URL & SSL Policies Co-Relation

This article explains how the Zscaler service evaluates a URL request when a single URL logically belongs to multiple URL categories and is referenced in both URL Filtering and SSL Inspection policies.

Before looking at how the Zscaler service evaluates a URL request, it helps to understand how Zscaler enforces policy:

Zscaler service uses full-featured inline proxies called ZIA Public Service Edges. They feature Single-Scan, Multi-Action (SSMA) technology. SSMA handles the inspection and then the execution of the policy takes place in the ZIA Public Service Edge's web and firewall modules.

SSMA allows inspection engines to scan all content in a single pass. Packets are placed in shared memory in highly optimized custom servers. All CPUs on a ZIA Public Service Edge can access those packets at the same time. By having dedicated CPUs for each function, all engines can inspect the same packets at the same time. This approach is starkly different from the chained model of physical or virtual appliances, whereby each security service independently processes packets, adding incremental latency at each hop. Due to SSMA technology, the Zscaler service applies policies based on a variety of security engines with minimal latency.

Once the SSMA inspection process is complete, the ZIA Public Service Edge executes policies with specific precedence. Each ZIA Public Service Edge has two main modules for applying policies: a web module and a firewall module.

At a high-level, this is how traffic flows through the modules:

  • Outbound web traffic: When the ZIA Public Service Edge receives outbound web traffic from your organization to the internet, it sends the traffic to its firewall module for policy evaluation. If the traffic violates a firewall policy, it blocks the transaction. If the traffic does not violate any firewall policies, it sends the traffic to the web module for policy evaluation. In the web module, if the traffic violates a web policy, it blocks the transaction. If the traffic does not violate any web policies, it allows the traffic to the internet.

  • Outbound non-web traffic: When the ZIA Public Service Edge receives outbound non-web traffic going to ports other than 80/443 (or other HTTP/S ports), it sends the traffic directly to the firewall module for policy evaluation. If the traffic violates a firewall policy, it blocks the transaction. If the traffic does not violate any firewall policies, it allows the traffic to the internet.

  • Inbound web traffic: When the ZIA Public Service Edge receives inbound web traffic (HTTP/HTTPS traffic on ports 80/443) from the internet in response to HTTP GET/POST requests, it sends the traffic to its web module for policy evaluation. If the traffic violates a web policy, it blocks the transaction. If the traffic does not violate any web policies, it allows the traffic into your organization.

For more detail on how policy enforcement works for web and non-web traffic, see: About Policy Enforcement | Zscaler

Now let's look at how the Zscaler service evaluates a URL request. First, we add some custom categories:

  1. Wildcard Domain - ".razer.com"

  2. Subdomain 1 - "gold.razer.com"

  3. Subdomain 2 - "gold.razer.com"

Note the difference between "Custom URLs" and "URLs Retaining Parent Category"; it is extremely important when creating custom categories in Zscaler.

Custom URLs are only covered by policies that reference this specific custom category. For example, if you enter "gold.razer.com" here, it will no longer be covered by policies that reference Corporate Marketing, its parent URL category.

URLs retaining parent category are covered by policies that reference the original parent category as well as those that reference this custom category. For example, if you enter "gold.razer.com" here, it will be covered by policies that reference this custom category as well as by policies that reference Corporate Marketing, its parent URL category.

Another key point is how URLs are matched once they are placed in custom categories.

An exact match takes priority over a wildcard match. For example, when a user requests "gold.razer.com", a category that contains the exact match "gold.razer.com" takes priority over another category that contains the wildcard match ".gold.razer.com" or ".razer.com".
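The two rules above (exact match beats wildcard match; "Custom URLs" drop the parent category while "URLs Retaining Parent Category" keep it) can be modelled in a few lines. This is an added example, not Zscaler's own code, and it assumes a leading "." covers a domain and all of its subdomains, that the parent category drops out only when a winning entry is a "Custom URLs" entry, and that the article's Subdomain 1 is a "Custom URLs" entry while Subdomain 2 is a "URLs Retaining Parent Category" entry (the article does not say which is which).

```python
# Added example, not Zscaler's own code: models the category-matching rules the
# article describes for a requested hostname against custom URL categories.
from dataclasses import dataclass, field


@dataclass
class Category:
    name: str
    custom_urls: set = field(default_factory=set)   # "Custom URLs"
    retain_urls: set = field(default_factory=set)   # "URLs Retaining Parent Category"

    def entries(self):
        """Yield (url, is_custom) for every entry in the category."""
        for url in self.custom_urls:
            yield url, True
        for url in self.retain_urls:
            yield url, False


def entry_matches(entry: str, host: str) -> bool:
    """Exact entries match the host only; a leading '.' is assumed to cover the
    domain and every subdomain, e.g. '.razer.com' matches razer.com and gold.razer.com."""
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def resolve(host: str, categories: list, parent: str) -> dict:
    """Exact matches beat wildcard matches; the parent category is assumed to
    drop out only when a winning entry is a 'Custom URLs' entry."""
    exact, wildcard = [], []
    for cat in categories:
        for entry, is_custom in cat.entries():
            if entry_matches(entry, host):
                (wildcard if entry.startswith(".") else exact).append((cat.name, is_custom))
    winners = exact or wildcard
    names = sorted({name for name, _ in winners})
    parent_applies = not any(is_custom for _, is_custom in winners)
    if parent_applies:
        names.append(parent)  # still covered by policies referencing the parent
    return {"categories": names, "parent_applies": parent_applies}


# Constructed data mirroring the article's categories; Subdomain 1 is assumed to be
# a "Custom URLs" entry and Subdomain 2 a "URLs Retaining Parent Category" entry.
CATS = [
    Category("Wildcard Domain", custom_urls={".razer.com"}),
    Category("Subdomain 1", custom_urls={"gold.razer.com"}),
    Category("Subdomain 2", retain_urls={"gold.razer.com"}),
]
```

Calling `resolve("gold.razer.com", CATS, "Corporate Marketing")` returns both Subdomain categories and drops the parent, while `resolve("www.razer.com", CATS, "Corporate Marketing")` falls through to the wildcard category only.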

The following scenarios show how the Zscaler service evaluates a URL request when a single URL logically belongs to multiple URL categories and is referenced in both URL Filtering and SSL Inspection policies.

Scenario 1:

This scenario uses the Wildcard Domain ".razer.com".

URL Filtering Policy: [screenshot not reproduced]

Test Result: [screenshot not reproduced]

Web Insight Logs Result: [screenshot not reproduced]

Scenario 2:

This scenario uses the Wildcard Domain ".razer.com".

URL Filtering Policy: [screenshot not reproduced]

Test Result: [screenshot not reproduced]

Web Insight Logs Result: [screenshot not reproduced]

Scenario 3:

This scenario uses the Wildcard Domain ".razer.com" and Subdomain 1 "gold.razer.com". In addition, "Corporate Marketing" is either not referenced by any policy, or its policy order is lower than the policy referencing Wildcard Domain and Subdomain 1.

URL Filtering Policy: [screenshot not reproduced]

Test Result: [screenshot not reproduced]

Web Insight Logs Result: [screenshot not reproduced]

Scenario 4:

This scenario uses the Wildcard Domain ".razer.com" and Subdomain 1 "gold.razer.com". In addition, "Corporate Marketing" is either not referenced by any policy, or its policy order is higher than the policy referencing Wildcard Domain and Subdomain 1.

URL Filtering Policy: [screenshot not reproduced]

Test Result: [screenshot not reproduced]

Web Insight Logs Result: [screenshot not reproduced]

Scenario 5:

This scenario uses the Wildcard Domain ".razer.com", Subdomain 1 "gold.razer.com" and Subdomain 2 "gold.razer.com". In addition, "Corporate Marketing" is either not referenced by any policy, or its policy order is lower than the policy referencing Wildcard Domain or Subdomain 1 or Subdomain 2.

URL Filtering Policy: [screenshot not reproduced]

Test Result: [screenshot not reproduced]

Web Insight Logs Result: [screenshot not reproduced]

Scenario 6:

This scenario uses the Wildcard Domain ".razer.com", Subdomain 1 "gold.razer.com" and Subdomain 2 "gold.razer.com". In addition, "Corporate Marketing" is either not referenced by any policy, or its policy order is lower than the policy referencing Wildcard Domain and Subdomain 1 or Subdomain 2.

URL Filtering Policy: [screenshot not reproduced]

Test Result: [screenshot not reproduced]

Web Insight Logs Result: [screenshot not reproduced]

Scenario 7:

This scenario uses the Wildcard Domain ".razer.com", Subdomain 1 "gold.razer.com" and Subdomain 2 "gold.razer.com". In addition, "Corporate Marketing" is not referenced by any URL Filtering policy but is referenced by an SSL Inspection policy.

SSL Inspection Policy: [screenshot not reproduced]

URL Filtering Policy: [screenshot not reproduced]

Test Result: [screenshot not reproduced]

Web Insight Logs Result: [screenshot not reproduced]

Scenario 8:

This scenario uses the Wildcard Domain ".razer.com", Subdomain 1 "gold.razer.com" and Subdomain 2 "gold.razer.com". In addition, "Corporate Marketing" is not referenced by any URL Filtering or SSL Inspection policy. Subdomain 1 "gold.razer.com" is referenced by an SSL Inspection policy, and Subdomain 2 "gold.razer.com" is referenced by a URL Filtering policy.

SSL Inspection Policy: [screenshot not reproduced]

URL Filtering Policy: [screenshot not reproduced]

Test Result: [screenshot not reproduced]

Web Insight Logs Result: [screenshot not reproduced]

Scenario 9:

This scenario uses the Wildcard Domain ".razer.com", Subdomain 1 "gold.razer.com" and Subdomain 2 "gold.razer.com". In addition, "Corporate Marketing" is not referenced by any URL Filtering or SSL Inspection policy. Wildcard Domain ".razer.com" is referenced in both the URL Filtering and SSL Inspection policies with a lower policy order, Subdomain 1 "gold.razer.com" is referenced by an SSL Inspection policy, and Subdomain 2 "gold.razer.com" is referenced by a URL Filtering policy.

SSL Inspection Policy: [screenshot not reproduced]

URL Filtering Policy: [screenshot not reproduced]

Test Result: [screenshot not reproduced]

Web Insight Logs Result: [screenshot not reproduced]

Scenario 10:

This scenario uses the Wildcard Domain ".razer.com", Subdomain 1 "gold.razer.com" and Subdomain 2 "gold.razer.com". In addition, "Corporate Marketing" is not referenced by any URL Filtering or SSL Inspection policy. Wildcard Domain ".razer.com" is referenced in both the URL Filtering and SSL Inspection policies with a higher policy order, Subdomain 1 "gold.razer.com" is referenced by an SSL Inspection policy, and Subdomain 2 "gold.razer.com" is referenced by a URL Filtering policy.

SSL Inspection Policy: [screenshot not reproduced]

URL Filtering Policy: [screenshot not reproduced]

Test Result: [screenshot not reproduced]

Web Insight Logs Result: [screenshot not reproduced]