Both to make sure the code is written efficiently, as well as to protect the Zscaler cloud for
reliability, availability, and scalability. If rate limiting kicks in, the user or the API call will
get an HTTP 429 (Too Many Requests) error.
How is an API Authenticated Session created?
Generate an API key for Zscaler Internet Access, obfuscate the API key, POST the obfuscated
key (together with your admin credentials and the timestamp used for the obfuscation) to
Zscaler, and you'll get back a JSESSIONID cookie that you use for subsequent calls.
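The rate-limit handling and the session creation described in the two answers above, as an added Node.js example that is not Zscaler's code. The key obfuscation follows the timestamp-based scheme Zscaler documents for the apiKey field of /api/v1/authenticatedSession; the API host zsapi.zscaler.net, the ZIA_* environment variable names, and the retryDelayMs and sessionCookieFrom helpers are this example's own assumptions:

```javascript
// Added example, not Zscaler's code: open a ZIA API authenticated session and
// back off correctly when the cloud answers 429. The obfuscation is the
// timestamp-based scheme Zscaler documents for the apiKey field; the API host,
// the env-var names and the helper names are this example's own assumptions.

// Obfuscate the API key with the request's millisecond timestamp. The cloud
// recomputes the same value from the "timestamp" field, so it can check that
// the caller holds the real 12-character key without the key crossing the wire.
function obfuscateApiKey(apiKey, nowMs) {
  if (typeof apiKey !== "string" || apiKey.length < 12) {
    throw new Error("API key must be at least 12 characters");
  }
  const n = String(nowMs).slice(-6);                       // last six digits of the timestamp
  const r = String(parseInt(n, 10) >> 1).padStart(6, "0"); // n / 2, zero-padded to six digits
  let key = "";
  for (const d of n) key += apiKey[parseInt(d, 10)];       // picks positions 0..9
  for (const d of r) key += apiKey[parseInt(d, 10) + 2];   // picks positions 2..11
  return key;
}

// Body of POST /api/v1/authenticatedSession: obfuscated key, admin credentials
// and the very timestamp used for the obfuscation (as a string).
function buildAuthBody(username, password, apiKey, nowMs) {
  return {
    apiKey: obfuscateApiKey(apiKey, nowMs),
    username,
    password,
    timestamp: String(nowMs),
  };
}

// How long to wait after a 429: honour Retry-After when the cloud sends it,
// otherwise back off exponentially (capped at 60 s) so a buggy loop cannot
// hammer the API. Any other status needs no wait.
function retryDelayMs(status, retryAfterHeader, attempt) {
  if (status !== 429) return 0;
  const seconds = parseInt(retryAfterHeader, 10);
  if (Number.isFinite(seconds) && seconds >= 0) return seconds * 1000;
  return Math.min(60000, 1000 * 2 ** attempt);
}

// Pull the JSESSIONID cookie out of a Set-Cookie header; it is the session
// credential for every subsequent call (send it back in the Cookie header).
function sessionCookieFrom(setCookieHeader) {
  const m = (setCookieHeader || "").match(/JSESSIONID=[^;,\s]+/);
  return m ? m[0] : null;
}

// Assumption: zsapi.zscaler.net serves the zscaler.net cloud; other clouds have
// their own API host. fetchImpl is injectable so the flow can be tested offline.
async function createSession(baseUrl, username, password, apiKey, fetchImpl = fetch) {
  for (let attempt = 0; attempt < 5; attempt++) {
    const res = await fetchImpl(baseUrl + "/api/v1/authenticatedSession", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(buildAuthBody(username, password, apiKey, Date.now())),
    });
    if (res.status === 429) {
      const wait = retryDelayMs(res.status, res.headers.get("Retry-After"), attempt);
      await new Promise((resolve) => setTimeout(resolve, wait));
      continue;
    }
    if (!res.ok) throw new Error("authenticatedSession failed: HTTP " + res.status);
    const cookie = sessionCookieFrom(res.headers.get("set-cookie"));
    if (!cookie) throw new Error("no JSESSIONID in response");
    return cookie; // send as the Cookie header; DELETE the same URL to log out when done
  }
  throw new Error("still rate limited after 5 attempts");
}

// Runs only when credentials are supplied in the environment (assumed names).
if (process.env.ZIA_USERNAME) {
  createSession("https://zsapi.zscaler.net", process.env.ZIA_USERNAME,
                process.env.ZIA_PASSWORD, process.env.ZIA_API_KEY)
    .then((cookie) => console.log("session established:", cookie))
    .catch((err) => console.error(err.message));
}
```

The obfuscation is not encryption: it only proves possession of the key for one timestamp, so the session must still go over TLS and the JSESSIONID must be treated as a bearer credential and logged out with a DELETE when the script finishes.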
What are some of the API Schemas?
There are APIs for URL categorization, URL lookups, blacklist/whitelist management, user
management, admin log exports, and SSL certificate management (including rotating your SSL
certificates). There are APIs for creating IPSec and GRE tunnels and for registering IP
addresses, and there are APIs for Sandbox as well as for cloud firewall configuration.