🔍 Filter Releases
Internet & SaaS (ZIA)
Service - zscaler.net
Increased File Size Support for Advanced Detections
With the Advanced Detections package for Advanced Sandbox, you can analyze EXE and DLL files with sizes up to 200 MB. To learn more, see About Sandbox....
Support for AI/ML Detection Source
The Zscaler Admin Console is enhanced with the ability to view the AI/ML detection source for your Internet & SaaS (ZIA) traffic. The following updates are available: Web Insights LogsThe AI/ML Detection Source filter and column are added to the Web Insights Logs p...
Support for DLP Scan Timeout Identifiers in Web Insights Logs
You can filter and view logs for specific DLP identifiers of transactions that were exempted from policy enforcement due to a scan timeout. As part of the update, the following changes are available in the Zscaler Admin Console: Web Insights LogsThe filter an...
Support for Restoring Quarantined Files in Salesforce
You can now restore quarantined Salesforce files to their original location with the Restore remediation action on the SaaS Security Assets page. See image. This action is available only for files initially quarantined...
Third-Party Proxies and Gateways Limits
You can add up to 256 proxies and proxy gateways for third-party proxy services (Infrastructure > Internet & SaaS > Network Policies > Proxies & Gateways) in the Zscaler Admin Console. To learn more, see <a href="https://help.zscaler.com/unified/ranges-limitations" target="_blank" data-enti...
Additional Support for Predefined DLP Dictionaries in Endpoint DLP
The following predefined Data Loss Prevention (DLP) dictionaries are now supported for use in Endpoint DLP policy rules: • Addresses (Japan) • First Names (J...
Enhancement to Cloud Application Instances
The cloud application instances feature is extended to new cloud applications. You can create cloud application instances for the following cloud applications: • Google Gemini <li dat...
Instance Discovery Report Support for Azure
You can view the Instance Discovery Report for Microsoft Azure; this application supports three levels of discovery: • Domain • Tenant <li data-list-item...
Updates to Malware Protection Policy Endpoints
You can update the Malware Protection policy and retrieve the Malware Protection policy for an organization using the following endpoints: • "GET /malwarePolicy" <li data-list-item-id="e83742e3c2bff0a63...
Updates to NSS Collector Server Endpoints
You can add, update, and delete NSS Collector servers and retrieve a list of all configured NSS Collector servers for an organization using the following endpoints: • "GET /nssCollectors" <li data-list-...
Updates to Secure Browsing and Votiro CDR Endpoints
You can retrieve a list of all supported browsers and their versions and update the Smart Browser Isolation policy settings using the following endpoints: • "GET /browserControlSettings/supportedBrowserVersions</...
Updates to the IPS Control Policy Endpoints
You can create, update, delete, and retrieve custom IPS signature rules using the following endpoints: • "GET /ipsSignatureRules" • "POST /ip...
Support for New Workday Filters and Prompts
You can use a new filter Last Functionally Updated to easily identify recently modified records when creating custom reports in Workday. Additionally, the prompts Starting Prompt and Ending Prompt fields provide greater control and precision when defining report parameters. <p...
Expanded SSPM Controls for Google Workspace
Advanced SaaS Security Posture Management (SSPM) expands its coverage for Google Workspace with 24 new SSPM controls, providing deeper visibility and stronger security posture assessment. The Cloud Identity license must be assigned to the Google Workspace Admin onboarding...
Gen AI Prompt Configuration for QuillBot and Google AI
Zscaler's Gen AI prompt configuration is extended to the QuillBot and Google AI generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen...
Policy Level Gen AI Prompt Configuration
You can capture end user prompts for generative AI applications from the Cloud Application Control policy. This allows granular control of Gen AI prompt configuration. As part of this update, the Capture Prompts option is added to the Add/Edit AI & ML Rule window (Policies > Acce...
Enabling Incident Forwarding for Slack Chats
Zscaler is now forwarding Slack chat-based DLP policy incidents to the Zscaler Incident Response and Zscaler Workflow Automation along with already supported file-based violations. These incidents are also sent to Web Insights and Logs and to the respective DLP policy's auditor. To lea...
NSS Support for Admin Audit, ZIdentity Authentication, and ZIdentity SCIM Logs
The following enhancements are available for the NSS Feeds and Cloud NSS Feeds: • New log types, ZIdentity Authentication and ZIdentity SCIM, are added to the NSS for Web type. These log types provide support for the ZIdentity Authent...
DLP Support for New PII Dictionaries
The following are new predefined DLP dictionaries: • Argentina Uniform Bank Code: Detect Leakage of CBU • Cambodian National ID: Detect Leakage...
Support for Collaboration Scope for Microsoft Teams
When creating a DLP rule for Microsoft Teams, you can define the collaboration scope as External, Internal, or Any to scan messages and attachments in channels containing external, internal, or any (internal or external) members. <a class="image-icon" href="#collab-scope-dl...
Support for Smartsheet as an API-Based Platform in Advanced SSPM
Advanced SSPM supports Smartsheet as an API-based platform to provide visibility into posture misconfigurations. You can onboard a Smartsheet tenant from the 3rd-Party App Governance Admin Portal. See image. To...
Enhancement to Atlassian Integration in 3rd-Party App Governance
The Add Integration window for Atlassian in 3rd-Party App Governance is enhanced to allow you to enter the Atlassian subdomain and API token while adding the integration. This reduces the number of steps and simplifies the integration process to improve the user experience. <p...
Add or Remove NTP Servers Using CLI
You can add or remove custom NTP servers from the configuration files using CLI commands. This prevents syntax errors and duplicate entries in the configuration files. To learn more, see <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-internet-saas-ntp-server-synchron...
Default Rules for Advanced Sandbox
If your organization is subscribed to the Advanced Sandbox package, the following default rules are available: • Sandbox_Docs_Trusted • Sandbox_Docs_Archives • Sandbox_Exes_We...
DLP Rule Name Support for Web DLP Reports and Insights
Users can schedule Web DLP incident reports by DLP Rule Name to improve visibility and monitor incident counts in the Zscaler Admin Console: Data Type DLP Rule Name is introduced in the Interactive Reports widgets and Web Insights. <a class="image-icon" href="#dlp-rul...
Document Classification and Logging for Email DLP Insights
AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Email DLP Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classific...
Enhancements to Predefined O365 One Click rule in SSL/TLS Inspection Policy
You can choose Evaluate Other Policies or Bypass Other Policies under the Do Not Inspect action in the O365 One Click predefined rule in the SSL/TLS Inspection Policy. This allows you to configure the predefined O365 One Click rule to either evaluate other policies (i.e., URL Fil...
Exclude Selected URL Classes & Categories from NSS Feeds
Filters to include or exclude selected URL classes, URL categories, and URL super categories have been added to NSS and Cloud NSS feeds for web logs. When configuring a feed, you can select the respective URL classes and categories and include them in the logs by default or choos...
New Network Applications in Firewall Control
The Zscaler service extends support to identify two new network applications, namely Kafka (Application Service category) and Zalo (Instant Messaging category). You can view these apps on the Network Applications page and configure them in Firewall Filtering rules to identify and...
Support for Cloud NSS Feeds for Alerts
You can configure a separate Cloud NSS feed for alerts, enabling you to monitor your Cloud NSS feeds for data lag, data loss, and the connection to your cloud-based security information and event management (SIEM) system. <a class="image-icon" href="#img-cloud-nss-alert-fee...
API Session Timeout
When configuring advanced settings (Policies > Common Configuration > Advanced > Advanced Settings), you can specify how long API-initiated sessions can be inactive before they are forced to reauthenticate. The timeout duration can range from 5 to 20 minutes. <a class="imag...
Subdocument Type Support in Data Discovery Report
The Data Discovery Report is enhanced to include subdocument type support, providing enhanced visibility via an interactive bubble chart for ML categories. This chart utilizes nested bubbles to represent granular subdocument types, such as tax forms and legal contracts. By drilli...
Update to Workload Groups Endpoints
You can delete a list of workload groups for an organization using the "DELETE /workloadGroups" endpoint. To learn more, go to "DELETE /workloadGroups" from Workload Groups. To learn more about...
Client Browser for Zero Trust Browser
Zero Trust Browser has been updated with several significant changes to provide seamless and secure enterprise access from any browser. The solution consists of three primary components: a browser extension that handles web-based security and access, a lightweight agent that enforces device postu...
Enhancement to Advanced Threat Protection Policy
Advanced Threat Protection now enables users to allow the Web Proxy Auto-Discovery (WPAD) protocol from external sources to automatically discover proxy settings by locating PAC files via DHCP or DNS queries. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanced-threat-pro...
Outbound Email DLP Quarantine with Release or Delete Emails in Workflow Automation
Zscaler now supports the Quarantine action when configuring Outbound Email DLP policies for Microsoft Exchange. When Quarantine is selected, emails that match policy criteria are quarantined directly in Microsoft Exchange. To use the Quarantine feature, go to Policy > Email DLP a...
Advanced SSPM Support for Lucidchart
Advanced SSPM supports a new platform, Lucidchart. You can onboard a Lucidchart tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/connecti...
Support for Zendesk as an API-Based Platform in Advanced SSPM
Advanced SSPM supports Zendesk as an API-based platform. You can onboard a Zendesk tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/conne...
Document Classification and Logging for SaaS Security API, Email, and Endpoint DLP
AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classification of d...
Enhancement to Gen AI Prompt Configuration
The generative AI prompt configuration is extended to the Grammarly application. As part of this change, the Grammarly option is added to the Policy > URL & Cloud App Control > Advanced Policy Settings page. <a class="image-ic...
Expanded SSPM Controls for Microsoft Copilot
Advanced SaaS Security Posture Management (SSPM) expands its coverage for Microsoft Copilot with 15 new SSPM controls, providing deeper visibility and stronger security posture assessment....
Support for Microsoft Copilot Readiness Assessment
Organizations face a significant security risk when users inadvertently overshare or mishandle sensitive internal files. The integration of AI tools, such as Microsoft Copilot, intensifies this risk, as these tools can access information within the improperly shared files, leadin...
Cloud Custom IPS Enhancements
Custom IPS is supported on Zscaler's public cloud, allowing you to create and deploy custom IPS signature rules without requiring any additional infrastructure (previously required a Private Service Edge deployment). You can inspect traffic transiting the Zscaler cloud again...
Support for Workday Tenant RaaS-based API Access
Workday tenants now support RaaS-based API access which enables secure, programmatic retrieval of data and management through web services. Existing Workday tenants need to be reauthenticated by editing the tenant and revalidating. To learn more, see <a href="https://help.zscaler.com/zia/ad...
Support in SaaS Security Data at Rest DLP Policy for Quarantine of Sensitive Content in Microsoft Teams
The SaaS Security Data at Rest Scanning policy supports a new option to quarantine sensitive content in Microsoft Teams. You can specify a tombstone message that end users see when messages or files in Microsoft Teams are quarantined. <a class="image-icon" href="#ZIA-Webex-...
Advanced SaaS Security Posture Management Support for Oracle Financials Cloud
You can configure Advanced SaaS Security Posture Management (SSPM) for Oracle Financials Cloud tenants. Select the SSPM Scan checkbox when onboarding a tenant to enable the Advanced SSPM scan capability for the specific tenant. <a class="image-icon" href="#Oracle-sspm-onboa...
Application Investigation in Endpoint Data Scan
Zscaler's Application Investigation is a solution that provides comprehensive visibility and automated risk management for an organization's application ecosystem by delivering a clear view of all software in use, including unauthorized AI tools and unapproved browsers....
DLP Operational in Endpoint Data Scan
The Zscaler DLP Operational page (Analytics > Endpoint Data Scan > DLP Operational) provides insights into the endpoint's status, thereby ensuring that the system functions properly and as designed to avoid sensitive data leakage. <a class="image-icon" href="#D...
Exact Data Matching in Endpoint Data Scan
Zscaler has introduced Exact Data Matching (EDM) for Endpoint Data Loss Prevention (DLP) which provides protection for structured sensitive data. This feature utilizes a unique hybrid architecture where the endpoint performs local prefiltering to identify candidate files for clou...
Filtering by User Group in Endpoint Data Scan
Administrators can filter data on the Endpoint Data Scan page (Analytics > Endpoint Data Scan > Endpoint Data Scan) by a specific user group. See image. To learn more, see <a href="https://help.zscaler.com/legacy-zia/abo...
New Bandwidth Control Fields for Transactions
Web Insights are enhanced to allow users to view the latency caused by bandwidth control on transactions in the ZIA Admin Portal. Web Insights LogsThe following new columns and filters are available in the Web Insights Logs: • Request Latency Due to Bandwi...
Share Files Externally in Endpoint Data Scan
Share Files Externally provides a capability for Endpoint DLP that allows authorized users to securely share sensitive files with external partners by encrypting the data into a secure HTML format, ensuring that only verified recipients can access the content. You can acces...
Support for CIDR and Regex on Network Share DLP Resources
The Zscaler service supports using Classless Inter-Domain Routing (CIDR) ranges and regular expressions for advanced matching when creating or editing network shares for Endpoint Data Loss Prevention (DLP) resources. The following image shows a regular expression that matches all...
Support for Network Type on Endpoint DLP Policy Rules
The Zscaler service supports specifying a network type (e.g., Trusted, Off-Trusted, VPN) for the Network Share, Printing, and Device Control channels when creating policy rules for Endpoint Data Loss Prevention (DLP). • Endpoints must be running Zscaler...
Enhancement to Firewall Policies Endpoints
A new query parameter, "ruleLabelId", is available for the "GET /firewallFilteringRules" and "GET /firewallFilteringRules/count" endpoints. The "ruleLabelId" query parameter allows you to filter Firewall Filtering rules based on the rule label ID. To le...
Enhancements to Admin Role Management
On the Internet & SaaS > Role Management page, in the Policy & Components > Access Control tab, the URL Filtering and Cloud App Control policy permissions are separated to provide admins more granular control over those features. <a class="image-icon" href=...
Expanded SSPM Controls for Salesforce
Advanced SaaS Security Posture Management (SSPM) expands its coverage for Salesforce with three new SSPM controls, providing deeper visibility and stronger security posture assessment....
SSL Inspection and SSL Policy Renamed to SSL/TLS Inspection and SSL/TLS Policy
The labels SSL Inspection and SSL policy are renamed to SSL/TLS Inspection and SSL/TLS policy. See image. Refer to the following table for a list of updated labels: Old UI Labels...
Support for Certificate-based Authentication with Microsoft Applications for a Custom Zscaler Connector
When you create a custom Zscaler connector for a Microsoft application, you have the option to choose whether you want to provide a client secret or a private key in the Zscaler Admin Console so that the Zscaler service can access the application. SharePoint, Copilot, and Microso...
Updates to Recipient Email Profile Endpoints
You can create, update, and delete recipient email profiles, retrieve a list of all recipient email profiles, and obtain the count of recipient email profiles for an organization using the following endpoints: • "GET /emailRecipientProfile" • "POST...
Introducing Flexible Permission Selection for SSPM Connectors
The SaaS application tenants GitHub, Jira, Okta, Confluence, Trello, Webex Teams, and Google Workspace now have the option to onboard for SaaS Security Posture Management (SSPM) scan by choosing Read-only or Read/Write (full access) for the connector role...
Enhancements to Endpoint DLP for macOS
The following enhancements are available in Zscaler Endpoint Data Loss Prevention (DLP) for macOS: Support for Endpoint DLP Block Action for Printing on macOSThe Zscaler service supports the Block action for printing from macOS devices in Endpoint DLP rules with co...
Security Fixes
Proper neutralization of user input in specific input fields in the ZIA Admin Portal no longer allows an authenticated administrator to access unauthorized internal information in rare conditions (CVE-2026-22568)....
Advanced SaaS Security Posture Management Support for JumpCloud
You can configure Advanced SaaS Security Posture Management (SSPM) for JumpCloud tenants. Select the SSPM Scan checkbox when onboarding a JumpCloud tenant to enable the Advanced SSPM scan capability for the specific tenant. <a class="image-icon" href="#JumpCloud-sspm-onboar...
Insights Logs Improvements & Enhancements
The Insights Logs pages now feature asynchronous log retrieval. This enhancement allows users to continue working without interruption while queries are executed in the background, significantly improving their user experience. The following enhancements are available for I...
Advanced SSPM Support for Airtable
Advanced SSPM supports a new platform, Airtable. You can onboard an Airtable tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integrating...
Advanced SSPM Support for Bitwarden
Advanced SSPM supports a new platform, Bitwarden. You can onboard a Bitwarden tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integratin...
Advanced SSPM Support for Sentry
Advanced SSPM supports a new platform, Sentry. You can onboard a Sentry tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integrating-sent...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Support for OneLogin as an API-Based Platform in Advanced SSPM
Advanced SSPM supports OneLogin as an API-based platform. You can onboard a OneLogin tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/int...
Logs for MCP Transactions
The application activity MCP is added to the Web Insights Logs to log Model Context Protocol (MCP) transactions in the ZIA Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/web-insights-logs...
Expanded File Type Support for Sandbox
The Zscaler Sandbox now supports the Optical Disc Image (iso) file type. See image. To learn more, see <a href="https://help.zscaler.com/zia/about-sandbox" target="_blank" data-entity-type="node" data-entity-uuid="b6501cfa-e...
Regex Patterns in Custom URL Categories
The custom URL category supports regex patterns, enabling you to match multiple URLs with a single pattern and flexible configuration of custom URL categories. As part of this update, in the Administration > URL Categories > Add URL Category window, the URL Type toggle has been a...
DLP and File Type Support for MSIX Files
The File Type Control and Data Loss Prevention (DLP) policies now support MSIX files in the Executable category. • File Type Control • DLP - Rule without Content Matching <p...
Enhancement to Extranet Application Support
Extranet Application Support can be configured bidirectionally, allowing partners to access your organization's resources securely. Extranet Application Support is a feature in limited availability. To access Extranet Application Support, contact your Zsca...
Sandbox Verdict Logging
Zscaler supports comprehensive logging of Sandbox analysis activities through Insights Logs and the Nanolog Streaming Service (NSS). You can log and view details of all files that went through behavioral analysis regardless of the verdict (e.g., Suspicious Content, Benign). With the following enh...
Enhanced Flexibility in the URL Filtering Policy Rule Creation
You can apply either "OR" or "AND" logical operator between the Users, Groups, and Departments criteria in the URL Filtering Policy rules. This allows you to create granular policy rules using a combination of logical operators (i.e., "OR" or <cod...
Enhancement to Zscaler Cloud Performance Test Tool
The Zscaler Cloud Performance Test Tool allows you to view only the domain part of the traffic or email, and the user name is hidden. For example, johndoe@zscaler.com is visible as xxxxxxx@zscaler.com. See image. To learn m...
Increased AWS Account IDs in Tenant Profiles
You can add up to 512 account IDs per tenant profile for AWS and there can be a maximum of 4,096 account IDs across all profiles. To learn more, see Adding Tenant Profiles and <a href="https://help.zscaler...
NSS Support for Hyper-V
Zscaler’s Nanolog Streaming Service (NSS) supports the configuration and deployment of an NSS virtual machine (VM) on Hyper-V. After deploying an NSS VM, you can stream your organization’s web or firewall logs from the Zscaler cloud to your security information and event ma...
NSS Support for Nutanix
Zscaler’s Nanolog Streaming Service (NSS) supports the configuration and deployment of an NSS virtual machine (VM) on Nutanix. After deploying an NSS VM, you can stream your organization’s Web or Firewall logs from the Zscaler cloud to your security information and event ma...
Update to Admin Audit Logs and Event Logs API Endpoints
When you request report generation using "POST /auditlogEntryReport" or "POST /eventlogEntryReport", it returns an HTTP "200 OK" status code with the "statusId" in the response (previously returned "204" status code). This "statusId</cod...
Enhancements to 3rd-Party App Governance and Advanced SSPM
The following enhancements are available in 3rd-Party App Governance and Advanced SSPM: SettingsThe SaaS Tenants and Notifications tabs are added to the Settings page. These tabs allow you to view and manage the onboarded SaaS tenants and also configure Slack and e...
Sandboxing Password-Protected PDF Files for Isolation
Zscaler Isolation now supports password-protected PDF files to be <a href="https://help.zscaler.com/zia/about-sandbox" target="_blank" data-entity-type="node" data-entity-uuid="b6501cfa-e4fc-40ad-9568-c79e8ff2240e" data-entity-subst...
Deprecation of SSPM Policies for Microsoft 365
The following policies are deprecated for Microsoft 365 in both SaaS Security Posture Management (SSPM) Essentials and Advanced SSPM: • Set Automated Notifications for New and Trending Cloud Applications in Our Organization • Set Automated Notification for New OAuth Applications Co...
Enhanced Logging of Collaborator Group Members
This enhancement allows you to view logs for individual members within a collaborator group. As part of the update, the following changes are available in the ZIA Admin Portal: SaaS Security Insights Logs and SaaS Security Assets with IncidentsWhen an individual file is shared with...
Enhancement to URL Filtering Policy Page
On the URL Filtering Policy page (Policy > URL & Cloud App Control > URL Filtering Policy), the URL Filtering rules are paginated with up to 100 rules displayed per page. See image. You can filter and search for URL Filteri...
Enhancement to Virtual Service Edges
The following platforms support 64 GB of RAM and 3 antivirus (AV) engines per Virtual Service Edge: • <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-clusters" target="_blank" data-entity-type="node" data-entity-uuid="0f1a169d-6547-4d25-a778-b2f20da57fa4" data-enti...
Gen AI Prompt Obfuscation
Generative AI (Gen AI) prompts that are displayed in the Web Insights Logs can be obfuscated when adding admin roles. <p...
Granular Control for Atlassian AI Application
You can allow or block the use of embedded AI applications on Atlassian sites and enable or disable Zscaler to store the generative AI prompts entered in these embedded AI applications per cloud app control rule. As part of this feature, the following fields appear in the Add/Edi...
Logs for Email Received and Sent Time
The following enhancements are available for Insights and NSS Feeds in the ZIA Admin Portal to record the time Zscaler either received or sent an email response. Insights LogsNew columns Zscaler Sent Time and Zscaler Received Time are added to Email DLP Insights Lo...
Pattern Requirements for Custom DLP Dictionaries
For custom Data Loss Prevention (DLP) dictionaries that use patterns with lookaround constructs (also known as zero-length assertions), the Zscaler service now enforces the following restrictions: • You must select Match Any Patterns and Any Phrases as the Match Type.</l...
Support for Adjustable Polling Intervals
When scheduling a scan for SaaS applications tenants (Policy > SaaS Security > Scan Configuration > Add Scan Schedule), you can also configure the polling interval based on how often you want the system to scan the application. <a class="image-icon" href="#polling-intervals...
Support for Number of Collaborators for File Sharing Apps in DLP
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as scoping criteria for all file sharing applications, including Box, Dropbox, Confluence, ShareFile, and Smartsheet. Administrators can monitor fi...
Support for Quarantine File to Desired Location for File Sharing Apps
The support for quarantining files in a desired location has been extended to all file sharing apps, including Box, Dropbox, Confluence, ShareFile, and Smartsheet. This feature was already available for Google Drive, OneDrive, and SharePoint apps. You can specify a quarantine loc...
Automatic Local Language Translation for Isolation in ZIA
Automatic language translation is globally available for Isolation. The isolated session localizes the language based on the user's browser language settings, and displays that language on the rendered web page. To learn more, see <a href="https://help.zscaler.com/isolation/understandi...
Original URL for Isolation Profiles in ZIA
Original URL has replaced Local Browser Rendering in Isolation. It is now an option that admins can configure in isolation profiles. This means that the user of the isolation profile sees the native browser URL of the web p...
Visual Indicator for Turbo Mode in Isolation for ZIA
If Turbo Mode is enabled on an isolation profile and the user also has hardware acceleration enabled, the appearance of the zGPU icon next to the Turbo Mode command is displayed in the Isolation Bar. See image. To...
Updates to Firewall Dashboard and Insights
On the Firewall Insights page (Analytics > Firewall Insights), the maximum number of rules displayed for the Rule Name data type has been increased. When using bar or table charts, you can view up to the top 4,000 rules (in increments of 500, 1,000, 2,000, and 4,000) by selecting...
Create VM Instance using the Virtual Service Edge Amazon Web Services Terraform Modules
You can create a virtual machine (VM) in Amazon Web Services (AWS) using the Virtual Service Edge Terraform modules. To learn more, see <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-amazon-web-services" target="_blank" data-entity-type="node" data-entity-uuid="64393...
Gen AI Prompt Configuration for Claude and Mistral
Zscaler's Gen AI prompt configuration is extended to the Claude and Mistral generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen-ai-...
Enhancement to Filters in 3rd-Party App Governance and Advanced SSPM
In the App Inventory and User Inventory, and on the Posture page, the filter options that don't currently exist in your organization display separately and do not return results. You can still select them when creating new views and policies. If a new app i...
Support for GitHub User Email Enrichment in 3rd-Party App Governance
The Users page displays multiple emails in addition to public emails for GitHub users. These emails are associated with the domain of the organization that owns the GitHub account. This enhancement improves the ability to find user and admin emails from outside the domain.</span...
Support for Google Workspace OU Segregation
You can segregate your Google Workspace integration by organizational units (OUs) in 3rd-Party App Governance. This segregation ensures that each OU can access only its relevant users, applications, and posture data, while maintaining consolidated tenant management f...
Updates to 3rd-Party App Governance API
The 3rd-Party App Governance API adds a new endpoint, "/app_views/{appViewId}/accounts", to retrieve users' email addresses associated with specific app IDs. "/app_views/{appViewId}/apps_extended" provides the total number of enabled users "totalenabledusers<...
Enhancements to Endpoint DLP for Windows
The following enhancements are available in Zscaler Endpoint Data Loss Prevention (DLP) for Windows: Endpoint DLP Support for Clipboard and Application File AccessTo access this feature, contact your Zscaler Account team. Endpoint DLP supports mo...
Support for New SSPM Controls for GitHub
The number of SaaS Security Posture Management (SSPM) controls for GitHub in Advanced SSPM has been increased. Eleven new SSPM controls are supported for GitHub....
Traffic Capture for NDR
The Zscaler service can capture traffic in multiple ways: • Traffic Capture Essentials: Capture traffic as PCAP files with supported actions in ZIA policies when traffic matches policy criteria. • Traffic Capture for Network Detection and Response (NDR): Capture tr...
Web EUN for DNS Control Policy
The DNS Control policy includes an option to display a notification to end users when the policy blocks access to specific domains. Zscaler hosts this End User Notification (EUN) page, eliminating the need for organizations to host their own EUN web page. The DNS EUN web page inf...
Apply MIP Label as Manual Remediation Action in SaaS Security Assets
For file sharing applications OneDrive and SharePoint, you can apply the MIP label as a manual remediation action from the SaaS Security Assets with Incidents page (Analytics > SaaS Security > Assets > click an application or tenant). <a class="image-icon" href="#apply_mip_...
Additional Logging of Users Performing Actions on File
You can identify and report not only the owner of the file, but also the user who last modified or shared a file that caused a DLP violation, in the ZIA Admin Portal. As part of this feature, the following enhancements are available for Insights Logs and NSS Feeds: Insight...
Create VM Instance using the Virtual Service Edge Azure Terraform Modules
You can create a virtual machine (VM) in Azure using the Virtual Service Edge Terraform modules. To learn more, see Configuring Virtual Service Edge for Microsoft Azure....
Enhancement to Custom Views in 3rd-Party App Governance
When creating and saving a custom view in 3rd-Party App Governance, you can update the saved view to include your current tenant selection on the global platform filters. See image. To learn more, see <...
Creative Commons Search Results
Zscaler supports Creative Commons (CC) search for certain search engines (i.e., Bing, Google, and Yahoo). This allows you to see only search results that are licensed under CC. The Enable Creative Commons Search Results option is added to the Policy > URL & Cloud App Control > Ad...
Zscaler Client Connector EUNs for Firewall, DNS, and IPS Policies
Beginning with Zscaler Client Connector version 4.8 for Windows, ZIA Firewall policies—including Firewall Filtering, DNS Control, and IPS Control—support end user notifications (EUNs) via Zscaler Client Connector. When configuring these policy rules, you can select to show a noti...
Support for Sublocation Scopes
You can define scope types and values to map the workload traffic to a sublocation. Defining scopes allows you to apply granular ZIA and Cloud Connector security policies to the workload traffic from that sublocation. You can configure scopes only for Workload traffic type subloc...
JWT Authentication
JSON Web Token (JWT) authentication is available for Zscaler Cloud & Branch Connector workloads. JWT authentication is enabled when configuring locations. <a class="image-icon" href="#enable-jw...
JWT Authentication Support for Workloads on Management Portal for Partners
The ZIA Admin Portal supports a new method, JWT authentication, to authenticate workloads from Cloud & Branch Connector. In the Management Portal for Partners, you can enable this feature in ZIA for your tenants by using the JWT Auth for Workload field on the Tenant Details...
Support for Enhanced US Driver's License Dictionary and Sub-Dictionaries
The Zscaler service supports the Enhanced Driver's License (United States) predefined Data Loss Prevention (DLP) dictionary. The parent dictionary contains predefined sub-dictionaries for all 50 U.S. states, plus the District of Columbia, and each sub-dictionary can be indiv...
Updates to SaaS Security Endpoints
You can retrieve the SaaS Security Scan Configuration information and the validation status of a SaaS application tenant using the following endpoints: • "GET /casbTenant/scanInfo" • "GET /casbTenant/validate/status/{tenantId}" To...
Automatic Session Restore for Isolation
Isolated sessions now automatically restore their web pages if they time out on a user's device. If a session is idle for longer than the timeout of 10 minutes, the isolated page automatically refreshes itself, and the user does not have to sign in again. When this action occurs, the banner...
Original URL of Website Name in Isolation
The UI is updated so that when users enter an isolated session, they now see the original URL of the website they are on instead of the isolation web page URL. This change provides users with an experience with a look and feel more like a native browser compared to the container view of being iso...
New AI/ML Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Document Classification and Logging
AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classification of documents that are...
Enhancement to SafeSearch
SafeSearch allows granular control of applications. This allows you to apply SafeSearch to specific applications. As part of this change, on the Advanced Policy Settings page (Policies > URL & Cloud App Control > Advanced Policy Settings), the SafeSearch Applications drop-down ap...
File Type Support for File Type Control & DLP
The File Type Control and Data Loss Prevention (DLP) policies support the following file types in the Other category: • UTF-8 BOM • UTF-16 LE • UTF-16 BE The file types are available when creating the following policies: <l...
New Network Applications in Firewall Control
Zscaler includes support for identifying several new network applications using deep packet inspection and controlling the network application traffic using Firewall Filtering rules. These network applications are listed on the Network Applications page (Administration > Network...
Shadow IT Report Enhancements
You can view information about the number of transactions per application based on their status (blocked or allowed) in the Cloud Applications table of the Shadow IT Report. A new column, No. of Transactions, is added to the Cloud Applications table. <a class="image-i...
Support for Adaptive Access Engine
Adaptive Access Engine dynamically manages access based on real-time assessments of risk and trust by continuously evaluating contextual signals, user behavior, device health, location, and other factors to determine whether to allow or block access to websites or apps at any giv...
Support for Custom File Types in DLP and File Type Control Policies
You can create custom file types and use them when creating Data Loss Prevention (DLP) and File Type Control policies. You can then filter and view logs for these custom file types in Web Insights Logs and the Nanolog Streaming Service (NSS). <a class="image-icon" href="#ad...
Support for Custom File Types in File Type Policies and DLP
The File Type Control and Data Loss Prevention (DLP) policies now support custom file types with extension-based detection. On the Management Portal for Partners, partner tenants can see a new field, Custom File Type Limit, in their Technical Information section. The Custom...
Support for Quarantine File to Desired Location
The SaaS Security Data at Rest Scanning DLP and Malware policies support specifying the location to quarantine files for the file sharing applications Google Drive, Microsoft OneDrive, and Microsoft SharePoint. SaaS Application Tenant OnboardingOnboarding a SaaS ap...
Support for New SSPM Controls for Snowflake
The number of SaaS Security Posture Management (SSPM) controls for Snowflake in Advanced SSPM has been increased. Forty-six new SSPM controls are supported for Snowflake....
Logs for Post-Quantum Cryptography Visibility
Zscaler is proactively preparing for post-quantum cryptography (PQC) by evaluating quantum-safe algorithms, supporting hybrid encryption systems, and enabling scalable integration of quantum-resilient technologies across its cloud infrastructure. Zscaler collaborates globally wit...
Async Location Download
For organizations that have thousands of locations or sublocations, the loading time on the Locations page and in any policy that references locations when selected might incur noticeable loading time to retrieve and display the full location list. To learn more, see <a href="https://help.z...
Enhancement to the IP Destination Groups Endpoint
A new query parameter "override" is available for the "PUT /ipDestinationGroups/{ipGroupId}" endpoint. The "override" parameter is a Boolean that you can set to override IPs when required. To learn more, go to "PUT /ipDestinationGroups/{ipGroupId}</code...
Gen AI Application Category in NSS Feeds for SaaS Security Logs
Gen AI is added as an application category in NSS and Cloud NSS feeds for SaaS Security Logs. When configuring a feed, you can select the Gen AI application category and available generative AI SaaS applications (e.g., ChatGPT) to stream the related logs from Zscaler to your secu...
Update to Cloud Nanolog Streaming Service (NSS) Endpoints
The Cloud Nanolog Streaming Service (NSS) endpoint category in the cloud service API includes a new endpoint, "GET /nssDownload/{nssId}", that enables you to download the NSS virtual appliance information based on the specified NSS server ID. To learn more about...
Updates to Virtual Service Edge Endpoints
You can create, update, and delete a ZIA Virtual Service Edge and retrieve the Virtual Service Edge for an organization using the following endpoints: • "GET /virtualZenNodes" • "POST /virtualZenNodes" • "GET /virtualZenNodes/{virtu...
Updates to Workload Groups Endpoints
You can add workload groups for an organization and update, delete, and retrieve the workload groups by specifying the ID using the following endpoints: • "POST /workloadGroups" • "GET /workloadGroups/{workloadGroupId}" • "PUT /wor...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Advanced SaaS Security Posture Management Support for Docusign
Docusign is supported as a SaaS application tenant and can be onboarded for Advanced SaaS Security Posture Management (SSPM) scans. See image. When onboarding a Docusign tenant, you can enable Advanced SSPM scanning by selec...
SSL Inspection for IoT Devices
You can specify the type of IoT devices to perform or bypass SSL Inspection. Admins can create an SSL Inspection policy based on IoT AI/ML classifications to perform or bypass SSL Insepction. This enhancement requires IoT enablement for your organization. <p...
Support for New SaaS Application Tenant
Microsoft Copilot is supported as a SaaS application tenant and can be onboarded for Advanced SaaS Security Posture Management (SSPM) scans. See image. When onboarding a Microsoft Copilot tenant, you can enable Advanced S...
Strict Checking of Popular Date Formats in EDM
To obtain access to this feature, contact Zscaler Support. You can configure Data Loss Prevention (DLP) Exact Data Match (EDM) to have strict checking against popular date formats. This feature supports 6- to 8-digit date formats that contain hyphens (<co...
Support for Expandable Limit for Users, Groups, Locations, & Departments in Policies
The default limit of Users, Groups, Locations and Departments in policies has been increased to 32 from 4 and 8. This limit can be further expanded on a need basis. You can contact the Zscaler Sales or Zscaler Account team to further increase this limit, if required. On the Management Porta...
Source Countries for the URL Filtering Rules
You can select the countries from which traffic originates for the URL Filtering rules. This allows you to control the traffic originating from specific countries. As part of this change, the Source Countries field is added to the Add URL Filtering Rule window (Policies > URL & C...
Support for Expandable Limit for Users, Groups, Locations, & Departments per Rule
The limit of users, groups, departments, and locations for a rule is increased to 32 from 4 users, 8 groups, 8 departments, and 8 locations. You can contact Zscaler Support to increase this limit further as needed. The following categories under the policy are supported: • Bandwidt...
Enhancements to App Panel and Control Panel
A Notes tab is added to the App Panel in 3rd-Party App Governance and the Control Panel in Advanced SaaS Security Posture Management (SSPM). This tab allows you to communicate with and leave notes for multiple other users. You can add notes to each app or control and also comment...
New Endpoints for 3rd-Party App Governance
The 3rd-Party App Governance API adds the following new endpoints to perform bulk actions as well as retrieve scan results and lists of filters and controls from the Posture page in the 3rd-Party App Governance Admin Portal: • "/posture/controls/status" • "/posture/...
Support for Cloud-to-Cloud Forwarding in DLP
You can now forward information about transactions that violate various Data Loss Prevention (DLP) incidents directly to your appliances you've defined in the ZIA Admin Portal by going to Administration > Data Loss Prevention and selecting Cloud-to-Cloud Forwarding. <a...
Gen AI Security Report Enhancements
The Gen AI Security Report is improved, making it interactive and intuitive, with the following enhancements: • Option to view the sanctioned and unsanctioned Gen AI application usage. • Prompt Classification to categorize the prompts used in the Gen AI application...
Improvements to the Zscaler Incident Receiver JSON Metadata File
To help improve incident management on the Zscaler Incident Receiver, the JSON file that contains Data Loss Prevention (DLP) policy scan metadata for Inline Web DLP policy violations (with Evaluate All Rules mode enabled) has been updated with the following fields: • "otherMatchedRu...
Third-Party URL Category Lookup
Zscaler supports lookup for uncategorized URLs using a third-party database. You can control the lookup for such uncategorized URLs using the newly added Enable 3rd-Party URL Category Lookup option on the Advanced Policy Settings tab (Policy > URL & Cloud App Control). <a c...
OpenOffice File Type Support for DLP
The Data Loss Prevention (DLP) policies support the OpenOffice Drawings (.odg, .otg) file type in the OpenOffice category: • DLP - Rule with Content Inspection To learn more, see <a href="https://h...
Search for Configuration Changes in Audit Logs
You can search for configuration changes on the Audit Logs page by selecting Changes from the search options. See image. The configuration change search applies to JSON attribute values, not a...
Updated Search for Firewall Filtering Rules
The following update is applicable only to tenants approved for an increased rule limit of up to 4,000 Firewall Filtering rules, based on qualified use cases. On the Firewall Filtering Policy page (Policy > Firewall Control), the search is updated to include th...
Updates to End User Subscription Agreement (EUSA) Endpoints
The cloud service API includes the Activation endpoint category to extend programmatic access to retrieve the EUSA acceptance status using the following endpoints: • "GET /eusaStatus/latest" • "PUT /eusaStatus/{eusaStatusId}" To le...
SaaS Security DLP Policies Support Folder Level Changes
When a folder's permissions are modified or a folder is shared with a new collaborator, files previously in violation of the SaaS Security DLP policy rules in the folder are rescanned against those rules. This feature is presently being rolled out to Microsoft OneDrive and SharePoint applica...
Logs for SSL Inspection Policy Rule Name
You can filter and view logs to learn which specific SSL Inspection policy r...
Multifile Support for Isolation in ZIA
Users can now upload multiple files simultaneously while in an isolated session. There is no minimum or maximum limit while uploading. See image. To learn more, see <a class="url-external" href="https://help.zscaler....
Support for Device Groups in Forwarding Control
In the Policy > Forwarding Control > Add Forwarding Rule window, under the General section, a new Device Groups criterion is added. This criterion allows you to select device groups based on the device platform to which the configured forwarding rule applies. <a class="imag...
Support for Step-Up Authentication
Step-up authentication is a security mechanism that ensures users can only access sensitive or high-risk resources after completing an additional level of identity verification. Conditional access is supported for step-up authentication in the ZIA Admin Portal when configuring UR...
Support for Collaborator Groups
You can filter and view logs for External Collaborator Group and Internal Collaborator Group for the File Sharing Applications category. As part of the update, the following changes are available in the ZIA Admin Portal: SaaS Security Insights LogsFilters and colum...
Support for Number of Collaborators for Google Drive in DLP
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as scoping criteria for Google Drive. Administrators can apply the scope to collaborators by choosing a range for the number of internal and extern...
Content Location Match Criteria for Web DLP Rules
You can choose a content location as a match criteria to target specific sections of a file or transaction when defining a Data Loss Prevention (DLP) rule. To enable this feature, contact Zscaler Support. • File• Document Properties: Matches are...
Improvements to the Users Page
Multiple enhancements have been made to improve the load time and performance of the Users page in 3rd-Party App Governance. This significantly improves the user experience. To learn more, see <a href="https://help.zscaler.com/zia/about-user-inventory" target="_blank" data-entity-type="node...
Support for Correlated View of App Users and DLP File Access
A new tab, Files, is added to the User Panel in 3rd-Party App Governance. This tab provides visibility into files associated with Data Loss Prevention (DLP) violations for a given user over a selected period of time. You can quickly identify the top files with DLP violations, ena...
Support for Detecting Internal Apps
Multiple improvements help to automatically detect internal apps and relate publishers to those internal apps in 3rd-Party App Governance. To learn more, see <a href="https://help.zscaler.com/zia/about-app-inventory" target="_blank" data-entity-type="node" data-entity-uuid="acfb521d-0327-4a...
Support for Excessive Data Permissions Finding for GitHub Apps
A new finding, Excessive Data Permissions, is created for GitHub apps in 3rd-Party App Governance. Applications with excessive data permissions can access or modify multiple data types like emails, files, chats, and calendars, which puts the organization at risk of non-compliance and malicious ac...
Support for SaaS Application Tenants Label Management
You can add and manage labels for Software as a Service (SaaS) application tenants from the Integrations banner in 3rd-Party App Governance and Advanced SSPM. You can also filter the platforms by label. This allows you to identify the differences between the tenants for effective...
Support for SaaS Dashboard in Advanced SSPM
You can view the Software as a Service (SaaS) dashboard when you access Zscaler Advanced SaaS Security Posture Management (SSPM). The dashboard displays information about the overall posture score and risk score across all apps, platforms, and user accounts. It also displays the...
Add Comments for ATP Blocked Malicious URLs
You can now add comments to malicious URLs you have added to Advanced Threat Protection (ATP) Blocked Malicious URLs. To learn more, see <a href="https://help.zscaler.com/zia/adding-urls-denylist" target="_blank" data-entity-type="node" data-entity-uuid="b78a03b4-6f84-4726-...
Customizable User Confirmation Templates
You can now create and manage multiple user confirmation templates for enhanced policy-level customization in the ZIA Admin Portal by going to Administration > Notification Templates > User Confirmation and clicking Add Custom Message. When configuring Endpoint DLP or Inline Web...
Enhancement to EDM Match Count
The Zscaler Data Loss Prevention (DLP) Exact Data Match (EDM) dictionary search score total "matchCount" has been enhanced to be based on the number of unique sets of matches found in the content. Previously, "matchCount" was determined by the number o...
Enhancements to Cybersecurity Insights
You can now view and download the latest Zscaler ThreatLabz updates of all newly generated or updated content by the Zscaler ThreatlabZ team in a PDF from the Cybersecurity Insights page. See image. To learn more, see <a h...
Logs for Allowed File Type Rule
You can filter and view logs for File Type Control policy rules that use the Allow action and have been triggered by the transaction. The following changes are available in the ZIA Admin Portal:</p...
Downloading Policies
On the Print All Policies page (Administration > Print All Policies), you can download your organization's configured policies as JSON files by selecting the ZIP file format. A single ZIP file containing JSON representation of the policies is downloaded, with one JSON file c...
Location Groups Filter in NSS Feeds
A Location Groups filter is added to NSS and Cloud NSS feeds for Web, Firewall, and DNS logs as well as Microsoft Cloud App Security (MCAS) NSS feeds. You can use the filter when configuring a feed to limit the logs to specific location groups. <a class="image-icon" href="#...
Update to Firewall and Forwarding Rules
In Firewall and Forwarding rules, the Department field was accessible to some customers without the appropriate entitlement (requires Advanced Firewall). An update has been made to ensure that this field availability matches the admin’s entitlement to the field licensed with Advanced Firewall. Fo...
EDM and DLP Support for New PII Dictionaries
The following predefined DLP and EDM dictionaries now support an additional format for Australian Passport numbers: AAn(6), where AA is a combination of two letters (PA - PF, PU, PW, PX, PZ, and RA - RZ) and n is a combination of 6 digits. A delimiter (hyphen, spaces, or pe...
Index Tool Single Sign-On
Single sign-on (SSO) can be configured for the ZIA Index Tool when adding or editing an Index Tool configuration. See image. To learn more, see...
New EDM Data Types
When creating your Zscaler Data Loss Prevention (DLP) EDM templates, you can now select the following data types: • National Document ID (Uruguay) • National Identification Number (Chile) • National Identification Number (Peru) To learn more, see...
Custom Browser EUN Support for File Type Control Policy
The File Type Control policy rules support Custom Browser end user notifications (EUN). You can create a custom EUN template for the File Type Control policy and associate it with the policy rules. This allows you to show the custom notification messages on the endpoints when the...
Support for Microsoft as an IdP in 3rd-Party App Governance
Zscaler 3rd-Party App Governance supports Microsoft as an identity provider (IdP) to authenticate admins and users logging in to the 3rd-Party App Governance Admin Portal. You can select Microsoft as the IdP when connecting a web-based platform to Advanced SaaS Security Posture M...
SaaS Security Data at Rest Scanning DLP Redaction Support
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy for file sharing applications supports redacting sensitive data in supported file types. To use this functionality, you first create a redaction profile that specifies whether the Zscaler service uses an as...
SaaS Security Data at Rest Scanning DLP Support for Trusted Users and Trusted Domains
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports specifying trusted users (i.e., users with email addresses outside your organization) and trusted domains (i.e., domains outside your organization) as part of your policy rules. The Zscaler service...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Ability to Set an Endpoint DLP Exception Rule To Take No Action
You can apply the None action to exception rules in Endpoint Data Loss Prevention (DLP) to exclude specific activities that match exception rule criteria from being reported (i.e., you might want to exclude specific users or groups from reporting incidents). <a class="image...
DLP Support for New ML-Based Dictionaries
The following are new predefined DLP dictionaries that use ML-based detection: • ID Card • Medical Imaging • Satellite Data • Schematic Data To learn more, see <a href="https://help.zscaler....
Endpoint DLP Support for Predefined Dictionaries
The Zscaler service now supports the following existing predefined Data Loss Prevention (DLP) dictionaries for Endpoint DLP: • CNPJ Number (Brazil) • Mexico Unique Population Registration Code • National Economic Registry Number...
Enhancement to Posture Management Page
The Remediate option is removed from the policy drawer and Asset Summary tab on the Posture Management page. This option is available only if you subscribed to the Advanced SSPM service. See image. To learn more, see <a...
Expanded Onboarding Options for Salesforce
The Zscaler service supports custom, client-side connector onboarding for access to both sandbox and production Salesforce tenants. With this functionality, instead of requiring full administrator credentials, the Zscaler service can use a minimum set of credentials to access Sal...
New Macros Available for DLP Notification Templates
Zscaler added three new inline web DLP macros for your DLP notification templates: • "${DEPARTMENT}": Shows the department of the user who triggered the DLP rule. • "${FILESIZE}": Specifies the size of the file that triggered the DLP rule.</li...
Support for EDM and IDM in Outbound Email DLP Policies
The Zscaler service supports using Exact Data Match (EDM) and Indexed Document Match (IDM) dictionaries and engines in your Outbound Email Data Loss Prevention (DLP) policy rules. See image. To le...
