Restricting Groups
AD FS 2.0 federates all the groups of a user, by default. You can restrict the groups to only those to which policies will be applied. Zscaler recommends putting users in groups that...
Bandwidth quota and Bandwidth control
Bandwidth Quota: The bandwidth quota includes data uploaded to and downloaded from the URL category. To enforce the quota on specific users, groups, or departments, SSL inspection and authentication must...
Tips : Zscaler Portal
Tips: Custom URL. 1. We can add 25000 custom URLs across all categories. 2. We can add 48 custom categories. 3. We can add 30 keywords per category. 4. We can add 1000 keywords across...
Troubleshoot: Split brain seen intermittently on FGT a-p HA
Fortinet TAC requires the details below to investigate the issue further. Provide the following from both HA units in 2 separate files: #get system status #get system performance status #diag sys top 1 40...
Forward specific URL or domain traffic using FOR loop
Route specific URL or domain traffic to an internal proxy and all other traffic to Zscaler. function FindProxyForURL(url, host) {// Route the .cn domains to Specific Internal proxy_list var...
FTP Control
By default, the Zscaler service does not allow users from a location to upload or download files from FTP sites. You can configure the FTP Control policy to allow access to specific sites....
SSL VPN conserve mode, one-time login per user, WAN link load balancing
SSL VPN conserve mode: FortiGate units perform all security profile processing in physical RAM. Since each model has a limited amount of memory, kernel conserve mode is activated when the remaining free...
Client device certificate authentication with multiple groups
Supported FortiOS version: 5.6.2. In the following example, we require clients connecting to a FortiGate SSL VPN to have a device certificate...
Generate a self-signed SSL certificate using the OpenSSL for DPI / Full...
To generate a self-signed SSL certificate using OpenSSL, complete the following steps: 1. Write down the Common Name (CN) for your SSL certificate. The CN is the fully qualified name for the...
Creating CA, server and client certificates using OpenSSL for SSL VPN
Prerequisites: 1. Go to “cd /opt/edoceo/etc/ssl”. 2. OpenSSL root CA configuration file. # Copy to...
openssl.cnf
# OpenSSL root CA configuration file.
# Copy to '/opt/edoceo/etc/ssl#/openssl.cnf'.
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir =...
Reverse proxy web caching and SSL offloading for an Internet web server
Supported version: FortiOS 5.4.x. In this configuration, clients on the Internet use HTTP and HTTPS to browse to a web server that...
How to configure SSL Inspection for Chrome browser and delete HSTS from browsers
HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol...
Authenticating SSL VPN users using LDAP
Registering the LDAP server on the FortiGate; Importing LDAP users; Creating the SSL VPN user group; Creating the SSL address range; Configuring the SSL VPN...
About Policy Based Routing
Traditional routing is destination-based, meaning packets are routed based on destination IP address. However, it is difficult to change the routing of specific traffic in a...
Using Fiddler to debug SAML tokens issued from ADFS
Many applications want to federate and leverage certain attributes like nameid (nameidentifier), but the problem is the format is wildly different...
Common issues or queries when using PAC file
My web browser doesn’t seem to be using the PAC file despite the PAC URL being configured; what are some possible reasons for this? Ensure that the web server has a MIME type...
ZAPP On - Captive Portal Detection
A forwarding mechanism like a GRE/IPSec tunnel to Zscaler with ZAPP On will be the best approach if we don’t default route to the gateway. Few DNS mappings might be...
Time Intervals
You can define time intervals for use in policies. For example, if you want to block users from accessing shopping sites from 8 AM to 5 PM on weekdays, you can create a time interval...
Improve upload/download speed of SSL VPN users
The Datagram Transport Layer Security (DTLS) protocol is supported for SSL VPN connections. DTLS tunneling implementation avoids TCP over TCP issues and...
Allow specific channels while blocking access to the rest of YouTube
The following configuration explains how to allow certain content while still blocking access to the rest of YouTube. Create a custom...
Personal Gmail restrictions for specific group only
In Zscaler, as of now, there is no option to block personal Gmail only for a specific group. But there is an option to allow only specific domains...
HTTP header trace in Chrome and Mozilla Firefox
To capture HTTP headers in Chrome: Open the developer tools window by pressing CTRL + SHIFT + i, or open the menu on the top-right corner and select More Tools > Developer Tools. Click the Network...
Client to Client communication in Zscaler Private Access
Validating a client hostname allows you to enable client-based remote assistance. To enable remote assistance, a regular expression of allowed...
Internal Error Please contact Administrator (3005)
This error used to be seen when deploying ZCC on user machines. In most cases this issue was not solved by retrying, connecting from another Internet connection, and...