Zscaler Internet Access
  • 29 Sep 2024

Zscaler Internet Access is a cloud-based secure services edge (SSE) solution that provides users with secure access to the internet, regardless of their location or device. It offers advanced features such as web filtering, threat protection, data loss prevention (DLP), and SSL inspection to protect against web-based threats and enforce security policies.

INTEGRATION: S3, HTTP Collector (CloudNSS)

TABLES: Detection Finding, Data Security Finding, Authentication, Network activity, HTTP Activity, DNS Activity

Integration

DataBee ingests ZIA web, firewall, DNS and DLP events via CloudNSS.

ZIA supports two ways of sending events using CloudNSS:

  • Pushing logs via HTTP/s

  • S3 bucket

DataBee supports both methods.

Sending logs from Zscaler via HTTP/s

DataBee Configuration

In this step, we will get the URL and tokens for Zscaler to use when sending events to DataBee.

The high-level steps are:

  1. Add a Zscaler Data Source with JSON formatted logs

  2. Get Authorization token, DatasourceID and TenantID

Detailed steps can be found at https://docs.databee.buzz/docs/http-collector

Zscaler Configuration (HTTP/s)

We will need to configure ZIA to send logs to the DataBee HTTP collector.

  1. Log into the Zscaler console as an Administrator

  2. Navigate to the Administration button on the left and click on Nanolog Streaming Service

  3. Click on the Cloud NSS tab and add a new feed.

  4. Enter the following details:

  • Authorization

  • DatasourceID

  • TenantID

  • Select the log type that needs to be forwarded.

  • Set Feed Output Type to JSON.

Sending logs from Zscaler via S3

Sending logs using S3 will require the proper roles and permissions to be set up on AWS.

AWS Configuration

S3 setup is only required if S3 is the chosen destination for CloudNSS. If CloudNSS sends logs directly to DataBee's HTTP endpoint, this step can be skipped.

The integration of Cloud NSS and Amazon S3 provides long-term log retention, preprocessing of log data before ingestion, and compatibility with analytics solutions that can easily read log data from S3 buckets.  

Create a User Group in AWS IAM   

To create an AWS IAM user group:  

1. Log in to the AWS Management Console.  

2. In the search bar, enter IAM and select IAM.  

3. In the left-side navigation, go to Access Management > User groups.

4. Click Create group. The Create user group page appears.  

5. On the Create user group page, create a user group:  

a. Enter a name for the user group (e.g., Zscaler_Group_Test).  

b. Skip the options to add users and attach permissions policies.  

c. Click Create group. You are redirected to the User groups page and a success message appears. 

Create a User and Access Key in AWS IAM  

To create a user and access key in AWS IAM:  

1. In the left-side navigation of IAM, go to Access Management > Users.  

2. Click Add users. The Create user wizard appears.  

3. In the Create user wizard, create a user:  

a. Enter a user name (e.g., Zscaler_User_Test), then click Next.  

b. Add the user to the newly created user group (e.g., Zscaler_Group_Test), then click Next.

c. Review your choices, then click Create user.  

You are redirected to the Users page and a success message appears.  

4. Click View user in the success message, or use the search bar to find the user by name, then select the new user.

5. On the Summary page for the newly created user, scroll down and click the Security credentials tab.  

6. On the Security credentials tab, scroll down to the Access keys section and click Create access key. The Create access key wizard appears.

7. In the Create access key wizard, create an access key:  

a. Select a use case, then click Next.  

b. Click Create access key.  

A success message appears.  

c. Click Download .csv file to download and save a CSV file containing the access key ID and secret access key required for creating a Cloud NSS feed in the ZIA Admin Portal.

Create an S3 Bucket and Folder in Amazon S3  

To create an S3 bucket and folder in Amazon S3:  

1. In the search bar at the top of the screen, enter S3 and select S3.  

2. In the left-side navigation, go to Buckets.  

3. Click Create bucket. The Create bucket page appears.  

4. On the Create bucket page, create a bucket:  

a. Enter a name for the bucket (e.g., zscaler-bucket-test). The bucket name is part of its Amazon Resource Name (ARN), which is required for creating a policy in AWS.

b. Select your AWS Region. The region is part of the URL required for creating a Cloud NSS feed in the ZIA Admin Portal.

c. (Optional) Maintain the default configurations for the remaining settings (e.g., Bucket Versioning, Default encryption, etc.).

d. Click Create bucket.  

You are redirected to the Buckets page and a success message appears.

5. Click View details in the success message, or use the search bar to find the bucket by name, then select the new bucket.

6. On the Objects tab of the bucket page, click Create folder. The Create folder page appears.

7. On the Create folder page, create a folder:  

a. Enter a Folder name (e.g., logs-test).  

b. Maintain the default Server-side encryption settings and click Create folder.  

You are redirected to the bucket page and a success message appears.  

8. Select the folder and click Copy URL. Save the URL (e.g., https://zscaler-bucket-test.s3.us-west-2.amazonaws.com/logs-test/) required for creating a Cloud NSS feed in the ZIA Admin Portal. The name of your region (e.g., us-west-2) must be present in the URL.

9. Click the Properties tab, then copy and save the ARN (e.g., arn:aws:s3:::zscaler-bucket-test) required for creating a policy in AWS.

Create a Policy Granting the User Group Access to the S3 Bucket in Amazon IAM  

A policy is a JSON document in AWS that specifies who has access to AWS resources and what actions they can perform on those resources. You can attach a policy to an identity (e.g., user group) or resource (e.g., S3 bucket) to define its permissions.

To integrate with Cloud NSS, the user group (e.g., Zscaler_Group_Test) needs permission to perform the PutObject action on the S3 bucket (e.g., zscaler-bucket-test). The PutObject action adds an object to a bucket. The user must have WRITE permissions to perform the PutObject action.

To create a policy granting the user group PutObject access to the S3 bucket:  

1. Go to the IAM Management Console.  

2. In the left-side navigation, go to Access management > Policies.  

3. Click Create policy. The Create policy wizard appears.

4. In the Create policy wizard, create a policy:  

a. Click the JSON tab.

b. In the JSON editor, write a policy that allows PutObject access to the S3 bucket (e.g., zscaler-bucket-test). See the following example.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PutObjectActions",
          "Effect": "Allow",
          "Action": ["s3:PutObject"],
          "Resource": ["arn:aws:s3:::zscaler-bucket-test/*"]
        }
      ]
    }

c. Click Next: Tags.  

d. Click Next: Review.

e. Enter a name for the policy (e.g., zscaler_policy_test).

f. Review the policy Summary information and click Create policy.

You are redirected to the Policies page and a success message appears.  

5. Attach the policy to the newly created user group:  

a. Click the link in the success message, or use the search bar to filter the policies by name, then select the new policy (e.g., zscaler_policy_test). The policy Summary page appears.

b. On the policy Summary page, click the Policy usage tab, then click Attach. The Attach policy page appears.

c. On the Attach policy page, search for and select the newly created user group (e.g., zscaler_group_test), then click Attach policy.

You are redirected to the Summary page, which shows the user group (e.g., zscaler_group_test) under Permissions.  
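The following check is an added example, not part of the original article or of DataBee's or Zscaler's tooling: it parses the S3 folder URL saved in step 8, rejects a URL without a region, and verifies that a policy grants only s3:PutObject inside that bucket. The function names, the probe object name and BROAD_POLICY are constructed for illustration; Condition blocks are not evaluated.

```python
import fnmatch
import re

# Virtual-hosted-style URL with an explicit region, the form saved in step 8 above.
S3_URL = re.compile(r"^https://([a-z0-9.-]{3,63})\.s3\.([a-z0-9-]+)\.amazonaws\.com/(.*)$")

def parse_folder_url(url):
    """Split an S3 folder URL into (bucket, region, prefix); reject region-less URLs."""
    m = S3_URL.match(url)
    if not m or not m.group(3).endswith("/"):
        raise ValueError("expected https://<bucket>.s3.<region>.amazonaws.com/<folder>/")
    return m.groups()

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_policy(policy, folder_url):
    """Return findings for a feed-writer policy; an empty list means write-only and scoped."""
    bucket, _region, prefix = parse_folder_url(folder_url)
    probe = f"arn:aws:s3:::{bucket}/{prefix}probe.gz"  # constructed object name
    findings, can_write = [], False
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append("NotAction/NotResource grants everything not listed")
        actions, resources = as_list(st.get("Action", [])), as_list(st.get("Resource", []))
        findings += [f"extra action allowed: {a}" for a in actions if a.lower() != "s3:putobject"]
        findings += [f"resource outside feed bucket: {r}" for r in resources
                     if not r.startswith(f"arn:aws:s3:::{bucket}/")]
        # IAM wildcards (* and ?) behave like shell globs; action names are case-insensitive.
        if any(fnmatch.fnmatchcase("s3:putobject", a.lower()) for a in actions) and \
           any(fnmatch.fnmatchcase(probe, r) for r in resources):
            can_write = True
    if not can_write:
        findings.append("policy does not allow s3:PutObject under the feed folder")
    return findings

FOLDER_URL = "https://zscaler-bucket-test.s3.us-west-2.amazonaws.com/logs-test/"
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PutObjectActions", "Effect": "Allow",
    "Action": ["s3:PutObject"], "Resource": ["arn:aws:s3:::zscaler-bucket-test/*"]}]}
# Constructed for contrast: a policy that grants far more than the feed needs.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_POLICY), ("broad policy", BROAD_POLICY)):
        print(name, "->", audit_policy(pol, FOLDER_URL) or "OK")
```

A Resource narrowed to arn:aws:s3:::zscaler-bucket-test/logs-test/* also passes the check and limits the feed's access key to the folder it writes to.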

 


Zscaler Configuration (S3)

Log in to the Zscaler console as an Administrator and go to Nanolog Streaming Service.

Go to the Cloud NSS Feeds tab and add a new destination.

See Adding Cloud NSS Feeds and select the type of feed (e.g., Web Logs, Firewall Logs, DNS Logs, etc.) that you want to configure. The following fields require specific inputs:

• SIEM Type: Select S3.  

• AWS Access Id: Enter the access key ID for the user created in AWS.  

• AWS Secret Key: Enter the secret access key for the user created in AWS.  

• Max Batch Size: This field shows the default maximum batch size for the log type (e.g., 32 MB for Web Log, 8 MB for Tunnel, etc.). Optionally, you can enter a value between 1 MB and 32 MB.

• S3 Folder URL: Enter the URL of the folder created in the S3 bucket (e.g., https://zscaler-bucket-test.s3.us-west-2.amazonaws.com/logs-test/).  

• Feed Output Type: Select JSON.  

• Feed Escape Character: Enter ,\".  

• Feed Output Format: Zscaler recommends adding "time":"%d{epochtime}" to the Feed Output Format.  