Support for Parent DLP Dictionaries and Sub-Dictionaries
The Zscaler service supports using Patterns and Phrases Data Loss Prevention (DLP) dictionaries to create custom parent dictionaries and sub-dictionaries as a means of grouping similar dictionaries. For parent dictionaries, you can define patterns or phrases, or you can leave the...
Support for User Groups and Departments in Device Control Policy
Administrators can now define Device Control rules criteria (Analytics > Endpoint Data Scan > Device Control) based on User Groups and Departments. See image. To learn more, see <a href="https://help.zscaler.com/z...
Update to Zscaler Client Connector-based Notifications
You can embed links and add line breaks in the custom messages for Zscaler Client Connector-based End User Notifications (EUNs) (Administration > End User Notifications > Client Connector) and User Confirmation notifications (Administration > Notification Templates > User Confirm...
Updates to Cloud Service API: SaaS Security Endpoints
The cloud service API includes the following endpoint categories to extend programmatic access to various ZIA features and functionalities: • SaaS Security API To learn more about each endpoint, see th...
Tenancy Restriction Support for Amazon Web Services CLI
Tenancy restriction support is extended to Amazon Web Services CLI. To learn more, see Adding Te...
Multiple Sandbox API Token Support
Zscaler Sandbox (Administration > Cloud Service API Security > Sandbox API Token) supports up to 5 Sandbox API Tokens. The Sandbox token name field has a limit of 10 characters. See image. Web Insight Logs (Analytics >...
Support for Filtering for Advanced Threat Protection
Users can now add URLs and MD5 file hashes to an Allowlist for Advanced Threat Protection (ATP) to explicitly allow or deny access to specific URLs or files. See image. To learn more, see <a href="https://help.zscale...
Exclude Selected Applications from NSS Feeds
A filter to include or exclude selected cloud applications has been added to the existing Cloud Applications filter in NSS and Cloud NSS feeds for web logs as well as Microsoft Cloud App Security (MCAS) NSS feeds. When configuring a feed, you can select cloud applications and inc...
Gen AI Prompt Configuration for Writer and Deepseek
Zscaler's Gen AI prompt configuration is extended to the Writer and Deepseek generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen-ai...
Increase in the Default Number of Allowed File Type Control Policy Rules
The default limit of File Type Control Policy rules has been increased to 2,048 from 1,024. To learn more, see Ranges & Limitations....
Support for New SaaS Security Application Tenant
The SaaS Security Data at Rest Scanning DLP and Malware policies support configuring tenants for Zoom, a collaboration application. See image. To learn more, see <a href="https://help.zscaler.com/zia/ab...
Support for Quarantine Tombstone Template in the Assets Report
You can now choose the Tombstone Template when quarantining files to the user root folder in the Assets Report (Analytics > SaaS Security > Assets). See image. To learn more, see <a href="https://help.zscaler.co...
Update to Cloud Service API: Enhancement to Location Group Endpoint
A new query parameter "fetchLocations" is available for the "GET /locations/groups" endpoint. The "fetchLocations" parameter is a Boolean that you can set to fetch locations associated with the group. To learn more, go to "GET /locations/groups" f...
Update to Custom IPS Signature Rules CSV Import
When importing custom IPS signature rules using CSV files (Administration > Custom IPS), you must enclose comma-separated values for individual fields within three single quotes ("'''") instead of double quotes ("""). This update has been made...
Support for Zscaler-Managed Business Continuity Cloud
The Zscaler-managed Business Continuity Cloud is a fully managed private cloud solution that is built on the isolated and dedicated ZIA and Zscaler Private Access (ZPA) infrastructures to ensure consistent cyber and data protection during critical outages. Zscaler deploys and hosts the private ZI...
Advanced SaaS Security Posture Management Support for Workday
You can configure Advanced SaaS Security Posture Management (SSPM) for Workday tenants. Select the SSPM Scan checkbox when onboarding a Workday tenant to enable the Advanced SSPM scan capability for the specific tenant....
Gen AI Prompt Configuration for Grok AI
Zscaler's Gen AI prompt configuration is extended to the Grok AI generative AI application. You can enable prompts for this application to categorize and store the prompts for it. See image. To learn more, see <a h...
SaaS Security Posture Management Support for Webex Teams
You can configure the SaaS Security Posture Management (SSPM) Scan for Webex Teams tenants. Select the SSPM Scan checkbox when onboarding a Webex Teams tenant to enable the SSPM scan capability for the specific tenant. S...
Support for Dedicated IP and Geolocalization IP
The Dedicated IP feature allows organizations to subscribe to dedicated IP addresses for the Zscaler data centers of their choice. Users can use these dedicated IP addresses (unique to the organization) as their source IP address to reach destinations that require source IP-based access. Th...
Update to Web Insights for Bandwidth Control
Web Insights includes additional information for Bandwidth Control with the new filter Bandwidth by Data Center. See image. To learn more, see <a href="https://help.zscaler.com/zia/web-data-types-and-filters...
Support for Unified Onboarding of SaaS Application Tenants
You can onboard, edit, and delete new Software as a Service (SaaS) application tenants enabled with 3rd-Party App Governance or the Advanced SaaS Security Posture Management (SSPM) feature from the Add SaaS Application Tenant page in the ZIA Admin Portal. You can continue editing...
Support for Risk Explainability in 3rd-Party App Governance and Advanced SSPM
On the App Panel header, you can hover over the risk score to view a breakdown of the score. On the Control Panel header, you can hover over the control severity level to view a breakdown of the severity. These actions allow you to view the components and criteria used to calcula...
Cloud Application Updates
As part of a continuous review, Zscaler has updated cloud applications across various cloud application categories. To obtain the list of updated cloud applications, download the list: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
SCIM-Based User Lookup For Outbound Email DLP
Zscaler Outbound Email DLP supports System for Cross-domain Identity Management (SCIM)-based user lookup to map email addresses with ZIA login names. To learn more, see <a href="https://help.zscaler.com/zia/step-step-configuration-guide-zscaler-outbound-email-dlp#prerequisites" target="_bla...
Zoom in Tenant Profile
The Tenant Profiles feature supports Zoom. This allows granular control of actions (e.g., disable file transfer in meetings, disable recording locally on the device, etc.) in Zoom. See image. To learn more, see <a href="htt...
Expanded File Type Support for File Type Control and DLP
The File Type Control and Data Loss Prevention (DLP) policies now support the Appinstaller Files (.appinstaller) file type in the Other Documents category. • File Type Control • <a href="#dlp...
File Type Control Enhancements
You can configure file type control rules based on Password-Protected criteria. This criteria is applicable for the following formats: • Password-Protected/Encrypted • Portable Document Format (.pdf) • Encrypted Office Documents • ZIP • RAR <l...
Microphone and Camera Functionality for Isolation Profiles in ZIA
Isolation allows microphone and camera functionality on the user's device while in an isolated browser. This can be enabled per isolation profile if Turbo Mode is also enabled. See image. To learn more, see...
Support for SaaS Security API Data at Rest Scanning DLP Policy Rules without Content Inspection
To enable this feature for your organization, contact Zscaler Support. On the Data at Rest Scanning page (Policy > Saas Security > Data at Rest Scanning), you can create Data at Rest Scanning Data Loss Prevention (DLP) policies without content matching. <...
Support for Site Groups in SaaS Application Tenants and DLP Policy
SaaS Application Tenants (Administration > SaaS Application Tenants > Manage SaaS Application Components) supports the management of SharePoint tenant Sites and Site Groups. In the Components tab, you can view a list of the SharePoint sites that are available under the selected S...
Enhancements to Endpoint Data Scan
The following enhancements are made to the Endpoint Data Scan page (Analytics > Endpoint Data Scan): Nearby SharingZscaler Device Control is enhanced to prevent nearby sharing between endpoints and devices that are close by. The Nearby Sharing rule restricts the us...
HTTP Header Control
The HTTP Header Control feature allows you to create URL Filtering policy rules based on HTTP headers. As part of this change, the following profiles are added to the ZIA Admin Portal: • HTTP Header Profile (Administration > HTTP Header Control) • HTTP Header Inser...
Update to Zscaler Client Connector-Based Notifications
Zscaler Client Connector-based End User Notifications (EUNs) and user confirmation messages for Inline Web DLP and Cloud App Control policies can be enabled without having an Endpoint DLP subscription. These policy EUNs are supported (without requiring Endpoint DLP) on the following Zscaler...
Added Alert for Unknown and Suspicious C2 Traffic
You can enable the service to send alerts for unknown or suspicious C2 traffic. This feature is enabled by default. See image. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanc...
Enhancements to Admin Role Management
The Administration > Role Management page is enhanced to provide admins more granular access to major ZIA features. Super admins or admins with full access to the ZIA Admin Portal can assign admins field-wise permissions (Full, View Only, and None) to access individual ZIA featur...
Instance Discovery Report Enhancements
The Instance Discovery Report provides visibility into the instances accessed by users at the various levels of hierarchy for different SaaS applications. The Instance Discovery Report includes the following enhancements: • New applications are supported with vario...
Update to Cloud Service API: Cloud Application Instance Endpoints
The cloud service API includes the following new endpoints to create, update, and delete cloud application instances: • "POST /cloudApplicationInstances" • "PUT /cloudApplicationInstances/{instanceId}" • "DELETE /cloudApplicationInstances/{instanceI...
Update to Cloud Service API: User Endpoint Rate Limit
The rate limit for the "GET /users" request within the cloud service API has been updated to 10 calls/minute and up to 40 calls/hour. To learn more, see the API Rate Limit Summary....
Updates to Cloud Service API
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Alerts • Bandwidth Control & Cl...
Updates to Cloud Service API: Service Edges
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Service Edges To learn more about each endpoint, see...
Updates to the Add UEBA Alerts Page
The Trigger Multi-Factor Authentication action under Adding Alert Rule for UEBA Alert is deprecated and alert triggers with Multi-Factor Authentication is no longer supported. You can choose between Trigger an Alert or Place user in group to trigger the alert rule. <a class...
WebSocket Protocol Type in DLP Rules
You can choose either WebSocket or WebSocket SSL/TLS as a protocol type when defining a Data Loss Prevention (DLP) rule. On the Policy > URL Filtering & Cloud App Control > Advanced Policy Settings tab, a Microsoft Copilot toggle is added under the Gen AI Prompt Configuration sec...
ChatGPT in Tenant Profile
The Tenant Profiles feature is extended to the ChatGPT application. This allows you to provide access to specific workspace IDs for ChatGPT. See image. To learn more, see <a href="https://help.zscaler.com/zia/ad...
Update to Sandbox Scanning Portal URL
The Sandbox Scanning Portal is now more secure with the change to an HTTPS URL: https://filecheck.zscaler.com/ If you have bookmarks to the previous URL for the Sandbox Scanning Portal, update them as they no...
Email Notification Support for Policies in 3rd-Party App Governance
When creating a policy, you can choose to send an email through one or more default email addresses to notify the users whenever the policy is triggered. See image. To learn more, see <a href="https://help.zscaler.co...
Support for Viewer Role in 3rd-Party App Governance
You can assign a new predefined role called Viewer to a user. When assigned this role, the user can only view data and export reports across the 3rd-Party App Governance Admin Portal, but cannot take any action or make changes. To manage role assignments, contact Zscaler Suppor...
Email Notification Support for Revoking or Banning Apps in 3rd-Party App Governance
When you revoke or ban an app for users in your organization, you can send an email to notify them that the previously accessible app is revoked or banned. You can also select the email address from which you want to send the email. <a class="image-icon" href="#Revoke/Ban-C...
Auditor Email Notifications for Outbound Email DLP
You can configure notification templates so that email notifications are sent automatically to specified auditors when outbound email transactions trigger Outbound Email DLP rules. On the Notification Templates page (Administration > Notification Templates > DLP), you can c...
Configure External Trusted Domain & User Profiles in Tenant Onboarding
SaaS Application tenant onboarding for SaaS Security API now supports configuring external trusted domains and users. See image. To learn more, see <a href="https://help.zscaler.com/zia/about-email-profiles" target="_bla...
Support for Number of Collaborators for File Sharing Applications in DLP
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as a scoping criteria for SharePoint and OneDrive to monitor file sharing among collaborators. Administrators can choose a range for the number of...
Developer Tools URL Category
The Developer Tools predefined URL category is added to the Information Technology super category. It consists of sites that provide tools used by developers for coding, debugging, testing, and managing software projects. This category is enabled from the backe...
Enhancements to the SaaS Security Scan Configuration
You can refresh the status of a scheduled SaaS Security DLP or malware scan by clicking the Refresh icon next to the status of an ongoing scan on the SaaS Security Scan Configuration page. See image. To learn more,...
New Predefined DLP Engines Available
The following are new predefined DLP engines available on the DLP Engines page (Administration > DLP Dictionaries & Engines > DLP Engines). These engines are available by default for customers with tenants enabled on April 4, 2025, or later. For enablement on e...
Support for MIP Labels for PowerPoint Files in Data at Rest Scanning DLP Policy
For file sharing applications, you can configure MIP labels on PowerPoint files from the Data at Rest Scanning DLP policy in the Add DLP Rule window (Policy > Data at Rest Scanning > Data Loss Prevention). Choose from the list of OneDrive and SharePoint tenants to see this action...
Support for New SaaS Application Tenants
Twilio and Trello are supported as SaaS application tenants. Both can only be configured for SSPM scan which requires an Advanced SSPM license. If you don't have the correct license, a message to upgrade your license appears next to the SSPM Scan checkbox during the onboardi...
UCaaS One Click Configuration Support for Talkdesk
Unified Communications as a Service (UCaaS) one-click configuration support is now extended to the Talkdesk cloud application. See image. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanced-url...
Changes to Policy Action Reasons in Web Insights and NSS Reports
The following policy actions seen in the Insights and NSS Reports have changed to ensure consistency with the field values from the Web Insights in the ZIA Admin Portal: Old Policy ReasonNew Policy Reason<td style="overflow:hidden;pad...
Expanded Python File Type Support for Sandbox
The Zscaler Sandbox supports additional file types: • Python Source Code file (.py) • Pickle files (.p, .pkl, and .pickle) • Python Dynamic Module file (.pyd) • Python Script file (.pyw) See image....
Hex-Encoded Requested Domain Field in NSS Feeds
The field "%s{ednsreq}" is available when adding an NSS or Cloud NSS feed for DNS logs. The field output is the hex-encoded FQDN in the DNS request. To learn more, see <a href="https://help.zscaler.com/zia/nss-feed-output-format-dns-logs" target="_blank" data-entity-type="node" d...
Update to Cloud Service API
To provide a unified and streamlined API experience through Zscaler OneAPI, our centralized API management solution for the Zscaler platform, Zscaler is applying the following changes to ZIA: • Going fo...
Update to Cloud Service API
The cloud service API is updated to include a new "GET /locations/supportedCountries" endpoint that retrieves an up-to-date list of countries supported in location configuration. To learn more, see the API Reference...
Updates to Cloud Service API
The cloud service API includes updates to the following categories of endpoints to extend programmatic access to specific ZIA features and functionalities: • Admin & Role Management • S...
Support for Number of Collaborators in DLP Policy
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy now supports the number of collaborators as a scoping criteria for file sharing applications. When enabled for a partner tenant, the CASB Collaborator Count field under Special Settings of the Tenant Detail...
Zscaler EUN Web Page for DNS Control Policy
Using the DNS Control policy, you can redirect users to a new Zscaler-provided end user notification (EUN) web page to inform users of your organization policy when they access restricted domains. You can do this by selecting the Redirect Response action in the DNS Control rule a...
DLP Support for New PII Dictionaries
The following are new predefined DLP Dictionaries: • National Identification Number (Chile RUN) • National Identification Number (Peru CUI) • National Document ID (Uruguay) To learn more, see <a href="https://help.zscaler.com/zia/understanding-pre...
Cookie Persistence Renamed to Persistent State for Isolation Profiles
In ZIA isolation profiles, the cookie persistence toggle has been updated to be called Persistent State. See image. To learn more, see <a href="https://help.zscaler.com/isolation/using-persistent-state-isolation" targe...
Enhancement to Secure Browsing
You can configure granular Smart Browser Isolation policies for specific users or groups from the Secure Browsing page. As part of this change, the following fields are added to the Smart Isolate tab (Policy > Secure Browsing > Smart Isolate): • Users • Groups...
Isolation of Miscellaneous and Unknown Category in ZIA
Isolation creates preconfigured profiles for admins. These profiles can configure only the URL category "Miscellaneous and Unknown" in their Zscaler Internet Access (ZIA) policy. Some fields in this profile are permanently enabled, others permanently disabled, and some the admin can <a href="http...
Update to Application Service Groups
The Firewall policy allows you to manage outbound and inbound traffic for cloud service providers such as Amazon Web Services (AWS) and Google Cloud Platform (GCP), along with their subservices, using the newly added AWS and GCP application service groups. These application servi...
Multiple VM Sandbox Report Analysis
For Advanced Sandbox users, all malicious samples are analyzed twice automatically, first through an unpatched vulnerable VM (Zero Day Report or Fully Patched VM Report) and then a second time through the fully patched secured VM (Regular Report). This allows you to compare the r...
Remote Assistance Notification
The Zscaler service displays a notification when Remote Assistance is enabled. See image. The maximum time limit for both view-only and full access is 90 days. To learn more, see <a href="https://help.zscaler.com...
Updates to Cloud Service API
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Admin & Role Management • User Manage...
DLP and EDM Support for PII
The existing predefined Credit Card dictionary and EDM data type now support the additional popular formats: • Credit Card Number (China UnionPay) • Debit Card Number (Maestro) To learn more, see <a href="https://help.zscaler.com/zia/creating-exact-data-match-template"...
Enhancement to HTTP/2 in SSL Inspection Policy
The Enable HTTP/2 option is enabled by default when configuring an SSL Inspection rule. This feature is only available when it is enabled for your organization. See image. To learn more, see <a href="https://help.zscaler.com...
Tenant-to-Tenant Firewall Control and Logging Improvements
Additional Firewall Control and Logging capabilities have been added for scenarios where an organization's roaming user (i.e., remote user from a Home tenant) is a guest user visiting another organization's tenant location (i.e., Host tenant) in the same Zscaler cloud and that Host tena...
Update to DNS Control Policy
The DNS Control policy includes a new action, Block with Response Code, which allows you to block DNS traffic and send a response code to the client. The response code can be chosen from a predefined list that appears in a new Response Code field when this action is selected. Whe...
Zscaler Incident Receiver Configuration Enhancement
Zscaler now supports the SSH key, ED25519. To learn more on upgrading the SSH key to ED25519, see <a href="https://help.zscaler.com/zia/configuring-zscaler-incident-receiver" target="_blank" data-entity-type="node" data-entity-uuid="1b3f21b1-0d52-4d5a-911b-61d5deeca357" data-entity-substitu...
Enhancement to Posture Page in Advanced SSPM
The Complexity column and filter are added to the Posture page. You can view the complexity level of a control and filter the controls displayed in the table by using this filter option. The Control Panel header for each control displays its c...
Enhancements to Assets Tab of the Control Panel in Advanced SSPM
The Assets tab of the Control Panel in Advanced SSPM includes the following enhancements: • You can export the assets report to a CSV file. • You can copy the asset evidence or download it as a JSON file. <a class="image-icon" href="#ZIA-Assets-Tab-Enha...
Update to Cloud Service API: Data Center Exclusion
The cloud service API includes the following new endpoints to support excluding a Zscaler data center (DC) in the event of service disruption by disabling all tunnels terminating at a virtual IP (VIP) address of the DC. Using these endpoints, you can add, modify, and delete DC exclusions and retr...
Administrator Scope Department Limit
When configuring ZIA admins and <a href="https://help.zscaler.com/zia/adding-zia-super-admins" target="...
Enhancements to the IoT Report
The IoT Report has been enhanced to report IoT policy status and statistics for IoT devices. To learn more, see About the IoT Report. You can get an overview of the IoT web policies...
Increase in Query Limit for Sandbox Report API
The resource access quota for retrieving Sandbox Detail Reports is increased to 3,000 requests per day, with a rate limit of 2/sec and 1,000/hour. To learn more, see the Obtaining San...
Logs for Source and Destination IP Countries
You can filter and view logs for Source IP Countries, Destination IP Countries, Is Source IP Country Risky? and Is Destination IP Country Risky? As part of the update, the following changes are available in the ZIA Admin Portal: Web Insights LogsThe following filte...
Update to Cloud Service API
The cloud service API includes a new "POST /exportPolicies" endpoint for exporting rules configured for various policy types to JSON files. To learn more, see the API Reference. The Postman collection has...
Real-Time DLP Support for Files and Messages for Webex
Zscaler supports real-time Data Loss Prevention (DLP) for messages and file attachments sent via Webex Teams. To learn more, see Step-by-Step Configuration Guide for Webex Teams Re...
Support for Case-Sensitive Logging for Select Domains
Zscaler supports case-sensitive URL logging for select domains. Some sites and services, such as URL shorteners, use case sensitivity within the URL path when generating links. For example, "bit.ly/ABcDEf" has a different destination URL than "bit.ly/abcdef". With added supp...
Enhancement to Posture Controls Report in Advanced SSPM
When exporting the controls report to a CSV file from the Posture page, you can view additional attributes like Description, Tenant Name, Platform, Severity, etc. in the exported file. To learn more, see <a href="https://help.zscaler.com/zia/about-posture" target="_blank" data-entity-type="...
Enhancements to Endpoint DLP
Optical Character Recognition (OCR) SupportThe Zscaler service supports OCR for Endpoint DLP to scan PNG, JPEG, TIFF, and BMP files for sensitive text data. This functionality does not require configuration and is automatically available based on whether your subscription includes the ZS...
Advanced SaaS Security Posture Management Support for Zoom
You can configure Advanced SaaS Security Posture Management (SSPM) for Zoom tenants. Select the SSPM Scan checkbox when onboarding a Zoom tenant to enable the Advanced SSPM scan capability for the specific tenant. Existing users can also enable Advanced SSPM support by selecting...
Extranet Application Support
To access Extranet Application Support, contact your Zscaler Account team. Zscaler Extranet Application Support provides organizations with a secure way to access resources from partners that are not using the Zscaler service. This is typically accomplished wit...
Service - zscalerone.net
Increased File Size Support for Advanced Detections
With the Advanced Detections package for Advanced Sandbox, you can analyze EXE and DLL files with sizes up to 200 MB. To learn more, see About Sandbox....
Support for AI/ML Detection Source
The Zscaler Admin Console is enhanced with the ability to view the AI/ML detection source for your Internet & SaaS (ZIA) traffic. The following updates are available: Web Insights LogsThe AI/ML Detection Source filter and column are added to the Web Insights Logs p...
Support for DLP Scan Timeout Identifiers in Web Insights Logs
You can filter and view logs for specific DLP identifiers of transactions that were exempted from policy enforcement due to a scan timeout. As part of the update, the following changes are available in the Zscaler Admin Console: Web Insights LogsThe filter an...
Third-Party Proxies and Gateways Limits
You can add up to 256 proxies and proxy gateways for third-party proxy services (Infrastructure > Internet & SaaS > Network Policies > Proxies & Gateways) in the Zscaler Admin Console. To learn more, see <a href="https://help.zscaler.com/unified/ranges-limitations" target="_blank" data-enti...
Updates to Malware Protection Policy Endpoints
You can update the Malware Protection policy and retrieve the Malware Protection policy for an organization using the following endpoints: • "GET /malwarePolicy" <li data-list-item-id="e83742e3c2bff0a63...
Updates to NSS Collector Server Endpoints
You can add, update, and delete NSS Collector servers and retrieve a list of all configured NSS Collector servers for an organization using the following endpoints: • "GET /nssCollectors" <li data-list-...
Updates to Secure Browsing and Votiro CDR Endpoints
You can retrieve a list of all supported browsers and their versions and update the Smart Browser Isolation policy settings using the following endpoints: • "GET /browserControlSettings/supportedBrowserVersions</...
Updates to the IPS Control Policy Endpoints
You can create, update, delete, and retrieve custom IPS signature rules using the following endpoints: • "GET /ipsSignatureRules" • "POST /ip...
Policy Level Gen AI Prompt Configuration
You can capture end user prompts for generative AI applications from the Cloud Application Control policy. This allows granular control of Gen AI prompt configuration. As part of this update, the Capture Prompts option is added to the Add/Edit AI & ML Rule window (Policies > Acce...
Enhancement to Cloud Application Instances
The cloud application instances feature is extended to new cloud applications. You can create cloud application instances for the following cloud applications: • Google Gemini <li dat...
Instance Discovery Report Support for Azure
You can view the Instance Discovery Report for Microsoft Azure; this application supports three levels of discovery: • Domain • Tenant <li data-list-item...
Support for Smartsheet as an API-Based Platform in Advanced SSPM
Advanced SSPM supports Smartsheet as an API-based platform to provide visibility into posture misconfigurations. You can onboard a Smartsheet tenant from the 3rd-Party App Governance Admin Portal. See image. To...
Enhancement to Atlassian Integration in 3rd-Party App Governance
The Add Integration window for Atlassian in 3rd-Party App Governance is enhanced to allow you to enter the Atlassian subdomain and API token while adding the integration. This reduces the number of steps and simplifies the integration process to improve the user experience. <p...
Gen AI Prompt Configuration for QuillBot and Google AI
Zscaler's Gen AI prompt configuration is extended to the QuillBot and Google AI generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen...
DLP Support for New PII Dictionaries
The following are new predefined DLP dictionaries: • Argentina Uniform Bank Code: Detect Leakage of CBU • Cambodian National ID: Detect Leakage...
Add or Remove NTP Servers Using CLI
You can add or remove custom NTP servers from the configuration files using CLI commands. This prevents syntax errors and duplicate entries in the configuration files. To learn more, see <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-internet-saas-ntp-server-synchron...
Default Rules for Advanced Sandbox
If your organization is subscribed to the Advanced Sandbox package, the following default rules are available: • Sandbox_Docs_Trusted • Sandbox_Docs_Archives • Sandbox_Exes_We...
DLP Rule Name Support for Web DLP Reports and Insights
Users can schedule Web DLP incident reports by DLP Rule Name to improve visibility and monitor incident counts in the Zscaler Admin Console: Data Type DLP Rule Name is introduced in the Interactive Reports widgets and Web Insights. <a class="image-icon" href="#dlp-rul...
Document Classification and Logging for Email DLP Insights
AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Email DLP Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classific...
Enhancements to Predefined O365 One Click rule in SSL/TLS Inspection Policy
You can choose Evaluate Other Policies or Bypass Other Policies under the Do Not Inspect action in the O365 One Click predefined rule in the SSL/TLS Inspection Policy. This allows you to configure the predefined O365 One Click rule to either evaluate other policies (i.e., URL Fil...
Exclude Selected URL Classes & Categories from NSS Feeds
Filters to include or exclude selected URL classes, URL categories, and URL super categories have been added to NSS and Cloud NSS feeds for web logs. When configuring a feed, you can select the respective URL classes and categories and include them in the logs by default or choos...
New Network Applications in Firewall Control
The Zscaler service extends support to identify two new network applications, namely Kafka (Application Service category) and Zalo (Instant Messaging category). You can view these apps on the Network Applications page and configure them in Firewall Filtering rules to identify and...
Support for Cloud NSS Feeds for Alerts
You can configure a separate Cloud NSS feed for alerts, enabling you to monitor your Cloud NSS feeds for data lag, data loss, and the connection to your cloud-based security information and event management (SIEM) system. <a class="image-icon" href="#img-cloud-nss-alert-fee...
Client Browser for Zero Trust Browser
Zero Trust Browser has been updated with several significant changes to provide seamless and secure enterprise access from any browser. The solution consists of three primary components: a browser extension that handles web-based security and access, a lightweight agent that enforces device postu...
Enhancement to Advanced Threat Protection Policy
Advanced Threat Protection now enables users to allow the Web Proxy Auto-Discovery (WPAD) protocol from external sources to automatically discover proxy settings by locating PAC files via DHCP or DNS queries. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanced-threat-pro...
API Session Timeout
When configuring advanced settings (Policies > Common Configuration > Advanced > Advanced Settings), you can specify how long API-initiated sessions can be inactive before they are forced to reauthenticate. The timeout duration can range from 5 to 20 minutes. <a class="imag...
NSS Support for Admin Audit, ZIdentity Authentication, and ZIdentity SCIM Logs
The following enhancements are available for the NSS Feeds and Cloud NSS Feeds: • New log types, ZIdentity Authentication and ZIdentity SCIM, are added to the NSS for Web type. These log types provide support for the ZIdentity Authent...
Subdocument Type Support in Data Discovery Report
The Data Discovery Report is enhanced to include subdocument type support, providing enhanced visibility via an interactive bubble chart for ML categories. This chart utilizes nested bubbles to represent granular subdocument types, such as tax forms and legal contracts. By drilli...
Update to Workload Groups Endpoints
You can delete a list of workload groups for an organization using the "DELETE /workloadGroups" endpoint. To learn more, go to "DELETE /workloadGroups" from Workload Groups. To learn more about...
Advanced SSPM Support for Lucidchart
Advanced SSPM supports a new platform, Lucidchart. You can onboard a Lucidchart tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/connecti...
Support for Zendesk as an API-Based Platform in Advanced SSPM
Advanced SSPM supports Zendesk as an API-based platform. You can onboard a Zendesk tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/conne...
Document Classification and Logging for SaaS Security API, Email, and Endpoint DLP
AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classification of d...
Enhancement to Gen AI Prompt Configuration
The generative AI prompt configuration is extended to the Grammarly application. As part of this change, the Grammarly option is added to the Policy > URL & Cloud App Control > Advanced Policy Settings page. <a class="image-ic...
Cloud Custom IPS Enhancements
Custom IPS is supported on Zscaler's public cloud, allowing you to create and deploy custom IPS signature rules without requiring any additional infrastructure (previously required a Private Service Edge deployment). You can inspect traffic transiting the Zscaler cloud again...
New Bandwidth Control Fields for Transactions
Web Insights are enhanced to allow users to view the latency caused by bandwidth control on transactions in the ZIA Admin Portal. Web Insights LogsThe following new columns and filters are available in the Web Insights Logs: • Request Latency Due to Bandwi...
Enhancement to Cloud Nanolog Streaming Service (NSS) Endpoints
A new query parameter "onPremNss" is available for the following Nanolog Streaming Service (NSS) feed endpoints: • "GET /nssFeeds" • "POST /nssFeeds" • "GET /nssFeeds/{feedId}" • "PUT /nssFeeds/{feedId}" • <co...
Enhancement to Firewall Policies Endpoints
A new query parameter, "ruleLabelId", is available for the "GET /firewallFilteringRules" and "GET /firewallFilteringRules/count" endpoints. The "ruleLabelId" query parameter allows you to filter Firewall Filtering rules based on the rule label ID. To le...
Enhancements to Admin Role Management
On the Internet & SaaS > Role Management page, in the Policy & Components > Access Control tab, the URL Filtering and Cloud App Control policy permissions are separated to provide admins more granular control over those features. <a class="image-icon" href=...
SSL Inspection and SSL Policy Renamed to SSL/TLS Inspection and SSL/TLS Policy
The labels SSL Inspection and SSL policy are renamed to SSL/TLS Inspection and SSL/TLS policy. See image. Refer to the following table for a list of updated labels: Old UI Labels...
Updates to Recipient Email Profile Endpoints
You can create, update, and delete recipient email profiles, retrieve a list of all recipient email profiles, and obtain the count of recipient email profiles for an organization using the following endpoints: • "GET /emailRecipientProfile" • "POST...
Security Fixes
Proper neutralization of user input in specific input fields in the ZIA Admin Portal no longer allows an authenticated administrator to access unauthorized internal information in rare conditions (CVE-2026-22568)....
Insights Logs Improvements & Enhancements
The Insights Logs pages now feature asynchronous log retrieval. This enhancement allows users to continue working without interruption while queries are executed in the background, significantly improving their user experience. The following enhancements are available for I...
Advanced SSPM Support for Airtable
Advanced SSPM supports a new platform, Airtable. You can onboard an Airtable tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integrating...
Advanced SSPM Support for Bitwarden
Advanced SSPM supports a new platform, Bitwarden. You can onboard a Bitwarden tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integratin...
Advanced SSPM Support for Sentry
Advanced SSPM supports a new platform, Sentry. You can onboard a Sentry tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integrating-sent...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Support for OneLogin as an API-Based Platform in Advanced SSPM
Advanced SSPM supports OneLogin as an API-based platform. You can onboard a OneLogin tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/int...
Logs for MCP Transactions
The application activity MCP is added to the Web Insights Logs to log Model Context Protocol (MCP) transactions in the ZIA Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/web-insights-logs...
Expanded File Type Support for Sandbox
The Zscaler Sandbox now supports the Optical Disc Image (iso) file type. See image. To learn more, see <a href="https://help.zscaler.com/zia/about-sandbox" target="_blank" data-entity-type="node" data-entity-uuid="b6501cfa-e...
DLP and File Type Support for MSIX Files
The File Type Control and Data Loss Prevention (DLP) policies now support MSIX files in the Executable category. • File Type Control • DLP - Rule without Content Matching <p...
Enhancement to Extranet Application Support
Extranet Application Support can be configured bidirectionally, allowing partners to access your organization's resources securely. Extranet Application Support is a feature in limited availability. To access Extranet Application Support, contact your Zsca...
Sandbox Verdict Logging
Zscaler supports comprehensive logging of Sandbox analysis activities through Insights Logs and the Nanolog Streaming Service (NSS). You can log and view details of all files that went through behavioral analysis regardless of the verdict (e.g., Suspicious Content, Benign). With the following enh...
Enhanced Flexibility in the URL Filtering Policy Rule Creation
You can apply either "OR" or "AND" logical operator between the Users, Groups, and Departments criteria in the URL Filtering Policy rules. This allows you to create granular policy rules using a combination of logical operators (i.e., "OR" or <cod...
Enhancement to Zscaler Cloud Performance Test Tool
The Zscaler Cloud Performance Test Tool allows you to view only the domain part of the traffic or email, and the user name is hidden. For example, johndoe@zscaler.com is visible as xxxxxxx@zscaler.com. See image. To learn m...
Increased AWS Account IDs in Tenant Profiles
You can add up to 512 account IDs per tenant profile for AWS and there can be a maximum of 4,096 account IDs across all profiles. To learn more, see Adding Tenant Profiles and <a href="https://help.zscaler...
NSS Support for Hyper-V
Zscaler’s Nanolog Streaming Service (NSS) supports the configuration and deployment of an NSS virtual machine (VM) on Hyper-V. After deploying an NSS VM, you can stream your organization’s web or firewall logs from the Zscaler cloud to your security information and event ma...
NSS Support for Nutanix
Zscaler’s Nanolog Streaming Service (NSS) supports the configuration and deployment of an NSS virtual machine (VM) on Nutanix. After deploying an NSS VM, you can stream your organization’s Web or Firewall logs from the Zscaler cloud to your security information and event ma...
Update to Admin Audit Logs and Event Logs API Endpoints
When you request report generation using "POST /auditlogEntryReport" or "POST /eventlogEntryReport", it returns an HTTP "200 OK" status code with the "statusId" in the response (previously returned "204" status code). This "statusId</cod...
Enhancements to 3rd-Party App Governance and Advanced SSPM
The following enhancements are available in 3rd-Party App Governance and Advanced SSPM: SettingsThe SaaS Tenants and Notifications tabs are added to the Settings page. These tabs allow you to view and manage the onboarded SaaS tenants and also configure Slack and e...
Sandboxing Password-Protected PDF Files for Isolation
Zscaler Isolation now supports password-protected PDF files to be <a href="https://help.zscaler.com/zia/about-sandbox" target="_blank" data-entity-type="node" data-entity-uuid="b6501cfa-e4fc-40ad-9568-c79e8ff2240e" data-entity-subst...
Regex Patterns in Custom URL Categories
The custom URL category supports regex patterns, enabling you to match multiple URLs with a single pattern and flexible configuration of custom URL categories. As part of this update, in the Administration > URL Categories > Add URL Category window, the URL Type toggle has been a...
Granular Control for Atlassian AI Application
You can allow or block the use of embedded AI applications on Atlassian sites and enable or disable Zscaler to store the generative AI prompts entered in these embedded AI applications per cloud app control rule. As part of this feature, the following fields appear in the Add/Edi...
Automatic Local Language Translation for Isolation in ZIA
Automatic language translation is globally available for Isolation. The isolated session localizes the language based on the user's browser language settings, and displays that language on the rendered web page. To learn more, see <a href="https://help.zscaler.com/isolation/understandi...
Visual Indicator for Turbo Mode in Isolation for ZIA
If Turbo Mode is enabled on an isolation profile and the user also has hardware acceleration enabled, the appearance of the zGPU icon next to the Turbo Mode command is displayed in the Isolation Bar. See image. To...
Enhancement to URL Filtering Policy Page
On the URL Filtering Policy page (Policy > URL & Cloud App Control > URL Filtering Policy), the URL Filtering rules are paginated with up to 100 rules displayed per page. See image. You can filter and search for URL Filteri...
Enhancement to Virtual Service Edges
The following platforms support 64 GB of RAM and 3 antivirus (AV) engines per Virtual Service Edge: • <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-clusters" target="_blank" data-entity-type="node" data-entity-uuid="0f1a169d-6547-4d25-a778-b2f20da57fa4" data-enti...
Gen AI Prompt Obfuscation
Generative AI (Gen AI) prompts that are displayed in the Web Insights Logs can be obfuscated when adding admin roles. <p...
Pattern Requirements for Custom DLP Dictionaries
For custom Data Loss Prevention (DLP) dictionaries that use patterns with lookaround constructs (also known as zero-length assertions), the Zscaler service now enforces the following restrictions: • You must select Match Any Patterns and Any Phrases as the Match Type.</l...
Create VM Instance using the Virtual Service Edge Amazon Web Services Terraform Modules
You can create a virtual machine (VM) in Amazon Web Services (AWS) using the Virtual Service Edge Terraform modules. To learn more, see <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-amazon-web-services" target="_blank" data-entity-type="node" data-entity-uuid="64393...
Updates to Firewall Dashboard and Insights
On the Firewall Insights page (Analytics > Firewall Insights), the maximum number of rules displayed for the Rule Name data type has been increased. When using bar or table charts, you can view up to the top 4,000 rules (in increments of 500, 1,000, 2,000, and 4,000) by selecting...
Enhancement to Filters in 3rd-Party App Governance and Advanced SSPM
In the App Inventory and User Inventory, and on the Posture page, the filter options that don't currently exist in your organization display separately and do not return results. You can still select them when creating new views and policies. If a new app i...
Support for GitHub User Email Enrichment in 3rd-Party App Governance
The Users page displays multiple emails in addition to public emails for GitHub users. These emails are associated with the domain of the organization that owns the GitHub account. This enhancement improves the ability to find user and admin emails from outside the domain.</span...
Support for Google Workspace OU Segregation
You can segregate your Google Workspace integration by organizational units (OUs) in 3rd-Party App Governance. This segregation ensures that each OU can access only its relevant users, applications, and posture data, while maintaining consolidated tenant management f...
Updates to 3rd-Party App Governance API
The 3rd-Party App Governance API adds a new endpoint, "/app_views/{appViewId}/accounts", to retrieve users' email addresses associated with specific app IDs. "/app_views/{appViewId}/apps_extended" provides the total number of enabled users "totalenabledusers<...
Gen AI Prompt Configuration for Claude and Mistral
Zscaler's Gen AI prompt configuration is extended to the Claude and Mistral generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen-ai-...
Traffic Capture for NDR
The Zscaler service can capture traffic in multiple ways: • Traffic Capture Essentials: Capture traffic as PCAP files with supported actions in ZIA policies when traffic matches policy criteria. • Traffic Capture for Network Detection and Response (NDR): Capture tr...
Web EUN for DNS Control Policy
The DNS Control policy includes an option to display a notification to end users when the policy blocks access to specific domains. Zscaler hosts this End User Notification (EUN) page, eliminating the need for organizations to host their own EUN web page. The DNS EUN web page inf...
Create VM Instance using the Virtual Service Edge Azure Terraform Modules
You can create a virtual machine (VM) in Azure using the Virtual Service Edge Terraform modules. To learn more, see Configuring Virtual Service Edge for Microsoft Azure....
Enhancement to Custom Views in 3rd-Party App Governance
When creating and saving a custom view in 3rd-Party App Governance, you can update the saved view to include your current tenant selection on the global platform filters. See image. To learn more, see <...
Creative Commons Search Results
Zscaler supports Creative Commons (CC) search for certain search engines (i.e., Bing, Google, and Yahoo). This allows you to see only search results that are licensed under CC. The Enable Creative Commons Search Results option is added to the Policy > URL & Cloud App Control > Ad...
Zscaler Client Connector EUNs for Firewall, DNS, and IPS Policies
Beginning with Zscaler Client Connector version 4.8 for Windows, ZIA Firewall policies—including Firewall Filtering, DNS Control, and IPS Control—support end user notifications (EUNs) via Zscaler Client Connector. When configuring these policy rules, you can select to show a noti...
Support for Enhanced US Driver's License Dictionary and Sub-Dictionaries
The Zscaler service supports the Enhanced Driver's License (United States) predefined Data Loss Prevention (DLP) dictionary. The parent dictionary contains predefined sub-dictionaries for all 50 U.S. states, plus the District of Columbia, and each sub-dictionary can be indiv...
JWT Authentication
JSON Web Token (JWT) authentication is available for Zscaler Cloud & Branch Connector workloads. JWT authentication is enabled when configuring locations. <a class="image-icon" href="#enable-jw...
JWT Authentication Support for Workloads on Management Portal for Partners
The ZIA Admin Portal supports a new method, JWT authentication, to authenticate workloads from Cloud & Branch Connector. In the Management Portal for Partners, you can enable this feature in ZIA for your tenants by using the JWT Auth for Workload field on the Tenant Details...
Support for Adaptive Access Engine
Adaptive Access Engine dynamically manages access based on real-time assessments of risk and trust by continuously evaluating contextual signals, user behavior, device health, location, and other factors to determine whether to allow or block access to websites or apps at any giv...
Automatic Session Restore for Isolation
Isolated sessions now automatically restore their web pages if they time out on a user's device. If a session is idle for longer than the timeout of 10 minutes, the isolated page automatically refreshes itself, and the user does not have to sign in again. When this action occurs, the banner...
Original URL of Website Name in Isolation
The UI is updated so that when users enter an isolated session, they now see the original URL of the website they are on instead of the isolation web page URL. This change provides users with an experience with a look and feel more like a native browser compared to the container view of being iso...
Enhancement to the IP Destination Groups Endpoint
A new query parameter "override" is available for the "PUT /ipDestinationGroups/{ipGroupId}" endpoint. The "override" parameter is a Boolean that you can set to override IPs when required. To learn more, go to "PUT /ipDestinationGroups/{ipGroupId}</code...
Update to Cloud Nanolog Streaming Service (NSS) Endpoints
The Cloud Nanolog Streaming Service (NSS) endpoint category in the cloud service API includes a new endpoint, "GET /nssDownload/{nssId}", that enables you to download the NSS virtual appliance information based on the specified NSS server ID. To learn more about...
Updates to SaaS Security Endpoints
You can retrieve the SaaS Security Scan Configuration information and the validation status of a SaaS application tenant using the following endpoints: • "GET /casbTenant/scanInfo" • "GET /casbTenant/validate/status/{tenantId}" To...
New AI/ML Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
New Network Applications in Firewall Control
Zscaler includes support for identifying several new network applications using deep packet inspection and controlling the network application traffic using Firewall Filtering rules. These network applications are listed on the Network Applications page (Administration > Network...
Support for New SSPM Controls for Snowflake
The number of SaaS Security Posture Management (SSPM) controls for Snowflake in Advanced SSPM has been increased. Forty-six new SSPM controls are supported for Snowflake....
Logs for Post-Quantum Cryptography Visibility
Zscaler is proactively preparing for post-quantum cryptography (PQC) by evaluating quantum-safe algorithms, supporting hybrid encryption systems, and enabling scalable integration of quantum-resilient technologies across its cloud infrastructure. Zscaler collaborates globally wit...
Enhancement to SafeSearch
SafeSearch allows granular control of applications. This allows you to apply SafeSearch to specific applications. As part of this change, on the Advanced Policy Settings page (Policies > URL & Cloud App Control > Advanced Policy Settings), the SafeSearch Applications drop-down ap...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Support for Custom File Types in DLP and File Type Control Policies
You can create custom file types and use them when creating Data Loss Prevention (DLP) and File Type Control policies. You can then filter and view logs for these custom file types in Web Insights Logs and the Nanolog Streaming Service (NSS). <a class="image-icon" href="#ad...
Support for Custom File Types in File Type Policies and DLP
The File Type Control and Data Loss Prevention (DLP) policies now support custom file types with extension-based detection. On the Management Portal for Partners, partner tenants can see a new field, Custom File Type Limit, in their Technical Information section. The Custom...
Document Classification and Logging
AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classification of documents that are...
File Type Support for File Type Control & DLP
The File Type Control and Data Loss Prevention (DLP) policies support the following file types in the Other category: • UTF-8 BOM • UTF-16 LE • UTF-16 BE The file types are available when creating the following policies: <l...
Shadow IT Report Enhancements
You can view information about the number of transactions per application based on their status (blocked or allowed) in the Cloud Applications table of the Shadow IT Report. A new column, No. of Transactions, is added to the Cloud Applications table. <a class="image-i...
SSL Inspection for IoT Devices
You can specify the type of IoT devices to perform or bypass SSL Inspection. Admins can create an SSL Inspection policy based on IoT AI/ML classifications to perform or bypass SSL Insepction. This enhancement requires IoT enablement for your organization. <p...
Support for Expandable Limit for Users, Groups, Locations, & Departments in Policies
The default limit of Users, Groups, Locations and Departments in policies has been increased to 32 from 4 and 8. This limit can be further expanded on a need basis. You can contact the Zscaler Sales or Zscaler Account team to further increase this limit, if required. On the Management Porta...
Support for Expandable Limit for Users, Groups, Locations, & Departments per Rule
The limit of users, groups, departments, and locations for a rule is increased to 32 from 4 users, 8 groups, 8 departments, and 8 locations. You can contact Zscaler Support to increase this limit further as needed. The following categories under the policy are supported: • Bandwidt...
Async Location Download
For organizations that have thousands of locations or sublocations, the loading time on the Locations page and in any policy that references locations when selected might incur noticeable loading time to retrieve and display the full location list. To learn more, see <a href="https://help.z...
Gen AI Application Category in NSS Feeds for SaaS Security Logs
Gen AI is added as an application category in NSS and Cloud NSS feeds for SaaS Security Logs. When configuring a feed, you can select the Gen AI application category and available generative AI SaaS applications (e.g., ChatGPT) to stream the related logs from Zscaler to your secu...
Source Countries for the URL Filtering Rules
You can select the countries from which traffic originates for the URL Filtering rules. This allows you to control the traffic originating from specific countries. As part of this change, the Source Countries field is added to the Add URL Filtering Rule window (Policies > URL & C...
Updates to Virtual Service Edge Endpoints
You can create, update, and delete a ZIA Virtual Service Edge and retrieve the Virtual Service Edge for an organization using the following endpoints: • "GET /virtualZenNodes" • "POST /virtualZenNodes" • "GET /virtualZenNodes/{virtu...
