We use the Zscaler app on our desktops and we want to fall back to "block all" if Zscaler fails or is disabled. We tried to set up a group policy that limits outbound access to the Zscaler IP addresses.
We want to block all URL patterns and allow a list of IP addresses in the Whitelist. Is there a way to use CIDR IP addresses instead of URL patterns in the Whitelist?
I've never looked into the Zscaler app before, but am I correct when I say that basically all your outgoing traffic gets tunneled to Zscaler via the app?
If only access to the IPs you listed is needed for that, why don't you use the L3 firewall to block all outgoing access except to those IPs? Seems to me that using the URL blocking feature is not meant for that?
Probably stating the obvious here but test on non-production first 🤣
It looks like there are DNS names you can use instead of IP addresses.
Thanks for the suggestion.
I will add zscaler.net to the whitelist and see if that works.
My original assumption was faulty. I assumed that I would be able to block everything except for Zscaler traffic. This did not work. Even though the traffic is bound for Zscaler, it still gets blocked by the MX.
The Meraki firewall must still see the URL and blocks it.
I think that BrechtSchamp is right. I would have to block traffic at the L3 firewall for this to work.
Thanks for the help.
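As an added example (not code from this thread or from Meraki/Zscaler), here is how the L3 approach BrechtSchamp suggested, and the OP settled on, looks when built as a rule set for the Dashboard API: allow the Zscaler ranges, allow DNS so the client can still resolve its gateway names, then an explicit deny-all so the MX fails closed if the Zscaler app stops. The CIDRs are RFC 5737 documentation ranges standing in for whatever Zscaler publishes for your cloud, the resolver address is assumed, and the API endpoint and field names are the Meraki API v1 layout as I know it, not something stated in the thread. The script also simulates the MX's top-down, first-match evaluation offline, which shows why the final deny matters: a set with no explicit deny falls through to the appliance's default allow-any rule.

```python
"""
Fail-closed outbound rule set for a Meraki MX: allow only the Zscaler ranges
(plus DNS so the client can resolve its gateway), then deny everything else.
Added example: builds the JSON the Dashboard API expects, checks that the set
really fails closed, and simulates the MX's top-down first-match evaluation.
"""
import ipaddress
import json
import os
import urllib.request

# Placeholders (RFC 5737 documentation ranges), NOT real Zscaler addresses:
# replace with the ranges Zscaler publishes for your cloud.
ZSCALER_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]
# Resolver the Zscaler client must reach to resolve its gateway FQDNs (assumed).
DNS_RESOLVERS = ["192.0.2.53/32"]


def _rule(comment, policy, protocol, dest_cidr, dest_port, syslog=False):
    """One L3 outbound rule in the Dashboard API's field layout."""
    return {
        "comment": comment, "policy": policy, "protocol": protocol,
        "srcCidr": "Any", "srcPort": "Any",
        "destCidr": dest_cidr, "destPort": dest_port, "syslogEnabled": syslog,
    }


def build_rules(zscaler_cidrs, dns_resolvers):
    """Allow rules first, explicit deny-all last; the MX's own default rule is allow-any."""
    rules = []
    for cidr in zscaler_cidrs:
        ipaddress.ip_network(cidr)  # a typo here would otherwise allow nothing useful
        rules.append(_rule(f"Zscaler {cidr}", "allow", "any", cidr, "Any"))
    for resolver in dns_resolvers:
        for proto in ("udp", "tcp"):
            rules.append(_rule(f"DNS to {resolver}", "allow", proto, resolver, "53"))
    rules.append(_rule("Fail closed", "deny", "any", "Any", "Any", syslog=True))
    return {"rules": rules, "syslogDefaultRule": False}


def is_fail_closed(ruleset):
    """True only if the last explicit rule denies every protocol to every destination."""
    if not ruleset["rules"]:
        return False
    last = ruleset["rules"][-1]
    return (last["policy"] == "deny" and last["protocol"] == "any"
            and last["destCidr"] == "Any" and last["destPort"] == "Any")


def _port_matches(spec, port):
    """destPort is 'Any', a port, a range 'lo-hi', or a comma-separated list of those."""
    if spec == "Any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _cidr_matches(spec, ip):
    """destCidr is 'Any' or a comma-separated list of CIDRs."""
    if spec == "Any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip()) for c in spec.split(","))


def evaluate(ruleset, dst_ip, protocol, dst_port):
    """First match wins, top down; no match falls through to the MX default (allow)."""
    for rule in ruleset["rules"]:
        if (rule["protocol"] in ("any", protocol)
                and _cidr_matches(rule["destCidr"], dst_ip)
                and _port_matches(rule["destPort"], dst_port)):
            return rule["policy"]
    return "allow"


def push(ruleset, api_key, network_id):
    """PUT the rule set to the Dashboard API (Meraki API v1 layout as assumed; not run offline)."""
    url = f"https://api.meraki.com/api/v1/networks/{network_id}/appliance/firewall/l3FirewallRules"
    req = urllib.request.Request(
        url, data=json.dumps(ruleset).encode(), method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rs = build_rules(ZSCALER_CIDRS, DNS_RESOLVERS)
    print(json.dumps(rs, indent=2))
    print("fails closed:", is_fail_closed(rs))
    for dst, proto, port in [("203.0.113.10", "tcp", 443), ("8.8.8.8", "tcp", 443),
                             ("192.0.2.53", "udp", 53)]:
        print(dst, proto, port, "->", evaluate(rs, dst, proto, port))
    key, net = os.environ.get("MERAKI_API_KEY"), os.environ.get("MERAKI_NETWORK_ID")
    if key and net:  # only push when credentials are supplied in the environment
        push(rs, key, net)
```

Two caveats a practitioner would want: the L3 rule set is evaluated on addresses and ports only, so it does not suffer from the URL-filtering problem the OP ran into, but it also means anything else the client needs (NTP, OS update servers, internal resolvers) must be allowed explicitly above the deny; and published provider ranges change, so the CIDR list has to be regenerated and re-pushed rather than set once. As the thread says, test on a non-production network first.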