Updates to Workload Groups Endpoints
You can add workload groups for an organization and update, delete, and retrieve the workload groups by specifying the ID using the following endpoints: • "POST /workloadGroups" • "GET /workloadGroups/{workloadGroupId}" • "PUT /wor...
New Endpoints for 3rd-Party App Governance
The 3rd-Party App Governance API adds the following new endpoints to perform bulk actions as well as retrieve scan results and lists of filters and controls from the Posture page in the 3rd-Party App Governance Admin Portal: • "/posture/controls/status" • "/posture/...
OpenOffice File Type Support for DLP
The Data Loss Prevention (DLP) policies support the OpenOffice Drawings (.odg, .otg) file type in the OpenOffice category: • DLP - Rule with Content Inspection To learn more, see <a href="https://h...
Gen AI Security Report Enhancements
The Gen AI Security Report is improved, making it interactive and intuitive, with the following enhancements: • Option to view the sanctioned and unsanctioned Gen AI application usage. • Prompt Classification to categorize the prompts used in the Gen AI application...
Improvements to the Zscaler Incident Receiver JSON Metadata File
To help improve incident management on the Zscaler Incident Receiver, the JSON file that contains Data Loss Prevention (DLP) policy scan metadata for Inline Web DLP policy violations (with Evaluate All Rules mode enabled) has been updated with the following fields: • "otherMatchedRu...
Third-Party URL Category Lookup
Zscaler supports lookup for uncategorized URLs using a third-party database. You can control the lookup for such uncategorized URLs using the newly added Enable 3rd-Party URL Category Lookup option on the Advanced Policy Settings tab (Policy > URL & Cloud App Control). <a c...
Logs for SSL Inspection Policy Rule Name
You can filter and view logs to learn which specific SSL Inspection policy r...
Multifile Support for Isolation in ZIA
Users can now upload multiple files simultaneously while in an isolated session. There is no minimum or maximum limit while uploading. See image. To learn more, see <a class="url-external" href="https://help.zscaler....
Search for Configuration Changes in Audit Logs
You can search for configuration changes on the Audit Logs page by selecting Changes from the search options. See image. The configuration change search applies to JSON attribute values, not a...
Support for Device Groups in Forwarding Control
In the Policy > Forwarding Control > Add Forwarding Rule window, under the General section, a new Device Groups criterion is added. This criterion allows you to select device groups based on the device platform to which the configured forwarding rule applies. <a class="imag...
Support for Step-Up Authentication
Step-up authentication is a security mechanism that ensures users can only access sensitive or high-risk resources after completing an additional level of identity verification. Conditional access is supported for step-up authentication in the ZIA Admin Portal when configuring UR...
Updated Search for Firewall Filtering Rules
The following update is applicable only to tenants approved for an increased rule limit of up to 4,000 Firewall Filtering rules, based on qualified use cases. On the Firewall Filtering Policy page (Policy > Firewall Control), the search is updated to include th...
Updates to End User Subscription Agreement (EUSA) Endpoints
The cloud service API includes the Activation endpoint category to extend programmatic access to retrieve the EUSA acceptance status using the following endpoints: • "GET /eusaStatus/latest" • "PUT /eusaStatus/{eusaStatusId}" To le...
Support for Number of Collaborators for Google Drive in DLP
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as scoping criteria for Google Drive. Administrators can apply the scope to collaborators by choosing a range for the number of internal and extern...
Improvements to the Users Page
Multiple enhancements have been made to improve the load time and performance of the Users page in 3rd-Party App Governance. This significantly improves the user experience. To learn more, see <a href="https://help.zscaler.com/zia/about-user-inventory" target="_blank" data-entity-type="node...
Support for Correlated View of App Users and DLP File Access
A new tab, Files, is added to the User Panel in 3rd-Party App Governance. This tab provides visibility into files associated with Data Loss Prevention (DLP) violations for a given user over a selected period of time. You can quickly identify the top files with DLP violations, ena...
Support for Detecting Internal Apps
Multiple improvements help to automatically detect internal apps and relate publishers to those internal apps in 3rd-Party App Governance. To learn more, see <a href="https://help.zscaler.com/zia/about-app-inventory" target="_blank" data-entity-type="node" data-entity-uuid="acfb521d-0327-4a...
Support for Excessive Data Permissions Finding for GitHub Apps
A new finding, Excessive Data Permissions, is created for GitHub apps in 3rd-Party App Governance. Applications with excessive data permissions can access or modify multiple data types like emails, files, chats, and calendars, which puts the organization at risk of non-compliance and malicious ac...
Support for SaaS Application Tenants Label Management
You can add and manage labels for Software as a Service (SaaS) application tenants from the Integrations banner in 3rd-Party App Governance and Advanced SSPM. You can also filter the platforms by label. This allows you to identify the differences between the tenants for effective...
Support for SaaS Dashboard in Advanced SSPM
You can view the Software as a Service (SaaS) dashboard when you access Zscaler Advanced SaaS Security Posture Management (SSPM). The dashboard displays information about the overall posture score and risk score across all apps, platforms, and user accounts. It also displays the...
Content Location Match Criteria for Web DLP Rules
You can choose a content location as a match criteria to target specific sections of a file or transaction when defining a Data Loss Prevention (DLP) rule. To enable this feature, contact Zscaler Support. • File• Document Properties: Matches are...
Add Comments for ATP Blocked Malicious URLs
You can now add comments to malicious URLs you have added to Advanced Threat Protection (ATP) Blocked Malicious URLs. To learn more, see <a href="https://help.zscaler.com/zia/adding-urls-denylist" target="_blank" data-entity-type="node" data-entity-uuid="b78a03b4-6f84-4726-...
Downloading Policies
On the Print All Policies page (Administration > Print All Policies), you can download your organization's configured policies as JSON files by selecting the ZIP file format. A single ZIP file containing JSON representation of the policies is downloaded, with one JSON file c...
Enhancements to Cybersecurity Insights
You can now view and download the latest Zscaler ThreatLabz updates of all newly generated or updated content by the Zscaler ThreatlabZ team in a PDF from the Cybersecurity Insights page. See image. To learn more, see <a h...
Logs for Allowed File Type Rule
You can filter and view logs for File Type Control policy rules that use the Allow action and have been triggered by the transaction. The following changes are available in the ZIA Admin Portal:</p...
EDM and DLP Support for New PII Dictionaries
The following predefined DLP and EDM dictionaries now support an additional format for Australian Passport numbers: AAn(6), where AA is a combination of two letters (PA - PF, PU, PW, PX, PZ, and RA - RZ) and n is a combination of 6 digits. A delimiter (hyphen, spaces, or pe...
Location Groups Filter in NSS Feeds
A Location Groups filter is added to NSS and Cloud NSS feeds for Web, Firewall, and DNS logs as well as Microsoft Cloud App Security (MCAS) NSS feeds. You can use the filter when configuring a feed to limit the logs to specific location groups. <a class="image-icon" href="#...
New EDM Data Types
When creating your Zscaler Data Loss Prevention (DLP) EDM templates, you can now select the following data types: • National Document ID (Uruguay) • National Identification Number (Chile) • National Identification Number (Peru) To learn more, see...
Update to Firewall and Forwarding Rules
In Firewall and Forwarding rules, the Department field was accessible to some customers without the appropriate entitlement (requires Advanced Firewall). An update has been made to ensure that this field availability matches the admin’s entitlement to the field licensed with Advanced Firewall. Fo...
Support for Microsoft as an IdP in 3rd-Party App Governance
Zscaler 3rd-Party App Governance supports Microsoft as an identity provider (IdP) to authenticate admins and users logging in to the 3rd-Party App Governance Admin Portal. You can select Microsoft as the IdP when connecting a web-based platform to Advanced SaaS Security Posture M...
Custom Browser EUN Support for File Type Control Policy
The File Type Control policy rules support Custom Browser end user notifications (EUN). You can create a custom EUN template for the File Type Control policy and associate it with the policy rules. This allows you to show the custom notification messages on the endpoints when the...
DLP Support for New ML-Based Dictionaries
The following are new predefined DLP dictionaries that use ML-based detection: • ID Card • Medical Imaging • Satellite Data • Schematic Data To learn more, see <a href="https://help.zscaler....
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
New Macros Available for DLP Notification Templates
Zscaler added three new inline web DLP macros for your DLP notification templates: • "${DEPARTMENT}": Shows the department of the user who triggered the DLP rule. • "${FILESIZE}": Specifies the size of the file that triggered the DLP rule.</li...
Support for Parent DLP Dictionaries and Sub-Dictionaries
The Zscaler service supports using Patterns and Phrases Data Loss Prevention (DLP) dictionaries to create custom parent dictionaries and sub-dictionaries as a means of grouping similar dictionaries. For parent dictionaries, you can define patterns or phrases, or you can leave the...
Tenancy Restriction Support for Amazon Web Services CLI
Tenancy restriction support is extended to Amazon Web Services CLI. To learn more, see Adding Te...
Multiple Sandbox API Token Support
Zscaler Sandbox (Administration > Cloud Service API Security > Sandbox API Token) supports up to 5 Sandbox API Tokens. The Sandbox token name field has a limit of 10 characters. See image. Web Insight Logs (Analytics >...
Support for Dedicated IP and Geolocalization IP
The Dedicated IP feature allows organizations to subscribe to dedicated IP addresses for the Zscaler data centers of their choice. Users can use these dedicated IP addresses (unique to the organization) as their source IP address to reach destinations that require source IP-based access. Th...
Support for Filtering for Advanced Threat Protection
Users can now add URLs and MD5 file hashes to an Allowlist for Advanced Threat Protection (ATP) to explicitly allow or deny access to specific URLs or files. See image. To learn more, see <a href="https://help.zscale...
Exclude Selected Applications from NSS Feeds
A filter to include or exclude selected cloud applications has been added to the existing Cloud Applications filter in NSS and Cloud NSS feeds for web logs as well as Microsoft Cloud App Security (MCAS) NSS feeds. When configuring a feed, you can select cloud applications and inc...
Increase in the Default Number of Allowed File Type Control Policy Rules
The default limit of File Type Control Policy rules has been increased to 2,048 from 1,024. To learn more, see Ranges & Limitations....
Update to Cloud Service API: Enhancement to Location Group Endpoint
A new query parameter "fetchLocations" is available for the "GET /locations/groups" endpoint. The "fetchLocations" parameter is a Boolean that you can set to fetch locations associated with the group. To learn more, go to "GET /locations/groups" f...
Update to Custom IPS Signature Rules CSV Import
When importing custom IPS signature rules using CSV files (Administration > Custom IPS), you must enclose comma-separated values for individual fields within three single quotes ("'''") instead of double quotes ("""). This update has been made...
Gen AI Prompt Configuration for Writer and Deepseek
Zscaler's Gen AI prompt configuration is extended to the Writer and Deepseek generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen-ai...
Support for Zscaler-Managed Business Continuity Cloud
The Zscaler-managed Business Continuity Cloud is a fully managed private cloud solution that is built on the isolated and dedicated ZIA and Zscaler Private Access (ZPA) infrastructures to ensure consistent cyber and data protection during critical outages. Zscaler deploys and hosts the private ZI...
Gen AI Prompt Configuration for Grok AI
Zscaler's Gen AI prompt configuration is extended to the Grok AI generative AI application. You can enable prompts for this application to categorize and store the prompts for it. See image. To learn more, see <a h...
Update to Web Insights for Bandwidth Control
Web Insights includes additional information for Bandwidth Control with the new filter Bandwidth by Data Center. See image. To learn more, see <a href="https://help.zscaler.com/zia/web-data-types-and-filters...
Support for Risk Explainability in 3rd-Party App Governance and Advanced SSPM
On the App Panel header, you can hover over the risk score to view a breakdown of the score. On the Control Panel header, you can hover over the control severity level to view a breakdown of the severity. These actions allow you to view the components and criteria used to calcula...
Cloud Application Updates
As part of a continuous review, Zscaler has updated cloud applications across various cloud application categories. To obtain the list of updated cloud applications, download the list: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Zoom in Tenant Profile
The Tenant Profiles feature supports Zoom. This allows granular control of actions (e.g., disable file transfer in meetings, disable recording locally on the device, etc.) in Zoom. See image. To learn more, see <a href="htt...
HTTP Header Control
The HTTP Header Control feature allows you to create URL Filtering policy rules based on HTTP headers. As part of this change, the following profiles are added to the ZIA Admin Portal: • HTTP Header Profile (Administration > HTTP Header Control) • HTTP Header Inser...
Added Alert for Unknown and Suspicious C2 Traffic
You can enable the service to send alerts for unknown or suspicious C2 traffic. This feature is enabled by default. See image. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanc...
Expanded File Type Support for File Type Control and DLP
The File Type Control and Data Loss Prevention (DLP) policies now support the Appinstaller Files (.appinstaller) file type in the Other Documents category. • File Type Control • <a href="#dlp...
File Type Control Enhancements
You can configure file type control rules based on Password-Protected criteria. This criteria is applicable for the following formats: • Password-Protected/Encrypted • Portable Document Format (.pdf) • Encrypted Office Documents • ZIP • RAR <l...
Microphone and Camera Functionality for Isolation Profiles in ZIA
Isolation allows microphone and camera functionality on the user's device while in an isolated browser. This can be enabled per isolation profile if Turbo Mode is also enabled. See image. To learn more, see...
WebSocket Protocol Type in DLP Rules
You can choose either WebSocket or WebSocket SSL/TLS as a protocol type when defining a Data Loss Prevention (DLP) rule. On the Policy > URL Filtering & Cloud App Control > Advanced Policy Settings tab, a Microsoft Copilot toggle is added under the Gen AI Prompt Configuration sec...
ChatGPT in Tenant Profile
The Tenant Profiles feature is extended to the ChatGPT application. This allows you to provide access to specific workspace IDs for ChatGPT. See image. To learn more, see <a href="https://help.zscaler.com/zia/ad...
Enhancements to Admin Role Management
The Administration > Role Management page is enhanced to provide admins more granular access to major ZIA features. Super admins or admins with full access to the ZIA Admin Portal can assign admins field-wise permissions (Full, View Only, and None) to access individual ZIA featur...
Instance Discovery Report Enhancements
The Instance Discovery Report provides visibility into the instances accessed by users at the various levels of hierarchy for different SaaS applications. The Instance Discovery Report includes the following enhancements: • New applications are supported with vario...
Update to Cloud Service API: Cloud Application Instance Endpoints
The cloud service API includes the following new endpoints to create, update, and delete cloud application instances: • "POST /cloudApplicationInstances" • "PUT /cloudApplicationInstances/{instanceId}" • "DELETE /cloudApplicationInstances/{instanceI...
Update to Cloud Service API: User Endpoint Rate Limit
The rate limit for the "GET /users" request within the cloud service API has been updated to 10 calls/minute and up to 40 calls/hour. To learn more, see the API Rate Limit Summary....
Update to Sandbox Scanning Portal URL
The Sandbox Scanning Portal is now more secure with the change to an HTTPS URL: https://filecheck.zscaler.com/ If you have bookmarks to the previous URL for the Sandbox Scanning Portal, update them as they no...
Updates to Cloud Service API
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Alerts • Bandwidth Control & Cl...
Updates to Cloud Service API: Service Edges
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Service Edges To learn more about each endpoint, see...
Updates to the Add UEBA Alerts Page
The Trigger Multi-Factor Authentication action under Adding Alert Rule for UEBA Alert is deprecated and alert triggers with Multi-Factor Authentication is no longer supported. You can choose between Trigger an Alert or Place user in group to trigger the alert rule. <a class...
Email Notification Support for Policies in 3rd-Party App Governance
When creating a policy, you can choose to send an email through one or more default email addresses to notify the users whenever the policy is triggered. See image. To learn more, see <a href="https://help.zscaler.co...
Support for Viewer Role in 3rd-Party App Governance
You can assign a new predefined role called Viewer to a user. When assigned this role, the user can only view data and export reports across the 3rd-Party App Governance Admin Portal, but cannot take any action or make changes. To manage role assignments, contact Zscaler Suppor...
Email Notification Support for Revoking or Banning Apps in 3rd-Party App Governance
When you revoke or ban an app for users in your organization, you can send an email to notify them that the previously accessible app is revoked or banned. You can also select the email address from which you want to send the email. <a class="image-icon" href="#Revoke/Ban-C...
Developer Tools URL Category
The Developer Tools predefined URL category is added to the Information Technology super category. It consists of sites that provide tools used by developers for coding, debugging, testing, and managing software projects. This category is enabled from the backe...
New Predefined DLP Engines Available
The following are new predefined DLP engines available on the DLP Engines page (Administration > DLP Dictionaries & Engines > DLP Engines). These engines are available by default for customers with tenants enabled on April 4, 2025, or later. For enablement on e...
Support for MIP Labels for PowerPoint Files in Data at Rest Scanning DLP Policy
For file sharing applications, you can configure MIP labels on PowerPoint files from the Data at Rest Scanning DLP policy in the Add DLP Rule window (Policy > Data at Rest Scanning > Data Loss Prevention). Choose from the list of OneDrive and SharePoint tenants to see this action...
UCaaS One Click Configuration Support for Talkdesk
Unified Communications as a Service (UCaaS) one-click configuration support is now extended to the Talkdesk cloud application. See image. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanced-url...
Changes to Policy Action Reasons in Web Insights and NSS Reports
The following policy actions seen in the Insights and NSS Reports have changed to ensure consistency with the field values from the Web Insights in the ZIA Admin Portal: Old Policy ReasonNew Policy Reason<td style="overflow:hidden;pad...
Expanded Python File Type Support for Sandbox
The Zscaler Sandbox supports additional file types: • Python Source Code file (.py) • Pickle files (.p, .pkl, and .pickle) • Python Dynamic Module file (.pyd) • Python Script file (.pyw) See image....
Hex-Encoded Requested Domain Field in NSS Feeds
The field "%s{ednsreq}" is available when adding an NSS or Cloud NSS feed for DNS logs. The field output is the hex-encoded FQDN in the DNS request. To learn more, see <a href="https://help.zscaler.com/zia/nss-feed-output-format-dns-logs" target="_blank" data-entity-type="node" d...
Update to Cloud Service API
The cloud service API is updated to include a new "GET /locations/supportedCountries" endpoint that retrieves an up-to-date list of countries supported in location configuration. To learn more, see the API Reference...
Update to Cloud Service API
To provide a unified and streamlined API experience through Zscaler OneAPI, our centralized API management solution for the Zscaler platform, Zscaler is applying the following changes to ZIA: • Going fo...
Updates to Cloud Service API
The cloud service API includes updates to the following categories of endpoints to extend programmatic access to specific ZIA features and functionalities: • Admin & Role Management • S...
Support for Number of Collaborators in DLP Policy
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy now supports the number of collaborators as a scoping criteria for file sharing applications. When enabled for a partner tenant, the CASB Collaborator Count field under Special Settings of the Tenant Detail...
Zscaler EUN Web Page for DNS Control Policy
Using the DNS Control policy, you can redirect users to a new Zscaler-provided end user notification (EUN) web page to inform users of your organization policy when they access restricted domains. You can do this by selecting the Redirect Response action in the DNS Control rule a...
Multiple VM Sandbox Report Analysis
For Advanced Sandbox users, all malicious samples are analyzed twice automatically, first through an unpatched vulnerable VM (Zero Day Report or Fully Patched VM Report) and then a second time through the fully patched secured VM (Regular Report). This allows you to compare the r...
Cookie Persistence Renamed to Persistent State for Isolation Profiles
In ZIA isolation profiles, the cookie persistence toggle has been updated to be called Persistent State. See image. To learn more, see <a href="https://help.zscaler.com/isolation/using-persistent-state-isolation" targe...
DLP Support for New PII Dictionaries
The following are new predefined DLP Dictionaries: • National Identification Number (Chile RUN) • National Identification Number (Peru CUI) • National Document ID (Uruguay) To learn more, see <a href="https://help.zscaler.com/zia/understanding-pre...
Enhancement to Secure Browsing
You can configure granular Smart Browser Isolation policies for specific users or groups from the Secure Browsing page. As part of this change, the following fields are added to the Smart Isolate tab (Policy > Secure Browsing > Smart Isolate): • Users • Groups...
Isolation of Miscellaneous and Unknown Category in ZIA
Isolation creates preconfigured profiles for admins. These profiles can configure only the URL category "Miscellaneous and Unknown" in their Zscaler Internet Access (ZIA) policy. Some fields in this profile are permanently enabled, others permanently disabled, and some the admin can <a href="http...
Update to Application Service Groups
The Firewall policy allows you to manage outbound and inbound traffic for cloud service providers such as Amazon Web Services (AWS) and Google Cloud Platform (GCP), along with their subservices, using the newly added AWS and GCP application service groups. These application servi...
Remote Assistance Notification
The Zscaler service displays a notification when Remote Assistance is enabled. See image. The maximum time limit for both view-only and full access is 90 days. To learn more, see <a href="https://help.zscaler.com...
Updates to Cloud Service API
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Admin & Role Management • User Manage...
Enhancement to Posture Page in Advanced SSPM
The Complexity column and filter are added to the Posture page. You can view the complexity level of a control and filter the controls displayed in the table by using this filter option. The Control Panel header for each control displays its c...
Enhancements to Assets Tab of the Control Panel in Advanced SSPM
The Assets tab of the Control Panel in Advanced SSPM includes the following enhancements: • You can export the assets report to a CSV file. • You can copy the asset evidence or download it as a JSON file. <a class="image-icon" href="#ZIA-Assets-Tab-Enha...
Update to Cloud Service API: Data Center Exclusion
The cloud service API includes the following new endpoints to support excluding a Zscaler data center (DC) in the event of service disruption by disabling all tunnels terminating at a virtual IP (VIP) address of the DC. Using these endpoints, you can add, modify, and delete DC exclusions and retr...
Update to DNS Control Policy
The DNS Control policy includes a new action, Block with Response Code, which allows you to block DNS traffic and send a response code to the client. The response code can be chosen from a predefined list that appears in a new Response Code field when this action is selected. Whe...
DLP and EDM Support for PII
The existing predefined Credit Card dictionary and EDM data type now support the additional popular formats: • Credit Card Number (China UnionPay) • Debit Card Number (Maestro) To learn more, see <a href="https://help.zscaler.com/zia/creating-exact-data-match-template"...
Enhancement to HTTP/2 in SSL Inspection Policy
The Enable HTTP/2 option is enabled by default when configuring an SSL Inspection rule. This feature is only available when it is enabled for your organization. See image. To learn more, see <a href="https://help.zscaler.com...
Tenant-to-Tenant Firewall Control and Logging Improvements
Additional Firewall Control and Logging capabilities have been added for scenarios where an organization's roaming user (i.e., remote user from a Home tenant) is a guest user visiting another organization's tenant location (i.e., Host tenant) in the same Zscaler cloud and that Host tena...
Zscaler Incident Receiver Configuration Enhancement
Zscaler now supports the SSH key, ED25519. To learn more on upgrading the SSH key to ED25519, see <a href="https://help.zscaler.com/zia/configuring-zscaler-incident-receiver" target="_blank" data-entity-type="node" data-entity-uuid="1b3f21b1-0d52-4d5a-911b-61d5deeca357" data-entity-substitu...
Administrator Scope Department Limit
When configuring ZIA admins and <a href="https://help.zscaler.com/zia/adding-zia-super-admins" target="...
Enhancements to the IoT Report
The IoT Report has been enhanced to report IoT policy status and statistics for IoT devices. To learn more, see About the IoT Report. You can get an overview of the IoT web policies...
Increase in Query Limit for Sandbox Report API
The resource access quota for retrieving Sandbox Detail Reports is increased to 3,000 requests per day, with a rate limit of 2/sec and 1,000/hour. To learn more, see the Obtaining San...
Logs for Source and Destination IP Countries
You can filter and view logs for Source IP Countries, Destination IP Countries, Is Source IP Country Risky? and Is Destination IP Country Risky? As part of the update, the following changes are available in the ZIA Admin Portal: Web Insights LogsThe following filte...
Update to Cloud Service API
The cloud service API includes a new "POST /exportPolicies" endpoint for exporting rules configured for various policy types to JSON files. To learn more, see the API Reference. The Postman collection has...
Support for Case-Sensitive Logging for Select Domains
Zscaler supports case-sensitive URL logging for select domains. Some sites and services, such as URL shorteners, use case sensitivity within the URL path when generating links. For example, "bit.ly/ABcDEf" has a different destination URL than "bit.ly/abcdef". With added supp...
Enhancement to Posture Controls Report in Advanced SSPM
When exporting the controls report to a CSV file from the Posture page, you can view additional attributes like Description, Tenant Name, Platform, Severity, etc. in the exported file. To learn more, see <a href="https://help.zscaler.com/zia/about-posture" target="_blank" data-entity-type="...
ZPA Application Segment Limits
You can add up to 2,000 Zscaler Private Access (ZPA) application segments while configuring Source IP Anchoring in the ZIA Admin Portal. To increase the application segment limits, contact Zscaler Support. To learn more, see <a href="https://help.zscaler.com/zia/configuring-source-ip-anchor...
Service - zscalertwo.net
Enhancement to Cloud Application Instances
The cloud application instances feature is extended to new cloud applications. You can create cloud application instances for the following cloud applications: • Google Gemini <li dat...
Support for New Workday Filters and Prompts
You can use a new filter Last Functionally Updated to easily identify recently modified records when creating custom reports in Workday. Additionally, the prompts Starting Prompt and Ending Prompt fields provide greater control and precision when defining report parameters. <p...
Updates to Malware Protection Policy Endpoints
You can update the Malware Protection policy and retrieve the Malware Protection policy for an organization using the following endpoints: • "GET /malwarePolicy" <li data-list-item-id="e83742e3c2bff0a63...
Updates to NSS Collector Server Endpoints
You can add, update, and delete NSS Collector servers and retrieve a list of all configured NSS Collector servers for an organization using the following endpoints: • "GET /nssCollectors" <li data-list-...
Updates to Secure Browsing and Votiro CDR Endpoints
You can retrieve a list of all supported browsers and their versions and update the Smart Browser Isolation policy settings using the following endpoints: • "GET /browserControlSettings/supportedBrowserVersions</...
Updates to the IPS Control Policy Endpoints
You can create, update, delete, and retrieve custom IPS signature rules using the following endpoints: • "GET /ipsSignatureRules" • "POST /ip...
Additional Support for Predefined DLP Dictionaries in Endpoint DLP
The following predefined Data Loss Prevention (DLP) dictionaries are now supported for use in Endpoint DLP policy rules: • Addresses (Japan) • First Names (J...
Gen AI Prompt Configuration for QuillBot and Google AI
Zscaler's Gen AI prompt configuration is extended to the QuillBot and Google AI generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen...
Policy Level Gen AI Prompt Configuration
You can capture end user prompts for generative AI applications from the Cloud Application Control policy. This allows granular control of Gen AI prompt configuration. As part of this update, the Capture Prompts option is added to the Add/Edit AI & ML Rule window (Policies > Acce...
Enabling Incident Forwarding for Slack Chats
Zscaler is now forwarding Slack chat-based DLP policy incidents to the Zscaler Incident Response and Zscaler Workflow Automation along with already supported file-based violations. These incidents are also sent to Web Insights and Logs and to the respective DLP policy's auditor. To lea...
Expanded SSPM Controls for Google Workspace
Advanced SaaS Security Posture Management (SSPM) expands its coverage for Google Workspace with 24 new SSPM controls, providing deeper visibility and stronger security posture assessment. The Cloud Identity license must be assigned to the Google Workspace Admin onboarding...
DLP Support for New PII Dictionaries
The following are new predefined DLP dictionaries: • Argentina Uniform Bank Code: Detect Leakage of CBU • Cambodian National ID: Detect Leakage...
Support for Collaboration Scope for Microsoft Teams
When creating a DLP rule for Microsoft Teams, you can define the collaboration scope as External, Internal, or Any to scan messages and attachments in channels containing external, internal, or any (internal or external) members. <a class="image-icon" href="#collab-scope-dl...
Add or Remove NTP Servers Using CLI
You can add or remove custom NTP servers from the configuration files using CLI commands. This prevents syntax errors and duplicate entries in the configuration files. To learn more, see <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-internet-saas-ntp-server-synchron...
Default Rules for Advanced Sandbox
If your organization is subscribed to the Advanced Sandbox package, the following default rules are available: • Sandbox_Docs_Trusted • Sandbox_Docs_Archives • Sandbox_Exes_We...
DLP Rule Name Support for Web DLP Reports and Insights
Users can schedule Web DLP incident reports by DLP Rule Name to improve visibility and monitor incident counts in the Zscaler Admin Console: Data Type DLP Rule Name is introduced in the Interactive Reports widgets and Web Insights. <a class="image-icon" href="#dlp-rul...
Document Classification and Logging for Email DLP Insights
AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Email DLP Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classific...
Enhancements to Predefined O365 One Click rule in SSL/TLS Inspection Policy
You can choose Evaluate Other Policies or Bypass Other Policies under the Do Not Inspect action in the O365 One Click predefined rule in the SSL/TLS Inspection Policy. This allows you to configure the predefined O365 One Click rule to either evaluate other policies (i.e., URL Fil...
Exclude Selected URL Classes & Categories from NSS Feeds
Filters to include or exclude selected URL classes, URL categories, and URL super categories have been added to NSS and Cloud NSS feeds for web logs. When configuring a feed, you can select the respective URL classes and categories and include them in the logs by default or choos...
New Network Applications in Firewall Control
The Zscaler service extends support to identify two new network applications, namely Kafka (Application Service category) and Zalo (Instant Messaging category). You can view these apps on the Network Applications page and configure them in Firewall Filtering rules to identify and...
NSS Support for Admin Audit, ZIdentity Authentication, and ZIdentity SCIM Logs
The following enhancements are available for the NSS Feeds and Cloud NSS Feeds: • New log types, ZIdentity Authentication and ZIdentity SCIM, are added to the NSS for Web type. These log types provide support for the ZIdentity Authent...
Support for Cloud NSS Feeds for Alerts
You can configure a separate Cloud NSS feed for alerts, enabling you to monitor your Cloud NSS feeds for data lag, data loss, and the connection to your cloud-based security information and event management (SIEM) system. <a class="image-icon" href="#img-cloud-nss-alert-fee...
Support for Smartsheet as an API-Based Platform in Advanced SSPM
Advanced SSPM supports Smartsheet as an API-based platform to provide visibility into posture misconfigurations. You can onboard a Smartsheet tenant from the 3rd-Party App Governance Admin Portal. See image. To...
Enhancement to Atlassian Integration in 3rd-Party App Governance
The Add Integration window for Atlassian in 3rd-Party App Governance is enhanced to allow you to enter the Atlassian subdomain and API token while adding the integration. This reduces the number of steps and simplifies the integration process to improve the user experience. <p...
API Session Timeout
When configuring advanced settings (Policies > Common Configuration > Advanced > Advanced Settings), you can specify how long API-initiated sessions can be inactive before they are forced to reauthenticate. The timeout duration can range from 5 to 20 minutes. <a class="imag...
Subdocument Type Support in Data Discovery Report
The Data Discovery Report is enhanced to include subdocument type support, providing enhanced visibility via an interactive bubble chart for ML categories. This chart utilizes nested bubbles to represent granular subdocument types, such as tax forms and legal contracts. By drilli...
Update to Workload Groups Endpoints
You can delete a list of workload groups for an organization using the "DELETE /workloadGroups" endpoint. To learn more, go to "DELETE /workloadGroups" from Workload Groups. To learn more about...
Client Browser for Zero Trust Browser
Zero Trust Browser has been updated with several significant changes to provide seamless and secure enterprise access from any browser. The solution consists of three primary components: a browser extension that handles web-based security and access, a lightweight agent that enforces device postu...
Enhancement to Advanced Threat Protection Policy
Advanced Threat Protection now enables users to allow the Web Proxy Auto-Discovery (WPAD) protocol from external sources to automatically discover proxy settings by locating PAC files via DHCP or DNS queries. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanced-threat-pro...
Support for Microsoft Copilot Readiness Assessment
Organizations face a significant security risk when users inadvertently overshare or mishandle sensitive internal files. The integration of AI tools, such as Microsoft Copilot, intensifies this risk, as these tools can access information within the improperly shared files, leadin...
Cloud Custom IPS Enhancements
Custom IPS is supported on Zscaler's public cloud, allowing you to create and deploy custom IPS signature rules without requiring any additional infrastructure (previously required a Private Service Edge deployment). You can inspect traffic transiting the Zscaler cloud again...
Support for Workday Tenant RaaS-based API Access
Workday tenants now support RaaS-based API access which enables secure, programmatic retrieval of data and management through web services. Existing Workday tenants need to be reauthenticated by editing the tenant and revalidating. To learn more, see <a href="https://help.zscaler.com/zia/ad...
Support in SaaS Security Data at Rest DLP Policy for Quarantine of Sensitive Content in Microsoft Teams
The SaaS Security Data at Rest Scanning policy supports a new option to quarantine sensitive content in Microsoft Teams. You can specify a tombstone message that end users see when messages or files in Microsoft Teams are quarantined. <a class="image-icon" href="#ZIA-Webex-...
Enhancement to Gen AI Prompt Configuration
The generative AI prompt configuration is extended to the Grammarly application. As part of this change, the Grammarly option is added to the Policy > URL & Cloud App Control > Advanced Policy Settings page. <a class="image-ic...
Outbound Email DLP Quarantine with Release or Delete Emails in Workflow Automation
Zscaler now supports the Quarantine action when configuring Outbound Email DLP policies for Microsoft Exchange. When Quarantine is selected, emails that match policy criteria are quarantined directly in Microsoft Exchange. To use the Quarantine feature, go to Policy > Email DLP a...
Advanced SSPM Support for Lucidchart
Advanced SSPM supports a new platform, Lucidchart. You can onboard a Lucidchart tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/connecti...
Support for Zendesk as an API-Based Platform in Advanced SSPM
Advanced SSPM supports Zendesk as an API-based platform. You can onboard a Zendesk tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/conne...
Advanced SaaS Security Posture Management Support for Oracle Financials Cloud
You can configure Advanced SaaS Security Posture Management (SSPM) for Oracle Financials Cloud tenants. Select the SSPM Scan checkbox when onboarding a tenant to enable the Advanced SSPM scan capability for the specific tenant. <a class="image-icon" href="#Oracle-sspm-onboa...
Document Classification and Logging for SaaS Security API, Email, and Endpoint DLP
AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classification of d...
Expanded SSPM Controls for Microsoft Copilot
Advanced SaaS Security Posture Management (SSPM) expands its coverage for Microsoft Copilot with 15 new SSPM controls, providing deeper visibility and stronger security posture assessment....
New Bandwidth Control Fields for Transactions
Web Insights are enhanced to allow users to view the latency caused by bandwidth control on transactions in the ZIA Admin Portal. Web Insights LogsThe following new columns and filters are available in the Web Insights Logs: • Request Latency Due to Bandwi...
Application Investigation in Endpoint Data Scan
Zscaler's Application Investigation is a solution that provides comprehensive visibility and automated risk management for an organization's application ecosystem by delivering a clear view of all software in use, including unauthorized AI tools and unapproved browsers....
DLP Operational in Endpoint Data Scan
The Zscaler DLP Operational page (Analytics > Endpoint Data Scan > DLP Operational) provides insights into the endpoint's status, thereby ensuring that the system functions properly and as designed to avoid sensitive data leakage. <a class="image-icon" href="#D...
Enhancement to Firewall Policies Endpoints
A new query parameter, "ruleLabelId", is available for the "GET /firewallFilteringRules" and "GET /firewallFilteringRules/count" endpoints. The "ruleLabelId" query parameter allows you to filter Firewall Filtering rules based on the rule label ID. To le...
Enhancements to Admin Role Management
On the Internet & SaaS > Role Management page, in the Policy & Components > Access Control tab, the URL Filtering and Cloud App Control policy permissions are separated to provide admins more granular control over those features. <a class="image-icon" href=...
Exact Data Matching in Endpoint Data Scan
Zscaler has introduced Exact Data Matching (EDM) for Endpoint Data Loss Prevention (DLP) which provides protection for structured sensitive data. This feature utilizes a unique hybrid architecture where the endpoint performs local prefiltering to identify candidate files for clou...
Expanded SSPM Controls for Salesforce
Advanced SaaS Security Posture Management (SSPM) expands its coverage for Salesforce with three new SSPM controls, providing deeper visibility and stronger security posture assessment....
Filtering by User Group in Endpoint Data Scan
Administrators can filter data on the Endpoint Data Scan page (Analytics > Endpoint Data Scan > Endpoint Data Scan) by a specific user group. See image. To learn more, see <a href="https://help.zscaler.com/legacy-zia/abo...
Share Files Externally in Endpoint Data Scan
Share Files Externally provides a capability for Endpoint DLP that allows authorized users to securely share sensitive files with external partners by encrypting the data into a secure HTML format, ensuring that only verified recipients can access the content. You can acces...
SSL Inspection and SSL Policy Renamed to SSL/TLS Inspection and SSL/TLS Policy
The labels SSL Inspection and SSL policy are renamed to SSL/TLS Inspection and SSL/TLS policy. See image. Refer to the following table for a list of updated labels: Old UI Labels...
Support for Certificate-based Authentication with Microsoft Applications for a Custom Zscaler Connector
When you create a custom Zscaler connector for a Microsoft application, you have the option to choose whether you want to provide a client secret or a private key in the Zscaler Admin Console so that the Zscaler service can access the application. SharePoint, Copilot, and Microso...
Support for CIDR and Regex on Network Share DLP Resources
The Zscaler service supports using Classless Inter-Domain Routing (CIDR) ranges and regular expressions for advanced matching when creating or editing network shares for Endpoint Data Loss Prevention (DLP) resources. The following image shows a regular expression that matches all...
Support for Network Type on Endpoint DLP Policy Rules
The Zscaler service supports specifying a network type (e.g., Trusted, Off-Trusted, VPN) for the Network Share, Printing, and Device Control channels when creating policy rules for Endpoint Data Loss Prevention (DLP). • Endpoints must be running Zscaler...
Updates to Recipient Email Profile Endpoints
You can create, update, and delete recipient email profiles, retrieve a list of all recipient email profiles, and obtain the count of recipient email profiles for an organization using the following endpoints: • "GET /emailRecipientProfile" • "POST...
Introducing Flexible Permission Selection for SSPM Connectors
The SaaS application tenants GitHub, Jira, Okta, Confluence, Trello, Webex Teams, and Google Workspace now have the option to onboard for SaaS Security Posture Management (SSPM) scan by choosing Read-only or Read/Write (full access) for the connector role...
Enhancements to Endpoint DLP for macOS
The following enhancements are available in Zscaler Endpoint Data Loss Prevention (DLP) for macOS: Support for Endpoint DLP Block Action for Printing on macOSThe Zscaler service supports the Block action for printing from macOS devices in Endpoint DLP rules with co...
Advanced SaaS Security Posture Management Support for JumpCloud
You can configure Advanced SaaS Security Posture Management (SSPM) for JumpCloud tenants. Select the SSPM Scan checkbox when onboarding a JumpCloud tenant to enable the Advanced SSPM scan capability for the specific tenant. <a class="image-icon" href="#JumpCloud-sspm-onboar...
Insights Logs Improvements & Enhancements
The Insights Logs pages now feature asynchronous log retrieval. This enhancement allows users to continue working without interruption while queries are executed in the background, significantly improving their user experience. The following enhancements are available for I...
Security Fixes
Proper neutralization of user input in specific input fields in the ZIA Admin Portal no longer allows an authenticated administrator to access unauthorized internal information in rare conditions (CVE-2026-22568)....
Increased AWS Account IDs in Tenant Profiles
You can add up to 512 account IDs per tenant profile for AWS and there can be a maximum of 4,096 account IDs across all profiles. To learn more, see Adding Tenant Profiles and <a href="https://help.zscaler...
Logs for MCP Transactions
The application activity MCP is added to the Web Insights Logs to log Model Context Protocol (MCP) transactions in the ZIA Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/web-insights-logs...
Advanced SSPM Support for Airtable
Advanced SSPM supports a new platform, Airtable. You can onboard an Airtable tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integrating...
Advanced SSPM Support for Bitwarden
Advanced SSPM supports a new platform, Bitwarden. You can onboard a Bitwarden tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integratin...
Advanced SSPM Support for Sentry
Advanced SSPM supports a new platform, Sentry. You can onboard a Sentry tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integrating-sent...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Support for OneLogin as an API-Based Platform in Advanced SSPM
Advanced SSPM supports OneLogin as an API-based platform. You can onboard a OneLogin tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/int...
DLP and File Type Support for MSIX Files
The File Type Control and Data Loss Prevention (DLP) policies now support MSIX files in the Executable category. • File Type Control • DLP - Rule without Content Matching <p...
Granular Control for Atlassian AI Application
You can allow or block the use of embedded AI applications on Atlassian sites and enable or disable Zscaler to store the generative AI prompts entered in these embedded AI applications per cloud app control rule. As part of this feature, the following fields appear in the Add/Edi...
Support for Adjustable Polling Intervals
When scheduling a scan for SaaS applications tenants (Policy > SaaS Security > Scan Configuration > Add Scan Schedule), you can also configure the polling interval based on how often you want the system to scan the application. <a class="image-icon" href="#polling-intervals...
Support for Number of Collaborators for File Sharing Apps in DLP
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as scoping criteria for all file sharing applications, including Box, Dropbox, Confluence, ShareFile, and Smartsheet. Administrators can monitor fi...
Support for Quarantine File to Desired Location for File Sharing Apps
The support for quarantining files in a desired location has been extended to all file sharing apps, including Box, Dropbox, Confluence, ShareFile, and Smartsheet. This feature was already available for Google Drive, OneDrive, and SharePoint apps. You can specify a quarantine loc...
Enhanced Flexibility in the URL Filtering Policy Rule Creation
You can apply either "OR" or "AND" logical operator between the Users, Groups, and Departments criteria in the URL Filtering Policy rules. This allows you to create granular policy rules using a combination of logical operators (i.e., "OR" or <cod...
Sandboxing Password-Protected PDF Files for Isolation
Zscaler Isolation now supports password-protected PDF files to be <a href="https://help.zscaler.com/zia/about-sandbox" target="_blank" data-entity-type="node" data-entity-uuid="b6501cfa-e4fc-40ad-9568-c79e8ff2240e" data-entity-subst...
Enhancement to Zscaler Cloud Performance Test Tool
The Zscaler Cloud Performance Test Tool allows you to view only the domain part of the traffic or email, and the user name is hidden. For example, johndoe@zscaler.com is visible as xxxxxxx@zscaler.com. See image. To learn m...
Regex Patterns in Custom URL Categories
The custom URL category supports regex patterns, enabling you to match multiple URLs with a single pattern and flexible configuration of custom URL categories. As part of this update, in the Administration > URL Categories > Add URL Category window, the URL Type toggle has been a...
Deprecation of SSPM Policies for Microsoft 365
The following policies are deprecated for Microsoft 365 in both SaaS Security Posture Management (SSPM) Essentials and Advanced SSPM: • Set Automated Notifications for New and Trending Cloud Applications in Our Organization • Set Automated Notification for New OAuth Applications Co...
Enhanced Logging of Collaborator Group Members
This enhancement allows you to view logs for individual members within a collaborator group. As part of the update, the following changes are available in the ZIA Admin Portal: SaaS Security Insights Logs and SaaS Security Assets with IncidentsWhen an individual file is shared with...
Enhancement to Virtual Service Edges
The following platforms support 64 GB of RAM and 3 antivirus (AV) engines per Virtual Service Edge: • <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-clusters" target="_blank" data-entity-type="node" data-entity-uuid="0f1a169d-6547-4d25-a778-b2f20da57fa4" data-enti...
Gen AI Prompt Obfuscation
Generative AI (Gen AI) prompts that are displayed in the Web Insights Logs can be obfuscated when adding admin roles. <p...
Logs for Email Received and Sent Time
The following enhancements are available for Insights and NSS Feeds in the ZIA Admin Portal to record the time Zscaler either received or sent an email response. Insights LogsNew columns Zscaler Sent Time and Zscaler Received Time are added to Email DLP Insights Lo...
Pattern Requirements for Custom DLP Dictionaries
For custom Data Loss Prevention (DLP) dictionaries that use patterns with lookaround constructs (also known as zero-length assertions), the Zscaler service now enforces the following restrictions: • You must select Match Any Patterns and Any Phrases as the Match Type.</l...
Sandbox Verdict Logging
Zscaler supports comprehensive logging of Sandbox analysis activities through Insights Logs and the Nanolog Streaming Service (NSS). You can log and view details of all files that went through behavioral analysis regardless of the verdict (e.g., Suspicious Content, Benign). With the following enh...
Updates to Firewall Dashboard and Insights
On the Firewall Insights page (Analytics > Firewall Insights), the maximum number of rules displayed for the Rule Name data type has been increased. When using bar or table charts, you can view up to the top 4,000 rules (in increments of 500, 1,000, 2,000, and 4,000) by selecting...
Expanded File Type Support for Sandbox
The Zscaler Sandbox now supports the Optical Disc Image (iso) file type. See image. To learn more, see <a href="https://help.zscaler.com/zia/about-sandbox" target="_blank" data-entity-type="node" data-entity-uuid="b6501cfa-e...
Enhancement to Extranet Application Support
Extranet Application Support can be configured bidirectionally, allowing partners to access your organization's resources securely. Extranet Application Support is a feature in limited availability. To access Extranet Application Support, contact your Zsca...
NSS Support for Hyper-V
Zscaler’s Nanolog Streaming Service (NSS) supports the configuration and deployment of an NSS virtual machine (VM) on Hyper-V. After deploying an NSS VM, you can stream your organization’s web or firewall logs from the Zscaler cloud to your security information and event ma...
NSS Support for Nutanix
Zscaler’s Nanolog Streaming Service (NSS) supports the configuration and deployment of an NSS virtual machine (VM) on Nutanix. After deploying an NSS VM, you can stream your organization’s Web or Firewall logs from the Zscaler cloud to your security information and event ma...
Update to Admin Audit Logs and Event Logs API Endpoints
When you request report generation using "POST /auditlogEntryReport" or "POST /eventlogEntryReport", it returns an HTTP "200 OK" status code with the "statusId" in the response (previously returned "204" status code). This "statusId</cod...
Enhancements to 3rd-Party App Governance and Advanced SSPM
The following enhancements are available in 3rd-Party App Governance and Advanced SSPM: SettingsThe SaaS Tenants and Notifications tabs are added to the Settings page. These tabs allow you to view and manage the onboarded SaaS tenants and also configure Slack and e...
Security Fixes
Proper validation of user input in the ZIA Admin Portal no longer allows an authenticated administrator to initiate back end functions through specific input fields in limited scenarios (CVE-2026-22567)....
Automatic Local Language Translation for Isolation in ZIA
Automatic language translation is globally available for Isolation. The isolated session localizes the language based on the user's browser language settings, and displays that language on the rendered web page. To learn more, see <a href="https://help.zscaler.com/isolation/understandi...
Original URL for Isolation Profiles in ZIA
Original URL has replaced Local Browser Rendering in Isolation. It is now an option that admins can configure in isolation profiles. This means that the user of the isolation profile sees the native browser URL of the web p...
Visual Indicator for Turbo Mode in Isolation for ZIA
If Turbo Mode is enabled on an isolation profile and the user also has hardware acceleration enabled, the appearance of the zGPU icon next to the Turbo Mode command is displayed in the Isolation Bar. See image. To...
Gen AI Prompt Configuration for Claude and Mistral
Zscaler's Gen AI prompt configuration is extended to the Claude and Mistral generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen-ai-...
Create VM Instance using the Virtual Service Edge Amazon Web Services Terraform Modules
You can create a virtual machine (VM) in Amazon Web Services (AWS) using the Virtual Service Edge Terraform modules. To learn more, see <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-amazon-web-services" target="_blank" data-entity-type="node" data-entity-uuid="64393...
Enhancement to Filters in 3rd-Party App Governance and Advanced SSPM
In the App Inventory and User Inventory, and on the Posture page, the filter options that don't currently exist in your organization display separately and do not return results. You can still select them when creating new views and policies. If a new app i...
Support for GitHub User Email Enrichment in 3rd-Party App Governance
The Users page displays multiple emails in addition to public emails for GitHub users. These emails are associated with the domain of the organization that owns the GitHub account. This enhancement improves the ability to find user and admin emails from outside the domain.</span...
Support for Google Workspace OU Segregation
You can segregate your Google Workspace integration by organizational units (OUs) in 3rd-Party App Governance. This segregation ensures that each OU can access only its relevant users, applications, and posture data, while maintaining consolidated tenant management f...
Updates to 3rd-Party App Governance API
The 3rd-Party App Governance API adds a new endpoint, "/app_views/{appViewId}/accounts", to retrieve users' email addresses associated with specific app IDs. "/app_views/{appViewId}/apps_extended" provides the total number of enabled users "totalenabledusers<...
Additional Logging of Users Performing Actions on File
You can identify and report not only the owner of the file, but also the user who last modified or shared a file that caused a DLP violation, in the ZIA Admin Portal. As part of this feature, the following enhancements are available for Insights Logs and NSS Feeds: Insight...
Enhancements to Endpoint DLP for Windows
The following enhancements are available in Zscaler Endpoint Data Loss Prevention (DLP) for Windows: Endpoint DLP Support for Clipboard and Application File AccessTo access this feature, contact your Zscaler Account team. Endpoint DLP supports mo...
Support for New SSPM Controls for GitHub
The number of SaaS Security Posture Management (SSPM) controls for GitHub in Advanced SSPM has been increased. Eleven new SSPM controls are supported for GitHub....
Web EUN for DNS Control Policy
The DNS Control policy includes an option to display a notification to end users when the policy blocks access to specific domains. Zscaler hosts this End User Notification (EUN) page, eliminating the need for organizations to host their own EUN web page. The DNS EUN web page inf...
Traffic Capture for NDR
The Zscaler service can capture traffic in multiple ways: • Traffic Capture Essentials: Capture traffic as PCAP files with supported actions in ZIA policies when traffic matches policy criteria. • Traffic Capture for Network Detection and Response (NDR): Capture tr...
Creative Commons Search Results
Zscaler supports Creative Commons (CC) search for certain search engines (i.e., Bing, Google, and Yahoo). This allows you to see only search results that are licensed under CC. The Enable Creative Commons Search Results option is added to the Policy > URL & Cloud App Control > Ad...
Apply MIP Label as Manual Remediation Action in SaaS Security Assets
For file sharing applications OneDrive and SharePoint, you can apply the MIP label as a manual remediation action from the SaaS Security Assets with Incidents page (Analytics > SaaS Security > Assets > click an application or tenant). <a class="image-icon" href="#apply_mip_...
Support for Sublocation Scopes
You can define scope types and values to map the workload traffic to a sublocation. Defining scopes allows you to apply granular ZIA and Cloud Connector security policies to the workload traffic from that sublocation. You can configure scopes only for Workload traffic type subloc...
JWT Authentication
JSON Web Token (JWT) authentication is available for Zscaler Cloud & Branch Connector workloads. JWT authentication is enabled when configuring locations. <a class="image-icon" href="#enable-jw...
JWT Authentication Support for Workloads on Management Portal for Partners
The ZIA Admin Portal supports a new method, JWT authentication, to authenticate workloads from Cloud & Branch Connector. In the Management Portal for Partners, you can enable this feature in ZIA for your tenants by using the JWT Auth for Workload field on the Tenant Details...
Create VM Instance using the Virtual Service Edge Azure Terraform Modules
You can create a virtual machine (VM) in Azure using the Virtual Service Edge Terraform modules. To learn more, see Configuring Virtual Service Edge for Microsoft Azure....
Support for Enhanced US Driver's License Dictionary and Sub-Dictionaries
The Zscaler service supports the Enhanced Driver's License (United States) predefined Data Loss Prevention (DLP) dictionary. The parent dictionary contains predefined sub-dictionaries for all 50 U.S. states, plus the District of Columbia, and each sub-dictionary can be indiv...
Enhancement to Custom Views in 3rd-Party App Governance
When creating and saving a custom view in 3rd-Party App Governance, you can update the saved view to include your current tenant selection on the global platform filters. See image. To learn more, see <...
Zscaler Client Connector EUNs for Firewall, DNS, and IPS Policies
Beginning with Zscaler Client Connector version 4.8 for Windows, ZIA Firewall policies—including Firewall Filtering, DNS Control, and IPS Control—support end user notifications (EUNs) via Zscaler Client Connector. When configuring these policy rules, you can select to show a noti...
Support for Adaptive Access Engine
Adaptive Access Engine dynamically manages access based on real-time assessments of risk and trust by continuously evaluating contextual signals, user behavior, device health, location, and other factors to determine whether to allow or block access to websites or apps at any giv...
Updates to SaaS Security Endpoints
You can retrieve the SaaS Security Scan Configuration information and the validation status of a SaaS application tenant using the following endpoints: • "GET /casbTenant/scanInfo" • "GET /casbTenant/validate/status/{tenantId}" To...
Automatic Session Restore for Isolation
Isolated sessions now automatically restore their web pages if they time out on a user's device. If a session is idle for longer than the timeout of 10 minutes, the isolated page automatically refreshes itself, and the user does not have to sign in again. When this action occurs, the banner...
Original URL of Website Name in Isolation
The UI is updated so that when users enter an isolated session, they now see the original URL of the website they are on instead of the isolation web page URL. This change provides users with an experience with a look and feel more like a native browser compared to the container view of being iso...
New AI/ML Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Advanced SaaS Security Posture Management Support for Docusign
Docusign is supported as a SaaS application tenant and can be onboarded for Advanced SaaS Security Posture Management (SSPM) scans. See image. When onboarding a Docusign tenant, you can enable Advanced SSPM scanning by selec...
New Network Applications in Firewall Control
Zscaler includes support for identifying several new network applications using deep packet inspection and controlling the network application traffic using Firewall Filtering rules. These network applications are listed on the Network Applications page (Administration > Network...
Support for New SaaS Application Tenant
Microsoft Copilot is supported as a SaaS application tenant and can be onboarded for Advanced SaaS Security Posture Management (SSPM) scans. See image. When onboarding a Microsoft Copilot tenant, you can enable Advanced S...
Support for New SSPM Controls for Snowflake
The number of SaaS Security Posture Management (SSPM) controls for Snowflake in Advanced SSPM has been increased. Forty-six new SSPM controls are supported for Snowflake....
Logs for Post-Quantum Cryptography Visibility
Zscaler is proactively preparing for post-quantum cryptography (PQC) by evaluating quantum-safe algorithms, supporting hybrid encryption systems, and enabling scalable integration of quantum-resilient technologies across its cloud infrastructure. Zscaler collaborates globally wit...
Support for Quarantine File to Desired Location
The SaaS Security Data at Rest Scanning DLP and Malware policies support specifying the location to quarantine files for the file sharing applications Google Drive, Microsoft OneDrive, and Microsoft SharePoint. SaaS Application Tenant OnboardingOnboarding a SaaS ap...
Support for Custom File Types in DLP and File Type Control Policies
You can create custom file types and use them when creating Data Loss Prevention (DLP) and File Type Control policies. You can then filter and view logs for these custom file types in Web Insights Logs and the Nanolog Streaming Service (NSS). <a class="image-icon" href="#ad...
Support for Custom File Types in File Type Policies and DLP
The File Type Control and Data Loss Prevention (DLP) policies now support custom file types with extension-based detection. On the Management Portal for Partners, partner tenants can see a new field, Custom File Type Limit, in their Technical Information section. The Custom...
Enhancement to SafeSearch
SafeSearch allows granular control of applications. This allows you to apply SafeSearch to specific applications. As part of this change, on the Advanced Policy Settings page (Policies > URL & Cloud App Control > Advanced Policy Settings), the SafeSearch Applications drop-down ap...
File Type Support for File Type Control & DLP
The File Type Control and Data Loss Prevention (DLP) policies support the following file types in the Other category: • UTF-8 BOM • UTF-16 LE • UTF-16 BE The file types are available when creating the following policies: <l...
Shadow IT Report Enhancements
You can view information about the number of transactions per application based on their status (blocked or allowed) in the Cloud Applications table of the Shadow IT Report. A new column, No. of Transactions, is added to the Cloud Applications table. <a class="image-i...
Strict Checking of Popular Date Formats in EDM
To obtain access to this feature, contact Zscaler Support. You can configure Data Loss Prevention (DLP) Exact Data Match (EDM) to have strict checking against popular date formats. This feature supports 6- to 8-digit date formats that contain hyphens (<co...
Document Classification and Logging
AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classification of documents that are...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Support for Expandable Limit for Users, Groups, Locations, & Departments in Policies
The default limit of Users, Groups, Locations and Departments in policies has been increased to 32 from 4 and 8. This limit can be further expanded on a need basis. You can contact the Zscaler Sales or Zscaler Account team to further increase this limit, if required. On the Management Porta...
Gen AI Application Category in NSS Feeds for SaaS Security Logs
Gen AI is added as an application category in NSS and Cloud NSS feeds for SaaS Security Logs. When configuring a feed, you can select the Gen AI application category and available generative AI SaaS applications (e.g., ChatGPT) to stream the related logs from Zscaler to your secu...
SSL Inspection for IoT Devices
You can specify the type of IoT devices to perform or bypass SSL Inspection. Admins can create an SSL Inspection policy based on IoT AI/ML classifications to perform or bypass SSL Insepction. This enhancement requires IoT enablement for your organization. <p...
Support for Expandable Limit for Users, Groups, Locations, & Departments per Rule
The limit of users, groups, departments, and locations for a rule is increased to 32 from 4 users, 8 groups, 8 departments, and 8 locations. You can contact Zscaler Support to increase this limit further as needed. The following categories under the policy are supported: • Bandwidt...
Content Location Match Criteria for Web DLP Rules
You can choose a content location as a match criteria to target specific sections of a file or transaction when defining a Data Loss Prevention (DLP) rule. To enable this feature, contact Zscaler Support. • File• Document Properties: Matches are...
OpenOffice File Type Support for DLP
The Data Loss Prevention (DLP) policies support the OpenOffice Drawings (.odg, .otg) file type in the OpenOffice category: • DLP - Rule with Content Inspection To learn more, see <a href="https://h...
Async Location Download
For organizations that have thousands of locations or sublocations, the loading time on the Locations page and in any policy that references locations when selected might incur noticeable loading time to retrieve and display the full location list. To learn more, see <a href="https://help.z...
Enhancement to the IP Destination Groups Endpoint
A new query parameter "override" is available for the "PUT /ipDestinationGroups/{ipGroupId}" endpoint. The "override" parameter is a Boolean that you can set to override IPs when required. To learn more, go to "PUT /ipDestinationGroups/{ipGroupId}</code...
Gen AI Security Report Enhancements
The Gen AI Security Report is improved, making it interactive and intuitive, with the following enhancements: • Option to view the sanctioned and unsanctioned Gen AI application usage. • Prompt Classification to categorize the prompts used in the Gen AI application...
Source Countries for the URL Filtering Rules
You can select the countries from which traffic originates for the URL Filtering rules. This allows you to control the traffic originating from specific countries. As part of this change, the Source Countries field is added to the Add URL Filtering Rule window (Policies > URL & C...
Update to Cloud Nanolog Streaming Service (NSS) Endpoints
The Cloud Nanolog Streaming Service (NSS) endpoint category in the cloud service API includes a new endpoint, "GET /nssDownload/{nssId}", that enables you to download the NSS virtual appliance information based on the specified NSS server ID. To learn more about...
Updates to Virtual Service Edge Endpoints
You can create, update, and delete a ZIA Virtual Service Edge and retrieve the Virtual Service Edge for an organization using the following endpoints: • "GET /virtualZenNodes" • "POST /virtualZenNodes" • "GET /virtualZenNodes/{virtu...
Updates to Workload Groups Endpoints
You can add workload groups for an organization and update, delete, and retrieve the workload groups by specifying the ID using the following endpoints: • "POST /workloadGroups" • "GET /workloadGroups/{workloadGroupId}" • "PUT /wor...
Enhancements to App Panel and Control Panel
A Notes tab is added to the App Panel in 3rd-Party App Governance and the Control Panel in Advanced SaaS Security Posture Management (SSPM). This tab allows you to communicate with and leave notes for multiple other users. You can add notes to each app or control and also comment...
New Endpoints for 3rd-Party App Governance
The 3rd-Party App Governance API adds the following new endpoints to perform bulk actions as well as retrieve scan results and lists of filters and controls from the Posture page in the 3rd-Party App Governance Admin Portal: • "/posture/controls/status" • "/posture/...
Improvements to the Zscaler Incident Receiver JSON Metadata File
To help improve incident management on the Zscaler Incident Receiver, the JSON file that contains Data Loss Prevention (DLP) policy scan metadata for Inline Web DLP policy violations (with Evaluate All Rules mode enabled) has been updated with the following fields: • "otherMatchedRu...
Logs for SSL Inspection Policy Rule Name
You can filter and view logs to learn which specific SSL Inspection policy r...
Support for Cloud-to-Cloud Forwarding in DLP
You can now forward information about transactions that violate various Data Loss Prevention (DLP) incidents directly to your appliances you've defined in the ZIA Admin Portal by going to Administration > Data Loss Prevention and selecting Cloud-to-Cloud Forwarding. <a...
Third-Party URL Category Lookup
Zscaler supports lookup for uncategorized URLs using a third-party database. You can control the lookup for such uncategorized URLs using the newly added Enable 3rd-Party URL Category Lookup option on the Advanced Policy Settings tab (Policy > URL & Cloud App Control). <a c...
Search for Configuration Changes in Audit Logs
You can search for configuration changes on the Audit Logs page by selecting Changes from the search options. See image. The configuration change search applies to JSON attribute values, not a...
Updated Search for Firewall Filtering Rules
The following update is applicable only to tenants approved for an increased rule limit of up to 4,000 Firewall Filtering rules, based on qualified use cases. On the Firewall Filtering Policy page (Policy > Firewall Control), the search is updated to include th...
Updates to End User Subscription Agreement (EUSA) Endpoints
The cloud service API includes the Activation endpoint category to extend programmatic access to retrieve the EUSA acceptance status using the following endpoints: • "GET /eusaStatus/latest" • "PUT /eusaStatus/{eusaStatusId}" To le...
Support for Device Groups in Forwarding Control
In the Policy > Forwarding Control > Add Forwarding Rule window, under the General section, a new Device Groups criterion is added. This criterion allows you to select device groups based on the device platform to which the configured forwarding rule applies. <a class="imag...
New EDM Data Types
When creating your Zscaler Data Loss Prevention (DLP) EDM templates, you can now select the following data types: • National Document ID (Uruguay) • National Identification Number (Chile) • National Identification Number (Peru) To learn more, see...
SaaS Security DLP Policies Support Folder Level Changes
When a folder's permissions are modified or a folder is shared with a new collaborator, files previously in violation of the SaaS Security DLP policy rules in the folder are rescanned against those rules. This feature is presently being rolled out to Microsoft OneDrive and SharePoint applica...
Multifile Support for Isolation in ZIA
Users can now upload multiple files simultaneously while in an isolated session. There is no minimum or maximum limit while uploading. See image. To learn more, see <a class="url-external" href="https://help.zscaler....
Support for Step-Up Authentication
Step-up authentication is a security mechanism that ensures users can only access sensitive or high-risk resources after completing an additional level of identity verification. Conditional access is supported for step-up authentication in the ZIA Admin Portal when configuring UR...
Support for Collaborator Groups
You can filter and view logs for External Collaborator Group and Internal Collaborator Group for the File Sharing Applications category. As part of the update, the following changes are available in the ZIA Admin Portal: SaaS Security Insights LogsFilters and colum...
Support for Number of Collaborators for Google Drive in DLP
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as scoping criteria for Google Drive. Administrators can apply the scope to collaborators by choosing a range for the number of internal and extern...
Improvements to the Users Page
Multiple enhancements have been made to improve the load time and performance of the Users page in 3rd-Party App Governance. This significantly improves the user experience. To learn more, see <a href="https://help.zscaler.com/zia/about-user-inventory" target="_blank" data-entity-type="node...
Support for Correlated View of App Users and DLP File Access
A new tab, Files, is added to the User Panel in 3rd-Party App Governance. This tab provides visibility into files associated with Data Loss Prevention (DLP) violations for a given user over a selected period of time. You can quickly identify the top files with DLP violations, ena...
Support for Detecting Internal Apps
Multiple improvements help to automatically detect internal apps and relate publishers to those internal apps in 3rd-Party App Governance. To learn more, see <a href="https://help.zscaler.com/zia/about-app-inventory" target="_blank" data-entity-type="node" data-entity-uuid="acfb521d-0327-4a...
Support for Excessive Data Permissions Finding for GitHub Apps
A new finding, Excessive Data Permissions, is created for GitHub apps in 3rd-Party App Governance. Applications with excessive data permissions can access or modify multiple data types like emails, files, chats, and calendars, which puts the organization at risk of non-compliance and malicious ac...
Support for SaaS Application Tenants Label Management
You can add and manage labels for Software as a Service (SaaS) application tenants from the Integrations banner in 3rd-Party App Governance and Advanced SSPM. You can also filter the platforms by label. This allows you to identify the differences between the tenants for effective...
Support for SaaS Dashboard in Advanced SSPM
You can view the Software as a Service (SaaS) dashboard when you access Zscaler Advanced SaaS Security Posture Management (SSPM). The dashboard displays information about the overall posture score and risk score across all apps, platforms, and user accounts. It also displays the...
Add Comments for ATP Blocked Malicious URLs
You can now add comments to malicious URLs you have added to Advanced Threat Protection (ATP) Blocked Malicious URLs. To learn more, see <a href="https://help.zscaler.com/zia/adding-urls-denylist" target="_blank" data-entity-type="node" data-entity-uuid="b78a03b4-6f84-4726-...
Customizable User Confirmation Templates
You can now create and manage multiple user confirmation templates for enhanced policy-level customization in the ZIA Admin Portal by going to Administration > Notification Templates > User Confirmation and clicking Add Custom Message. When configuring Endpoint DLP or Inline Web...
Enhancement to EDM Match Count
The Zscaler Data Loss Prevention (DLP) Exact Data Match (EDM) dictionary search score total "matchCount" has been enhanced to be based on the number of unique sets of matches found in the content. Previously, "matchCount" was determined by the number o...
Enhancements to Cybersecurity Insights
You can now view and download the latest Zscaler ThreatLabz updates of all newly generated or updated content by the Zscaler ThreatlabZ team in a PDF from the Cybersecurity Insights page. See image. To learn more, see <a h...
Logs for Allowed File Type Rule
You can filter and view logs for File Type Control policy rules that use the Allow action and have been triggered by the transaction. The following changes are available in the ZIA Admin Portal:</p...
Tenancy Restriction Support for Amazon Web Services CLI
Tenancy restriction support is extended to Amazon Web Services CLI. To learn more, see Adding Te...
Downloading Policies
On the Print All Policies page (Administration > Print All Policies), you can download your organization's configured policies as JSON files by selecting the ZIP file format. A single ZIP file containing JSON representation of the policies is downloaded, with one JSON file c...
Location Groups Filter in NSS Feeds
A Location Groups filter is added to NSS and Cloud NSS feeds for Web, Firewall, and DNS logs as well as Microsoft Cloud App Security (MCAS) NSS feeds. You can use the filter when configuring a feed to limit the logs to specific location groups. <a class="image-icon" href="#...
Update to Firewall and Forwarding Rules
In Firewall and Forwarding rules, the Department field was accessible to some customers without the appropriate entitlement (requires Advanced Firewall). An update has been made to ensure that this field availability matches the admin’s entitlement to the field licensed with Advanced Firewall. Fo...
DLP Support for New ML-Based Dictionaries
The following are new predefined DLP dictionaries that use ML-based detection: • ID Card • Medical Imaging • Satellite Data • Schematic Data To learn more, see <a href="https://help.zscaler....
EDM and DLP Support for New PII Dictionaries
The following predefined DLP and EDM dictionaries now support an additional format for Australian Passport numbers: AAn(6), where AA is a combination of two letters (PA - PF, PU, PW, PX, PZ, and RA - RZ) and n is a combination of 6 digits. A delimiter (hyphen, spaces, or pe...
Index Tool Single Sign-On
Single sign-on (SSO) can be configured for the ZIA Index Tool when adding or editing an Index Tool configuration. See image. To learn more, see...
SaaS Security Data at Rest Scanning DLP Redaction Support
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy for file sharing applications supports redacting sensitive data in supported file types. To use this functionality, you first create a redaction profile that specifies whether the Zscaler service uses an as...
SaaS Security Data at Rest Scanning DLP Support for Trusted Users and Trusted Domains
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports specifying trusted users (i.e., users with email addresses outside your organization) and trusted domains (i.e., domains outside your organization) as part of your policy rules. The Zscaler service...
Custom Browser EUN Support for File Type Control Policy
The File Type Control policy rules support Custom Browser end user notifications (EUN). You can create a custom EUN template for the File Type Control policy and associate it with the policy rules. This allows you to show the custom notification messages on the endpoints when the...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Enhancement to Posture Management Page
The Remediate option is removed from the policy drawer and Asset Summary tab on the Posture Management page. This option is available only if you subscribed to the Advanced SSPM service. See image. To learn more, see <a...
Expanded Onboarding Options for Salesforce
The Zscaler service supports custom, client-side connector onboarding for access to both sandbox and production Salesforce tenants. With this functionality, instead of requiring full administrator credentials, the Zscaler service can use a minimum set of credentials to access Sal...
Multiple Sandbox API Token Support
Zscaler Sandbox (Administration > Cloud Service API Security > Sandbox API Token) supports up to 5 Sandbox API Tokens. The Sandbox token name field has a limit of 10 characters. See image. Web Insight Logs (Analytics >...
New Macros Available for DLP Notification Templates
Zscaler added three new inline web DLP macros for your DLP notification templates: • "${DEPARTMENT}": Shows the department of the user who triggered the DLP rule. • "${FILESIZE}": Specifies the size of the file that triggered the DLP rule.</li...
Support for EDM and IDM in Outbound Email DLP Policies
The Zscaler service supports using Exact Data Match (EDM) and Indexed Document Match (IDM) dictionaries and engines in your Outbound Email Data Loss Prevention (DLP) policy rules. See image. To le...
Support for Filtering for Advanced Threat Protection
Users can now add URLs and MD5 file hashes to an Allowlist for Advanced Threat Protection (ATP) to explicitly allow or deny access to specific URLs or files. See image. To learn more, see <a href="https://help.zscale...
Support for Parent DLP Dictionaries and Sub-Dictionaries
The Zscaler service supports using Patterns and Phrases Data Loss Prevention (DLP) dictionaries to create custom parent dictionaries and sub-dictionaries as a means of grouping similar dictionaries. For parent dictionaries, you can define patterns or phrases, or you can leave the...
Updates to Cloud Service API: SaaS Security Endpoints
The cloud service API includes the following endpoint categories to extend programmatic access to various ZIA features and functionalities: • SaaS Security API To learn more about each endpoint, see th...
Support for Microsoft as an IdP in 3rd-Party App Governance
Zscaler 3rd-Party App Governance supports Microsoft as an identity provider (IdP) to authenticate admins and users logging in to the 3rd-Party App Governance Admin Portal. You can select Microsoft as the IdP when connecting a web-based platform to Advanced SaaS Security Posture M...
Ability to Set an Endpoint DLP Exception Rule To Take No Action
You can apply the None action to exception rules in Endpoint Data Loss Prevention (DLP) to exclude specific activities that match exception rule criteria from being reported (i.e., you might want to exclude specific users or groups from reporting incidents). <a class="image...
Endpoint DLP Support for Predefined Dictionaries
The Zscaler service now supports the following existing predefined Data Loss Prevention (DLP) dictionaries for Endpoint DLP: • CNPJ Number (Brazil) • Mexico Unique Population Registration Code • National Economic Registry Number...
Exclude Selected Applications from NSS Feeds
A filter to include or exclude selected cloud applications has been added to the existing Cloud Applications filter in NSS and Cloud NSS feeds for web logs as well as Microsoft Cloud App Security (MCAS) NSS feeds. When configuring a feed, you can select cloud applications and inc...
Increase in the Default Number of Allowed File Type Control Policy Rules
The default limit of File Type Control Policy rules has been increased to 2,048 from 1,024. To learn more, see Ranges & Limitations....
Support for User Groups and Departments in Device Control Policy
Administrators can now define Device Control rules criteria (Analytics > Endpoint Data Scan > Device Control) based on User Groups and Departments. See image. To learn more, see <a href="https://help.zscaler.com/z...
Update to Cloud Service API: Enhancement to Location Group Endpoint
A new query parameter "fetchLocations" is available for the "GET /locations/groups" endpoint. The "fetchLocations" parameter is a Boolean that you can set to fetch locations associated with the group. To learn more, go to "GET /locations/groups" f...
Update to Custom IPS Signature Rules CSV Import
When importing custom IPS signature rules using CSV files (Administration > Custom IPS), you must enclose comma-separated values for individual fields within three single quotes ("'''") instead of double quotes ("""). This update has been made...
Update to Zscaler Client Connector-based Notifications
You can embed links and add line breaks in the custom messages for Zscaler Client Connector-based End User Notifications (EUNs) (Administration > End User Notifications > Client Connector) and User Confirmation notifications (Administration > Notification Templates > User Confirm...
Updates to Cloud Service API: Browser Control Policy
The cloud service API includes the following endpoint categories to extend programmatic access to various ZIA features and functionalities: • Browser Control Policy To learn more about each endpoint, see the...
Advanced SaaS Security Posture Management Support for Workday
You can configure Advanced SaaS Security Posture Management (SSPM) for Workday tenants. Select the SSPM Scan checkbox when onboarding a Workday tenant to enable the Advanced SSPM scan capability for the specific tenant....
SaaS Security Posture Management Support for Webex Teams
You can configure the SaaS Security Posture Management (SSPM) Scan for Webex Teams tenants. Select the SSPM Scan checkbox when onboarding a Webex Teams tenant to enable the SSPM scan capability for the specific tenant. S...
Support for Dedicated IP and Geolocalization IP
The Dedicated IP feature allows organizations to subscribe to dedicated IP addresses for the Zscaler data centers of their choice. Users can use these dedicated IP addresses (unique to the organization) as their source IP address to reach destinations that require source IP-based access. Th...
Support for New SaaS Security Application Tenant
The SaaS Security Data at Rest Scanning DLP and Malware policies support configuring tenants for Zoom, a collaboration application. See image. To learn more, see <a href="https://help.zscaler.com/zia/ab...
Support for Quarantine Tombstone Template in the Assets Report
You can now choose the Tombstone Template when quarantining files to the user root folder in the Assets Report (Analytics > SaaS Security > Assets). See image. To learn more, see <a href="https://help.zscaler.co...
Gen AI Prompt Configuration for Writer and Deepseek
Zscaler's Gen AI prompt configuration is extended to the Writer and Deepseek generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen-ai...
Gen AI Prompt Configuration for Grok AI
Zscaler's Gen AI prompt configuration is extended to the Grok AI generative AI application. You can enable prompts for this application to categorize and store the prompts for it. See image. To learn more, see <a h...
SCIM-Based User Lookup For Outbound Email DLP
Zscaler Outbound Email DLP supports System for Cross-domain Identity Management (SCIM)-based user lookup to map email addresses with ZIA login names. To learn more, see <a href="https://help.zscaler.com/zia/step-step-configuration-guide-zscaler-outbound-email-dlp#prerequisites" target="_bla...
Support for Zscaler-Managed Business Continuity Cloud
The Zscaler-managed Business Continuity Cloud is a fully managed private cloud solution that is built on the isolated and dedicated ZIA and Zscaler Private Access (ZPA) infrastructures to ensure consistent cyber and data protection during critical outages. Zscaler deploys and hosts the private ZI...
Support for Unified Onboarding of SaaS Application Tenants
You can onboard, edit, and delete new Software as a Service (SaaS) application tenants enabled with 3rd-Party App Governance or the Advanced SaaS Security Posture Management (SSPM) feature from the Add SaaS Application Tenant page in the ZIA Admin Portal. You can continue editing...
Support for Risk Explainability in 3rd-Party App Governance and Advanced SSPM
On the App Panel header, you can hover over the risk score to view a breakdown of the score. On the Control Panel header, you can hover over the control severity level to view a breakdown of the severity. These actions allow you to view the components and criteria used to calcula...
Cloud Application Updates
As part of a continuous review, Zscaler has updated cloud applications across various cloud application categories. To obtain the list of updated cloud applications, download the list: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase...
Expanded File Type Support for File Type Control and DLP
The File Type Control and Data Loss Prevention (DLP) policies now support the Appinstaller Files (.appinstaller) file type in the Other Documents category. • File Type Control • <a href="#dlp...
File Type Control Enhancements
You can configure file type control rules based on Password-Protected criteria. This criteria is applicable for the following formats: • Password-Protected/Encrypted • Portable Document Format (.pdf) • Encrypted Office Documents • ZIP • RAR <l...
Microphone and Camera Functionality for Isolation Profiles in ZIA
Isolation allows microphone and camera functionality on the user's device while in an isolated browser. This can be enabled per isolation profile if Turbo Mode is also enabled. See image. To learn more, see...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Support for SaaS Security API Data at Rest Scanning DLP Policy Rules without Content Inspection
To enable this feature for your organization, contact Zscaler Support. On the Data at Rest Scanning page (Policy > Saas Security > Data at Rest Scanning), you can create Data at Rest Scanning Data Loss Prevention (DLP) policies without content matching. <...
Support for Site Groups in SaaS Application Tenants and DLP Policy
SaaS Application Tenants (Administration > SaaS Application Tenants > Manage SaaS Application Components) supports the management of SharePoint tenant Sites and Site Groups. In the Components tab, you can view a list of the SharePoint sites that are available under the selected S...
Instance Discovery Report Enhancements
The Instance Discovery Report provides visibility into the instances accessed by users at the various levels of hierarchy for different SaaS applications. The Instance Discovery Report includes the following enhancements: • New applications are supported with vario...
Enhancements to Admin Role Management
The Administration > Role Management page is enhanced to provide admins more granular access to major ZIA features. Super admins or admins with full access to the ZIA Admin Portal can assign admins field-wise permissions (Full, View Only, and None) to access individual ZIA featur...
HTTP Header Control
The HTTP Header Control feature allows you to create URL Filtering policy rules based on HTTP headers. As part of this change, the following profiles are added to the ZIA Admin Portal: • HTTP Header Profile (Administration > HTTP Header Control) • HTTP Header Inser...
Update to Cloud Service API: Cloud Application Instance Endpoints
The cloud service API includes the following new endpoints to create, update, and delete cloud application instances: • "POST /cloudApplicationInstances" • "PUT /cloudApplicationInstances/{instanceId}" • "DELETE /cloudApplicationInstances/{instanceI...
Update to Cloud Service API: User Endpoint Rate Limit
The rate limit for the "GET /users" request within the cloud service API has been updated to 10 calls/minute and up to 40 calls/hour. To learn more, see the API Rate Limit Summary....
Updates to Cloud Service API
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Alerts • Bandwidth Control & Cl...
Updates to Cloud Service API: Service Edges
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Service Edges To learn more about each endpoint, see...
Updates to the Add UEBA Alerts Page
The Trigger Multi-Factor Authentication action under Adding Alert Rule for UEBA Alert is deprecated and alert triggers with Multi-Factor Authentication is no longer supported. You can choose between Trigger an Alert or Place user in group to trigger the alert rule. <a class...
ChatGPT in Tenant Profile
The Tenant Profiles feature is extended to the ChatGPT application. This allows you to provide access to specific workspace IDs for ChatGPT. See image. To learn more, see <a href="https://help.zscaler.com/zia/ad...
Added Alert for Unknown and Suspicious C2 Traffic
You can enable the service to send alerts for unknown or suspicious C2 traffic. This feature is enabled by default. See image. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanc...
Enhancements to Endpoint Data Scan
The following enhancements are made to the Endpoint Data Scan page (Analytics > Endpoint Data Scan): Nearby SharingZscaler Device Control is enhanced to prevent nearby sharing between endpoints and devices that are close by. The Nearby Sharing rule restricts the us...
Update to Zscaler Client Connector-Based Notifications
Zscaler Client Connector-based End User Notifications (EUNs) and user confirmation messages for Inline Web DLP and Cloud App Control policies can be enabled without having an Endpoint DLP subscription. These policy EUNs are supported (without requiring Endpoint DLP) on the following Zscaler...
WebSocket Protocol Type in DLP Rules
You can choose either WebSocket or WebSocket SSL/TLS as a protocol type when defining a Data Loss Prevention (DLP) rule. On the Policy > URL Filtering & Cloud App Control > Advanced Policy Settings tab, a Microsoft Copilot toggle is added under the Gen AI Prompt Configuration sec...
Update to Sandbox Scanning Portal URL
The Sandbox Scanning Portal is now more secure with the change to an HTTPS URL: https://filecheck.zscaler.com/ If you have bookmarks to the previous URL for the Sandbox Scanning Portal, update them as they no...
Email Notification Support for Policies in 3rd-Party App Governance
When creating a policy, you can choose to send an email through one or more default email addresses to notify the users whenever the policy is triggered. See image. To learn more, see <a href="https://help.zscaler.co...
Support for Viewer Role in 3rd-Party App Governance
You can assign a new predefined role called Viewer to a user. When assigned this role, the user can only view data and export reports across the 3rd-Party App Governance Admin Portal, but cannot take any action or make changes. To manage role assignments, contact Zscaler Suppor...
Email Notification Support for Revoking or Banning Apps in 3rd-Party App Governance
When you revoke or ban an app for users in your organization, you can send an email to notify them that the previously accessible app is revoked or banned. You can also select the email address from which you want to send the email. <a class="image-icon" href="#Revoke/Ban-C...
Auditor Email Notifications for Outbound Email DLP
You can configure notification templates so that email notifications are sent automatically to specified auditors when outbound email transactions trigger Outbound Email DLP rules. On the Notification Templates page (Administration > Notification Templates > DLP), you can c...
Configure External Trusted Domain & User Profiles in Tenant Onboarding
SaaS Application tenant onboarding for SaaS Security API now supports configuring external trusted domains and users. See image. To learn more, see <a href="https://help.zscaler.com/zia/about-email-profiles" target="_bla...
Support for Number of Collaborators for File Sharing Applications in DLP
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as a scoping criteria for SharePoint and OneDrive to monitor file sharing among collaborators. Administrators can choose a range for the number of...
Changes to Policy Action Reasons in Web Insights and NSS Reports
The following policy actions seen in the Insights and NSS Reports have changed to ensure consistency with the field values from the Web Insights in the ZIA Admin Portal: Old Policy ReasonNew Policy Reason<td style="overflow:hidden;pad...
Developer Tools URL Category
The Developer Tools predefined URL category is added to the Information Technology super category. It consists of sites that provide tools used by developers for coding, debugging, testing, and managing software projects. This category is enabled from the backe...
Enhancements to the SaaS Security Scan Configuration
You can refresh the status of a scheduled SaaS Security DLP or malware scan by clicking the Refresh icon next to the status of an ongoing scan on the SaaS Security Scan Configuration page. See image. To learn more,...
Hex-Encoded Requested Domain Field in NSS Feeds
The field "%s{ednsreq}" is available when adding an NSS or Cloud NSS feed for DNS logs. The field output is the hex-encoded FQDN in the DNS request. To learn more, see <a href="https://help.zscaler.com/zia/nss-feed-output-format-dns-logs" target="_blank" data-entity-type="node" d...
New Predefined DLP Engines Available
The following are new predefined DLP engines available on the DLP Engines page (Administration > DLP Dictionaries & Engines > DLP Engines). These engines are available by default for customers with tenants enabled on April 4, 2025, or later. For enablement on e...
Support for MIP Labels for PowerPoint Files in Data at Rest Scanning DLP Policy
For file sharing applications, you can configure MIP labels on PowerPoint files from the Data at Rest Scanning DLP policy in the Add DLP Rule window (Policy > Data at Rest Scanning > Data Loss Prevention). Choose from the list of OneDrive and SharePoint tenants to see this action...
UCaaS One Click Configuration Support for Talkdesk
Unified Communications as a Service (UCaaS) one-click configuration support is now extended to the Talkdesk cloud application. See image. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanced-url...
Support for New SaaS Application Tenants
Twilio and Trello are supported as SaaS application tenants. Both can only be configured for SSPM scan which requires an Advanced SSPM license. If you don't have the correct license, a message to upgrade your license appears next to the SSPM Scan checkbox during the onboardi...
Support for Number of Collaborators in DLP Policy
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy now supports the number of collaborators as a scoping criteria for file sharing applications. When enabled for a partner tenant, the CASB Collaborator Count field under Special Settings of the Tenant Detail...
Update to Cloud Service API
The cloud service API is updated to include a new "GET /locations/supportedCountries" endpoint that retrieves an up-to-date list of countries supported in location configuration. To learn more, see the API Reference...
Update to Cloud Service API
To provide a unified and streamlined API experience through Zscaler OneAPI, our centralized API management solution for the Zscaler platform, Zscaler is applying the following changes to ZIA: • Going fo...
Updates to Cloud Service API
The cloud service API includes updates to the following categories of endpoints to extend programmatic access to specific ZIA features and functionalities: • Admin & Role Management • S...
DLP Support for New PII Dictionaries
The following are new predefined DLP Dictionaries: • National Identification Number (Chile RUN) • National Identification Number (Peru CUI) • National Document ID (Uruguay) To learn more, see <a href="https://help.zscaler.com/zia/understanding-pre...
Expanded Python File Type Support for Sandbox
The Zscaler Sandbox supports additional file types: • Python Source Code file (.py) • Pickle files (.p, .pkl, and .pickle) • Python Dynamic Module file (.pyd) • Python Script file (.pyw) See image....
Zscaler EUN Web Page for DNS Control Policy
Using the DNS Control policy, you can redirect users to a new Zscaler-provided end user notification (EUN) web page to inform users of your organization policy when they access restricted domains. You can do this by selecting the Redirect Response action in the DNS Control rule a...
Cookie Persistence Renamed to Persistent State for Isolation Profiles
In ZIA isolation profiles, the cookie persistence toggle has been updated to be called Persistent State. See image. To learn more, see <a href="https://help.zscaler.com/isolation/using-persistent-state-isolation" targe...
Enhancement to Secure Browsing
You can configure granular Smart Browser Isolation policies for specific users or groups from the Secure Browsing page. As part of this change, the following fields are added to the Smart Isolate tab (Policy > Secure Browsing > Smart Isolate): • Users • Groups...
Isolation of Miscellaneous and Unknown Category in ZIA
Isolation creates preconfigured profiles for admins. These profiles can configure only the URL category "Miscellaneous and Unknown" in their Zscaler Internet Access (ZIA) policy. Some fields in this profile are permanently enabled, others permanently disabled, and some the admin can <a href="http...
Update to Application Service Groups
The Firewall policy allows you to manage outbound and inbound traffic for cloud service providers such as Amazon Web Services (AWS) and Google Cloud Platform (GCP), along with their subservices, using the newly added AWS and GCP application service groups. These application servi...
Remote Assistance Notification
The Zscaler service displays a notification when Remote Assistance is enabled. See image. The maximum time limit for both view-only and full access is 90 days. To learn more, see <a href="https://help.zscaler.com...
Updates to Cloud Service API
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Admin & Role Management • User Manage...
Multiple VM Sandbox Report Analysis
For Advanced Sandbox users, all malicious samples are analyzed twice automatically, first through an unpatched vulnerable VM (Zero Day Report or Fully Patched VM Report) and then a second time through the fully patched secured VM (Regular Report). This allows you to compare the r...
Update to DNS Control Policy
The DNS Control policy includes a new action, Block with Response Code, which allows you to block DNS traffic and send a response code to the client. The response code can be chosen from a predefined list that appears in a new Response Code field when this action is selected. Whe...
DLP and EDM Support for PII
The existing predefined Credit Card dictionary and EDM data type now support the additional popular formats: • Credit Card Number (China UnionPay) • Debit Card Number (Maestro) To learn more, see <a href="https://help.zscaler.com/zia/creating-exact-data-match-template"...
Enhancement to HTTP/2 in SSL Inspection Policy
The Enable HTTP/2 option is enabled by default when configuring an SSL Inspection rule. This feature is only available when it is enabled for your organization. See image. To learn more, see <a href="https://help.zscaler.com...
Tenant-to-Tenant Firewall Control and Logging Improvements
Additional Firewall Control and Logging capabilities have been added for scenarios where an organization's roaming user (i.e., remote user from a Home tenant) is a guest user visiting another organization's tenant location (i.e., Host tenant) in the same Zscaler cloud and that Host tena...
Zscaler Incident Receiver Configuration Enhancement
Zscaler now supports the SSH key, ED25519. To learn more on upgrading the SSH key to ED25519, see <a href="https://help.zscaler.com/zia/configuring-zscaler-incident-receiver" target="_blank" data-entity-type="node" data-entity-uuid="1b3f21b1-0d52-4d5a-911b-61d5deeca357" data-entity-substitu...
Administrator Scope Department Limit
When configuring ZIA admins and <a href="https://help.zscaler.com/zia/adding-zia-super-admins" target="...
Enhancements to the IoT Report
The IoT Report has been enhanced to report IoT policy status and statistics for IoT devices. To learn more, see About the IoT Report. You can get an overview of the IoT web policies...
Increase in Query Limit for Sandbox Report API
The resource access quota for retrieving Sandbox Detail Reports is increased to 3,000 requests per day, with a rate limit of 2/sec and 1,000/hour. To learn more, see the Obtaining San...
Logs for Source and Destination IP Countries
You can filter and view logs for Source IP Countries, Destination IP Countries, Is Source IP Country Risky? and Is Destination IP Country Risky? As part of the update, the following changes are available in the ZIA Admin Portal: Web Insights LogsThe following filte...
Update to Cloud Service API
The cloud service API includes a new "POST /exportPolicies" endpoint for exporting rules configured for various policy types to JSON files. To learn more, see the API Reference. The Postman collection has...
Enhancement to Posture Page in Advanced SSPM
The Complexity column and filter are added to the Posture page. You can view the complexity level of a control and filter the controls displayed in the table by using this filter option. The Control Panel header for each control displays its c...
Enhancements to Assets Tab of the Control Panel in Advanced SSPM
The Assets tab of the Control Panel in Advanced SSPM includes the following enhancements: • You can export the assets report to a CSV file. • You can copy the asset evidence or download it as a JSON file. <a class="image-icon" href="#ZIA-Assets-Tab-Enha...
Update to Cloud Service API: Data Center Exclusion
The cloud service API includes the following new endpoints to support excluding a Zscaler data center (DC) in the event of service disruption by disabling all tunnels terminating at a virtual IP (VIP) address of the DC. Using these endpoints, you can add, modify, and delete DC exclusions and retr...
Support for Case-Sensitive Logging for Select Domains
Zscaler supports case-sensitive URL logging for select domains. Some sites and services, such as URL shorteners, use case sensitivity within the URL path when generating links. For example, "bit.ly/ABcDEf" has a different destination URL than "bit.ly/abcdef". With added supp...
Real-Time DLP Support for Files and Messages for Webex
Zscaler supports real-time Data Loss Prevention (DLP) for messages and file attachments sent via Webex Teams. To learn more, see Step-by-Step Configuration Guide for Webex Teams Re...
Optical Character Recognition Support for Outbound Email DLP
The Zscaler service supports optical character recognition (OCR) for Outbound Email DLP. You can enable OCR settings on the DLP Advanced Settings page in the ZIA Admin Portal (Administration > DLP Advanced Settings) for inline DLP, SaaS Security API, and Outbound Email DLP. <p...
Advanced SaaS Security Posture Management Support for Zoom
You can configure Advanced SaaS Security Posture Management (SSPM) for Zoom tenants. Select the SSPM Scan checkbox when onboarding a Zoom tenant to enable the Advanced SSPM scan capability for the specific tenant. Existing users can also enable Advanced SSPM support by selecting...
Extranet Application Support
To access Extranet Application Support, contact your Zscaler Account team. Zscaler Extranet Application Support provides organizations with a secure way to access resources from partners that are not using the Zscaler service. This is typically accomplished wit...
Added Request Methods in URL Filtering Rules
Zscaler supports the following new HTTP request methods in URL Filtering rules: • PROPFIND • PROPPATCH • COPY • MOVE • MKCOL • LOCK • UNLOCK • PATCH If the OTHER method is already selected, these new requ...
Configure Atlassian Label for Data at Rest Scanning DLP Policy
You can now apply an Atlassian Label when configuring the Data at Rest Scanning DLP Policy in the Add DLP Rule window. This action is only applicable for Atlassian Confluence users. To access this feature, go to the Add DLP Rule window (Policy > Data at Rest Scanning) and choose...
Enhancement to Posture Controls Report in Advanced SSPM
When exporting the controls report to a CSV file from the Posture page, you can view additional attributes like Description, Tenant Name, Platform, Severity, etc. in the exported file. To learn more, see <a href="https://help.zscaler.com/zia/about-posture" target="_blank" data-entity-type="...
Added File Type Support for File Type Control & DLP
The File Type Control and Data Loss Prevention (DLP) policies now support the following file types: • Microsoft Excel Add-On (.xla) • Open Document Files (.odt) • Public Key File (.pub) • Binary Files (.bin) The File Type Control and DLP pol...
Advanced SaaS Security Posture Management Support for ShareFile
You can configure Advanced SaaS Security Posture Management (SSPM) for ShareFile tenants. Select the SSPM Scan checkbox when onboarding a ShareFile tenant to enable the Advanced SSPM scan capability for the specific tenant. Existing users can also enable Advanced SSPM support by...
Advanced SaaS Security Posture Management Support for Slack
You can configure Advanced SaaS Security Posture Management (SSPM) for Slack tenants. Select the SSPM Scan checkbox when onboarding a Slack tenant to enable the Advanced SSPM scan capability for the specific tenant. Existing users can also enable Advanced SSPM support by selectin...
Advanced Sandbox Submission API Quota
With Advanced Sandbox, organizations have by default a quota of 100 API file submissions per day. If you are interested in raising the API file submission limit, contact your Zscaler Account Team or Zscaler Support. To learn more, see <a href="https://help.zscaler.com/zia/about-sandbox" tar...
Custom Bandwidth Classes Limits
You can add up to 245 custom bandwidth classes (Administration > Bandwidth Classes) for Cloud Applications in the ZIA Admin Portal. To learn more, see Adding Bandwidth Classes and <a href="https://help.zscal...
DLP Support for New PII Dictionaries
The following are new predefined DLP dictionaries to detect personally identifiable information (PII): • Addresses (Japan) • First Names (Japan) • Last Names (Japan) • Full Names (Japan) To...
DLP Support for United States Driver's Licenses
Driver's License (United States) predefined DLP dictionaries now support 2-letter state codes for all US states (e.g., WA for Washington or CA for California) as part of high confidence phrases. See image.</...
Improvements to the Incident Receiver JSON Metadata File
To help improve incident management on the Zscaler Incident Receiver, the JSON file that contains Inline Web DLP policy scan metadata for policy violations has been updated with the following new fields: • "fileSize": The size of the file that violated the DLP policy • <...
Increase in the Number of Custom Domains Allowed per Domain Profile
The number of custom domains allowed per domain profile has been increased from 32 to 1,024. To learn more, see Ranges & Limitations and <a href="https://help.zscaler.com/zia/about-email-profiles"...
Instance Discovery Report
The Instance Discovery Report provides visibility about the different instances accessed by the users at the various levels of hierarchy, such as Organization, Project, and Resource Type for Google Cloud Platform (GCP). The Instance Discovery Report includes the following e...
Outbound Email Data Loss Prevention for Gmail
You can use Zscaler Outbound Email Data Loss Prevention (DLP) policies with your Gmail server to prevent the exfiltration of sensitive data by enforcing policy rules on email content sent to external domains, including content in subject lines, body text, and attachments. As part...
Site Review Enhancement
The Zscaler's Site Review shows the cloud application for the site that is looked up. As part of this change, the Cloud Application column is added to Step 2. Request Review on the Site Review page. A cloud application is shown in the Cloud Application col...
Support for Email Subdomains
You can choose whether to include subdomains as part of your email domain profiles (e.g., blog.example.com is a subdomain of example.com). When you include subdomains (Administration > Email Profiles > Domain Profiles), the Zscaler service automatically evaluates subdomains as pa...
Update to Cloud Service API
The "GET /pacFiles" endpoint is updated with new request parameters such as "pageSize" and "page" to support pagination. The default value of "pageSize" is 100 and the request retrieves up to 100 PAC files at a time. To learn more, see the <a href...
Expanded File Type Support for File Type Control
The File Type Control and Data Loss Prevention (DLP) policies now support the following file types: • Microsoft Outlook Mac Data (.olm) • Microsoft Publisher Files (.pub) • Microsoft TNEF file (.tnef) • LZH Archive (.lzh, .lha) • CPIO File (.cpio)...
Expanded File Type Support for Sandbox
The Zscaler Sandbox supports additional file types: • Microsoft Software Installer (msi) • Windows Batch File (bat) • Windows Script File (wsf) See image. To learn more, see <a href="https://help.z...
Enhancements to Endpoint DLP
Optical Character Recognition (OCR) SupportThe Zscaler service supports OCR for Endpoint DLP to scan PNG, JPEG, TIFF, and BMP files for sensitive text data. This functionality does not require configuration and is automatically available based on whether your subscription includes the ZS...
Additional URL Category for File Type Control and Sandbox Policies
In the ZIA Admin Portal, on the File Type Control page (Policy > File Type Control) and on the Sandbox Policy page (Policy > Sandbox), you have the option of selecting Newly Registered and Observed Domains in the Miscellaneous section for URL Categories. <a class="image-ico...
Cloud Applications Update in NSS
Zscaler has updated the names of select cloud applications. The updates synchronize the cloud application names across Web Insights and NSS and Cloud NSS web log feeds. To verify and address any impacts related to the updates, Zscaler recommends that admins review the following:<...
Update to Audit Logs
Audit logs include a new Trace ID value that is generated for transactions associated with ZIA API requests made through Zscaler OneAPI. See i...
Update to Cloud Service API: End User Notification Endpoints
The cloud service API includes the following new endpoints to retrieve information about browser-based end user notifications (EUNs) and to update the EUN configuration: • "GET /eun" • "PUT /eun" To learn more, see the <a href="https://help.zscaler...
Update to DNS Gateways
DNS Gateways support a customized URL path for DNS servers that use the DNS over HTTP (DoH) protocol. See image. To learn more, see <a href="https://help.zscaler.com/zia/adding-dns-gateways" target="_bl...
Updates to Cloud Service API
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Malware Protection Policy • <a href="#advanced-threat...
Service - zscalerthree.net
Support for New Workday Filters and Prompts
You can use a new filter Last Functionally Updated to easily identify recently modified records when creating custom reports in Workday. Additionally, the prompts Starting Prompt and Ending Prompt fields provide greater control and precision when defining report parameters. <p...
Updates to Malware Protection Policy Endpoints
You can update the Malware Protection policy and retrieve the Malware Protection policy for an organization using the following endpoints: • "GET /malwarePolicy" <li data-list-item-id="e83742e3c2bff0a63...
Updates to NSS Collector Server Endpoints
You can add, update, and delete NSS Collector servers and retrieve a list of all configured NSS Collector servers for an organization using the following endpoints: • "GET /nssCollectors" <li data-list-...
Updates to Secure Browsing and Votiro CDR Endpoints
You can retrieve a list of all supported browsers and their versions and update the Smart Browser Isolation policy settings using the following endpoints: • "GET /browserControlSettings/supportedBrowserVersions</...
Updates to the IPS Control Policy Endpoints
You can create, update, delete, and retrieve custom IPS signature rules using the following endpoints: • "GET /ipsSignatureRules" • "POST /ip...
Additional Support for Predefined DLP Dictionaries in Endpoint DLP
The following predefined Data Loss Prevention (DLP) dictionaries are now supported for use in Endpoint DLP policy rules: • Addresses (Japan) • First Names (J...
Gen AI Prompt Configuration for QuillBot and Google AI
Zscaler's Gen AI prompt configuration is extended to the QuillBot and Google AI generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen...
Policy Level Gen AI Prompt Configuration
You can capture end user prompts for generative AI applications from the Cloud Application Control policy. This allows granular control of Gen AI prompt configuration. As part of this update, the Capture Prompts option is added to the Add/Edit AI & ML Rule window (Policies > Acce...
Enabling Incident Forwarding for Slack Chats
Zscaler is now forwarding Slack chat-based DLP policy incidents to the Zscaler Incident Response and Zscaler Workflow Automation along with already supported file-based violations. These incidents are also sent to Web Insights and Logs and to the respective DLP policy's auditor. To lea...
Enhancement to Cloud Application Instances
The cloud application instances feature is extended to new cloud applications. You can create cloud application instances for the following cloud applications: • Google Gemini <li dat...
Expanded SSPM Controls for Google Workspace
Advanced SaaS Security Posture Management (SSPM) expands its coverage for Google Workspace with 24 new SSPM controls, providing deeper visibility and stronger security posture assessment. The Cloud Identity license must be assigned to the Google Workspace Admin onboarding...
DLP Support for New PII Dictionaries
The following are new predefined DLP dictionaries: • Argentina Uniform Bank Code: Detect Leakage of CBU • Cambodian National ID: Detect Leakage...
Support for Collaboration Scope for Microsoft Teams
When creating a DLP rule for Microsoft Teams, you can define the collaboration scope as External, Internal, or Any to scan messages and attachments in channels containing external, internal, or any (internal or external) members. <a class="image-icon" href="#collab-scope-dl...
Add or Remove NTP Servers Using CLI
You can add or remove custom NTP servers from the configuration files using CLI commands. This prevents syntax errors and duplicate entries in the configuration files. To learn more, see <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-internet-saas-ntp-server-synchron...
Default Rules for Advanced Sandbox
If your organization is subscribed to the Advanced Sandbox package, the following default rules are available: • Sandbox_Docs_Trusted • Sandbox_Docs_Archives • Sandbox_Exes_We...
DLP Rule Name Support for Web DLP Reports and Insights
Users can schedule Web DLP incident reports by DLP Rule Name to improve visibility and monitor incident counts in the Zscaler Admin Console: Data Type DLP Rule Name is introduced in the Interactive Reports widgets and Web Insights. <a class="image-icon" href="#dlp-rul...
Document Classification and Logging for Email DLP Insights
AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Email DLP Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classific...
Enhancements to Predefined O365 One Click rule in SSL/TLS Inspection Policy
You can choose Evaluate Other Policies or Bypass Other Policies under the Do Not Inspect action in the O365 One Click predefined rule in the SSL/TLS Inspection Policy. This allows you to configure the predefined O365 One Click rule to either evaluate other policies (i.e., URL Fil...
Exclude Selected URL Classes & Categories from NSS Feeds
Filters to include or exclude selected URL classes, URL categories, and URL super categories have been added to NSS and Cloud NSS feeds for web logs. When configuring a feed, you can select the respective URL classes and categories and include them in the logs by default or choos...
Instance Discovery Report Support for Azure
You can view the Instance Discovery Report for Microsoft Azure; this application supports three levels of discovery: • Domain • Tenant <li data-list-item...
New Network Applications in Firewall Control
The Zscaler service extends support to identify two new network applications, namely Kafka (Application Service category) and Zalo (Instant Messaging category). You can view these apps on the Network Applications page and configure them in Firewall Filtering rules to identify and...
NSS Support for Admin Audit, ZIdentity Authentication, and ZIdentity SCIM Logs
The following enhancements are available for the NSS Feeds and Cloud NSS Feeds: • New log types, ZIdentity Authentication and ZIdentity SCIM, are added to the NSS for Web type. These log types provide support for the ZIdentity Authent...
Support for Cloud NSS Feeds for Alerts
You can configure a separate Cloud NSS feed for alerts, enabling you to monitor your Cloud NSS feeds for data lag, data loss, and the connection to your cloud-based security information and event management (SIEM) system. <a class="image-icon" href="#img-cloud-nss-alert-fee...
Support for Smartsheet as an API-Based Platform in Advanced SSPM
Advanced SSPM supports Smartsheet as an API-based platform to provide visibility into posture misconfigurations. You can onboard a Smartsheet tenant from the 3rd-Party App Governance Admin Portal. See image. To...
Enhancement to Atlassian Integration in 3rd-Party App Governance
The Add Integration window for Atlassian in 3rd-Party App Governance is enhanced to allow you to enter the Atlassian subdomain and API token while adding the integration. This reduces the number of steps and simplifies the integration process to improve the user experience. <p...
API Session Timeout
When configuring advanced settings (Policies > Common Configuration > Advanced > Advanced Settings), you can specify how long API-initiated sessions can be inactive before they are forced to reauthenticate. The timeout duration can range from 5 to 20 minutes. <a class="imag...
Subdocument Type Support in Data Discovery Report
The Data Discovery Report is enhanced to include subdocument type support, providing enhanced visibility via an interactive bubble chart for ML categories. This chart utilizes nested bubbles to represent granular subdocument types, such as tax forms and legal contracts. By drilli...
Update to Workload Groups Endpoints
You can delete a list of workload groups for an organization using the "DELETE /workloadGroups" endpoint. To learn more, go to "DELETE /workloadGroups" from Workload Groups. To learn more about...
Client Browser for Zero Trust Browser
Zero Trust Browser has been updated with several significant changes to provide seamless and secure enterprise access from any browser. The solution consists of three primary components: a browser extension that handles web-based security and access, a lightweight agent that enforces device postu...
Enhancement to Advanced Threat Protection Policy
Advanced Threat Protection now enables users to allow the Web Proxy Auto-Discovery (WPAD) protocol from external sources to automatically discover proxy settings by locating PAC files via DHCP or DNS queries. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanced-threat-pro...
Support for Microsoft Copilot Readiness Assessment
Organizations face a significant security risk when users inadvertently overshare or mishandle sensitive internal files. The integration of AI tools, such as Microsoft Copilot, intensifies this risk, as these tools can access information within the improperly shared files, leadin...
Cloud Custom IPS Enhancements
Custom IPS is supported on Zscaler's public cloud, allowing you to create and deploy custom IPS signature rules without requiring any additional infrastructure (previously required a Private Service Edge deployment). You can inspect traffic transiting the Zscaler cloud again...
Support for Workday Tenant RaaS-based API Access
Workday tenants now support RaaS-based API access which enables secure, programmatic retrieval of data and management through web services. Existing Workday tenants need to be reauthenticated by editing the tenant and revalidating. To learn more, see <a href="https://help.zscaler.com/zia/ad...
Support in SaaS Security Data at Rest DLP Policy for Quarantine of Sensitive Content in Microsoft Teams
The SaaS Security Data at Rest Scanning policy supports a new option to quarantine sensitive content in Microsoft Teams. You can specify a tombstone message that end users see when messages or files in Microsoft Teams are quarantined. <a class="image-icon" href="#ZIA-Webex-...
Enhancement to Gen AI Prompt Configuration
The generative AI prompt configuration is extended to the Grammarly application. As part of this change, the Grammarly option is added to the Policy > URL & Cloud App Control > Advanced Policy Settings page. <a class="image-ic...
Outbound Email DLP Quarantine with Release or Delete Emails in Workflow Automation
Zscaler now supports the Quarantine action when configuring Outbound Email DLP policies for Microsoft Exchange. When Quarantine is selected, emails that match policy criteria are quarantined directly in Microsoft Exchange. To use the Quarantine feature, go to Policy > Email DLP a...
Advanced SSPM Support for Lucidchart
Advanced SSPM supports a new platform, Lucidchart. You can onboard a Lucidchart tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/connecti...
Support for Zendesk as an API-Based Platform in Advanced SSPM
Advanced SSPM supports Zendesk as an API-based platform. You can onboard a Zendesk tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/conne...
Advanced SaaS Security Posture Management Support for Oracle Financials Cloud
You can configure Advanced SaaS Security Posture Management (SSPM) for Oracle Financials Cloud tenants. Select the SSPM Scan checkbox when onboarding a tenant to enable the Advanced SSPM scan capability for the specific tenant. <a class="image-icon" href="#Oracle-sspm-onboa...
Document Classification and Logging for SaaS Security API, Email, and Endpoint DLP
AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classification of d...
Expanded SSPM Controls for Microsoft Copilot
Advanced SaaS Security Posture Management (SSPM) expands its coverage for Microsoft Copilot with 15 new SSPM controls, providing deeper visibility and stronger security posture assessment....
New Bandwidth Control Fields for Transactions
Web Insights are enhanced to allow users to view the latency caused by bandwidth control on transactions in the ZIA Admin Portal. Web Insights LogsThe following new columns and filters are available in the Web Insights Logs: • Request Latency Due to Bandwi...
Application Investigation in Endpoint Data Scan
Zscaler's Application Investigation is a solution that provides comprehensive visibility and automated risk management for an organization's application ecosystem by delivering a clear view of all software in use, including unauthorized AI tools and unapproved browsers....
DLP Operational in Endpoint Data Scan
The Zscaler DLP Operational page (Analytics > Endpoint Data Scan > DLP Operational) provides insights into the endpoint's status, thereby ensuring that the system functions properly and as designed to avoid sensitive data leakage. <a class="image-icon" href="#D...
Enhancement to Firewall Policies Endpoints
A new query parameter, "ruleLabelId", is available for the "GET /firewallFilteringRules" and "GET /firewallFilteringRules/count" endpoints. The "ruleLabelId" query parameter allows you to filter Firewall Filtering rules based on the rule label ID. To le...
Enhancements to Admin Role Management
On the Internet & SaaS > Role Management page, in the Policy & Components > Access Control tab, the URL Filtering and Cloud App Control policy permissions are separated to provide admins more granular control over those features. <a class="image-icon" href=...
Exact Data Matching in Endpoint Data Scan
Zscaler has introduced Exact Data Matching (EDM) for Endpoint Data Loss Prevention (DLP) which provides protection for structured sensitive data. This feature utilizes a unique hybrid architecture where the endpoint performs local prefiltering to identify candidate files for clou...
Expanded SSPM Controls for Salesforce
Advanced SaaS Security Posture Management (SSPM) expands its coverage for Salesforce with three new SSPM controls, providing deeper visibility and stronger security posture assessment....
Filtering by User Group in Endpoint Data Scan
Administrators can filter data on the Endpoint Data Scan page (Analytics > Endpoint Data Scan > Endpoint Data Scan) by a specific user group. See image. To learn more, see <a href="https://help.zscaler.com/legacy-zia/abo...
Share Files Externally in Endpoint Data Scan
Share Files Externally provides a capability for Endpoint DLP that allows authorized users to securely share sensitive files with external partners by encrypting the data into a secure HTML format, ensuring that only verified recipients can access the content. You can acces...
SSL Inspection and SSL Policy Renamed to SSL/TLS Inspection and SSL/TLS Policy
The labels SSL Inspection and SSL policy are renamed to SSL/TLS Inspection and SSL/TLS policy. See image. Refer to the following table for a list of updated labels: Old UI Labels...
Support for Certificate-based Authentication with Microsoft Applications for a Custom Zscaler Connector
When you create a custom Zscaler connector for a Microsoft application, you have the option to choose whether you want to provide a client secret or a private key in the Zscaler Admin Console so that the Zscaler service can access the application. SharePoint, Copilot, and Microso...
Support for CIDR and Regex on Network Share DLP Resources
The Zscaler service supports using Classless Inter-Domain Routing (CIDR) ranges and regular expressions for advanced matching when creating or editing network shares for Endpoint Data Loss Prevention (DLP) resources. The following image shows a regular expression that matches all...
Support for Network Type on Endpoint DLP Policy Rules
The Zscaler service supports specifying a network type (e.g., Trusted, Off-Trusted, VPN) for the Network Share, Printing, and Device Control channels when creating policy rules for Endpoint Data Loss Prevention (DLP). • Endpoints must be running Zscaler...
Updates to Recipient Email Profile Endpoints
You can create, update, and delete recipient email profiles, retrieve a list of all recipient email profiles, and obtain the count of recipient email profiles for an organization using the following endpoints: • "GET /emailRecipientProfile" • "POST...
Introducing Flexible Permission Selection for SSPM Connectors
The SaaS application tenants GitHub, Jira, Okta, Confluence, Trello, Webex Teams, and Google Workspace now have the option to onboard for SaaS Security Posture Management (SSPM) scan by choosing Read-only or Read/Write (full access) for the connector role...
Enhancements to Endpoint DLP for macOS
The following enhancements are available in Zscaler Endpoint Data Loss Prevention (DLP) for macOS: Support for Endpoint DLP Block Action for Printing on macOSThe Zscaler service supports the Block action for printing from macOS devices in Endpoint DLP rules with co...
Advanced SaaS Security Posture Management Support for JumpCloud
You can configure Advanced SaaS Security Posture Management (SSPM) for JumpCloud tenants. Select the SSPM Scan checkbox when onboarding a JumpCloud tenant to enable the Advanced SSPM scan capability for the specific tenant. <a class="image-icon" href="#JumpCloud-sspm-onboar...
Insights Logs Improvements & Enhancements
The Insights Logs pages now feature asynchronous log retrieval. This enhancement allows users to continue working without interruption while queries are executed in the background, significantly improving their user experience. The following enhancements are available for I...
Security Fixes
Proper neutralization of user input in specific input fields in the ZIA Admin Portal no longer allows an authenticated administrator to access unauthorized internal information in rare conditions (CVE-2026-22568)....
Enhanced Flexibility in the URL Filtering Policy Rule Creation
You can apply either "OR" or "AND" logical operator between the Users, Groups, and Departments criteria in the URL Filtering Policy rules. This allows you to create granular policy rules using a combination of logical operators (i.e., "OR" or <cod...
Sandbox Verdict Logging
Zscaler supports comprehensive logging of Sandbox analysis activities through Insights Logs and the Nanolog Streaming Service (NSS). You can log and view details of all files that went through behavioral analysis regardless of the verdict (e.g., Suspicious Content, Benign). With the following enh...
DLP and File Type Support for MSIX Files
The File Type Control and Data Loss Prevention (DLP) policies now support MSIX files in the Executable category. • File Type Control • DLP - Rule without Content Matching <p...
Logs for MCP Transactions
The application activity MCP is added to the Web Insights Logs to log Model Context Protocol (MCP) transactions in the ZIA Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/web-insights-logs...
Advanced SSPM Support for Airtable
Advanced SSPM supports a new platform, Airtable. You can onboard an Airtable tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integrating...
Advanced SSPM Support for Bitwarden
Advanced SSPM supports a new platform, Bitwarden. You can onboard a Bitwarden tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integratin...
Advanced SSPM Support for Sentry
Advanced SSPM supports a new platform, Sentry. You can onboard a Sentry tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integrating-sent...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Support for OneLogin as an API-Based Platform in Advanced SSPM
Advanced SSPM supports OneLogin as an API-based platform. You can onboard a OneLogin tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/int...
Enhancement to Zscaler Cloud Performance Test Tool
The Zscaler Cloud Performance Test Tool allows you to view only the domain part of the traffic or email, and the user name is hidden. For example, johndoe@zscaler.com is visible as xxxxxxx@zscaler.com. See image. To learn m...
Granular Control for Atlassian AI Application
You can allow or block the use of embedded AI applications on Atlassian sites and enable or disable Zscaler to store the generative AI prompts entered in these embedded AI applications per cloud app control rule. As part of this feature, the following fields appear in the Add/Edi...
Regex Patterns in Custom URL Categories
The custom URL category supports regex patterns, enabling you to match multiple URLs with a single pattern and flexible configuration of custom URL categories. As part of this update, in the Administration > URL Categories > Add URL Category window, the URL Type toggle has been a...
Sandboxing Password-Protected PDF Files for Isolation
Zscaler Isolation now supports password-protected PDF files to be <a href="https://help.zscaler.com/zia/about-sandbox" target="_blank" data-entity-type="node" data-entity-uuid="b6501cfa-e4fc-40ad-9568-c79e8ff2240e" data-entity-subst...
Support for Adjustable Polling Intervals
When scheduling a scan for SaaS applications tenants (Policy > SaaS Security > Scan Configuration > Add Scan Schedule), you can also configure the polling interval based on how often you want the system to scan the application. <a class="image-icon" href="#polling-intervals...
Support for Number of Collaborators for File Sharing Apps in DLP
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as scoping criteria for all file sharing applications, including Box, Dropbox, Confluence, ShareFile, and Smartsheet. Administrators can monitor fi...
Support for Quarantine File to Desired Location for File Sharing Apps
The support for quarantining files in a desired location has been extended to all file sharing apps, including Box, Dropbox, Confluence, ShareFile, and Smartsheet. This feature was already available for Google Drive, OneDrive, and SharePoint apps. You can specify a quarantine loc...
Deprecation of SSPM Policies for Microsoft 365
The following policies are deprecated for Microsoft 365 in both SaaS Security Posture Management (SSPM) Essentials and Advanced SSPM: • Set Automated Notifications for New and Trending Cloud Applications in Our Organization • Set Automated Notification for New OAuth Applications Co...
Enhanced Logging of Collaborator Group Members
This enhancement allows you to view logs for individual members within a collaborator group. As part of the update, the following changes are available in the ZIA Admin Portal: SaaS Security Insights Logs and SaaS Security Assets with IncidentsWhen an individual file is shared with...
Enhancement to Virtual Service Edges
The following platforms support 64 GB of RAM and 3 antivirus (AV) engines per Virtual Service Edge: • <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-clusters" target="_blank" data-entity-type="node" data-entity-uuid="0f1a169d-6547-4d25-a778-b2f20da57fa4" data-enti...
Gen AI Prompt Obfuscation
Generative AI (Gen AI) prompts that are displayed in the Web Insights Logs can be obfuscated when adding admin roles. <p...
Increased AWS Account IDs in Tenant Profiles
You can add up to 512 account IDs per tenant profile for AWS and there can be a maximum of 4,096 account IDs across all profiles. To learn more, see Adding Tenant Profiles and <a href="https://help.zscaler...
Logs for Email Received and Sent Time
The following enhancements are available for Insights and NSS Feeds in the ZIA Admin Portal to record the time Zscaler either received or sent an email response. Insights LogsNew columns Zscaler Sent Time and Zscaler Received Time are added to Email DLP Insights Lo...
Pattern Requirements for Custom DLP Dictionaries
For custom Data Loss Prevention (DLP) dictionaries that use patterns with lookaround constructs (also known as zero-length assertions), the Zscaler service now enforces the following restrictions: • You must select Match Any Patterns and Any Phrases as the Match Type.</l...
Updates to Firewall Dashboard and Insights
On the Firewall Insights page (Analytics > Firewall Insights), the maximum number of rules displayed for the Rule Name data type has been increased. When using bar or table charts, you can view up to the top 4,000 rules (in increments of 500, 1,000, 2,000, and 4,000) by selecting...
Expanded File Type Support for Sandbox
The Zscaler Sandbox now supports the Optical Disc Image (iso) file type. See image. To learn more, see <a href="https://help.zscaler.com/zia/about-sandbox" target="_blank" data-entity-type="node" data-entity-uuid="b6501cfa-e...
Enhancement to Extranet Application Support
Extranet Application Support can be configured bidirectionally, allowing partners to access your organization's resources securely. Extranet Application Support is a feature in limited availability. To access Extranet Application Support, contact your Zsca...
NSS Support for Hyper-V
Zscaler’s Nanolog Streaming Service (NSS) supports the configuration and deployment of an NSS virtual machine (VM) on Hyper-V. After deploying an NSS VM, you can stream your organization’s web or firewall logs from the Zscaler cloud to your security information and event ma...
NSS Support for Nutanix
Zscaler’s Nanolog Streaming Service (NSS) supports the configuration and deployment of an NSS virtual machine (VM) on Nutanix. After deploying an NSS VM, you can stream your organization’s Web or Firewall logs from the Zscaler cloud to your security information and event ma...
Update to Admin Audit Logs and Event Logs API Endpoints
When you request report generation using "POST /auditlogEntryReport" or "POST /eventlogEntryReport", it returns an HTTP "200 OK" status code with the "statusId" in the response (previously returned "204" status code). This "statusId</cod...
Enhancements to 3rd-Party App Governance and Advanced SSPM
The following enhancements are available in 3rd-Party App Governance and Advanced SSPM: SettingsThe SaaS Tenants and Notifications tabs are added to the Settings page. These tabs allow you to view and manage the onboarded SaaS tenants and also configure Slack and e...
Security Fixes
Proper validation of user input in the ZIA Admin Portal no longer allows an authenticated administrator to initiate back end functions through specific input fields in limited scenarios (CVE-2026-22567)....
Automatic Local Language Translation for Isolation in ZIA
Automatic language translation is globally available for Isolation. The isolated session localizes the language based on the user's browser language settings, and displays that language on the rendered web page. To learn more, see <a href="https://help.zscaler.com/isolation/understandi...
Original URL for Isolation Profiles in ZIA
Original URL has replaced Local Browser Rendering in Isolation. It is now an option that admins can configure in isolation profiles. This means that the user of the isolation profile sees the native browser URL of the web p...
Visual Indicator for Turbo Mode in Isolation for ZIA
If Turbo Mode is enabled on an isolation profile and the user also has hardware acceleration enabled, the appearance of the zGPU icon next to the Turbo Mode command is displayed in the Isolation Bar. See image. To...
Apply MIP Label as Manual Remediation Action in SaaS Security Assets
For file sharing applications OneDrive and SharePoint, you can apply the MIP label as a manual remediation action from the SaaS Security Assets with Incidents page (Analytics > SaaS Security > Assets > click an application or tenant). <a class="image-icon" href="#apply_mip_...
Gen AI Prompt Configuration for Claude and Mistral
Zscaler's Gen AI prompt configuration is extended to the Claude and Mistral generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen-ai-...
Create VM Instance using the Virtual Service Edge Amazon Web Services Terraform Modules
You can create a virtual machine (VM) in Amazon Web Services (AWS) using the Virtual Service Edge Terraform modules. To learn more, see <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-amazon-web-services" target="_blank" data-entity-type="node" data-entity-uuid="64393...
Additional Logging of Users Performing Actions on File
You can identify and report not only the owner of the file, but also the user who last modified or shared a file that caused a DLP violation, in the ZIA Admin Portal. As part of this feature, the following enhancements are available for Insights Logs and NSS Feeds: Insight...
Enhancement to Filters in 3rd-Party App Governance and Advanced SSPM
In the App Inventory and User Inventory, and on the Posture page, the filter options that don't currently exist in your organization display separately and do not return results. You can still select them when creating new views and policies. If a new app i...
Support for GitHub User Email Enrichment in 3rd-Party App Governance
The Users page displays multiple emails in addition to public emails for GitHub users. These emails are associated with the domain of the organization that owns the GitHub account. This enhancement improves the ability to find user and admin emails from outside the domain.</span...
Support for Google Workspace OU Segregation
You can segregate your Google Workspace integration by organizational units (OUs) in 3rd-Party App Governance. This segregation ensures that each OU can access only its relevant users, applications, and posture data, while maintaining consolidated tenant management f...
Updates to 3rd-Party App Governance API
The 3rd-Party App Governance API adds a new endpoint, "/app_views/{appViewId}/accounts", to retrieve users' email addresses associated with specific app IDs. "/app_views/{appViewId}/apps_extended" provides the total number of enabled users "totalenabledusers<...
Support for Sublocation Scopes
You can define scope types and values to map the workload traffic to a sublocation. Defining scopes allows you to apply granular ZIA and Cloud Connector security policies to the workload traffic from that sublocation. You can configure scopes only for Workload traffic type subloc...
Enhancements to Endpoint DLP for Windows
The following enhancements are available in Zscaler Endpoint Data Loss Prevention (DLP) for Windows: Endpoint DLP Support for Clipboard and Application File AccessTo access this feature, contact your Zscaler Account team. Endpoint DLP supports mo...
Enhancements to IPv6
The IPv6 infrastructure is enhanced to receive IPv6 traffic directly from remote users, forwarding traffic through Zscaler Client Connector, when the Enable IPv6 Resolution for Zscaler Domains field is enabled in the <a href="https://help.zscaler.com/zscaler-client-connector/about-platform-settin...
Enhancements to Private Service Edge Support for IPv6
ZIA Private Service Edge supports IPv6 traffic directly from remote users (forwarding traffic through Zscaler Client Connector or PAC files), when the Enable IPv6 Resolution for Zscaler Domains field is enabled in the <a href="https://help.zscaler.com/zscaler-client-connector/about-platform-setti...
JWT Authentication
JSON Web Token (JWT) authentication is available for Zscaler Cloud & Branch Connector workloads. JWT authentication is enabled when configuring locations. <a class="image-icon" href="#enable-jw...
JWT Authentication Support for Workloads on Management Portal for Partners
The ZIA Admin Portal supports a new method, JWT authentication, to authenticate workloads from Cloud & Branch Connector. In the Management Portal for Partners, you can enable this feature in ZIA for your tenants by using the JWT Auth for Workload field on the Tenant Details...
Support for Enhanced US Driver's License Dictionary and Sub-Dictionaries
The Zscaler service supports the Enhanced Driver's License (United States) predefined Data Loss Prevention (DLP) dictionary. The parent dictionary contains predefined sub-dictionaries for all 50 U.S. states, plus the District of Columbia, and each sub-dictionary can be indiv...
Support for New SSPM Controls for GitHub
The number of SaaS Security Posture Management (SSPM) controls for GitHub in Advanced SSPM has been increased. Eleven new SSPM controls are supported for GitHub....
Web EUN for DNS Control Policy
The DNS Control policy includes an option to display a notification to end users when the policy blocks access to specific domains. Zscaler hosts this End User Notification (EUN) page, eliminating the need for organizations to host their own EUN web page. The DNS EUN web page inf...
Updates to SaaS Security Endpoints
You can retrieve the SaaS Security Scan Configuration information and the validation status of a SaaS application tenant using the following endpoints: • "GET /casbTenant/scanInfo" • "GET /casbTenant/validate/status/{tenantId}" To...
Create VM Instance using the Virtual Service Edge Azure Terraform Modules
You can create a virtual machine (VM) in Azure using the Virtual Service Edge Terraform modules. To learn more, see Configuring Virtual Service Edge for Microsoft Azure....
Enhancement to Custom Views in 3rd-Party App Governance
When creating and saving a custom view in 3rd-Party App Governance, you can update the saved view to include your current tenant selection on the global platform filters. See image. To learn more, see <...
Zscaler Client Connector EUNs for Firewall, DNS, and IPS Policies
Beginning with Zscaler Client Connector version 4.8 for Windows, ZIA Firewall policies—including Firewall Filtering, DNS Control, and IPS Control—support end user notifications (EUNs) via Zscaler Client Connector. When configuring these policy rules, you can select to show a noti...
Automatic Session Restore for Isolation
Isolated sessions now automatically restore their web pages if they time out on a user's device. If a session is idle for longer than the timeout of 10 minutes, the isolated page automatically refreshes itself, and the user does not have to sign in again. When this action occurs, the banner...
Original URL of Website Name in Isolation
The UI is updated so that when users enter an isolated session, they now see the original URL of the website they are on instead of the isolation web page URL. This change provides users with an experience with a look and feel more like a native browser compared to the container view of being iso...
Support for Adaptive Access Engine
Adaptive Access Engine dynamically manages access based on real-time assessments of risk and trust by continuously evaluating contextual signals, user behavior, device health, location, and other factors to determine whether to allow or block access to websites or apps at any giv...
New AI/ML Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Support for Custom File Types in DLP and File Type Control Policies
You can create custom file types and use them when creating Data Loss Prevention (DLP) and File Type Control policies. You can then filter and view logs for these custom file types in Web Insights Logs and the Nanolog Streaming Service (NSS). <a class="image-icon" href="#ad...
Advanced SaaS Security Posture Management Support for Docusign
Docusign is supported as a SaaS application tenant and can be onboarded for Advanced SaaS Security Posture Management (SSPM) scans. See image. When onboarding a Docusign tenant, you can enable Advanced SSPM scanning by selec...
Enhancement to SafeSearch
SafeSearch allows granular control of applications. This allows you to apply SafeSearch to specific applications. As part of this change, on the Advanced Policy Settings page (Policies > URL & Cloud App Control > Advanced Policy Settings), the SafeSearch Applications drop-down ap...
File Type Support for File Type Control & DLP
The File Type Control and Data Loss Prevention (DLP) policies support the following file types in the Other category: • UTF-8 BOM • UTF-16 LE • UTF-16 BE The file types are available when creating the following policies: <l...
New Network Applications in Firewall Control
Zscaler includes support for identifying several new network applications using deep packet inspection and controlling the network application traffic using Firewall Filtering rules. These network applications are listed on the Network Applications page (Administration > Network...
Shadow IT Report Enhancements
You can view information about the number of transactions per application based on their status (blocked or allowed) in the Cloud Applications table of the Shadow IT Report. A new column, No. of Transactions, is added to the Cloud Applications table. <a class="image-i...
Support for New SaaS Application Tenant
Microsoft Copilot is supported as a SaaS application tenant and can be onboarded for Advanced SaaS Security Posture Management (SSPM) scans. See image. When onboarding a Microsoft Copilot tenant, you can enable Advanced S...
Support for Quarantine File to Desired Location
The SaaS Security Data at Rest Scanning DLP and Malware policies support specifying the location to quarantine files for the file sharing applications Google Drive, Microsoft OneDrive, and Microsoft SharePoint. SaaS Application Tenant OnboardingOnboarding a SaaS ap...
Document Classification and Logging
AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classification of documents that are...
Support for New SSPM Controls for Snowflake
The number of SaaS Security Posture Management (SSPM) controls for Snowflake in Advanced SSPM has been increased. Forty-six new SSPM controls are supported for Snowflake....
Logs for Post-Quantum Cryptography Visibility
Zscaler is proactively preparing for post-quantum cryptography (PQC) by evaluating quantum-safe algorithms, supporting hybrid encryption systems, and enabling scalable integration of quantum-resilient technologies across its cloud infrastructure. Zscaler collaborates globally wit...
Support for Expandable Limit for Users, Groups, Locations, & Departments in Policies
The default limit of Users, Groups, Locations and Departments in policies has been increased to 32 from 4 and 8. This limit can be further expanded on a need basis. You can contact the Zscaler Sales or Zscaler Account team to further increase this limit, if required. On the Management Porta...
Async Location Download
For organizations that have thousands of locations or sublocations, the loading time on the Locations page and in any policy that references locations when selected might incur noticeable loading time to retrieve and display the full location list. To learn more, see <a href="https://help.z...
Enhancement to the IP Destination Groups Endpoint
A new query parameter "override" is available for the "PUT /ipDestinationGroups/{ipGroupId}" endpoint. The "override" parameter is a Boolean that you can set to override IPs when required. To learn more, go to "PUT /ipDestinationGroups/{ipGroupId}</code...
Gen AI Application Category in NSS Feeds for SaaS Security Logs
Gen AI is added as an application category in NSS and Cloud NSS feeds for SaaS Security Logs. When configuring a feed, you can select the Gen AI application category and available generative AI SaaS applications (e.g., ChatGPT) to stream the related logs from Zscaler to your secu...
Support for Expandable Limit for Users, Groups, Locations, & Departments per Rule
The limit of users, groups, departments, and locations for a rule is increased to 32 from 4 users, 8 groups, 8 departments, and 8 locations. You can contact Zscaler Support to increase this limit further as needed. The following categories under the policy are supported: • Bandwidt...
Update to Cloud Nanolog Streaming Service (NSS) Endpoints
The Cloud Nanolog Streaming Service (NSS) endpoint category in the cloud service API includes a new endpoint, "GET /nssDownload/{nssId}", that enables you to download the NSS virtual appliance information based on the specified NSS server ID. To learn more about...
Updates to Virtual Service Edge Endpoints
You can create, update, and delete a ZIA Virtual Service Edge and retrieve the Virtual Service Edge for an organization using the following endpoints: • "GET /virtualZenNodes" • "POST /virtualZenNodes" • "GET /virtualZenNodes/{virtu...
Updates to Workload Groups Endpoints
You can add workload groups for an organization and update, delete, and retrieve the workload groups by specifying the ID using the following endpoints: • "POST /workloadGroups" • "GET /workloadGroups/{workloadGroupId}" • "PUT /wor...
Strict Checking of Popular Date Formats in EDM
To obtain access to this feature, contact Zscaler Support. You can configure Data Loss Prevention (DLP) Exact Data Match (EDM) to have strict checking against popular date formats. This feature supports 6- to 8-digit date formats that contain hyphens (<co...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Content Location Match Criteria for Web DLP Rules
You can choose a content location as a match criteria to target specific sections of a file or transaction when defining a Data Loss Prevention (DLP) rule. To enable this feature, contact Zscaler Support. • File• Document Properties: Matches are...
OpenOffice File Type Support for DLP
The Data Loss Prevention (DLP) policies support the OpenOffice Drawings (.odg, .otg) file type in the OpenOffice category: • DLP - Rule with Content Inspection To learn more, see <a href="https://h...
SSL Inspection for IoT Devices
You can specify the type of IoT devices to perform or bypass SSL Inspection. Admins can create an SSL Inspection policy based on IoT AI/ML classifications to perform or bypass SSL Insepction. This enhancement requires IoT enablement for your organization. <p...
Gen AI Security Report Enhancements
The Gen AI Security Report is improved, making it interactive and intuitive, with the following enhancements: • Option to view the sanctioned and unsanctioned Gen AI application usage. • Prompt Classification to categorize the prompts used in the Gen AI application...
Support for Step-Up Authentication
Step-up authentication is a security mechanism that ensures users can only access sensitive or high-risk resources after completing an additional level of identity verification. Conditional access is supported for step-up authentication in the ZIA Admin Portal when configuring UR...
Source Countries for the URL Filtering Rules
You can select the countries from which traffic originates for the URL Filtering rules. This allows you to control the traffic originating from specific countries. As part of this change, the Source Countries field is added to the Add URL Filtering Rule window (Policies > URL & C...
Enhancements to App Panel and Control Panel
A Notes tab is added to the App Panel in 3rd-Party App Governance and the Control Panel in Advanced SaaS Security Posture Management (SSPM). This tab allows you to communicate with and leave notes for multiple other users. You can add notes to each app or control and also comment...
New Endpoints for 3rd-Party App Governance
The 3rd-Party App Governance API adds the following new endpoints to perform bulk actions as well as retrieve scan results and lists of filters and controls from the Posture page in the 3rd-Party App Governance Admin Portal: • "/posture/controls/status" • "/posture/...
Improvements to the Zscaler Incident Receiver JSON Metadata File
To help improve incident management on the Zscaler Incident Receiver, the JSON file that contains Data Loss Prevention (DLP) policy scan metadata for Inline Web DLP policy violations (with Evaluate All Rules mode enabled) has been updated with the following fields: • "otherMatchedRu...
Logs for SSL Inspection Policy Rule Name
You can filter and view logs to learn which specific SSL Inspection policy r...
Support for Cloud-to-Cloud Forwarding in DLP
You can now forward information about transactions that violate various Data Loss Prevention (DLP) incidents directly to your appliances you've defined in the ZIA Admin Portal by going to Administration > Data Loss Prevention and selecting Cloud-to-Cloud Forwarding. <a...
Third-Party URL Category Lookup
Zscaler supports lookup for uncategorized URLs using a third-party database. You can control the lookup for such uncategorized URLs using the newly added Enable 3rd-Party URL Category Lookup option on the Advanced Policy Settings tab (Policy > URL & Cloud App Control). <a c...
Search for Configuration Changes in Audit Logs
You can search for configuration changes on the Audit Logs page by selecting Changes from the search options. See image. The configuration change search applies to JSON attribute values, not a...
Updated Search for Firewall Filtering Rules
The following update is applicable only to tenants approved for an increased rule limit of up to 4,000 Firewall Filtering rules, based on qualified use cases. On the Firewall Filtering Policy page (Policy > Firewall Control), the search is updated to include th...
Updates to End User Subscription Agreement (EUSA) Endpoints
The cloud service API includes the Activation endpoint category to extend programmatic access to retrieve the EUSA acceptance status using the following endpoints: • "GET /eusaStatus/latest" • "PUT /eusaStatus/{eusaStatusId}" To le...
SaaS Security DLP Policies Support Folder Level Changes
When a folder's permissions are modified or a folder is shared with a new collaborator, files previously in violation of the SaaS Security DLP policy rules in the folder are rescanned against those rules. This feature is presently being rolled out to Microsoft OneDrive and SharePoint applica...
New EDM Data Types
When creating your Zscaler Data Loss Prevention (DLP) EDM templates, you can now select the following data types: • National Document ID (Uruguay) • National Identification Number (Chile) • National Identification Number (Peru) To learn more, see...
Support for Device Groups in Forwarding Control
In the Policy > Forwarding Control > Add Forwarding Rule window, under the General section, a new Device Groups criterion is added. This criterion allows you to select device groups based on the device platform to which the configured forwarding rule applies. <a class="imag...
Multifile Support for Isolation in ZIA
Users can now upload multiple files simultaneously while in an isolated session. There is no minimum or maximum limit while uploading. See image. To learn more, see <a class="url-external" href="https://help.zscaler....
Support for Collaborator Groups
You can filter and view logs for External Collaborator Group and Internal Collaborator Group for the File Sharing Applications category. As part of the update, the following changes are available in the ZIA Admin Portal: SaaS Security Insights LogsFilters and colum...
Improvements to the Users Page
Multiple enhancements have been made to improve the load time and performance of the Users page in 3rd-Party App Governance. This significantly improves the user experience. To learn more, see <a href="https://help.zscaler.com/zia/about-user-inventory" target="_blank" data-entity-type="node...
Support for Correlated View of App Users and DLP File Access
A new tab, Files, is added to the User Panel in 3rd-Party App Governance. This tab provides visibility into files associated with Data Loss Prevention (DLP) violations for a given user over a selected period of time. You can quickly identify the top files with DLP violations, ena...
Support for Detecting Internal Apps
Multiple improvements help to automatically detect internal apps and relate publishers to those internal apps in 3rd-Party App Governance. To learn more, see <a href="https://help.zscaler.com/zia/about-app-inventory" target="_blank" data-entity-type="node" data-entity-uuid="acfb521d-0327-4a...
Support for Excessive Data Permissions Finding for GitHub Apps
A new finding, Excessive Data Permissions, is created for GitHub apps in 3rd-Party App Governance. Applications with excessive data permissions can access or modify multiple data types like emails, files, chats, and calendars, which puts the organization at risk of non-compliance and malicious ac...
Support for SaaS Application Tenants Label Management
You can add and manage labels for Software as a Service (SaaS) application tenants from the Integrations banner in 3rd-Party App Governance and Advanced SSPM. You can also filter the platforms by label. This allows you to identify the differences between the tenants for effective...
Support for SaaS Dashboard in Advanced SSPM
You can view the Software as a Service (SaaS) dashboard when you access Zscaler Advanced SaaS Security Posture Management (SSPM). The dashboard displays information about the overall posture score and risk score across all apps, platforms, and user accounts. It also displays the...
Add Comments for ATP Blocked Malicious URLs
You can now add comments to malicious URLs you have added to Advanced Threat Protection (ATP) Blocked Malicious URLs. To learn more, see <a href="https://help.zscaler.com/zia/adding-urls-denylist" target="_blank" data-entity-type="node" data-entity-uuid="b78a03b4-6f84-4726-...
Customizable User Confirmation Templates
You can now create and manage multiple user confirmation templates for enhanced policy-level customization in the ZIA Admin Portal by going to Administration > Notification Templates > User Confirmation and clicking Add Custom Message. When configuring Endpoint DLP or Inline Web...
Enhancement to EDM Match Count
The Zscaler Data Loss Prevention (DLP) Exact Data Match (EDM) dictionary search score total "matchCount" has been enhanced to be based on the number of unique sets of matches found in the content. Previously, "matchCount" was determined by the number o...
Enhancements to Cybersecurity Insights
You can now view and download the latest Zscaler ThreatLabz updates of all newly generated or updated content by the Zscaler ThreatlabZ team in a PDF from the Cybersecurity Insights page. See image. To learn more, see <a h...
Logs for Allowed File Type Rule
You can filter and view logs for File Type Control policy rules that use the Allow action and have been triggered by the transaction. The following changes are available in the ZIA Admin Portal:</p...
Update to Web Insights for Bandwidth Control
Web Insights includes additional information for Bandwidth Control with the new filter Bandwidth by Data Center. See image. To learn more, see <a href="https://help.zscaler.com/zia/web-data-types-and-filters...
Downloading Policies
On the Print All Policies page (Administration > Print All Policies), you can download your organization's configured policies as JSON files by selecting the ZIP file format. A single ZIP file containing JSON representation of the policies is downloaded, with one JSON file c...
Location Groups Filter in NSS Feeds
A Location Groups filter is added to NSS and Cloud NSS feeds for Web, Firewall, and DNS logs as well as Microsoft Cloud App Security (MCAS) NSS feeds. You can use the filter when configuring a feed to limit the logs to specific location groups. <a class="image-icon" href="#...
Update to Firewall and Forwarding Rules
In Firewall and Forwarding rules, the Department field was accessible to some customers without the appropriate entitlement (requires Advanced Firewall). An update has been made to ensure that this field availability matches the admin’s entitlement to the field licensed with Advanced Firewall. Fo...
EDM and DLP Support for New PII Dictionaries
The following predefined DLP and EDM dictionaries now support an additional format for Australian Passport numbers: AAn(6), where AA is a combination of two letters (PA - PF, PU, PW, PX, PZ, and RA - RZ) and n is a combination of 6 digits. A delimiter (hyphen, spaces, or pe...
Index Tool Single Sign-On
Single sign-on (SSO) can be configured for the ZIA Index Tool when adding or editing an Index Tool configuration. See image. To learn more, see...
SaaS Security Data at Rest Scanning DLP Redaction Support
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy for file sharing applications supports redacting sensitive data in supported file types. To use this functionality, you first create a redaction profile that specifies whether the Zscaler service uses an as...
SaaS Security Data at Rest Scanning DLP Support for Trusted Users and Trusted Domains
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports specifying trusted users (i.e., users with email addresses outside your organization) and trusted domains (i.e., domains outside your organization) as part of your policy rules. The Zscaler service...
Custom Browser EUN Support for File Type Control Policy
The File Type Control policy rules support Custom Browser end user notifications (EUN). You can create a custom EUN template for the File Type Control policy and associate it with the policy rules. This allows you to show the custom notification messages on the endpoints when the...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Enhancement to Posture Management Page
The Remediate option is removed from the policy drawer and Asset Summary tab on the Posture Management page. This option is available only if you subscribed to the Advanced SSPM service. See image. To learn more, see <a...
Expanded Onboarding Options for Salesforce
The Zscaler service supports custom, client-side connector onboarding for access to both sandbox and production Salesforce tenants. With this functionality, instead of requiring full administrator credentials, the Zscaler service can use a minimum set of credentials to access Sal...
Multiple Sandbox API Token Support
Zscaler Sandbox (Administration > Cloud Service API Security > Sandbox API Token) supports up to 5 Sandbox API Tokens. The Sandbox token name field has a limit of 10 characters. See image. Web Insight Logs (Analytics >...
New Macros Available for DLP Notification Templates
Zscaler added three new inline web DLP macros for your DLP notification templates: • "${DEPARTMENT}": Shows the department of the user who triggered the DLP rule. • "${FILESIZE}": Specifies the size of the file that triggered the DLP rule.</li...
Support for EDM and IDM in Outbound Email DLP Policies
The Zscaler service supports using Exact Data Match (EDM) and Indexed Document Match (IDM) dictionaries and engines in your Outbound Email Data Loss Prevention (DLP) policy rules. See image. To le...
Support for Filtering for Advanced Threat Protection
Users can now add URLs and MD5 file hashes to an Allowlist for Advanced Threat Protection (ATP) to explicitly allow or deny access to specific URLs or files. See image. To learn more, see <a href="https://help.zscale...
Support for Parent DLP Dictionaries and Sub-Dictionaries
The Zscaler service supports using Patterns and Phrases Data Loss Prevention (DLP) dictionaries to create custom parent dictionaries and sub-dictionaries as a means of grouping similar dictionaries. For parent dictionaries, you can define patterns or phrases, or you can leave the...
Updates to Cloud Service API: SaaS Security Endpoints
The cloud service API includes the following endpoint categories to extend programmatic access to various ZIA features and functionalities: • SaaS Security API To learn more about each endpoint, see th...
Support for Microsoft as an IdP in 3rd-Party App Governance
Zscaler 3rd-Party App Governance supports Microsoft as an identity provider (IdP) to authenticate admins and users logging in to the 3rd-Party App Governance Admin Portal. You can select Microsoft as the IdP when connecting a web-based platform to Advanced SaaS Security Posture M...
Tenancy Restriction Support for Amazon Web Services CLI
Tenancy restriction support is extended to Amazon Web Services CLI. To learn more, see Adding Te...
Ability to Set an Endpoint DLP Exception Rule To Take No Action
You can apply the None action to exception rules in Endpoint Data Loss Prevention (DLP) to exclude specific activities that match exception rule criteria from being reported (i.e., you might want to exclude specific users or groups from reporting incidents). <a class="image...
Endpoint DLP Support for Predefined Dictionaries
The Zscaler service now supports the following existing predefined Data Loss Prevention (DLP) dictionaries for Endpoint DLP: • CNPJ Number (Brazil) • Mexico Unique Population Registration Code • National Economic Registry Number...
Exclude Selected Applications from NSS Feeds
A filter to include or exclude selected cloud applications has been added to the existing Cloud Applications filter in NSS and Cloud NSS feeds for web logs as well as Microsoft Cloud App Security (MCAS) NSS feeds. When configuring a feed, you can select cloud applications and inc...
Increase in the Default Number of Allowed File Type Control Policy Rules
The default limit of File Type Control Policy rules has been increased to 2,048 from 1,024. To learn more, see Ranges & Limitations....
Support for New SaaS Security Application Tenant
The SaaS Security Data at Rest Scanning DLP and Malware policies support configuring tenants for Zoom, a collaboration application. See image. To learn more, see <a href="https://help.zscaler.com/zia/ab...
Support for Quarantine Tombstone Template in the Assets Report
You can now choose the Tombstone Template when quarantining files to the user root folder in the Assets Report (Analytics > SaaS Security > Assets). See image. To learn more, see <a href="https://help.zscaler.co...
Support for User Groups and Departments in Device Control Policy
Administrators can now define Device Control rules criteria (Analytics > Endpoint Data Scan > Device Control) based on User Groups and Departments. See image. To learn more, see <a href="https://help.zscaler.com/z...
Update to Cloud Service API: Enhancement to Location Group Endpoint
A new query parameter "fetchLocations" is available for the "GET /locations/groups" endpoint. The "fetchLocations" parameter is a Boolean that you can set to fetch locations associated with the group. To learn more, go to "GET /locations/groups" f...
Update to Custom IPS Signature Rules CSV Import
When importing custom IPS signature rules using CSV files (Administration > Custom IPS), you must enclose comma-separated values for individual fields within three single quotes ("'''") instead of double quotes ("""). This update has been made...
Update to Zscaler Client Connector-based Notifications
You can embed links and add line breaks in the custom messages for Zscaler Client Connector-based End User Notifications (EUNs) (Administration > End User Notifications > Client Connector) and User Confirmation notifications (Administration > Notification Templates > User Confirm...
Updates to Cloud Service API: Browser Control Policy
The cloud service API includes the following endpoint categories to extend programmatic access to various ZIA features and functionalities: • Browser Control Policy To learn more about each endpoint, see the...
SaaS Security Posture Management Support for Webex Teams
You can configure the SaaS Security Posture Management (SSPM) Scan for Webex Teams tenants. Select the SSPM Scan checkbox when onboarding a Webex Teams tenant to enable the SSPM scan capability for the specific tenant. S...
Support for Dedicated IP and Geolocalization IP
The Dedicated IP feature allows organizations to subscribe to dedicated IP addresses for the Zscaler data centers of their choice. Users can use these dedicated IP addresses (unique to the organization) as their source IP address to reach destinations that require source IP-based access. Th...
Gen AI Prompt Configuration for Writer and Deepseek
Zscaler's Gen AI prompt configuration is extended to the Writer and Deepseek generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen-ai...
Gen AI Prompt Configuration for Grok AI
Zscaler's Gen AI prompt configuration is extended to the Grok AI generative AI application. You can enable prompts for this application to categorize and store the prompts for it. See image. To learn more, see <a h...
Support for Zscaler-Managed Business Continuity Cloud
The Zscaler-managed Business Continuity Cloud is a fully managed private cloud solution that is built on the isolated and dedicated ZIA and Zscaler Private Access (ZPA) infrastructures to ensure consistent cyber and data protection during critical outages. Zscaler deploys and hosts the private ZI...
Advanced SaaS Security Posture Management Support for Workday
You can configure Advanced SaaS Security Posture Management (SSPM) for Workday tenants. Select the SSPM Scan checkbox when onboarding a Workday tenant to enable the Advanced SSPM scan capability for the specific tenant....
Expanded File Type Support for File Type Control and DLP
The File Type Control and Data Loss Prevention (DLP) policies now support the Appinstaller Files (.appinstaller) file type in the Other Documents category. • File Type Control • <a href="#dlp...
File Type Control Enhancements
You can configure file type control rules based on Password-Protected criteria. This criteria is applicable for the following formats: • Password-Protected/Encrypted • Portable Document Format (.pdf) • Encrypted Office Documents • ZIP • RAR <l...
Microphone and Camera Functionality for Isolation Profiles in ZIA
Isolation allows microphone and camera functionality on the user's device while in an isolated browser. This can be enabled per isolation profile if Turbo Mode is also enabled. See image. To learn more, see...
SCIM-Based User Lookup For Outbound Email DLP
Zscaler Outbound Email DLP supports System for Cross-domain Identity Management (SCIM)-based user lookup to map email addresses with ZIA login names. To learn more, see <a href="https://help.zscaler.com/zia/step-step-configuration-guide-zscaler-outbound-email-dlp#prerequisites" target="_bla...
Support for SaaS Security API Data at Rest Scanning DLP Policy Rules without Content Inspection
To enable this feature for your organization, contact Zscaler Support. On the Data at Rest Scanning page (Policy > Saas Security > Data at Rest Scanning), you can create Data at Rest Scanning Data Loss Prevention (DLP) policies without content matching. <...
Support for Site Groups in SaaS Application Tenants and DLP Policy
SaaS Application Tenants (Administration > SaaS Application Tenants > Manage SaaS Application Components) supports the management of SharePoint tenant Sites and Site Groups. In the Components tab, you can view a list of the SharePoint sites that are available under the selected S...
Support for Unified Onboarding of SaaS Application Tenants
You can onboard, edit, and delete new Software as a Service (SaaS) application tenants enabled with 3rd-Party App Governance or the Advanced SaaS Security Posture Management (SSPM) feature from the Add SaaS Application Tenant page in the ZIA Admin Portal. You can continue editing...
Support for Risk Explainability in 3rd-Party App Governance and Advanced SSPM
On the App Panel header, you can hover over the risk score to view a breakdown of the score. On the Control Panel header, you can hover over the control severity level to view a breakdown of the severity. These actions allow you to view the components and criteria used to calcula...
Cloud Application Updates
As part of a continuous review, Zscaler has updated cloud applications across various cloud application categories. To obtain the list of updated cloud applications, download the list: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase...
Enhancements to Admin Role Management
The Administration > Role Management page is enhanced to provide admins more granular access to major ZIA features. Super admins or admins with full access to the ZIA Admin Portal can assign admins field-wise permissions (Full, View Only, and None) to access individual ZIA featur...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Update to Cloud Service API: Cloud Application Instance Endpoints
The cloud service API includes the following new endpoints to create, update, and delete cloud application instances: • "POST /cloudApplicationInstances" • "PUT /cloudApplicationInstances/{instanceId}" • "DELETE /cloudApplicationInstances/{instanceI...
Update to Cloud Service API: User Endpoint Rate Limit
The rate limit for the "GET /users" request within the cloud service API has been updated to 10 calls/minute and up to 40 calls/hour. To learn more, see the API Rate Limit Summary....
Updates to Cloud Service API
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Alerts • Bandwidth Control & Cl...
Updates to Cloud Service API: Service Edges
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Service Edges To learn more about each endpoint, see...
Updates to the Add UEBA Alerts Page
The Trigger Multi-Factor Authentication action under Adding Alert Rule for UEBA Alert is deprecated and alert triggers with Multi-Factor Authentication is no longer supported. You can choose between Trigger an Alert or Place user in group to trigger the alert rule. <a class...
Instance Discovery Report Enhancements
The Instance Discovery Report provides visibility into the instances accessed by users at the various levels of hierarchy for different SaaS applications. The Instance Discovery Report includes the following enhancements: • New applications are supported with vario...
Zoom in Tenant Profile
The Tenant Profiles feature supports Zoom. This allows granular control of actions (e.g., disable file transfer in meetings, disable recording locally on the device, etc.) in Zoom. See image. To learn more, see <a href="htt...
HTTP Header Control
The HTTP Header Control feature allows you to create URL Filtering policy rules based on HTTP headers. As part of this change, the following profiles are added to the ZIA Admin Portal: • HTTP Header Profile (Administration > HTTP Header Control) • HTTP Header Inser...
Added Alert for Unknown and Suspicious C2 Traffic
You can enable the service to send alerts for unknown or suspicious C2 traffic. This feature is enabled by default. See image. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanc...
ChatGPT in Tenant Profile
The Tenant Profiles feature is extended to the ChatGPT application. This allows you to provide access to specific workspace IDs for ChatGPT. See image. To learn more, see <a href="https://help.zscaler.com/zia/ad...
Enhancements to Endpoint Data Scan
The following enhancements are made to the Endpoint Data Scan page (Analytics > Endpoint Data Scan): Nearby SharingZscaler Device Control is enhanced to prevent nearby sharing between endpoints and devices that are close by. The Nearby Sharing rule restricts the us...
Update to Zscaler Client Connector-Based Notifications
Zscaler Client Connector-based End User Notifications (EUNs) and user confirmation messages for Inline Web DLP and Cloud App Control policies can be enabled without having an Endpoint DLP subscription. These policy EUNs are supported (without requiring Endpoint DLP) on the following Zscaler...
WebSocket Protocol Type in DLP Rules
You can choose either WebSocket or WebSocket SSL/TLS as a protocol type when defining a Data Loss Prevention (DLP) rule. On the Policy > URL Filtering & Cloud App Control > Advanced Policy Settings tab, a Microsoft Copilot toggle is added under the Gen AI Prompt Configuration sec...
Update to Sandbox Scanning Portal URL
The Sandbox Scanning Portal is now more secure with the change to an HTTPS URL: https://filecheck.zscaler.com/ If you have bookmarks to the previous URL for the Sandbox Scanning Portal, update them as they no...
Email Notification Support for Policies in 3rd-Party App Governance
When creating a policy, you can choose to send an email through one or more default email addresses to notify the users whenever the policy is triggered. See image. To learn more, see <a href="https://help.zscaler.co...
Support for Viewer Role in 3rd-Party App Governance
You can assign a new predefined role called Viewer to a user. When assigned this role, the user can only view data and export reports across the 3rd-Party App Governance Admin Portal, but cannot take any action or make changes. To manage role assignments, contact Zscaler Suppor...
Email Notification Support for Revoking or Banning Apps in 3rd-Party App Governance
When you revoke or ban an app for users in your organization, you can send an email to notify them that the previously accessible app is revoked or banned. You can also select the email address from which you want to send the email. <a class="image-icon" href="#Revoke/Ban-C...
Auditor Email Notifications for Outbound Email DLP
You can configure notification templates so that email notifications are sent automatically to specified auditors when outbound email transactions trigger Outbound Email DLP rules. On the Notification Templates page (Administration > Notification Templates > DLP), you can c...
Configure External Trusted Domain & User Profiles in Tenant Onboarding
SaaS Application tenant onboarding for SaaS Security API now supports configuring external trusted domains and users. See image. To learn more, see <a href="https://help.zscaler.com/zia/about-email-profiles" target="_bla...
Support for Number of Collaborators for File Sharing Applications in DLP
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as a scoping criteria for SharePoint and OneDrive to monitor file sharing among collaborators. Administrators can choose a range for the number of...
Changes to Policy Action Reasons in Web Insights and NSS Reports
The following policy actions seen in the Insights and NSS Reports have changed to ensure consistency with the field values from the Web Insights in the ZIA Admin Portal: Old Policy ReasonNew Policy Reason<td style="overflow:hidden;pad...
Developer Tools URL Category
The Developer Tools predefined URL category is added to the Information Technology super category. It consists of sites that provide tools used by developers for coding, debugging, testing, and managing software projects. This category is enabled from the backe...
Enhancements to the SaaS Security Scan Configuration
You can refresh the status of a scheduled SaaS Security DLP or malware scan by clicking the Refresh icon next to the status of an ongoing scan on the SaaS Security Scan Configuration page. See image. To learn more,...
Hex-Encoded Requested Domain Field in NSS Feeds
The field "%s{ednsreq}" is available when adding an NSS or Cloud NSS feed for DNS logs. The field output is the hex-encoded FQDN in the DNS request. To learn more, see <a href="https://help.zscaler.com/zia/nss-feed-output-format-dns-logs" target="_blank" data-entity-type="node" d...
New Predefined DLP Engines Available
The following are new predefined DLP engines available on the DLP Engines page (Administration > DLP Dictionaries & Engines > DLP Engines). These engines are available by default for customers with tenants enabled on April 4, 2025, or later. For enablement on e...
Support for MIP Labels for PowerPoint Files in Data at Rest Scanning DLP Policy
For file sharing applications, you can configure MIP labels on PowerPoint files from the Data at Rest Scanning DLP policy in the Add DLP Rule window (Policy > Data at Rest Scanning > Data Loss Prevention). Choose from the list of OneDrive and SharePoint tenants to see this action...
UCaaS One Click Configuration Support for Talkdesk
Unified Communications as a Service (UCaaS) one-click configuration support is now extended to the Talkdesk cloud application. See image. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanced-url...
Support for New SaaS Application Tenants
Twilio and Trello are supported as SaaS application tenants. Both can only be configured for SSPM scan which requires an Advanced SSPM license. If you don't have the correct license, a message to upgrade your license appears next to the SSPM Scan checkbox during the onboardi...
Support for Number of Collaborators in DLP Policy
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy now supports the number of collaborators as a scoping criteria for file sharing applications. When enabled for a partner tenant, the CASB Collaborator Count field under Special Settings of the Tenant Detail...
Update to Cloud Service API
To provide a unified and streamlined API experience through Zscaler OneAPI, our centralized API management solution for the Zscaler platform, Zscaler is applying the following changes to ZIA: • Going fo...
Update to Cloud Service API
The cloud service API is updated to include a new "GET /locations/supportedCountries" endpoint that retrieves an up-to-date list of countries supported in location configuration. To learn more, see the API Reference...
Updates to Cloud Service API
The cloud service API includes updates to the following categories of endpoints to extend programmatic access to specific ZIA features and functionalities: • Admin & Role Management • S...
DLP Support for New PII Dictionaries
The following are new predefined DLP Dictionaries: • National Identification Number (Chile RUN) • National Identification Number (Peru CUI) • National Document ID (Uruguay) To learn more, see <a href="https://help.zscaler.com/zia/understanding-pre...
Expanded Python File Type Support for Sandbox
The Zscaler Sandbox supports additional file types: • Python Source Code file (.py) • Pickle files (.p, .pkl, and .pickle) • Python Dynamic Module file (.pyd) • Python Script file (.pyw) See image....
Zscaler EUN Web Page for DNS Control Policy
Using the DNS Control policy, you can redirect users to a new Zscaler-provided end user notification (EUN) web page to inform users of your organization policy when they access restricted domains. You can do this by selecting the Redirect Response action in the DNS Control rule a...
Cookie Persistence Renamed to Persistent State for Isolation Profiles
In ZIA isolation profiles, the cookie persistence toggle has been updated to be called Persistent State. See image. To learn more, see <a href="https://help.zscaler.com/isolation/using-persistent-state-isolation" targe...
Enhancement to Secure Browsing
You can configure granular Smart Browser Isolation policies for specific users or groups from the Secure Browsing page. As part of this change, the following fields are added to the Smart Isolate tab (Policy > Secure Browsing > Smart Isolate): • Users • Groups...
Isolation of Miscellaneous and Unknown Category in ZIA
Isolation creates preconfigured profiles for admins. These profiles can configure only the URL category "Miscellaneous and Unknown" in their Zscaler Internet Access (ZIA) policy. Some fields in this profile are permanently enabled, others permanently disabled, and some the admin can <a href="http...
Update to Application Service Groups
The Firewall policy allows you to manage outbound and inbound traffic for cloud service providers such as Amazon Web Services (AWS) and Google Cloud Platform (GCP), along with their subservices, using the newly added AWS and GCP application service groups. These application servi...
Remote Assistance Notification
The Zscaler service displays a notification when Remote Assistance is enabled. See image. The maximum time limit for both view-only and full access is 90 days. To learn more, see <a href="https://help.zscaler.com...
Update to DNS Control Policy
The DNS Control policy includes a new action, Block with Response Code, which allows you to block DNS traffic and send a response code to the client. The response code can be chosen from a predefined list that appears in a new Response Code field when this action is selected. Whe...
Updates to Cloud Service API
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Admin & Role Management • User Manage...
Multiple VM Sandbox Report Analysis
For Advanced Sandbox users, all malicious samples are analyzed twice automatically, first through an unpatched vulnerable VM (Zero Day Report or Fully Patched VM Report) and then a second time through the fully patched secured VM (Regular Report). This allows you to compare the r...
DLP and EDM Support for PII
The existing predefined Credit Card dictionary and EDM data type now support the additional popular formats: • Credit Card Number (China UnionPay) • Debit Card Number (Maestro) To learn more, see <a href="https://help.zscaler.com/zia/creating-exact-data-match-template"...
Enhancement to HTTP/2 in SSL Inspection Policy
The Enable HTTP/2 option is enabled by default when configuring an SSL Inspection rule. This feature is only available when it is enabled for your organization. See image. To learn more, see <a href="https://help.zscaler.com...
Tenant-to-Tenant Firewall Control and Logging Improvements
Additional Firewall Control and Logging capabilities have been added for scenarios where an organization's roaming user (i.e., remote user from a Home tenant) is a guest user visiting another organization's tenant location (i.e., Host tenant) in the same Zscaler cloud and that Host tena...
Zscaler Incident Receiver Configuration Enhancement
Zscaler now supports the SSH key, ED25519. To learn more on upgrading the SSH key to ED25519, see <a href="https://help.zscaler.com/zia/configuring-zscaler-incident-receiver" target="_blank" data-entity-type="node" data-entity-uuid="1b3f21b1-0d52-4d5a-911b-61d5deeca357" data-entity-substitu...
Administrator Scope Department Limit
When configuring ZIA admins and <a href="https://help.zscaler.com/zia/adding-zia-super-admins" target="...
Enhancements to the IoT Report
The IoT Report has been enhanced to report IoT policy status and statistics for IoT devices. To learn more, see About the IoT Report. You can get an overview of the IoT web policies...
Increase in Query Limit for Sandbox Report API
The resource access quota for retrieving Sandbox Detail Reports is increased to 3,000 requests per day, with a rate limit of 2/sec and 1,000/hour. To learn more, see the Obtaining San...
Logs for Source and Destination IP Countries
You can filter and view logs for Source IP Countries, Destination IP Countries, Is Source IP Country Risky? and Is Destination IP Country Risky? As part of the update, the following changes are available in the ZIA Admin Portal: Web Insights LogsThe following filte...
Real-Time DLP Support for Files and Messages for Webex
Zscaler supports real-time Data Loss Prevention (DLP) for messages and file attachments sent via Webex Teams. To learn more, see Step-by-Step Configuration Guide for Webex Teams Re...
Update to Cloud Service API
The cloud service API includes a new "POST /exportPolicies" endpoint for exporting rules configured for various policy types to JSON files. To learn more, see the API Reference. The Postman collection has...
Support for Case-Sensitive Logging for Select Domains
Zscaler supports case-sensitive URL logging for select domains. Some sites and services, such as URL shorteners, use case sensitivity within the URL path when generating links. For example, "bit.ly/ABcDEf" has a different destination URL than "bit.ly/abcdef". With added supp...
Enhancement to Posture Page in Advanced SSPM
The Complexity column and filter are added to the Posture page. You can view the complexity level of a control and filter the controls displayed in the table by using this filter option. The Control Panel header for each control displays its c...
Enhancements to Assets Tab of the Control Panel in Advanced SSPM
The Assets tab of the Control Panel in Advanced SSPM includes the following enhancements: • You can export the assets report to a CSV file. • You can copy the asset evidence or download it as a JSON file. <a class="image-icon" href="#ZIA-Assets-Tab-Enha...
Update to Cloud Service API: Data Center Exclusion
The cloud service API includes the following new endpoints to support excluding a Zscaler data center (DC) in the event of service disruption by disabling all tunnels terminating at a virtual IP (VIP) address of the DC. Using these endpoints, you can add, modify, and delete DC exclusions and retr...
Configure Atlassian Label for Data at Rest Scanning DLP Policy
You can now apply an Atlassian Label when configuring the Data at Rest Scanning DLP Policy in the Add DLP Rule window. This action is only applicable for Atlassian Confluence users. To access this feature, go to the Add DLP Rule window (Policy > Data at Rest Scanning) and choose...
Optical Character Recognition Support for Outbound Email DLP
The Zscaler service supports optical character recognition (OCR) for Outbound Email DLP. You can enable OCR settings on the DLP Advanced Settings page in the ZIA Admin Portal (Administration > DLP Advanced Settings) for inline DLP, SaaS Security API, and Outbound Email DLP. <p...
Added File Type Support for File Type Control & DLP
The File Type Control and Data Loss Prevention (DLP) policies now support the following file types: • Microsoft Excel Add-On (.xla) • Open Document Files (.odt) • Public Key File (.pub) • Binary Files (.bin) The File Type Control and DLP pol...
Added Request Methods in URL Filtering Rules
Zscaler supports the following new HTTP request methods in URL Filtering rules: • PROPFIND • PROPPATCH • COPY • MOVE • MKCOL • LOCK • UNLOCK • PATCH If the OTHER method is already selected, these new requ...
Advanced SaaS Security Posture Management Support for ShareFile
You can configure Advanced SaaS Security Posture Management (SSPM) for ShareFile tenants. Select the SSPM Scan checkbox when onboarding a ShareFile tenant to enable the Advanced SSPM scan capability for the specific tenant. Existing users can also enable Advanced SSPM support by...
Advanced SaaS Security Posture Management Support for Slack
You can configure Advanced SaaS Security Posture Management (SSPM) for Slack tenants. Select the SSPM Scan checkbox when onboarding a Slack tenant to enable the Advanced SSPM scan capability for the specific tenant. Existing users can also enable Advanced SSPM support by selectin...
Advanced SaaS Security Posture Management Support for Zoom
You can configure Advanced SaaS Security Posture Management (SSPM) for Zoom tenants. Select the SSPM Scan checkbox when onboarding a Zoom tenant to enable the Advanced SSPM scan capability for the specific tenant. Existing users can also enable Advanced SSPM support by selecting...
Advanced Sandbox Submission API Quota
With Advanced Sandbox, organizations have by default a quota of 100 API file submissions per day. If you are interested in raising the API file submission limit, contact your Zscaler Account Team or Zscaler Support. To learn more, see <a href="https://help.zscaler.com/zia/about-sandbox" tar...
Custom Bandwidth Classes Limits
You can add up to 245 custom bandwidth classes (Administration > Bandwidth Classes) for Cloud Applications in the ZIA Admin Portal. To learn more, see Adding Bandwidth Classes and <a href="https://help.zscal...
DLP Support for New PII Dictionaries
The following are new predefined DLP dictionaries to detect personally identifiable information (PII): • Addresses (Japan) • First Names (Japan) • Last Names (Japan) • Full Names (Japan) To...
DLP Support for United States Driver's Licenses
Driver's License (United States) predefined DLP dictionaries now support 2-letter state codes for all US states (e.g., WA for Washington or CA for California) as part of high confidence phrases. See image.</...
Increase in the Number of Custom Domains Allowed per Domain Profile
The number of custom domains allowed per domain profile has been increased from 32 to 1,024. To learn more, see Ranges & Limitations and <a href="https://help.zscaler.com/zia/about-email-profiles"...
Instance Discovery Report
The Instance Discovery Report provides visibility about the different instances accessed by the users at the various levels of hierarchy, such as Organization, Project, and Resource Type for Google Cloud Platform (GCP). The Instance Discovery Report includes the following e...
Outbound Email Data Loss Prevention for Gmail
You can use Zscaler Outbound Email Data Loss Prevention (DLP) policies with your Gmail server to prevent the exfiltration of sensitive data by enforcing policy rules on email content sent to external domains, including content in subject lines, body text, and attachments. As part...
Site Review Enhancement
The Zscaler's Site Review shows the cloud application for the site that is looked up. As part of this change, the Cloud Application column is added to Step 2. Request Review on the Site Review page. A cloud application is shown in the Cloud Application col...
Support for Email Subdomains
You can choose whether to include subdomains as part of your email domain profiles (e.g., blog.example.com is a subdomain of example.com). When you include subdomains (Administration > Email Profiles > Domain Profiles), the Zscaler service automatically evaluates subdomains as pa...
Update to Cloud Service API
The "GET /pacFiles" endpoint is updated with new request parameters such as "pageSize" and "page" to support pagination. The default value of "pageSize" is 100 and the request retrieves up to 100 PAC files at a time. To learn more, see the <a href...
Expanded File Type Support for File Type Control
The File Type Control and Data Loss Prevention (DLP) policies now support the following file types: • Microsoft Outlook Mac Data (.olm) • Microsoft Publisher Files (.pub) • Microsoft TNEF file (.tnef) • LZH Archive (.lzh, .lha) • CPIO File (.cpio)...
Enhancement to Posture Controls Report in Advanced SSPM
When exporting the controls report to a CSV file from the Posture page, you can view additional attributes like Description, Tenant Name, Platform, Severity, etc. in the exported file. To learn more, see <a href="https://help.zscaler.com/zia/about-posture" target="_blank" data-entity-type="...
Additional URL Category for File Type Control and Sandbox Policies
In the ZIA Admin Portal, on the File Type Control page (Policy > File Type Control) and on the Sandbox Policy page (Policy > Sandbox), you have the option of selecting Newly Registered and Observed Domains in the Miscellaneous section for URL Categories. <a class="image-ico...
Cloud Applications Update in NSS
Zscaler has updated the names of select cloud applications. The updates synchronize the cloud application names across Web Insights and NSS and Cloud NSS web log feeds. To verify and address any impacts related to the updates, Zscaler recommends that admins review the following:<...
Update to Audit Logs
Audit logs include a new Trace ID value that is generated for transactions associated with ZIA API requests made through Zscaler OneAPI. See i...
Update to DNS Gateways
DNS Gateways support a customized URL path for DNS servers that use the DNS over HTTP (DoH) protocol. See image. To learn more, see <a href="https://help.zscaler.com/zia/adding-dns-gateways" target="_bl...
Updates to Cloud Service API
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Malware Protection Policy • <a href="#advanced-threat...
DLP Support for New ML-Based Dictionaries
The following are new predefined DLP dictionaries that use ML-based detection: • ID Card • Medical Imaging • Satellite Data • Schematic Data To learn more, see <a href="https://help.zscaler....
Expanded File Type Support for Sandbox
The Zscaler Sandbox supports additional file types: • Microsoft Software Installer (msi) • Windows Batch File (bat) • Windows Script File (wsf) See image. To learn more, see <a href="https://help.z...
Enhancements to Endpoint DLP
Optical Character Recognition (OCR) SupportThe Zscaler service supports OCR for Endpoint DLP to scan PNG, JPEG, TIFF, and BMP files for sensitive text data. This functionality does not require configuration and is automatically available based on whether your subscription includes the ZS...
Extranet Application Support
To access Extranet Application Support, contact your Zscaler Account team. Zscaler Extranet Application Support provides organizations with a secure way to access resources from partners that are not using the Zscaler service. This is typically accomplished wit...
Service - zscloud.net
Increased File Size Support for Advanced Detections
With the Advanced Detections package for Advanced Sandbox, you can analyze EXE and DLL files with sizes up to 200 MB. To learn more, see About Sandbox....
Support for AI/ML Detection Source
The Zscaler Admin Console is enhanced with the ability to view the AI/ML detection source for your Internet & SaaS (ZIA) traffic. The following updates are available: Web Insights LogsThe AI/ML Detection Source filter and column are added to the Web Insights Logs p...
Support for DLP Scan Timeout Identifiers in Web Insights Logs
You can filter and view logs for specific DLP identifiers of transactions that were exempted from policy enforcement due to a scan timeout. As part of the update, the following changes are available in the Zscaler Admin Console: Web Insights LogsThe filter an...
Support for Restoring Quarantined Files in Salesforce
You can now restore quarantined Salesforce files to their original location with the Restore remediation action on the SaaS Security Assets page. See image. This action is available only for files initially quarantined...
Third-Party Proxies and Gateways Limits
You can add up to 256 proxies and proxy gateways for third-party proxy services (Infrastructure > Internet & SaaS > Network Policies > Proxies & Gateways) in the Zscaler Admin Console. To learn more, see <a href="https://help.zscaler.com/unified/ranges-limitations" target="_blank" data-enti...
Additional Support for Predefined DLP Dictionaries in Endpoint DLP
The following predefined Data Loss Prevention (DLP) dictionaries are now supported for use in Endpoint DLP policy rules: • Addresses (Japan) • First Names (J...
Enhancement to Cloud Application Instances
The cloud application instances feature is extended to new cloud applications. You can create cloud application instances for the following cloud applications: • Google Gemini <li dat...
Instance Discovery Report Support for Azure
You can view the Instance Discovery Report for Microsoft Azure; this application supports three levels of discovery: • Domain • Tenant <li data-list-item...
Updates to Malware Protection Policy Endpoints
You can update the Malware Protection policy and retrieve the Malware Protection policy for an organization using the following endpoints: • "GET /malwarePolicy" <li data-list-item-id="e83742e3c2bff0a63...
Updates to NSS Collector Server Endpoints
You can add, update, and delete NSS Collector servers and retrieve a list of all configured NSS Collector servers for an organization using the following endpoints: • "GET /nssCollectors" <li data-list-...
Updates to Secure Browsing and Votiro CDR Endpoints
You can retrieve a list of all supported browsers and their versions and update the Smart Browser Isolation policy settings using the following endpoints: • "GET /browserControlSettings/supportedBrowserVersions</...
Updates to the IPS Control Policy Endpoints
You can create, update, delete, and retrieve custom IPS signature rules using the following endpoints: • "GET /ipsSignatureRules" • "POST /ip...
Support for New Workday Filters and Prompts
You can use a new filter Last Functionally Updated to easily identify recently modified records when creating custom reports in Workday. Additionally, the prompts Starting Prompt and Ending Prompt fields provide greater control and precision when defining report parameters. <p...
Enabling Incident Forwarding for Slack Chats
Zscaler is now forwarding Slack chat-based DLP policy incidents to the Zscaler Incident Response and Zscaler Workflow Automation along with already supported file-based violations. These incidents are also sent to Web Insights and Logs and to the respective DLP policy's auditor. To lea...
Expanded SSPM Controls for Google Workspace
Advanced SaaS Security Posture Management (SSPM) expands its coverage for Google Workspace with 24 new SSPM controls, providing deeper visibility and stronger security posture assessment. The Cloud Identity license must be assigned to the Google Workspace Admin onboarding...
Gen AI Prompt Configuration for QuillBot and Google AI
Zscaler's Gen AI prompt configuration is extended to the QuillBot and Google AI generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen...
Policy Level Gen AI Prompt Configuration
You can capture end user prompts for generative AI applications from the Cloud Application Control policy. This allows granular control of Gen AI prompt configuration. As part of this update, the Capture Prompts option is added to the Add/Edit AI & ML Rule window (Policies > Acce...
NSS Support for Admin Audit, ZIdentity Authentication, and ZIdentity SCIM Logs
The following enhancements are available for the NSS Feeds and Cloud NSS Feeds: • New log types, ZIdentity Authentication and ZIdentity SCIM, are added to the NSS for Web type. These log types provide support for the ZIdentity Authent...
DLP Support for New PII Dictionaries
The following are new predefined DLP dictionaries: • Argentina Uniform Bank Code: Detect Leakage of CBU • Cambodian National ID: Detect Leakage...
Support for Collaboration Scope for Microsoft Teams
When creating a DLP rule for Microsoft Teams, you can define the collaboration scope as External, Internal, or Any to scan messages and attachments in channels containing external, internal, or any (internal or external) members. <a class="image-icon" href="#collab-scope-dl...
Support for Smartsheet as an API-Based Platform in Advanced SSPM
Advanced SSPM supports Smartsheet as an API-based platform to provide visibility into posture misconfigurations. You can onboard a Smartsheet tenant from the 3rd-Party App Governance Admin Portal. See image. To...
Enhancement to Atlassian Integration in 3rd-Party App Governance
The Add Integration window for Atlassian in 3rd-Party App Governance is enhanced to allow you to enter the Atlassian subdomain and API token while adding the integration. This reduces the number of steps and simplifies the integration process to improve the user experience. <p...
Add or Remove NTP Servers Using CLI
You can add or remove custom NTP servers from the configuration files using CLI commands. This prevents syntax errors and duplicate entries in the configuration files. To learn more, see <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-internet-saas-ntp-server-synchron...
Default Rules for Advanced Sandbox
If your organization is subscribed to the Advanced Sandbox package, the following default rules are available: • Sandbox_Docs_Trusted • Sandbox_Docs_Archives • Sandbox_Exes_We...
DLP Rule Name Support for Web DLP Reports and Insights
Users can schedule Web DLP incident reports by DLP Rule Name to improve visibility and monitor incident counts in the Zscaler Admin Console: Data Type DLP Rule Name is introduced in the Interactive Reports widgets and Web Insights. <a class="image-icon" href="#dlp-rul...
Document Classification and Logging for Email DLP Insights
AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Email DLP Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classific...
Enhancements to Predefined O365 One Click rule in SSL/TLS Inspection Policy
You can choose Evaluate Other Policies or Bypass Other Policies under the Do Not Inspect action in the O365 One Click predefined rule in the SSL/TLS Inspection Policy. This allows you to configure the predefined O365 One Click rule to either evaluate other policies (i.e., URL Fil...
Exclude Selected URL Classes & Categories from NSS Feeds
Filters to include or exclude selected URL classes, URL categories, and URL super categories have been added to NSS and Cloud NSS feeds for web logs. When configuring a feed, you can select the respective URL classes and categories and include them in the logs by default or choos...
New Network Applications in Firewall Control
The Zscaler service extends support to identify two new network applications, namely Kafka (Application Service category) and Zalo (Instant Messaging category). You can view these apps on the Network Applications page and configure them in Firewall Filtering rules to identify and...
Support for Cloud NSS Feeds for Alerts
You can configure a separate Cloud NSS feed for alerts, enabling you to monitor your Cloud NSS feeds for data lag, data loss, and the connection to your cloud-based security information and event management (SIEM) system. <a class="image-icon" href="#img-cloud-nss-alert-fee...
API Session Timeout
When configuring advanced settings (Policies > Common Configuration > Advanced > Advanced Settings), you can specify how long API-initiated sessions can be inactive before they are forced to reauthenticate. The timeout duration can range from 5 to 20 minutes. <a class="imag...
Subdocument Type Support in Data Discovery Report
The Data Discovery Report is enhanced to include subdocument type support, providing enhanced visibility via an interactive bubble chart for ML categories. This chart utilizes nested bubbles to represent granular subdocument types, such as tax forms and legal contracts. By drilli...
Update to Workload Groups Endpoints
You can delete a list of workload groups for an organization using the "DELETE /workloadGroups" endpoint. To learn more, go to "DELETE /workloadGroups" from Workload Groups. To learn more about...
Enhancement to Advanced Threat Protection Policy
Advanced Threat Protection now enables users to allow the Web Proxy Auto-Discovery (WPAD) protocol from external sources to automatically discover proxy settings by locating PAC files via DHCP or DNS queries. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanced-threat-pro...
Outbound Email DLP Quarantine with Release or Delete Emails in Workflow Automation
Zscaler now supports the Quarantine action when configuring Outbound Email DLP policies for Microsoft Exchange. When Quarantine is selected, emails that match policy criteria are quarantined directly in Microsoft Exchange. To use the Quarantine feature, go to Policy > Email DLP a...
Advanced SSPM Support for Lucidchart
Advanced SSPM supports a new platform, Lucidchart. You can onboard a Lucidchart tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/connecti...
Support for Zendesk as an API-Based Platform in Advanced SSPM
Advanced SSPM supports Zendesk as an API-based platform. You can onboard a Zendesk tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/conne...
Document Classification and Logging for SaaS Security API, Email, and Endpoint DLP
AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classification of d...
Enhancement to Gen AI Prompt Configuration
The generative AI prompt configuration is extended to the Grammarly application. As part of this change, the Grammarly option is added to the Policy > URL & Cloud App Control > Advanced Policy Settings page. <a class="image-ic...
Expanded SSPM Controls for Microsoft Copilot
Advanced SaaS Security Posture Management (SSPM) expands its coverage for Microsoft Copilot with 15 new SSPM controls, providing deeper visibility and stronger security posture assessment....
Support for Microsoft Copilot Readiness Assessment
Organizations face a significant security risk when users inadvertently overshare or mishandle sensitive internal files. The integration of AI tools, such as Microsoft Copilot, intensifies this risk, as these tools can access information within the improperly shared files, leadin...
Cloud Custom IPS Enhancements
Custom IPS is supported on Zscaler's public cloud, allowing you to create and deploy custom IPS signature rules without requiring any additional infrastructure (previously required a Private Service Edge deployment). You can inspect traffic transiting the Zscaler cloud again...
Support for Workday Tenant RaaS-based API Access
Workday tenants now support RaaS-based API access which enables secure, programmatic retrieval of data and management through web services. Existing Workday tenants need to be reauthenticated by editing the tenant and revalidating. To learn more, see <a href="https://help.zscaler.com/zia/ad...
Support in SaaS Security Data at Rest DLP Policy for Quarantine of Sensitive Content in Microsoft Teams
The SaaS Security Data at Rest Scanning policy supports a new option to quarantine sensitive content in Microsoft Teams. You can specify a tombstone message that end users see when messages or files in Microsoft Teams are quarantined. <a class="image-icon" href="#ZIA-Webex-...
Advanced SaaS Security Posture Management Support for Oracle Financials Cloud
You can configure Advanced SaaS Security Posture Management (SSPM) for Oracle Financials Cloud tenants. Select the SSPM Scan checkbox when onboarding a tenant to enable the Advanced SSPM scan capability for the specific tenant. <a class="image-icon" href="#Oracle-sspm-onboa...
Application Investigation in Endpoint Data Scan
Zscaler's Application Investigation is a solution that provides comprehensive visibility and automated risk management for an organization's application ecosystem by delivering a clear view of all software in use, including unauthorized AI tools and unapproved browsers....
DLP Operational in Endpoint Data Scan
The Zscaler DLP Operational page (Analytics > Endpoint Data Scan > DLP Operational) provides insights into the endpoint's status, thereby ensuring that the system functions properly and as designed to avoid sensitive data leakage. <a class="image-icon" href="#D...
Exact Data Matching in Endpoint Data Scan
Zscaler has introduced Exact Data Matching (EDM) for Endpoint Data Loss Prevention (DLP) which provides protection for structured sensitive data. This feature utilizes a unique hybrid architecture where the endpoint performs local prefiltering to identify candidate files for clou...
Filtering by User Group in Endpoint Data Scan
Administrators can filter data on the Endpoint Data Scan page (Analytics > Endpoint Data Scan > Endpoint Data Scan) by a specific user group. See image. To learn more, see <a href="https://help.zscaler.com/legacy-zia/abo...
New Bandwidth Control Fields for Transactions
Web Insights are enhanced to allow users to view the latency caused by bandwidth control on transactions in the ZIA Admin Portal. Web Insights LogsThe following new columns and filters are available in the Web Insights Logs: • Request Latency Due to Bandwi...
Share Files Externally in Endpoint Data Scan
Share Files Externally provides a capability for Endpoint DLP that allows authorized users to securely share sensitive files with external partners by encrypting the data into a secure HTML format, ensuring that only verified recipients can access the content. You can acces...
Support for CIDR and Regex on Network Share DLP Resources
The Zscaler service supports using Classless Inter-Domain Routing (CIDR) ranges and regular expressions for advanced matching when creating or editing network shares for Endpoint Data Loss Prevention (DLP) resources. The following image shows a regular expression that matches all...
Support for Network Type on Endpoint DLP Policy Rules
The Zscaler service supports specifying a network type (e.g., Trusted, Off-Trusted, VPN) for the Network Share, Printing, and Device Control channels when creating policy rules for Endpoint Data Loss Prevention (DLP). • Endpoints must be running Zscaler...
Enhancement to Firewall Policies Endpoints
A new query parameter, "ruleLabelId", is available for the "GET /firewallFilteringRules" and "GET /firewallFilteringRules/count" endpoints. The "ruleLabelId" query parameter allows you to filter Firewall Filtering rules based on the rule label ID. To le...
Enhancements to Admin Role Management
On the Internet & SaaS > Role Management page, in the Policy & Components > Access Control tab, the URL Filtering and Cloud App Control policy permissions are separated to provide admins more granular control over those features. <a class="image-icon" href=...
Expanded SSPM Controls for Salesforce
Advanced SaaS Security Posture Management (SSPM) expands its coverage for Salesforce with three new SSPM controls, providing deeper visibility and stronger security posture assessment....
SSL Inspection and SSL Policy Renamed to SSL/TLS Inspection and SSL/TLS Policy
The labels SSL Inspection and SSL policy are renamed to SSL/TLS Inspection and SSL/TLS policy. See image. Refer to the following table for a list of updated labels: Old UI Labels...
Support for Certificate-based Authentication with Microsoft Applications for a Custom Zscaler Connector
When you create a custom Zscaler connector for a Microsoft application, you have the option to choose whether you want to provide a client secret or a private key in the Zscaler Admin Console so that the Zscaler service can access the application. SharePoint, Copilot, and Microso...
Updates to Recipient Email Profile Endpoints
You can create, update, and delete recipient email profiles, retrieve a list of all recipient email profiles, and obtain the count of recipient email profiles for an organization using the following endpoints: • "GET /emailRecipientProfile" • "POST...
Introducing Flexible Permission Selection for SSPM Connectors
The SaaS application tenants GitHub, Jira, Okta, Confluence, Trello, Webex Teams, and Google Workspace now have the option to onboard for SaaS Security Posture Management (SSPM) scan by choosing Read-only or Read/Write (full access) for the connector role...
Enhancements to Endpoint DLP for macOS
The following enhancements are available in Zscaler Endpoint Data Loss Prevention (DLP) for macOS: Support for Endpoint DLP Block Action for Printing on macOSThe Zscaler service supports the Block action for printing from macOS devices in Endpoint DLP rules with co...
Security Fixes
Proper neutralization of user input in specific input fields in the ZIA Admin Portal no longer allows an authenticated administrator to access unauthorized internal information in rare conditions (CVE-2026-22568)....
Advanced SaaS Security Posture Management Support for JumpCloud
You can configure Advanced SaaS Security Posture Management (SSPM) for JumpCloud tenants. Select the SSPM Scan checkbox when onboarding a JumpCloud tenant to enable the Advanced SSPM scan capability for the specific tenant. <a class="image-icon" href="#JumpCloud-sspm-onboar...
Increased AWS Account IDs in Tenant Profiles
You can add up to 512 account IDs per tenant profile for AWS and there can be a maximum of 4,096 account IDs across all profiles. To learn more, see Adding Tenant Profiles and <a href="https://help.zscaler...
Insights Logs Improvements & Enhancements
The Insights Logs pages now feature asynchronous log retrieval. This enhancement allows users to continue working without interruption while queries are executed in the background, significantly improving their user experience. The following enhancements are available for I...
Advanced SSPM Support for Airtable
Advanced SSPM supports a new platform, Airtable. You can onboard an Airtable tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integrating...
Advanced SSPM Support for Bitwarden
Advanced SSPM supports a new platform, Bitwarden. You can onboard a Bitwarden tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integratin...
Advanced SSPM Support for Sentry
Advanced SSPM supports a new platform, Sentry. You can onboard a Sentry tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integrating-sent...
Support for OneLogin as an API-Based Platform in Advanced SSPM
Advanced SSPM supports OneLogin as an API-based platform. You can onboard a OneLogin tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/int...
DLP and File Type Support for MSIX Files
The File Type Control and Data Loss Prevention (DLP) policies now support MSIX files in the Executable category. • File Type Control • DLP - Rule without Content Matching <p...
Logs for MCP Transactions
The application activity MCP is added to the Web Insights Logs to log Model Context Protocol (MCP) transactions in the ZIA Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/web-insights-logs...
Enhanced Flexibility in the URL Filtering Policy Rule Creation
You can apply either "OR" or "AND" logical operator between the Users, Groups, and Departments criteria in the URL Filtering Policy rules. This allows you to create granular policy rules using a combination of logical operators (i.e., "OR" or <cod...
Enhancement to Zscaler Cloud Performance Test Tool
The Zscaler Cloud Performance Test Tool allows you to view only the domain part of the traffic or email, and the user name is hidden. For example, johndoe@zscaler.com is visible as xxxxxxx@zscaler.com. See image. To learn m...
Regex Patterns in Custom URL Categories
The custom URL category supports regex patterns, enabling you to match multiple URLs with a single pattern and flexible configuration of custom URL categories. As part of this update, in the Administration > URL Categories > Add URL Category window, the URL Type toggle has been a...
Sandbox Verdict Logging
Zscaler supports comprehensive logging of Sandbox analysis activities through Insights Logs and the Nanolog Streaming Service (NSS). You can log and view details of all files that went through behavioral analysis regardless of the verdict (e.g., Suspicious Content, Benign). With the following enh...
Expanded File Type Support for Sandbox
The Zscaler Sandbox now supports the Optical Disc Image (iso) file type. See image. To learn more, see <a href="https://help.zscaler.com/zia/about-sandbox" target="_blank" data-entity-type="node" data-entity-uuid="b6501cfa-e...
Enhancement to Extranet Application Support
Extranet Application Support can be configured bidirectionally, allowing partners to access your organization's resources securely. Extranet Application Support is a feature in limited availability. To access Extranet Application Support, contact your Zsca...
Sandboxing Password-Protected PDF Files for Isolation
Zscaler Isolation now supports password-protected PDF files to be <a href="https://help.zscaler.com/zia/about-sandbox" target="_blank" data-entity-type="node" data-entity-uuid="b6501cfa-e4fc-40ad-9568-c79e8ff2240e" data-entity-subst...
NSS Support for Hyper-V
Zscaler’s Nanolog Streaming Service (NSS) supports the configuration and deployment of an NSS virtual machine (VM) on Hyper-V. After deploying an NSS VM, you can stream your organization’s web or firewall logs from the Zscaler cloud to your security information and event ma...
NSS Support for Nutanix
Zscaler’s Nanolog Streaming Service (NSS) supports the configuration and deployment of an NSS virtual machine (VM) on Nutanix. After deploying an NSS VM, you can stream your organization’s Web or Firewall logs from the Zscaler cloud to your security information and event ma...
Enhancements to 3rd-Party App Governance and Advanced SSPM
The following enhancements are available in 3rd-Party App Governance and Advanced SSPM: SettingsThe SaaS Tenants and Notifications tabs are added to the Settings page. These tabs allow you to view and manage the onboarded SaaS tenants and also configure Slack and e...
Support for Adjustable Polling Intervals
When scheduling a scan for SaaS applications tenants (Policy > SaaS Security > Scan Configuration > Add Scan Schedule), you can also configure the polling interval based on how often you want the system to scan the application. <a class="image-icon" href="#polling-intervals...
Support for Number of Collaborators for File Sharing Apps in DLP
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as scoping criteria for all file sharing applications, including Box, Dropbox, Confluence, ShareFile, and Smartsheet. Administrators can monitor fi...
Support for Quarantine File to Desired Location for File Sharing Apps
The support for quarantining files in a desired location has been extended to all file sharing apps, including Box, Dropbox, Confluence, ShareFile, and Smartsheet. This feature was already available for Google Drive, OneDrive, and SharePoint apps. You can specify a quarantine loc...
Deprecation of SSPM Policies for Microsoft 365
The following policies are deprecated for Microsoft 365 in both SaaS Security Posture Management (SSPM) Essentials and Advanced SSPM: • Set Automated Notifications for New and Trending Cloud Applications in Our Organization • Set Automated Notification for New OAuth Applications Co...
Enhanced Logging of Collaborator Group Members
This enhancement allows you to view logs for individual members within a collaborator group. As part of the update, the following changes are available in the ZIA Admin Portal: SaaS Security Insights Logs and SaaS Security Assets with IncidentsWhen an individual file is shared with...
Enhancement to URL Filtering Policy Page
On the URL Filtering Policy page (Policy > URL & Cloud App Control > URL Filtering Policy), the URL Filtering rules are paginated with up to 100 rules displayed per page. See image. You can filter and search for URL Filteri...
Enhancement to Virtual Service Edges
The following platforms support 64 GB of RAM and 3 antivirus (AV) engines per Virtual Service Edge: • <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-clusters" target="_blank" data-entity-type="node" data-entity-uuid="0f1a169d-6547-4d25-a778-b2f20da57fa4" data-enti...
Gen AI Prompt Obfuscation
Generative AI (Gen AI) prompts that are displayed in the Web Insights Logs can be obfuscated when adding admin roles. <p...
Granular Control for Atlassian AI Application
You can allow or block the use of embedded AI applications on Atlassian sites and enable or disable Zscaler to store the generative AI prompts entered in these embedded AI applications per cloud app control rule. As part of this feature, the following fields appear in the Add/Edi...
Logs for Email Received and Sent Time
The following enhancements are available for Insights and NSS Feeds in the ZIA Admin Portal to record the time Zscaler either received or sent an email response. Insights LogsNew columns Zscaler Sent Time and Zscaler Received Time are added to Email DLP Insights Lo...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Pattern Requirements for Custom DLP Dictionaries
For custom Data Loss Prevention (DLP) dictionaries that use patterns with lookaround constructs (also known as zero-length assertions), the Zscaler service now enforces the following restrictions: • You must select Match Any Patterns and Any Phrases as the Match Type.</l...
Update to Admin Audit Logs and Event Logs API Endpoints
When you request report generation using "POST /auditlogEntryReport" or "POST /eventlogEntryReport", it returns an HTTP "200 OK" status code with the "statusId" in the response (previously returned "204" status code). This "statusId</cod...
Automatic Local Language Translation for Isolation in ZIA
Automatic language translation is globally available for Isolation. The isolated session localizes the language based on the user's browser language settings, and displays that language on the rendered web page. To learn more, see <a href="https://help.zscaler.com/isolation/understandi...
Original URL for Isolation Profiles in ZIA
Original URL has replaced Local Browser Rendering in Isolation. It is now an option that admins can configure in isolation profiles. This means that the user of the isolation profile sees the native browser URL of the web p...
Visual Indicator for Turbo Mode in Isolation for ZIA
If Turbo Mode is enabled on an isolation profile and the user also has hardware acceleration enabled, the appearance of the zGPU icon next to the Turbo Mode command is displayed in the Isolation Bar. See image. To...
Updates to Firewall Dashboard and Insights
On the Firewall Insights page (Analytics > Firewall Insights), the maximum number of rules displayed for the Rule Name data type has been increased. When using bar or table charts, you can view up to the top 4,000 rules (in increments of 500, 1,000, 2,000, and 4,000) by selecting...
Create VM Instance using the Virtual Service Edge Amazon Web Services Terraform Modules
You can create a virtual machine (VM) in Amazon Web Services (AWS) using the Virtual Service Edge Terraform modules. To learn more, see <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-amazon-web-services" target="_blank" data-entity-type="node" data-entity-uuid="64393...
Additional Logging of Users Performing Actions on File
You can identify and report not only the owner of the file, but also the user who last modified or shared a file that caused a DLP violation, in the ZIA Admin Portal. As part of this feature, the following enhancements are available for Insights Logs and NSS Feeds: Insight...
Gen AI Prompt Configuration for Claude and Mistral
Zscaler's Gen AI prompt configuration is extended to the Claude and Mistral generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen-ai-...
Enhancement to Filters in 3rd-Party App Governance and Advanced SSPM
In the App Inventory and User Inventory, and on the Posture page, the filter options that don't currently exist in your organization display separately and do not return results. You can still select them when creating new views and policies. If a new app i...
Support for GitHub User Email Enrichment in 3rd-Party App Governance
The Users page displays multiple emails in addition to public emails for GitHub users. These emails are associated with the domain of the organization that owns the GitHub account. This enhancement improves the ability to find user and admin emails from outside the domain.</span...
Support for Google Workspace OU Segregation
You can segregate your Google Workspace integration by organizational units (OUs) in 3rd-Party App Governance. This segregation ensures that each OU can access only its relevant users, applications, and posture data, while maintaining consolidated tenant management f...
Updates to 3rd-Party App Governance API
The 3rd-Party App Governance API adds a new endpoint, "/app_views/{appViewId}/accounts", to retrieve users' email addresses associated with specific app IDs. "/app_views/{appViewId}/apps_extended" provides the total number of enabled users "totalenabledusers<...
Enhancements to Endpoint DLP for Windows
The following enhancements are available in Zscaler Endpoint Data Loss Prevention (DLP) for Windows: Endpoint DLP Support for Clipboard and Application File AccessTo access this feature, contact your Zscaler Account team. Endpoint DLP supports mo...
Support for New SSPM Controls for GitHub
The number of SaaS Security Posture Management (SSPM) controls for GitHub in Advanced SSPM has been increased. Eleven new SSPM controls are supported for GitHub....
Apply MIP Label as Manual Remediation Action in SaaS Security Assets
For file sharing applications OneDrive and SharePoint, you can apply the MIP label as a manual remediation action from the SaaS Security Assets with Incidents page (Analytics > SaaS Security > Assets > click an application or tenant). <a class="image-icon" href="#apply_mip_...
Support for Sublocation Scopes
You can define scope types and values to map the workload traffic to a sublocation. Defining scopes allows you to apply granular ZIA and Cloud Connector security policies to the workload traffic from that sublocation. You can configure scopes only for Workload traffic type subloc...
Traffic Capture for NDR
The Zscaler service can capture traffic in multiple ways: • Traffic Capture Essentials: Capture traffic as PCAP files with supported actions in ZIA policies when traffic matches policy criteria. • Traffic Capture for Network Detection and Response (NDR): Capture tr...
Web EUN for DNS Control Policy
The DNS Control policy includes an option to display a notification to end users when the policy blocks access to specific domains. Zscaler hosts this End User Notification (EUN) page, eliminating the need for organizations to host their own EUN web page. The DNS EUN web page inf...
JWT Authentication
JSON Web Token (JWT) authentication is available for Zscaler Cloud & Branch Connector workloads. JWT authentication is enabled when configuring locations. <a class="image-icon" href="#enable-jw...
JWT Authentication Support for Workloads on Management Portal for Partners
The ZIA Admin Portal supports a new method, JWT authentication, to authenticate workloads from Cloud & Branch Connector. In the Management Portal for Partners, you can enable this feature in ZIA for your tenants by using the JWT Auth for Workload field on the Tenant Details...
Support for Enhanced US Driver's License Dictionary and Sub-Dictionaries
The Zscaler service supports the Enhanced Driver's License (United States) predefined Data Loss Prevention (DLP) dictionary. The parent dictionary contains predefined sub-dictionaries for all 50 U.S. states, plus the District of Columbia, and each sub-dictionary can be indiv...
Updates to SaaS Security Endpoints
You can retrieve the SaaS Security Scan Configuration information and the validation status of a SaaS application tenant using the following endpoints: • "GET /casbTenant/scanInfo" • "GET /casbTenant/validate/status/{tenantId}" To...
Create VM Instance using the Virtual Service Edge Azure Terraform Modules
You can create a virtual machine (VM) in Azure using the Virtual Service Edge Terraform modules. To learn more, see Configuring Virtual Service Edge for Microsoft Azure....
Enhancement to Custom Views in 3rd-Party App Governance
When creating and saving a custom view in 3rd-Party App Governance, you can update the saved view to include your current tenant selection on the global platform filters. See image. To learn more, see <...
Support for Adaptive Access Engine
Adaptive Access Engine dynamically manages access based on real-time assessments of risk and trust by continuously evaluating contextual signals, user behavior, device health, location, and other factors to determine whether to allow or block access to websites or apps at any giv...
Zscaler Client Connector EUNs for Firewall, DNS, and IPS Policies
Beginning with Zscaler Client Connector version 4.8 for Windows, ZIA Firewall policies—including Firewall Filtering, DNS Control, and IPS Control—support end user notifications (EUNs) via Zscaler Client Connector. When configuring these policy rules, you can select to show a noti...
Automatic Session Restore for Isolation
Isolated sessions now automatically restore their web pages if they time out on a user's device. If a session is idle for longer than the timeout of 10 minutes, the isolated page automatically refreshes itself, and the user does not have to sign in again. When this action occurs, the banner...
Original URL of Website Name in Isolation
The UI is updated so that when users enter an isolated session, they now see the original URL of the website they are on instead of the isolation web page URL. This change provides users with an experience with a look and feel more like a native browser compared to the container view of being iso...
New AI/ML Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
New Network Applications in Firewall Control
Zscaler includes support for identifying several new network applications using deep packet inspection and controlling the network application traffic using Firewall Filtering rules. These network applications are listed on the Network Applications page (Administration > Network...
Support for New SSPM Controls for Snowflake
The number of SaaS Security Posture Management (SSPM) controls for Snowflake in Advanced SSPM has been increased. Forty-six new SSPM controls are supported for Snowflake....
Logs for Post-Quantum Cryptography Visibility
Zscaler is proactively preparing for post-quantum cryptography (PQC) by evaluating quantum-safe algorithms, supporting hybrid encryption systems, and enabling scalable integration of quantum-resilient technologies across its cloud infrastructure. Zscaler collaborates globally wit...
Support for Quarantine File to Desired Location
The SaaS Security Data at Rest Scanning DLP and Malware policies support specifying the location to quarantine files for the file sharing applications Google Drive, Microsoft OneDrive, and Microsoft SharePoint. SaaS Application Tenant OnboardingOnboarding a SaaS ap...
Support for Custom File Types in DLP and File Type Control Policies
You can create custom file types and use them when creating Data Loss Prevention (DLP) and File Type Control policies. You can then filter and view logs for these custom file types in Web Insights Logs and the Nanolog Streaming Service (NSS). <a class="image-icon" href="#ad...
Support for Custom File Types in File Type Policies and DLP
The File Type Control and Data Loss Prevention (DLP) policies now support custom file types with extension-based detection. On the Management Portal for Partners, partner tenants can see a new field, Custom File Type Limit, in their Technical Information section. The Custom...
Document Classification and Logging
AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classification of documents that are...
Enhancement to SafeSearch
SafeSearch allows granular control of applications. This allows you to apply SafeSearch to specific applications. As part of this change, on the Advanced Policy Settings page (Policies > URL & Cloud App Control > Advanced Policy Settings), the SafeSearch Applications drop-down ap...
File Type Support for File Type Control & DLP
The File Type Control and Data Loss Prevention (DLP) policies support the following file types in the Other category: • UTF-8 BOM • UTF-16 LE • UTF-16 BE The file types are available when creating the following policies: <l...
Shadow IT Report Enhancements
You can view information about the number of transactions per application based on their status (blocked or allowed) in the Cloud Applications table of the Shadow IT Report. A new column, No. of Transactions, is added to the Cloud Applications table. <a class="image-i...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Advanced SaaS Security Posture Management Support for Docusign
Docusign is supported as a SaaS application tenant and can be onboarded for Advanced SaaS Security Posture Management (SSPM) scans. See image. When onboarding a Docusign tenant, you can enable Advanced SSPM scanning by selec...
SSL Inspection for IoT Devices
You can specify the type of IoT devices to perform or bypass SSL Inspection. Admins can create an SSL Inspection policy based on IoT AI/ML classifications to perform or bypass SSL Insepction. This enhancement requires IoT enablement for your organization. <p...
Support for New SaaS Application Tenant
Microsoft Copilot is supported as a SaaS application tenant and can be onboarded for Advanced SaaS Security Posture Management (SSPM) scans. See image. When onboarding a Microsoft Copilot tenant, you can enable Advanced S...
Strict Checking of Popular Date Formats in EDM
To obtain access to this feature, contact Zscaler Support. You can configure Data Loss Prevention (DLP) Exact Data Match (EDM) to have strict checking against popular date formats. This feature supports 6- to 8-digit date formats that contain hyphens (<co...
Content Location Match Criteria for Web DLP Rules
You can choose a content location as a match criteria to target specific sections of a file or transaction when defining a Data Loss Prevention (DLP) rule. To enable this feature, contact Zscaler Support. • File• Document Properties: Matches are...
Async Location Download
For organizations that have thousands of locations or sublocations, the loading time on the Locations page and in any policy that references locations when selected might incur noticeable loading time to retrieve and display the full location list. To learn more, see <a href="https://help.z...
Enhancement to the IP Destination Groups Endpoint
A new query parameter "override" is available for the "PUT /ipDestinationGroups/{ipGroupId}" endpoint. The "override" parameter is a Boolean that you can set to override IPs when required. To learn more, go to "PUT /ipDestinationGroups/{ipGroupId}</code...
Gen AI Application Category in NSS Feeds for SaaS Security Logs
Gen AI is added as an application category in NSS and Cloud NSS feeds for SaaS Security Logs. When configuring a feed, you can select the Gen AI application category and available generative AI SaaS applications (e.g., ChatGPT) to stream the related logs from Zscaler to your secu...
Source Countries for the URL Filtering Rules
You can select the countries from which traffic originates for the URL Filtering rules. This allows you to control the traffic originating from specific countries. As part of this change, the Source Countries field is added to the Add URL Filtering Rule window (Policies > URL & C...
Support for Cloud-to-Cloud Forwarding in DLP
You can now forward information about transactions that violate various Data Loss Prevention (DLP) incidents directly to your appliances you've defined in the ZIA Admin Portal by going to Administration > Data Loss Prevention and selecting Cloud-to-Cloud Forwarding. <a...
Support for Expandable Limit for Users, Groups, Locations, & Departments in Policies
The default limit of Users, Groups, Locations and Departments in policies has been increased to 32 from 4 and 8. This limit can be further expanded on a need basis. You can contact the Zscaler Sales or Zscaler Account team to further increase this limit, if required. On the Management Porta...
Support for Expandable Limit for Users, Groups, Locations, & Departments per Rule
The limit of users, groups, departments, and locations for a rule is increased to 32 from 4 users, 8 groups, 8 departments, and 8 locations. You can contact Zscaler Support to increase this limit further as needed. The following categories under the policy are supported: • Bandwidt...
Update to Cloud Nanolog Streaming Service (NSS) Endpoints
The Cloud Nanolog Streaming Service (NSS) endpoint category in the cloud service API includes a new endpoint, "GET /nssDownload/{nssId}", that enables you to download the NSS virtual appliance information based on the specified NSS server ID. To learn more about...
Updates to Virtual Service Edge Endpoints
You can create, update, and delete a ZIA Virtual Service Edge and retrieve the Virtual Service Edge for an organization using the following endpoints: • "GET /virtualZenNodes" • "POST /virtualZenNodes" • "GET /virtualZenNodes/{virtu...
Updates to Workload Groups Endpoints
You can add workload groups for an organization and update, delete, and retrieve the workload groups by specifying the ID using the following endpoints: • "POST /workloadGroups" • "GET /workloadGroups/{workloadGroupId}" • "PUT /wor...
Enhancements to App Panel and Control Panel
A Notes tab is added to the App Panel in 3rd-Party App Governance and the Control Panel in Advanced SaaS Security Posture Management (SSPM). This tab allows you to communicate with and leave notes for multiple other users. You can add notes to each app or control and also comment...
New Endpoints for 3rd-Party App Governance
The 3rd-Party App Governance API adds the following new endpoints to perform bulk actions as well as retrieve scan results and lists of filters and controls from the Posture page in the 3rd-Party App Governance Admin Portal: • "/posture/controls/status" • "/posture/...
Gen AI Security Report Enhancements
The Gen AI Security Report is improved, making it interactive and intuitive, with the following enhancements: • Option to view the sanctioned and unsanctioned Gen AI application usage. • Prompt Classification to categorize the prompts used in the Gen AI application...
Improvements to the Zscaler Incident Receiver JSON Metadata File
To help improve incident management on the Zscaler Incident Receiver, the JSON file that contains Data Loss Prevention (DLP) policy scan metadata for Inline Web DLP policy violations (with Evaluate All Rules mode enabled) has been updated with the following fields: • "otherMatchedRu...
Logs for SSL Inspection Policy Rule Name
You can filter and view logs to learn which specific SSL Inspection policy r...
Third-Party URL Category Lookup
Zscaler supports lookup for uncategorized URLs using a third-party database. You can control the lookup for such uncategorized URLs using the newly added Enable 3rd-Party URL Category Lookup option on the Advanced Policy Settings tab (Policy > URL & Cloud App Control). <a c...
OpenOffice File Type Support for DLP
The Data Loss Prevention (DLP) policies support the OpenOffice Drawings (.odg, .otg) file type in the OpenOffice category: • DLP - Rule with Content Inspection To learn more, see <a href="https://h...
Support for Step-Up Authentication
Step-up authentication is a security mechanism that ensures users can only access sensitive or high-risk resources after completing an additional level of identity verification. Conditional access is supported for step-up authentication in the ZIA Admin Portal when configuring UR...
Search for Configuration Changes in Audit Logs
You can search for configuration changes on the Audit Logs page by selecting Changes from the search options. See image. The configuration change search applies to JSON attribute values, not a...
Updated Search for Firewall Filtering Rules
The following update is applicable only to tenants approved for an increased rule limit of up to 4,000 Firewall Filtering rules, based on qualified use cases. On the Firewall Filtering Policy page (Policy > Firewall Control), the search is updated to include th...
Updates to End User Subscription Agreement (EUSA) Endpoints
The cloud service API includes the Activation endpoint category to extend programmatic access to retrieve the EUSA acceptance status using the following endpoints: • "GET /eusaStatus/latest" • "PUT /eusaStatus/{eusaStatusId}" To le...
SaaS Security DLP Policies Support Folder Level Changes
When a folder's permissions are modified or a folder is shared with a new collaborator, files previously in violation of the SaaS Security DLP policy rules in the folder are rescanned against those rules. This feature is presently being rolled out to Microsoft OneDrive and SharePoint applica...
Multifile Support for Isolation in ZIA
Users can now upload multiple files simultaneously while in an isolated session. There is no minimum or maximum limit while uploading. See image. To learn more, see <a class="url-external" href="https://help.zscaler....
New EDM Data Types
When creating your Zscaler Data Loss Prevention (DLP) EDM templates, you can now select the following data types: • National Document ID (Uruguay) • National Identification Number (Chile) • National Identification Number (Peru) To learn more, see...
Support for Device Groups in Forwarding Control
In the Policy > Forwarding Control > Add Forwarding Rule window, under the General section, a new Device Groups criterion is added. This criterion allows you to select device groups based on the device platform to which the configured forwarding rule applies. <a class="imag...
Support for Collaborator Groups
You can filter and view logs for External Collaborator Group and Internal Collaborator Group for the File Sharing Applications category. As part of the update, the following changes are available in the ZIA Admin Portal: SaaS Security Insights LogsFilters and colum...
Support for Number of Collaborators for Google Drive in DLP
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as scoping criteria for Google Drive. Administrators can apply the scope to collaborators by choosing a range for the number of internal and extern...
Improvements to the Users Page
Multiple enhancements have been made to improve the load time and performance of the Users page in 3rd-Party App Governance. This significantly improves the user experience. To learn more, see <a href="https://help.zscaler.com/zia/about-user-inventory" target="_blank" data-entity-type="node...
Support for Correlated View of App Users and DLP File Access
A new tab, Files, is added to the User Panel in 3rd-Party App Governance. This tab provides visibility into files associated with Data Loss Prevention (DLP) violations for a given user over a selected period of time. You can quickly identify the top files with DLP violations, ena...
Support for Detecting Internal Apps
Multiple improvements help to automatically detect internal apps and relate publishers to those internal apps in 3rd-Party App Governance. To learn more, see <a href="https://help.zscaler.com/zia/about-app-inventory" target="_blank" data-entity-type="node" data-entity-uuid="acfb521d-0327-4a...
Support for Excessive Data Permissions Finding for GitHub Apps
A new finding, Excessive Data Permissions, is created for GitHub apps in 3rd-Party App Governance. Applications with excessive data permissions can access or modify multiple data types like emails, files, chats, and calendars, which puts the organization at risk of non-compliance and malicious ac...
Support for SaaS Application Tenants Label Management
You can add and manage labels for Software as a Service (SaaS) application tenants from the Integrations banner in 3rd-Party App Governance and Advanced SSPM. You can also filter the platforms by label. This allows you to identify the differences between the tenants for effective...
Support for SaaS Dashboard in Advanced SSPM
You can view the Software as a Service (SaaS) dashboard when you access Zscaler Advanced SaaS Security Posture Management (SSPM). The dashboard displays information about the overall posture score and risk score across all apps, platforms, and user accounts. It also displays the...
Add Comments for ATP Blocked Malicious URLs
You can now add comments to malicious URLs you have added to Advanced Threat Protection (ATP) Blocked Malicious URLs. To learn more, see <a href="https://help.zscaler.com/zia/adding-urls-denylist" target="_blank" data-entity-type="node" data-entity-uuid="b78a03b4-6f84-4726-...
Customizable User Confirmation Templates
You can now create and manage multiple user confirmation templates for enhanced policy-level customization in the ZIA Admin Portal by going to Administration > Notification Templates > User Confirmation and clicking Add Custom Message. When configuring Endpoint DLP or Inline Web...
Enhancement to EDM Match Count
The Zscaler Data Loss Prevention (DLP) Exact Data Match (EDM) dictionary search score total "matchCount" has been enhanced to be based on the number of unique sets of matches found in the content. Previously, "matchCount" was determined by the number o...
Enhancements to Cybersecurity Insights
You can now view and download the latest Zscaler ThreatLabz updates of all newly generated or updated content by the Zscaler ThreatlabZ team in a PDF from the Cybersecurity Insights page. See image. To learn more, see <a h...
Logs for Allowed File Type Rule
You can filter and view logs for File Type Control policy rules that use the Allow action and have been triggered by the transaction. The following changes are available in the ZIA Admin Portal:</p...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Downloading Policies
On the Print All Policies page (Administration > Print All Policies), you can download your organization's configured policies as JSON files by selecting the ZIP file format. A single ZIP file containing JSON representation of the policies is downloaded, with one JSON file c...
Location Groups Filter in NSS Feeds
A Location Groups filter is added to NSS and Cloud NSS feeds for Web, Firewall, and DNS logs as well as Microsoft Cloud App Security (MCAS) NSS feeds. You can use the filter when configuring a feed to limit the logs to specific location groups. <a class="image-icon" href="#...
Update to Firewall and Forwarding Rules
In Firewall and Forwarding rules, the Department field was accessible to some customers without the appropriate entitlement (requires Advanced Firewall). An update has been made to ensure that this field availability matches the admin’s entitlement to the field licensed with Advanced Firewall. Fo...
EDM and DLP Support for New PII Dictionaries
The following predefined DLP and EDM dictionaries now support an additional format for Australian Passport numbers: AAn(6), where AA is a combination of two letters (PA - PF, PU, PW, PX, PZ, and RA - RZ) and n is a combination of 6 digits. A delimiter (hyphen, spaces, or pe...
Index Tool Single Sign-On
Single sign-on (SSO) can be configured for the ZIA Index Tool when adding or editing an Index Tool configuration. See image. To learn more, see...
Custom Browser EUN Support for File Type Control Policy
The File Type Control policy rules support Custom Browser end user notifications (EUN). You can create a custom EUN template for the File Type Control policy and associate it with the policy rules. This allows you to show the custom notification messages on the endpoints when the...
SaaS Security Data at Rest Scanning DLP Redaction Support
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy for file sharing applications supports redacting sensitive data in supported file types. To use this functionality, you first create a redaction profile that specifies whether the Zscaler service uses an as...
SaaS Security Data at Rest Scanning DLP Support for Trusted Users and Trusted Domains
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports specifying trusted users (i.e., users with email addresses outside your organization) and trusted domains (i.e., domains outside your organization) as part of your policy rules. The Zscaler service...
Support for Microsoft as an IdP in 3rd-Party App Governance
Zscaler 3rd-Party App Governance supports Microsoft as an identity provider (IdP) to authenticate admins and users logging in to the 3rd-Party App Governance Admin Portal. You can select Microsoft as the IdP when connecting a web-based platform to Advanced SaaS Security Posture M...
Update to Web Insights for Bandwidth Control
Web Insights includes additional information for Bandwidth Control with the new filter Bandwidth by Data Center. See image. To learn more, see <a href="https://help.zscaler.com/zia/web-data-types-and-filters...
Ability to Set an Endpoint DLP Exception Rule To Take No Action
You can apply the None action to exception rules in Endpoint Data Loss Prevention (DLP) to exclude specific activities that match exception rule criteria from being reported (i.e., you might want to exclude specific users or groups from reporting incidents). <a class="image...
DLP Support for New ML-Based Dictionaries
The following are new predefined DLP dictionaries that use ML-based detection: • ID Card • Medical Imaging • Satellite Data • Schematic Data To learn more, see <a href="https://help.zscaler....
Endpoint DLP Support for Predefined Dictionaries
The Zscaler service now supports the following existing predefined Data Loss Prevention (DLP) dictionaries for Endpoint DLP: • CNPJ Number (Brazil) • Mexico Unique Population Registration Code • National Economic Registry Number...
Enhancement to Posture Management Page
The Remediate option is removed from the policy drawer and Asset Summary tab on the Posture Management page. This option is available only if you subscribed to the Advanced SSPM service. See image. To learn more, see <a...
Expanded Onboarding Options for Salesforce
The Zscaler service supports custom, client-side connector onboarding for access to both sandbox and production Salesforce tenants. With this functionality, instead of requiring full administrator credentials, the Zscaler service can use a minimum set of credentials to access Sal...
Multiple Sandbox API Token Support
Zscaler Sandbox (Administration > Cloud Service API Security > Sandbox API Token) supports up to 5 Sandbox API Tokens. The Sandbox token name field has a limit of 10 characters. See image. Web Insight Logs (Analytics >...
New Macros Available for DLP Notification Templates
Zscaler added three new inline web DLP macros for your DLP notification templates: • "${DEPARTMENT}": Shows the department of the user who triggered the DLP rule. • "${FILESIZE}": Specifies the size of the file that triggered the DLP rule.</li...
Support for EDM and IDM in Outbound Email DLP Policies
The Zscaler service supports using Exact Data Match (EDM) and Indexed Document Match (IDM) dictionaries and engines in your Outbound Email Data Loss Prevention (DLP) policy rules. See image. To le...
Support for Filtering for Advanced Threat Protection
Users can now add URLs and MD5 file hashes to an Allowlist for Advanced Threat Protection (ATP) to explicitly allow or deny access to specific URLs or files. See image. To learn more, see <a href="https://help.zscale...
Support for Parent DLP Dictionaries and Sub-Dictionaries
The Zscaler service supports using Patterns and Phrases Data Loss Prevention (DLP) dictionaries to create custom parent dictionaries and sub-dictionaries as a means of grouping similar dictionaries. For parent dictionaries, you can define patterns or phrases, or you can leave the...
Support for User Groups and Departments in Device Control Policy
Administrators can now define Device Control rules criteria (Analytics > Endpoint Data Scan > Device Control) based on User Groups and Departments. See image. To learn more, see <a href="https://help.zscaler.com/z...
Update to Zscaler Client Connector-based Notifications
You can embed links and add line breaks in the custom messages for Zscaler Client Connector-based End User Notifications (EUNs) (Administration > End User Notifications > Client Connector) and User Confirmation notifications (Administration > Notification Templates > User Confirm...
Updates to Cloud Service API: SaaS Security Endpoints
The cloud service API includes the following endpoint categories to extend programmatic access to various ZIA features and functionalities: • SaaS Security API To learn more about each endpoint, see th...
Tenancy Restriction Support for Amazon Web Services CLI
Tenancy restriction support is extended to Amazon Web Services CLI. To learn more, see Adding Te...
SCIM-Based User Lookup For Outbound Email DLP
Zscaler Outbound Email DLP supports System for Cross-domain Identity Management (SCIM)-based user lookup to map email addresses with ZIA login names. To learn more, see <a href="https://help.zscaler.com/zia/step-step-configuration-guide-zscaler-outbound-email-dlp#prerequisites" target="_bla...
Advanced SaaS Security Posture Management Support for Workday
You can configure Advanced SaaS Security Posture Management (SSPM) for Workday tenants. Select the SSPM Scan checkbox when onboarding a Workday tenant to enable the Advanced SSPM scan capability for the specific tenant....
Exclude Selected Applications from NSS Feeds
A filter to include or exclude selected cloud applications has been added to the existing Cloud Applications filter in NSS and Cloud NSS feeds for web logs as well as Microsoft Cloud App Security (MCAS) NSS feeds. When configuring a feed, you can select cloud applications and inc...
Increase in the Default Number of Allowed File Type Control Policy Rules
The default limit of File Type Control Policy rules has been increased to 2,048 from 1,024. To learn more, see Ranges & Limitations....
Support for Dedicated IP and Geolocalization IP
The Dedicated IP feature allows organizations to subscribe to dedicated IP addresses for the Zscaler data centers of their choice. Users can use these dedicated IP addresses (unique to the organization) as their source IP address to reach destinations that require source IP-based access. Th...
Support for New SaaS Security Application Tenant
The SaaS Security Data at Rest Scanning DLP and Malware policies support configuring tenants for Zoom, a collaboration application. See image. To learn more, see <a href="https://help.zscaler.com/zia/ab...
Support for Quarantine Tombstone Template in the Assets Report
You can now choose the Tombstone Template when quarantining files to the user root folder in the Assets Report (Analytics > SaaS Security > Assets). See image. To learn more, see <a href="https://help.zscaler.co...
Update to Cloud Service API: Enhancement to Location Group Endpoint
A new query parameter "fetchLocations" is available for the "GET /locations/groups" endpoint. The "fetchLocations" parameter is a Boolean that you can set to fetch locations associated with the group. To learn more, go to "GET /locations/groups" f...
Update to Custom IPS Signature Rules CSV Import
When importing custom IPS signature rules using CSV files (Administration > Custom IPS), you must enclose comma-separated values for individual fields within three single quotes ("'''") instead of double quotes ("""). This update has been made...
Updates to Cloud Service API: Browser Control Policy
The cloud service API includes the following endpoint categories to extend programmatic access to various ZIA features and functionalities: • Browser Control Policy To learn more about each endpoint, see the...
Gen AI Prompt Configuration for Writer and Deepseek
Zscaler's Gen AI prompt configuration is extended to the Writer and Deepseek generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen-ai...
SaaS Security Posture Management Support for Webex Teams
You can configure the SaaS Security Posture Management (SSPM) Scan for Webex Teams tenants. Select the SSPM Scan checkbox when onboarding a Webex Teams tenant to enable the SSPM scan capability for the specific tenant. S...
Support for Zscaler-Managed Business Continuity Cloud
The Zscaler-managed Business Continuity Cloud is a fully managed private cloud solution that is built on the isolated and dedicated ZIA and Zscaler Private Access (ZPA) infrastructures to ensure consistent cyber and data protection during critical outages. Zscaler deploys and hosts the private ZI...
Gen AI Prompt Configuration for Grok AI
Zscaler's Gen AI prompt configuration is extended to the Grok AI generative AI application. You can enable prompts for this application to categorize and store the prompts for it. See image. To learn more, see <a h...
Support for Unified Onboarding of SaaS Application Tenants
You can onboard, edit, and delete new Software as a Service (SaaS) application tenants enabled with 3rd-Party App Governance or the Advanced SaaS Security Posture Management (SSPM) feature from the Add SaaS Application Tenant page in the ZIA Admin Portal. You can continue editing...
Support for Risk Explainability in 3rd-Party App Governance and Advanced SSPM
On the App Panel header, you can hover over the risk score to view a breakdown of the score. On the Control Panel header, you can hover over the control severity level to view a breakdown of the severity. These actions allow you to view the components and criteria used to calcula...
Cloud Application Updates
As part of a continuous review, Zscaler has updated cloud applications across various cloud application categories. To obtain the list of updated cloud applications, download the list: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase...
Expanded File Type Support for File Type Control and DLP
The File Type Control and Data Loss Prevention (DLP) policies now support the Appinstaller Files (.appinstaller) file type in the Other Documents category. • File Type Control • <a href="#dlp...
File Type Control Enhancements
You can configure file type control rules based on Password-Protected criteria. This criteria is applicable for the following formats: • Password-Protected/Encrypted • Portable Document Format (.pdf) • Encrypted Office Documents • ZIP • RAR <l...
Microphone and Camera Functionality for Isolation Profiles in ZIA
Isolation allows microphone and camera functionality on the user's device while in an isolated browser. This can be enabled per isolation profile if Turbo Mode is also enabled. See image. To learn more, see...
New Cloud Applications
New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...
Support for SaaS Security API Data at Rest Scanning DLP Policy Rules without Content Inspection
To enable this feature for your organization, contact Zscaler Support. On the Data at Rest Scanning page (Policy > Saas Security > Data at Rest Scanning), you can create Data at Rest Scanning Data Loss Prevention (DLP) policies without content matching. <...
Support for Site Groups in SaaS Application Tenants and DLP Policy
SaaS Application Tenants (Administration > SaaS Application Tenants > Manage SaaS Application Components) supports the management of SharePoint tenant Sites and Site Groups. In the Components tab, you can view a list of the SharePoint sites that are available under the selected S...
Instance Discovery Report Enhancements
The Instance Discovery Report provides visibility into the instances accessed by users at the various levels of hierarchy for different SaaS applications. The Instance Discovery Report includes the following enhancements: • New applications are supported with vario...
Zoom in Tenant Profile
The Tenant Profiles feature supports Zoom. This allows granular control of actions (e.g., disable file transfer in meetings, disable recording locally on the device, etc.) in Zoom. See image. To learn more, see <a href="htt...
Enhancements to Admin Role Management
The Administration > Role Management page is enhanced to provide admins more granular access to major ZIA features. Super admins or admins with full access to the ZIA Admin Portal can assign admins field-wise permissions (Full, View Only, and None) to access individual ZIA featur...
Update to Cloud Service API: Cloud Application Instance Endpoints
The cloud service API includes the following new endpoints to create, update, and delete cloud application instances: • "POST /cloudApplicationInstances" • "PUT /cloudApplicationInstances/{instanceId}" • "DELETE /cloudApplicationInstances/{instanceI...
Update to Cloud Service API: User Endpoint Rate Limit
The rate limit for the "GET /users" request within the cloud service API has been updated to 10 calls/minute and up to 40 calls/hour. To learn more, see the API Rate Limit Summary....
Updates to Cloud Service API
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Alerts • Bandwidth Control & Cl...
Updates to Cloud Service API: Service Edges
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Service Edges To learn more about each endpoint, see...
Updates to the Add UEBA Alerts Page
The Trigger Multi-Factor Authentication action under Adding Alert Rule for UEBA Alert is deprecated and alert triggers with Multi-Factor Authentication is no longer supported. You can choose between Trigger an Alert or Place user in group to trigger the alert rule. <a class...
ChatGPT in Tenant Profile
The Tenant Profiles feature is extended to the ChatGPT application. This allows you to provide access to specific workspace IDs for ChatGPT. See image. To learn more, see <a href="https://help.zscaler.com/zia/ad...
HTTP Header Control
The HTTP Header Control feature allows you to create URL Filtering policy rules based on HTTP headers. As part of this change, the following profiles are added to the ZIA Admin Portal: • HTTP Header Profile (Administration > HTTP Header Control) • HTTP Header Inser...
Enhancements to Endpoint Data Scan
The following enhancements are made to the Endpoint Data Scan page (Analytics > Endpoint Data Scan): Nearby SharingZscaler Device Control is enhanced to prevent nearby sharing between endpoints and devices that are close by. The Nearby Sharing rule restricts the us...
Update to Zscaler Client Connector-Based Notifications
Zscaler Client Connector-based End User Notifications (EUNs) and user confirmation messages for Inline Web DLP and Cloud App Control policies can be enabled without having an Endpoint DLP subscription. These policy EUNs are supported (without requiring Endpoint DLP) on the following Zscaler...
Added Alert for Unknown and Suspicious C2 Traffic
You can enable the service to send alerts for unknown or suspicious C2 traffic. This feature is enabled by default. See image. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanc...
WebSocket Protocol Type in DLP Rules
You can choose either WebSocket or WebSocket SSL/TLS as a protocol type when defining a Data Loss Prevention (DLP) rule. On the Policy > URL Filtering & Cloud App Control > Advanced Policy Settings tab, a Microsoft Copilot toggle is added under the Gen AI Prompt Configuration sec...
Update to Sandbox Scanning Portal URL
The Sandbox Scanning Portal is now more secure with the change to an HTTPS URL: https://filecheck.zscaler.com/ If you have bookmarks to the previous URL for the Sandbox Scanning Portal, update them as they no...
Email Notification Support for Policies in 3rd-Party App Governance
When creating a policy, you can choose to send an email through one or more default email addresses to notify the users whenever the policy is triggered. See image. To learn more, see <a href="https://help.zscaler.co...
Support for Viewer Role in 3rd-Party App Governance
You can assign a new predefined role called Viewer to a user. When assigned this role, the user can only view data and export reports across the 3rd-Party App Governance Admin Portal, but cannot take any action or make changes. To manage role assignments, contact Zscaler Suppor...
Email Notification Support for Revoking or Banning Apps in 3rd-Party App Governance
When you revoke or ban an app for users in your organization, you can send an email to notify them that the previously accessible app is revoked or banned. You can also select the email address from which you want to send the email. <a class="image-icon" href="#Revoke/Ban-C...
Auditor Email Notifications for Outbound Email DLP
You can configure notification templates so that email notifications are sent automatically to specified auditors when outbound email transactions trigger Outbound Email DLP rules. On the Notification Templates page (Administration > Notification Templates > DLP), you can c...
Configure External Trusted Domain & User Profiles in Tenant Onboarding
SaaS Application tenant onboarding for SaaS Security API now supports configuring external trusted domains and users. See image. To learn more, see <a href="https://help.zscaler.com/zia/about-email-profiles" target="_bla...
Support for Number of Collaborators for File Sharing Applications in DLP
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as a scoping criteria for SharePoint and OneDrive to monitor file sharing among collaborators. Administrators can choose a range for the number of...
Developer Tools URL Category
The Developer Tools predefined URL category is added to the Information Technology super category. It consists of sites that provide tools used by developers for coding, debugging, testing, and managing software projects. This category is enabled from the backe...
Enhancements to the SaaS Security Scan Configuration
You can refresh the status of a scheduled SaaS Security DLP or malware scan by clicking the Refresh icon next to the status of an ongoing scan on the SaaS Security Scan Configuration page. See image. To learn more,...
New Predefined DLP Engines Available
The following are new predefined DLP engines available on the DLP Engines page (Administration > DLP Dictionaries & Engines > DLP Engines). These engines are available by default for customers with tenants enabled on April 4, 2025, or later. For enablement on e...
Support for MIP Labels for PowerPoint Files in Data at Rest Scanning DLP Policy
For file sharing applications, you can configure MIP labels on PowerPoint files from the Data at Rest Scanning DLP policy in the Add DLP Rule window (Policy > Data at Rest Scanning > Data Loss Prevention). Choose from the list of OneDrive and SharePoint tenants to see this action...
UCaaS One Click Configuration Support for Talkdesk
Unified Communications as a Service (UCaaS) one-click configuration support is now extended to the Talkdesk cloud application. See image. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanced-url...
Changes to Policy Action Reasons in Web Insights and NSS Reports
The following policy actions seen in the Insights and NSS Reports have changed to ensure consistency with the field values from the Web Insights in the ZIA Admin Portal: Old Policy ReasonNew Policy Reason<td style="overflow:hidden;pad...
Hex-Encoded Requested Domain Field in NSS Feeds
The field "%s{ednsreq}" is available when adding an NSS or Cloud NSS feed for DNS logs. The field output is the hex-encoded FQDN in the DNS request. To learn more, see <a href="https://help.zscaler.com/zia/nss-feed-output-format-dns-logs" target="_blank" data-entity-type="node" d...
Support for New SaaS Application Tenants
Twilio and Trello are supported as SaaS application tenants. Both can only be configured for SSPM scan which requires an Advanced SSPM license. If you don't have the correct license, a message to upgrade your license appears next to the SSPM Scan checkbox during the onboardi...
Support for Number of Collaborators in DLP Policy
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy now supports the number of collaborators as a scoping criteria for file sharing applications. When enabled for a partner tenant, the CASB Collaborator Count field under Special Settings of the Tenant Detail...
Update to Cloud Service API
The cloud service API is updated to include a new "GET /locations/supportedCountries" endpoint that retrieves an up-to-date list of countries supported in location configuration. To learn more, see the API Reference...
Update to Cloud Service API
To provide a unified and streamlined API experience through Zscaler OneAPI, our centralized API management solution for the Zscaler platform, Zscaler is applying the following changes to ZIA: • Going fo...
Updates to Cloud Service API
The cloud service API includes updates to the following categories of endpoints to extend programmatic access to specific ZIA features and functionalities: • Admin & Role Management • S...
Expanded Python File Type Support for Sandbox
The Zscaler Sandbox supports additional file types: • Python Source Code file (.py) • Pickle files (.p, .pkl, and .pickle) • Python Dynamic Module file (.pyd) • Python Script file (.pyw) See image....
Zscaler EUN Web Page for DNS Control Policy
Using the DNS Control policy, you can redirect users to a new Zscaler-provided end user notification (EUN) web page to inform users of your organization policy when they access restricted domains. You can do this by selecting the Redirect Response action in the DNS Control rule a...
DLP Support for New PII Dictionaries
The following are new predefined DLP Dictionaries: • National Identification Number (Chile RUN) • National Identification Number (Peru CUI) • National Document ID (Uruguay) To learn more, see <a href="https://help.zscaler.com/zia/understanding-pre...
Cookie Persistence Renamed to Persistent State for Isolation Profiles
In ZIA isolation profiles, the cookie persistence toggle has been updated to be called Persistent State. See image. To learn more, see <a href="https://help.zscaler.com/isolation/using-persistent-state-isolation" targe...
Enhancement to Secure Browsing
You can configure granular Smart Browser Isolation policies for specific users or groups from the Secure Browsing page. As part of this change, the following fields are added to the Smart Isolate tab (Policy > Secure Browsing > Smart Isolate): • Users • Groups...
Isolation of Miscellaneous and Unknown Category in ZIA
Isolation creates preconfigured profiles for admins. These profiles can configure only the URL category "Miscellaneous and Unknown" in their Zscaler Internet Access (ZIA) policy. Some fields in this profile are permanently enabled, others permanently disabled, and some the admin can <a href="http...
Update to Application Service Groups
The Firewall policy allows you to manage outbound and inbound traffic for cloud service providers such as Amazon Web Services (AWS) and Google Cloud Platform (GCP), along with their subservices, using the newly added AWS and GCP application service groups. These application servi...
Multiple VM Sandbox Report Analysis
For Advanced Sandbox users, all malicious samples are analyzed twice automatically, first through an unpatched vulnerable VM (Zero Day Report or Fully Patched VM Report) and then a second time through the fully patched secured VM (Regular Report). This allows you to compare the r...
Remote Assistance Notification
The Zscaler service displays a notification when Remote Assistance is enabled. See image. The maximum time limit for both view-only and full access is 90 days. To learn more, see <a href="https://help.zscaler.com...
Updates to Cloud Service API
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Admin & Role Management • User Manage...
DLP and EDM Support for PII
The existing predefined Credit Card dictionary and EDM data type now support the additional popular formats: • Credit Card Number (China UnionPay) • Debit Card Number (Maestro) To learn more, see <a href="https://help.zscaler.com/zia/creating-exact-data-match-template"...
Enhancement to HTTP/2 in SSL Inspection Policy
The Enable HTTP/2 option is enabled by default when configuring an SSL Inspection rule. This feature is only available when it is enabled for your organization. See image. To learn more, see <a href="https://help.zscaler.com...
Tenant-to-Tenant Firewall Control and Logging Improvements
Additional Firewall Control and Logging capabilities have been added for scenarios where an organization's roaming user (i.e., remote user from a Home tenant) is a guest user visiting another organization's tenant location (i.e., Host tenant) in the same Zscaler cloud and that Host tena...
Update to DNS Control Policy
The DNS Control policy includes a new action, Block with Response Code, which allows you to block DNS traffic and send a response code to the client. The response code can be chosen from a predefined list that appears in a new Response Code field when this action is selected. Whe...
Zscaler Incident Receiver Configuration Enhancement
Zscaler now supports the SSH key, ED25519. To learn more on upgrading the SSH key to ED25519, see <a href="https://help.zscaler.com/zia/configuring-zscaler-incident-receiver" target="_blank" data-entity-type="node" data-entity-uuid="1b3f21b1-0d52-4d5a-911b-61d5deeca357" data-entity-substitu...
Enhancement to Posture Page in Advanced SSPM
The Complexity column and filter are added to the Posture page. You can view the complexity level of a control and filter the controls displayed in the table by using this filter option. The Control Panel header for each control displays its c...
Administrator Scope Department Limit
When configuring ZIA admins and <a href="https://help.zscaler.com/zia/adding-zia-super-admins" target="...
Enhancements to Assets Tab of the Control Panel in Advanced SSPM
The Assets tab of the Control Panel in Advanced SSPM includes the following enhancements: • You can export the assets report to a CSV file. • You can copy the asset evidence or download it as a JSON file. <a class="image-icon" href="#ZIA-Assets-Tab-Enha...
Enhancements to the IoT Report
The IoT Report has been enhanced to report IoT policy status and statistics for IoT devices. To learn more, see About the IoT Report. You can get an overview of the IoT web policies...
Increase in Query Limit for Sandbox Report API
The resource access quota for retrieving Sandbox Detail Reports is increased to 3,000 requests per day, with a rate limit of 2/sec and 1,000/hour. To learn more, see the Obtaining San...
Logs for Source and Destination IP Countries
You can filter and view logs for Source IP Countries, Destination IP Countries, Is Source IP Country Risky? and Is Destination IP Country Risky? As part of the update, the following changes are available in the ZIA Admin Portal: Web Insights LogsThe following filte...
Update to Cloud Service API
The cloud service API includes a new "POST /exportPolicies" endpoint for exporting rules configured for various policy types to JSON files. To learn more, see the API Reference. The Postman collection has...
Update to Cloud Service API: Data Center Exclusion
The cloud service API includes the following new endpoints to support excluding a Zscaler data center (DC) in the event of service disruption by disabling all tunnels terminating at a virtual IP (VIP) address of the DC. Using these endpoints, you can add, modify, and delete DC exclusions and retr...
Support for Case-Sensitive Logging for Select Domains
Zscaler supports case-sensitive URL logging for select domains. Some sites and services, such as URL shorteners, use case sensitivity within the URL path when generating links. For example, "bit.ly/ABcDEf" has a different destination URL than "bit.ly/abcdef". With added supp...
Real-Time DLP Support for Files and Messages for Webex
Zscaler supports real-time Data Loss Prevention (DLP) for messages and file attachments sent via Webex Teams. To learn more, see Step-by-Step Configuration Guide for Webex Teams Re...
Update to DNS Gateways
DNS Gateways support a customized URL path for DNS servers that use the DNS over HTTP (DoH) protocol. See image. To learn more, see <a href="https://help.zscaler.com/zia/adding-dns-gateways" target="_bl...
Enhancement to Posture Controls Report in Advanced SSPM
When exporting the controls report to a CSV file from the Posture page, you can view additional attributes like Description, Tenant Name, Platform, Severity, etc. in the exported file. To learn more, see <a href="https://help.zscaler.com/zia/about-posture" target="_blank" data-entity-type="...
Advanced SaaS Security Posture Management Support for Zoom
You can configure Advanced SaaS Security Posture Management (SSPM) for Zoom tenants. Select the SSPM Scan checkbox when onboarding a Zoom tenant to enable the Advanced SSPM scan capability for the specific tenant. Existing users can also enable Advanced SSPM support by selecting...
Expanded File Type Support for File Type Control
The File Type Control and Data Loss Prevention (DLP) policies now support the following file types: • Microsoft Outlook Mac Data (.olm) • Microsoft Publisher Files (.pub) • Microsoft TNEF file (.tnef) • LZH Archive (.lzh, .lha) • CPIO File (.cpio)...
Expanded File Type Support for Sandbox
The Zscaler Sandbox supports additional file types: • Microsoft Software Installer (msi) • Windows Batch File (bat) • Windows Script File (wsf) See image. To learn more, see <a href="https://help.z...
Enhancements to Endpoint DLP
Optical Character Recognition (OCR) SupportThe Zscaler service supports OCR for Endpoint DLP to scan PNG, JPEG, TIFF, and BMP files for sensitive text data. This functionality does not require configuration and is automatically available based on whether your subscription includes the ZS...
Extranet Application Support
To access Extranet Application Support, contact your Zscaler Account team. Zscaler Extranet Application Support provides organizations with a secure way to access resources from partners that are not using the Zscaler service. This is typically accomplished wit...
Service - zscalerbeta.net
Visual Indicator for Turbo Mode in Isolation for ZIA
If Turbo Mode is enabled on an isolation profile and the user also has hardware acceleration enabled, the appearance of the zGPU icon next to the Turbo Mode command is displayed in the Isolation Bar. See image. To...
Automatic Session Restore for Isolation
Isolated sessions now automatically restore their web pages if they time out on a user's device. If a session is idle for longer than the timeout of 10 minutes, the isolated page automatically refreshes itself, and the user does not have to sign in again. When this action occurs, the banner...
Original URL of Website Name in Isolation
The UI is updated so that when users enter an isolated session, they now see the original URL of the website they are on instead of the isolation web page URL. This change provides users with an experience with a look and feel more like a native browser compared to the container view of being iso...
Multifile Support for Isolation in ZIA
Users can now upload multiple files simultaneously while in an isolated session. There is no minimum or maximum limit while uploading. See image. To learn more, see <a class="url-external" href="https://help.zscaler....
Zscaler Endpoint DLP - Windows
Endpoint DLP 26.02.1.18 Windows Enhancements and Fixes
• Support for Japanese predefined DLP dictionaries (i.e., Addresses (Japan), First Names (Japan), Full Names (Japan), Last Names (Japan)). To learn more, see <a href="https://help.zscaler.com/zi...
Endpoint DLP 26.02.0.21 Windows Enhancements and Fixes
• Supports setting a network type (e.g., Trusted, Off-Trusted, VPN) for the Network Share, Printing, and Device Control channels when creating policy rules for Endpoint Data Loss Prevention (DLP). Endpoints must be running Zscaler Client Connector version 4.8.600 or later (Windows) or versi...
Zscaler Endpoint DLP - macOS
Endpoint DLP macOS 26.2.1.1439 Enhancements and Fixes
• Support for Japanese predefined DLP dictionaries (i.e., Addresses (Japan), First Names (Japan), Full Names (Japan), Last Names (Japan)). To learn more, see <a href="https://help.zscaler.com/zi...
Endpoint DLP 26.2.0.1416 macOS Enhancements and Fixes
• Supports setting a network type (i.e., Trusted, Off-Trusted, VPN) for the Network Share, Printing, and Device Control channels when creating policy rules for Endpoint Data Loss Prevention (DLP). Endpoints must be running Zscaler Client Connector version 4.8.600 or later (Windows) or versi...
Private Access (ZPA)
Service - private.zscaler.com
Manager Software Updates
A recommended update was released that includes updated App Connector and Private Service Edge for Private Access (ZPA) RPM packages for Red Hat Enterprise Linux 8.x and 9.x, and Private Cloud Controller and Network Connector RPM packages for Red Hat Enterprise Linux 9.x. You can download t...
Agent Telemetry Status Changes
Several new statuses are available for filtering Agent Telemetry results. For agents, the following statuses are available: • Up to Date: The new agent upgrade version number is either greater than or equal to the agent version...
Rule Order for Microsegmentation Policies
Microsegmentation policy rules are now organized by order instead of by priority numbers. Admins can re-order rules at any time and as many times as needed. Any rule order changes are tracked in Event Logs. See image....
Automated Manager Software Updates for App Connectors and Network Connectors
An update was released to support automated updates to the Manager software service for App Connector and Network Connector. Automated Manager software updates are available with a Manager software version of 25.46.3 or later and an App Connector or Network Con...
Automated Operating System Updates
An update was released to support automated security updates to the RHEL 9 operating system (OS) for App Connector, Private Service Edge for Private Access (ZPA), Private Cloud Controller, and Network Connector. This includes security updates and full OS updates. <p class="not...
Hostname in VPN Connected Users
The client hostname was added to the VPN Connected Users page. See image. To learn more, see About VPN Connected Users. <div class="su...
Multiple Private Access Tenant Support with ZIdentity
An update was released to provide support for two Private Access (ZPA) tenants with a single ZIdentity tenant. Customers with more than one single Internet & SaaS (ZIA) and Private Access tenant can manage them in the Zscaler Admin Console. <a class="image-icon" href="#acco...
Tag Management for Defined Application Segments
Private Access (ZPA) supports Tag Management, which enables you to create, organize, and manage tags for classifying and grouping resources more effectively. Tag Management standardizes tagging across environments to simplify policy configuration and improve visibility into relat...
Enhancements to AI-Powered Recommendations
An update was released to provide the following enhancements to the AI-Powered Recommendations page: • Recommendations are sorted into intuitive categories for User Groups, Observed Users, and Application Type to improve discoverability and allow users to focus on releva...
Anti-Tamper Protection for the Microsegmentation Agent
Anti-tamper protection for the Microsegmentation agent ensures that the agent service (e.g., reporting, enforcement, and upgrades) can't be maliciously disabled or altered. This includes alterations attempted by an untrusted actor running with admin privileges....
Kubernetes Updates for Microsegmentation
Microsegmentation now extends support for Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE). Customers can install the Microsegmentation agent for these services to gain visibility to Kubernetes inventory and flow logs. To learn more <a href="https://help.zscaler.com/zpa/abo...
SLES 15 Support for Agent Installation in Microsegmentation
The Microsegmentation agent can now be installed on Suse Linux Enterprise Server 15. To learn more, see <a href="https://help.zscaler.com/zpa/installing-upgrading-agent-manager" target="_blank" data-entity-type="node" data-entity-uuid="1a276ceb-97ba-45d7-abf2-baba3ee1a843" data-entity-subst...
Client Browser for Zero Trust Browser
Zero Trust Browser has been updated with several significant changes to provide seamless and secure enterprise access from any browser. The solution consists of three primary components: a browser extension that handles web-based security and access, a lightweight agent that enforces device postu...
Support for Secondary DNS Servers in Network Segments
If users access an application via FQDN, you can assign a secondary DNS server as a backup in Network segments. This ensures DNS resolution remains close to the VPN Service Edge's physical location. This feature requires Zscaler Client Connector 4.9 or lat...
VPN (for Legacy Apps) Resolved Issue
A fix was released to address a misconfiguration in "/etc/logrotate.d/frr" that caused the logrotate service not to start for Network Connectors and VPN Service Edges....
Client Connector Trusted Network Criteria Option
You can select Client Connector Trusted Network as a criteria option for the timeout policy. Client Connector Trusted Network allows users who are working from secure locations to be designated as part of a trusted network. This results in fewer reauthentication requests for trusted network users...
Manager Software Updates
A recommended update was released that includes updated App Connector and Private Service Edge for Private Access (ZPA) RPM packages for Red Hat Enterprise Linux 8.x and 9.x, and Private Cloud Controller and Network Connector RPM packages for Red Hat Enterprise Linux 9.x. You can download t...
Private Link Services
Private Access (ZPA) supports private link domains, allowing administrators to configure domain patterns that match private link CNAME records, including services such as Azure Private Link. This enables Private Access to correctly identify and route traffic to resources hosted behind private lin...
Provisioning Key Not Found Event Updates
Details for App Connector name, the time the App Connector was modified, and who modified the App Connector were added to the raw logs of the Provisioning Key Not Found event in Events Diagnostics. • V...
False Positive Rule Removals for OWASP Predefined Controls
False positive rules are being removed from the following OWASP_CRS control versions: • OWASP_CRS/4.8.0: 46 false positive rules • OWASP_CRS/3.3.5: 68 false positive rules • OWASP_CRS/3.3.0: 68 false positive rules Any AppProtection profiles with these rules confi...
VPN Service Edge Available in China
For organizations with the VPN (for Legacy Apps) service enabled, a VPN Service Edge is available in Beijing, China. This VPN Service Edge is only available to users in China to access applications in China. It should not be used to connect to applications outside of China, nor for users outside...
Application Type Classification for Application and User Group Relationships
A column for Application Types is available on the Application and User Group Relationships Usage page to provide visibility on application usage reporting. The application types are also available when viewing the CSV file of the downloaded reports. <a class="image-icon" h...
Updated GCP Images
Updated Red Hat Enterprise Linux 9 Google Cloud Platform (GCP) images are available in the GCP Marketplace for App Connector, Private Service Edge, Private Cloud Controller, and Network Connector. To learn more, see <a href="https://help.zscaler.com/zpa/zpa-app-connector-software-by-platfor...
Agent Group and Custom Tags for ML Resource Group Recommendations in Microsegmentation
Machine learning (ML) resource group recommendations have been updated to include custom type tags and agent groups. See images. To learn more, see <a href="https://help.zscaler.com/zpa/about-ml-recommendations-resource...
Replacing or Migrating Existing Network Connectors with Network Connectors that Support Redundancy
For customers who are not yet running Network Connectors that support redundancy, Zscaler strongly recommends replacing or migrating existing Network Connectors with redundancy-capable Network Connectors. Network Connectors that support redundancy resolve the following failure scenarios: <...
Added Languages for International Keyboard Support for Privileged Remote Access
If you are using a privileged console with an RDP protocol for Privileged Remote Access (PRA), Zscaler has added support for additional keyboard languages: English (UK), Belgian French, Brazilian Portuguese, Swiss French, Swiss German, Hungarian, Italian, Norwegian, Spanish Latin American, Swedis...
Credential Agent Available for Privileged Remote Access
A new credential agent is available for Privileged Remote Access (PRA) that enables ZPA integration with external identity sources, including Active Directory and Microsoft Entra ID, for credential discovery. To learn more, see <a href="https://help.zscaler.com/zpa/release-upgrade-summary-2...
Credential Management for Privileged Remote Access
You can deploy a credential agent to automate the discovery, synchronization, and lifecycle management of privileged credentials for Privileged Remote Access (PRA) in the Zscaler Admin Console. After configuring the credential agent, you can: • Automatically discover credentials using LD...
Manager Software Updates
A recommended update was released that includes updated App Connector and ZPA Private Service Edge RPM packages for Red Hat Enterprise Linux 8.x and 9.x, and Private Cloud Controller and Network Connector RPM packages for Red Hat Enterprise Linux 9.x. You can download the Manager software f...
Support for VPN Tunnels Connected from ZPA Private Service Edges
This release includes an update that supports VPN tunnels for users connected to ZPA Private Service Edges. With this update, Zscaler Client Connector users connected to ZPA Private Service Edges use public VPN Service Edges provisioned for the tenant in the Zscaler cloud. To learn more, se...
OAuth 2.0 Enrollment Support for App Connectors
An update was released to support OAuth 2.0 enrollment for App Connectors. OAuth 2.0 is the recommended method for enrollment for ZPA, but provisioning key enrollment is also supported. To use OAuth 2.0, the OAuth server FQDN "zpa-oauth.private.zscaler.com" must be all...
Access Policies for VPN (for Legacy Apps)
VPN (for Legacy Apps) provides access policy rules that can allow or block network traffic on VPN Service Edges. To create a rule, you need to define the source and destination IP addresses as well as the protocol used. An address book consists of Classless Inter-Domain Routing (...
Agent Age-Out for Microsegmentation
You can now configure a timer for the automatic age-out of disconnected agents for individual agent groups. When the timer is enabled, you can set the duration of days, hours, or minutes before access expires....
Kubernetes Clusters for Microsegmentation
Microsegmentation now provides visibility to resources such as deployments, statefulsets, replicasets, and daemonsets. When you deploy agents, you can view network flows in the Zscaler Private Access (ZPA) Admin Portal....
Tag Management for Microsegmentation
You can now use tags to annotate resources with metadata that can be used when defining membership criteria for resource groups. You can create namespaces, tag keys, and tag groups and assign them to managed resources. To learn more, see <a href="https://help.zscaler.com/zpa/configuring-resource-...
Automated Manager Software Updates for Private Service Edges and Private Cloud Controller
An update was released to support automated updates to the Manager software and software updates for ZPA Private Service Edge and Private Cloud Controller. Automated Manager software updates are available with a Manager software version of 25.46.3 or later and...
VPN Service Edge Software Update
This release fixes an intermittent issue with VPN redundancy where upgrading the VPN Service Edge caused it to lose the Border Gateway Protocol (BGP) override configuration file upon restart, which resulted in the BGP neighborship between the Network Connector and VPN Service Edge dropping until...
Extranet Client Type Support
A new client type and criteria for Extranet is supported when configuring an access policy. The Extranet client type and criteria allow admins to assign an extranet to an application segment to provide a defined set of partners, and supports both location and sublocation for extranet traffic. The...
Application Tagging Support
An update was released to support adding more metadata for tagging applications to provide a more granular grouping and access management strategy. To learn more, see Tag Management for Defined Application Segments....
Using the Application Map for Microsegmentation
The Application Map for Microsegmentation is a visual representation of your network data and how it all works together. The interactive graph provides widgets for resource group, Public Internet, and VPC/VNET data that can aid in policy configuration and general resource mainten...
Manager Software Updates
A recommended update was released that includes updated App Connector and ZPA Private Service Edge RPM packages for Red Hat Enterprise Linux 8.x and 9.x, and Private Cloud Controller and Network Connector RPM packages for Red Hat Enterprise Linux 9.x. You can downlo...
Platform Filter for App Connectors and Private Service Edges
A Platform filter is available on the App Connectors and Private Service Edges pages so you can search for obsolete versions of CentOS 7 (el7) or find the package OS version for Red Hat Enterprise Linux 8 or 9 (el8 or el9). See image.</a...
Support for Machine Tunnel Widget on Users Dashboard
You can configure your Private Access Users dashboard to include a widget that displays the top 10 users of machine tunnels for a selected time frame. See image. To learn more, see <a href="https://help.zscaler.com/zpa/about-use...
Updated GCP Image for Private Cloud Controller
An updated Red Hat Enterprise Linux 9 Google Cloud Platform (GCP) image is available for Private Cloud Controller. To learn more, see Private Cloud Controller Software by Platform....
Resource Type Update for Microsegmentation Machine Learning Recommendations
The following new resource types were added to the audit logs for machine learning (ML) recommendations resource groups in Microsegmentation: • Microsegmentation Namespace • Microsegmentation Recommended Resource Tag • Microsegmentation Resource • Microsegmentation Tag...
Visual Indicator for Turbo Mode in Isolation for ZPA
If Turbo Mode is enabled on an isolation profile and the user also has hardware acceleration enabled, the appearance of the zGPU icon next to the Turbo Mode command is displayed in the Isolation Bar. See image. To...
Application Catalog for Microsegmentation
Admins can view a list of applications in Microsegmentation by navigating to Tag Management > Application Catalog. This gives admins insight into the applications found running on their virtual machines (VMs), and shows how the applications are used to generate the machine-learni...
Auto-Tagging for ML Recommendations in Microsegmentation
Microsegmentation supports machine learning (ML) recommendations for resources based on the behavior logged in existing flows. The ML recommendations suggest specific tags to add to a resource or multiple resources. The ML-recommended tags appear in the Criteria section when configuring a resourc...
CIDR and IP Address Ranges for Resource Group Configuration in Microsegmentation
Classless Inter-Domain Routing (CIDR) and IP address ranges are now available as dynamic criteria environment options when configuring resource groups in Microsegmentation. You can access these options by navigating to Add Resource Group > Criteria > Dynamic Membership > Environm...
Multiple LAN IP Address and Subnet Support in VPN (for Legacy Apps)
When adding or editing a Network segment, you can add up to 64 LAN IP addresses and subnets to a segment. See image. To learn more, see <a href="https://help.zscaler.com/zpa/about-network-segments" target="_blank...
Logging Activity Custom Range
Logging activity allows users to select a custom range with a start date beyond 14 days. Contact Zscaler Support to enable this feature for your organization. To learn more, see <a href="https://help.zscaler.com/zpa/accessing-user-activity-diagnostics" target="_blank" data-entity-type="node...
Update to Server Groups in AI-Powered Recommendations
When adding application segments to AI-Powered Recommendations, server groups are prepopulated and multiple groups can be selected. See image. To learn more, see <a href="https://help.zscaler.com/zpa/configuring-ai-powere...
VPN (for Legacy Apps) Update
An update is available for VPN (for Legacy Apps) that allows you to configure a version profile to associate a Network Connector with the default, previous, newest, or custom release on the Network Connector Groups page. For example, you can upgrade all Network Connector groups t...
VPN for Legacy Apps Preview Available to ZPA Customers
VPN for Legacy Apps Preview is now available. Contact your Zscaler Account team to purchase this add-on or start a 30-day trial. ZPA can natively support a secondary Layer 3 network-based VPN tunnel for applications and services (e.g., VoIP or server-to-client) that require Layer 3 IP-based...
Enhanced Support for Microtenants and Business Continuity
This release supports hosting ZPA Private Service Edges and Private Cloud Controllers in each Microtenant, and ensures that users are redirected to ZPA Private Service Edges from their respective Microtenant. To learn more, see <a href="https://help.zscaler.com/zpa/understanding-business-co...
Updated ZPA Private Service Edge OVA Images
Updated Red Hat Enterprise Linux 9 ZPA Private Service Edge images are available to support the upcoming release of automated OS security updates, ZPA Manager software updates, and OAuth 2.0 enrollment. The following updated images are available: • Nutanix • VMware To l...
Updated GCP Image for Network Connector
An updated Red Hat Enterprise Linux 9 Google Cloud Platform (GCP) image is available for Network Connector. To learn more, see Network Connector Software by Platform....
Updated GCP Image for Private Service Edge
An updated Red Hat Enterprise Linux 9 Google Cloud Platform (GCP) image is available for ZPA Private Service Edge. To learn more, see ZPA Private Service Edge Software by Platform....
Private Cloud Controller and Network Connector Support for Usage Metrics
The Notifications and events diagnostics services support Private Cloud Controllers and Network Connectors for the following events: • Bandwidth Utilization Exceeded Limit • CPU Exceeded Limit • Disk Space Exceeded Limit • File Descriptors Exhausted • Source Port...
Manager Software Updates
A recommended update was released that includes updated App Connector and ZPA Private Service Edge RPM packages for Red Hat Enterprise Linux 8.x and 9.x, and Private Cloud Controller and Network Connector RPM packages for Red Hat Enterprise Linux 9.x. You can download the Manager software f...
Resolved Issues
A fix was released to address a validation issue when using the 14 Days preset date range in the User Activity diagnostics. To learn more, see Accessing User Activity Diagnostics....
Agent Manager Status and Version for Microsegmentation
The Agent Manager Status and Agent Manager Version are available to view in the Agent table, as well as the expanded Agent Details section for each agent. See image. To learn more, see <a href="https://help....
App Connector GCP and Azure Image Support for Automated OS Security Updates, ZPA Manager Software Updates, and OAuth 2.0 Enrollment Support
Updated Red Hat Enterprise Linux 9 App Connector images are available to support upcoming releases of automated OS security updates, ZPA Manager software updates, and OAuth 2.0 enrollment support. The following updated images are available: • Google Cloud Platform • Microsoft Azure...
AWS Prebuilt Image Support for Network Connector
A new Network Connector image is available for Amazon Web Services (AWS) that includes support for upcoming VPN redundancy features. If you want to enable firewalld on a system running the Network Connector, you must perform additional steps to modify the firewall filter rule f...
VPN Service Edge Software Update
An update was released to fix an issue where VPN Service Edge encountered an error condition when a large number of network segments were configured. To learn more, see About VPN Service Edges....
App Connector AWS Image Support for Automated OS Security Updates, ZPA Manager Software Updates, and OAuth 2.0 Enrollment Support
An updated Red Hat Enterprise Linux 9 App Connector AWS image is available to support upcoming releases of automated OS security updates, ZPA Manager software updates, and OAuth 2.0 enrollment support. To learn more, see <a href="https://help.zscaler.com/zpa/zpa-app-connector-software-by-pl...
Events and Notifications Enhancements
The Notifications service supports Network Connectors when configuring a notification. The following events are supported for Network Connectors: • Last Component Disconnected • <sp...
App Connector OVA Image Support for Automated OS Security Updates, ZPA Manager Software Updates, and OAuth 2.0 Enrollment Support
Updated Red Hat Enterprise Linux 9 App Connector OVA images are available to support upcoming releases of automated OS security updates, ZPA Manager software updates, and OAuth 2.0 enrollment support. The following updated images are available: • Nutanix AHV • VMware To...
VPN Service Edge Software Update
An update was released to fix an issue where the VPN Service Edge dropped packets with asymmetric routing. To learn more, see About VPN Service Edges....
Resolved Issues
Multiple fixes for agent version zms-1.6.3 have been released to address several issues. Zscaler recommends upgrading to this agent version to avoid any disruption to traffic due to these issues: • An issue was fixed in the agent where customers would continue to see flow logs from agent...
Manager Software Updates
A recommended update was released that includes updated App Connector and ZPA Private Service Edge RPM packages for Red Hat Enterprise Linux 8.x and 9.x, and Private Cloud Controller and Network Connector RPM packages for Red Hat Enterprise Linux 9.x. You can download the Manager software f...
Filtered Reports for Application and User Group Relationships
You can download reports for filtered application segments on the Application and User Group Relationships insights page. See image. To learn more, see <a href="https://help.zscaler.com/zpa/viewing-application-a...
GCP Prebuilt Image Support for Network Connector
A new Network Connector image is available for Google Cloud Platform (GCP) that includes support for upcoming VPN redundancy features. If you want to enable firewalld on a system running the Network Connector, you must perform additional steps to modify the firewall filter rule...
High Availability and Redundancy in VPN (for Legacy Apps)
VPN (for Legacy Apps) uses Border Gateway Protocol (BGP) to ensure high availability and fault tolerance by providing alternate paths to reach applications during Network Connector node failures and Network Connector to VPN Service Edge path or link failures. If a failure occurs...
Agent Connection Status Log Updates for Microsegmentation
The Agent Connection Status Logs have been updated to specify the different reasons why an agent failed to deploy or upgrade. To learn more, see About Agent Connection Status Logs....
Agent Groups for Resource Group Environment in Microsegmentation
When configuring resource groups, you can add an Agent Group as an option for Dynamic Criteria. This is listed under a new category named ZMS. See image. To learn more, see <a href="https://help.zscaler.com/zpa/configuring-...
API Discovery for AppProtection
API Discovery Insights provides you with deeper insight into API logs and API users for AppProtection. The analytics for API Discovery Insights can be viewed on the AppProtection Diagnostics page using the API Insight filter. API Discovery is supported on the <a href="https://help.zscaler.com/zpa...
Custom Timestamp Tool for Analytics in Microsegmentation
A customizable timestamp selector tool has been added for the Analytics Logs tables in Microsegmentation. This is available for Flow Logs, Agent Telemetry, Agent Connection Status Logs, and Event Logs. See image. <p...
Initial Target Version in Microsegmentation
You can specify the initial target version of the agent for an agent group. This means that whenever you start the agent, it automatically checks to see if it needs to update itself to the target version you specify, and apply the update if needed. <a class="image-icon" hre...
Manual Agent Upgrade Option for Microsegmentation
You can manually upgrade your agents either individually or by initiating an Agent Group upgrade. You can find the Upgrade Now button in the Actions column of the Agents page or Agent Groups page. See image. To lear...
Backup Support for Private Cloud Controllers
Users can schedule a maximum of 100 backup copies of the configuration and policy downloaded by Private Cloud Controllers to improve reliability and availability. You can restore a backup using a script. See image. To learn mor...
Business Continuity Updates
Business Continuity includes the following updates: • A manual override is available to force Private Cloud Controllers, Private Service Edges, and App Connectors into Business Continuity mode. This option is available when editing a Private Cloud. <a class="ima...
Private Cloud Controller Support for Remote Troubleshooting
You can create sessions for Private Cloud Controllers for remote troubleshooting on the Support Information page of the ZPA Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zpa/accessing-and-...
Support for Private Cloud Controllers in the Notifications Service
The Notifications service supports Private Cloud Controllers when configuring a notification. The following events are supported for Private Cloud Controllers: • Control Connection Disconnected • CPU Starvation • Enrollment Completed • Invalid System Li...
Default Filter Operator in Diagnostics
You can configure the default filter operator in the diagnostics settings. See image. To learn more, see Configuring Diagnos...
Deleting Disabled IdP Configurations for ZIdentity Admin Migration
Disabled admin IdP configurations that are migrated to ZIdentity will be permanently deleted after 30 days after migration. This only applies to admins that are subscribed to ZIdentity for users. See image. To learn...
Source IP Address Filter in User Activity Diagnostics
You can filter by Source IP Address in the user activity diagnostics. See image. To learn more, see Accessing User Activ...
Scheduled VPN Service Edge Software Updates
This release includes the following enhancements for scheduling updates for VPN Service Edges: • When adding a VPN Service Edge, you can schedule when a VPN Service Edge software update occurs to avoid service interruptions.</sp...
Azure Prebuilt Image Support for Network Connector
A new Network Connector image is available for Microsoft Azure that includes support for upcoming VPN redundancy features. If you want to enable firewalld on a system running the Network Connector, you must perform additional steps to modify the firewall filter rule for VPN red...
Extranet Support in Access Policies
An update was released to support using Extranet as the client type in Access Policies. To learn more, see Extranet Client Type S...
Manager Software Updates
A recommended update was released that ensures that if an OS upgrade is successful, and any underlying libraries that might be used by the Manager software are changed, the Manager software immediately restarts to make sure that there aren't any dependency errors. This release also includes...
Resolved Issues
Resolved a rare root password expiration condition for 2024.11 and 2024.12 images when upgrading to the latest Manager software release. To learn more, see Understanding the Manager Software....
Notifications Service Updates
The following updates were made to the notifications service: • The Disk Space Exceeded Limit event threshold was increased from 1024 MB to 2048 MB. • The Enrollment Certificate Expired and Enrollment Failed events were added for App Connectors and ZPA Private Service Edges. </...
Privileged Approval Request Email Notifications
When you add or edit a privileged portal for Privileged Remote Access (PRA), you can add email addresses to notify administrators when a privileged approval request has been created, approved, and rejected. To use this feature, you must have an access policy that allows privileged approvals and a...
Manager Software Updates
A recommended update was released that ensures that if an OS upgrade is successful, and any underlying libraries that might be used by the Manager software are changed, the Manager software immediately restarts to make sure that there aren't any dependency errors. This release also includes...
VMware Prebuilt Image Update for Network Connector
An updated Network Connector image is available for VMware that includes support for upcoming VPN redundancy features. If you want to enable firewalld on a system running the Network Connector, you must perform additional steps to modify the firewall filter rule for VPN redunda...
Discovered Application Segments Update for Usage Insights
Discovered Host Count reports provide insight into the top 10 application segments by discovered host count, and are visible on the Application Segments Usage page. See image. In addition, a Discovered...
Repository Update to Upgrade the Host OS to RHEL 9.6
A repository update that enhances virtual images is available for App Connectors, ZPA Private Service Edges, and Private Cloud Controllers. This update allows the host operating system (OS) to upgrade from Red Hat Enterprise Linux (RHEL) 9.4 and 9.5 to RHEL 9.6. To learn more, see <a href="...
SAML & SCIM Support for Usage Insights
You can select SAML and SCIM attributes in the Settings drawer of the Application and User Group Relationships page. See image. To learn more, see <a href="https://help.zscaler.com/zpa/viewing-applic...
AI-Powered Recommendations Updates
The Recommended Configuration drawer includes the following updates: • The Users tab and Attributes tab for observed users includes a Total Users or Group Size column that lets you compare the number of observed users in the recommendation to the total number of users.</...
Disk Space Exceeded Limit Update in Events Diagnostics
An update was released that increases the Disk Space Exceeded Limit event threshold from 1024 MB to 2048 MB in Events Diagnostics. See image. To learn more, see <a href="https://help.zscaler.com/zpa/viewing-and-manag...
AppProtection API Protection Update
The following updates were made to the AppProtection API Protection feature: • API Protection is included when configuring an application segment, by default. • Some API Protection controls were moved to OWASP Predefined controls and ThreatLabZ controls. • New filters were ad...
Enhanced Capabilities for API Protection
An update was released to support enhanced visibility and controls for API Protection. To learn more, see Configuring AppProtection Profiles....
Amazon Web Services Image Update for App Connector
A new AWS image is available for App Connector to support upcoming automated Manager software and OS security updates. To learn more, see App Connector Deployment Guide for Amazon Web Servi...
Network Tag-Based Resource Groups for Microsegmentation
When configuring a resource group for Microsegmentation and adding cloud tags, you can now select the key "Exists." This allows the results to show if the tag itself exists at all or not, instead of matching that key to a value. When selected, the value field for the key is disab...
New Session Status Codes for Disconnections
If an App Connector or ZPA Private Service Edge was disconnected because of a planned restart, a redirect session status code is available on the User Activity Diagnostics page. To learn more, see <a href="https://help.zscaler.com/zpa/understanding-connector-software-updates" target="_blank...
LAN IP Addresses and Subnets in VPN (for Legacy Apps)
This release includes an update to support adding LAN IP addresses and subnets for VPN (for Legacy Apps) network segments. To learn more, see <a href="https://help.zscaler.com/zpa/release-upgrade-summary-2025?applicable_category=private.zscaler.com&deployment_date=2025-12-11&id=1534080" tar...
Manager Software Updates
A recommended update was released that includes updated App Connector and ZPA Private Service Edge RPM packages for Red Hat Enterprise Linux 8.x and 9.x. You can download the Manager software for <a href="https://help.zscaler.com/zpa/app-connector-deployment-guide-linux" target="_blank" dat...
Multimatch Validation for Application Segments
When Multimatch is enabled, a Multimatch Validation window appears for you to review any impacted application segments and conflicting features. Depending on the application segments selected, you might need to do one of the following: • Edit an application segment and disable unsupporte...
Cloud Service API Updates to Enable Multimatch in Bulk
The cloud service API includes the following new endpoints to extend programmatic access for application segment Multimatch: • "POST /customers/{customerId}/application/multimatchUnsupportedReferences" • "PUT /customers/144118148382064640/application/bulkUpdateMulti...
Resolved Issues
A fix was released to update how data is processed for the Peak Zscaler Client Connector Redirections to Private Service Edges widget and the Zscaler Client Connector Redirections to Private Service Edges activity monitor widget in the Private Cloud Controllers dashboard. To learn more, see...
Update to AI-Powered Recommendations by Confidence % Widget
The AI-Powered Recommendations by Confidence % widget was updated to AI-Powered Recommendations by Attack Surface Reduction % in the Applications dashboard. See image. To learn more, see <a href="https://help.zsc...
Kubernetes and OpenShift Enhancements for App Connector
This release provides the following updates for usability, security, and cross-platform compatibility improvements for the App Connector Helm charts: • Improved container security includes fine-grained capability control options (minimal, full, custom). If "CAP_NET_RAW" is...
Multifile Support for Isolation in ZPA
Users can now upload multiple files simultaneously while in an isolated session. There is no minimum or maximum limit while uploading. See image. To learn more, see <a class="url-external" href="https://help.zscaler....
AWS and Azure Image Support for Private Cloud Controllers
A new Red Hat Enterprise Linux 9 Private Cloud Controller image is available in the AWS Marketplace and Microsoft Azure Marketplace. To learn more, see Private Cloud Controller Software by Plat...
Docker Image Updates
New Red Hat Enterprise Linux 9 App Connector and ZPA Private Service Edge images are available for Docker. This release includes: • Auto-updates for security patches during every container start or restart using "micro-dnf". • New Docker deployments that automatically in...
Provisioning Key Hardening in the ZPA Admin Portal
When creating a provisioning key for ZPA features such as App Connectors, Private Service Edges, Private Cloud Controllers, Network Connectors, or Machine Tunnels, you can choose to hide the provisioning key so it doesn't appear in the ZPA Admin Portal and can't be copied or downloaded...
Updates to Cloud Service API
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZPA features and functionalities: • API Keys • Authentication • <a href="#clientToClie...
Event Logs for Agents and Resources
Microsegmentation now shows event logs for agent and resource diagnostics data. You can view a timestamp and priority level based on each log's information. See image. To learn more, see <a href="https://help.zscaler.c...
Managing Ignored ML Recommendations in Microsegmentation
You can now edit the list of ignored Machine Learning (ML) Recommendations for resource groups in Microsegmentation. This allows you to review the list of previously ignored recommendations and have the option to accept them. To learn more, see <a href="https://help.zscaler.com/zpa/about-ml...
ML Recommendations Dashboard Widget for Microsegmentation
The Overview Dashboard has a new widget to show Machine Learning (ML) Resource Group Recommendations for Microsegmentation. It provides a quick glimpse of enablement status and how many recommendations have been generated. See image.<...
Application Segments Usage
You can view or download Application Segments Usage reports from the ZPA Admin Portal to review insights into which application segments are actively used, and to provide visibility into which user groups are accessing the applications. Application Segments Usage reports are on...
Usage Insights
Usage Insights provides you with actionable insights into an organization's usage patterns between users and applications. See image. To learn more, see <a href="https://help.zscaler.com/zpa/about-usage-insights" ta...
AI-Powered Recommendations Updates
The following updates for AI-powered recommendations are available: • When adding an application segment from an AI-powered recommendation, you can create an access policy rule at the Policies step. The rule is added to the middle of the rule order. Click Edit Policy...
Increased Limit for Privileged Consoles
You can have a maximum total of 9,000 privileged consoles per Privileged Remote Access (PRA) Portal. To learn more, see <a href="https://help.zscaler.com/zpa/ranges-limitations" target="_blank" data-entity-type="node" data-entity-uuid="02379419-8fc4-4f23-bd6d-c71ca17061d3" data-entity-subst...
VMware and Nutanix Images Available for App Connector
New VMware and Nutanix images are available for App Connector to support upcoming automated Manager software and OS security updates. To learn more, see App Connector Deployment Guide for VMwa...
Manager Software Updates
A recommended update was released that includes updated App Connector and ZPA Private Service Edge RPM packages for Red Hat Enterprise Linux 8.x and 9.x. You can download the Manager software for <a href="https://help.zscaler.com/zpa/app-connector-deployment-guide-linux" target="_blank" dat...
Custom Controls Negative Match
When you define custom control parameters for AppProtection, you can select negative value operator options (Does not match, Does not contain, Does not start with, Does not end with, and Does not exist) and the positive value operator option (Exists). When you select the request method, you can c...
Removal of Executive Insights App
An update was released to remove the Executive Insights App from the ZPA Admin Portal. The Executive Insights App is supported in the ZIA Admin Portal and requires a subscription with Zscaler Internet Access (ZIA). To learn more, see <a href="https://help.zscaler.com/zia/accessing-and-using...
Agent Admin Status Inheritance for Microsegmentation
Agent Admin Status is enhanced to reflect if it is based on inheritance from the agent group that it is a part of, or set individually at the agent level, overriding the selection. See image. <a class...
Google Compute Engine Support for Microsegmentation
Google Compute Engine support has been added when configuring agent groups. Agents can now discover metadata like cloud region, project name, and VPC name for workloads when running in Google Cloud. See image. <div class...
Microsegmentation Overview Dashboard
Microsegmentation now has an Overview Dashboard that provides the current status of your environment. This dashboard introduces two new widgets that show percentages of Protected-to-Unprotected Resources and Protected-to-Unprotected Resource Groups. Additionally, it contains the...
API Discovery for API Protection
An update was released to support API Discovery for API Protection. To learn more, see API Discovery for AppProtection....
Manager Software Updates
A recommended update was released that includes updated App Connector, ZPA Private Service Edge, and Private Cloud Controller RPM packages for Red Hat Enterprise Linux 8.x and 9.x. You can download the Manager software for App Connectors, ZPA Private Service Edges, and Private Cloud Control...
OS Software Updates
An update was released to support automated updates to the App Connector, Private Service Edge for Private Access (ZPA), Private Cloud Controller, and Network Connector RHEL 9 operating systems. This includes security updates and full OS updates. To learn more, see <a href="https://help.zsc...
Support for Automated Manager Software Updates in App Connectors and Network Connectors
An update was released to support automated updates to the Manager software service for App Connector and Network Connector. To learn more, see Automated Manager Software Updates for App Connector and Network Connector. Manager softw...
Support for Automated Manager Software Updates in Private Service Edges and Private Cloud Controllers
An update was released to support automated updates to the Manager software service for ZPA Private Service Edge and Private Cloud Controller. To learn more, see <a href="https://help.zscaler.com/zpa/release-upgrade-summary-2026?applicable_category=private.zscaler.com&deplo...
Support for Existing IdPs in Business Continuity
Existing IdP configurations can be used to authenticate users during Business Continuity. See image. To learn more, see Confi...
Updated Status Code for Web Browser Client Type Timeout
When the ZPA service blocks a Web Browser request because the timeout policy requires the user to authenticate, an SE: Timeout policy blocked access status code appears. To learn more, see Ranges & Limitations.</p...
ZPA Hosting Detection for App Connectors
An update was released that allows ZPA to automatically detect data center hosting information, or you can enter it manually. See image. To learn more, see <a href="https://help.zscaler.com/zpa/configuring-connectors" t...
Zscaler-Managed Business Continuity Cloud
The Zscaler-managed Business Continuity cloud is a fully managed Private Cloud solution that is built on the isolated and dedicated Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) infrastructures. This ensures consistent cyber and data protection during critical failure events. For...
Viewing Where Your Apps Are Served
View hosting provider and analytical details of the App Connectors that have been serving your applications for the last quarter on the Where Are My Apps Being Served From? page. This insight allows you to understand where your applications are hosted because App Connectors...
Client Platform and Hostname in the LSS and Cloud Service API
Client platform and hostname details are available in the User Activity transaction logs when configuring a log receiver. Additionally, these fields are returned by the format field when managing Log Streaming Service (LSS) configurations using the cloud service API. <a cla...
STIG VM Private Service Edge Image for Nutanix
A Red Hat Enterprise Linux 9 Private Service Edge image that supports Security Technical Implementation Guide (STIG) is available for Nutanix. To learn more, see ZPA Private Service Edge Sof...
Resolved Issues
A fix was released to address an issue where extra braces in the JSON log format for Log Streaming Service (LSS) prevented logs from going to the SIEM. To learn more, see <a href="https://help.zscaler.com/zpa/about-log-streaming-service" target="_blank" data-entity-type="node" data-entity-u...
Credentials Diagnostics for Privileged Remote Access (PRA)
You can view analytics for privileged credentials on the Credentials Diagnostics page, including the total amount of privileged credentials and how many are currently in use. The privileged credentials based on protocol type are also displayed. To learn more, see <a href="h...
Updates to Approval Requests for Privileged Remote Access (PRA)
The following updates have been made to approval requests for Privileged Remote Access (PRA): • You can approve and reject approval requests in the ZPA Admin Portal, similar to how you review approval requests in the PRA Portal. • The Requests Diagnostics page name...
Disable Pop-Up Message to User
An update was released that renamed the Message to User field to Pop-Up Message to User when configuring or editing an access policy. As part of this update, the ability to disable the Pop-Up Message to User field is supported. This field only appears when the Rule Action is set to Block Access.<...
Cloud Service API Support for Onboarding Customers
The cloud service API includes the following new endpoints for administrator management, administrator role management, and client settings management: • "GET /mgmtconfig/v1/admin/customers/{customerId}/administrators/{adminId}" • "GET /mgmtconfig/v1/admin/customers...
Last Component Disconnected Event Priority Update
The priority for the Last Component Disconnected event in the events diagnostics and notifications service was updated from Low to High. This only applies to newly created events for App Connectors and ZPA Private Service Edges after May 9, 2025. To learn more, see <a href="https://help.zsc...
OWASP Predefined Controls Update
The OWASP predefined controls were updated to support version OWASP_CRS/4.8.0. By default, the version is set to OWASP_CRS/4.8.0 on the OWASP Predefined Controls page and the AppProtection Profiles page. The OWASP_CRS/4.8.0 version is supported on <a href="https://help.zscaler.com/zpa/app-connect...
Audit Log Updates for Microsegmentation Recommended Resource Groups
A new resource type for Microsegmentation Managed Recommended Resource Group was added to the Audit Logs. See image. To learn more, see <a href="https://help.zscaler.com/zpa/about-ml-recommendation...
Number of API Keys with This Role
A new column was added to the Roles page to track the number of API keys per assigned role. See image. To learn more, see About Roles. <div...
VPN (for Legacy Apps) Network Connector RPM Package
Zscaler has released a Network Connector RPM package that contains only the installation packages and privileges required by the Network Connector. VPN (for Legacy Apps) customers who previously installed the App Connector RPM package that included the Network Connector dependencies should uninst...
Chrome Enterprise Browser Diagnostics
You can view Chrome Enterprise browser analytics and policy log data on the Chrome Enterprise Browser Diagnostics page. See image. To learn more, see <a href="https://help.zscaler.com/zpa/accessing-ch...
Evaluate Access with Chrome Posture Profiles
ZPA integrates with Google's Chrome Enterprise browser to utilize its device posture signals, enabling more granular security controls (Browser Version, Operating System, OS Firewall status, etc.) and enhanced visibility for clientless access to private applications via ZPA...
Flow Dashboard Update in Microsegmentation
The Flow dashboard is enhanced to include policy decisions in the widgets, with the addition of new widgets for blocked flow records. The categories are divided into the Top Permitted Talkers, Top Blocked Talkers, Top Permitted Listeners, Top Blocked Listeners, Top Permitted Agen...
Installation Directory Update for Microsegmentation Linux Agent
The installation directory for the Linux agent in Microsegmentation has changed from "/opt/zscaler" to "/opt/zscaler/zms". This change also affects the location of the provisioning key, which is now copied to "/opt/zscaler/zms/var". For existing agents on version...
ML Recommendations for Resource Groups in Microsegmentation
Machine-learning (ML) recommendations are available for configuring resource groups in Microsegmentation. The recommendations are based off of analyzed resources that have multiple similarities, such as cloud user-defined tags, cloud environment metadata, and host data. Each ML r...
VMware Image Available for Network Connectors
A new Network Connector image is available for VMware. To learn more, see Network Connector Software by Platform....
VMware Image Available for Private Cloud Controller
A new Red Hat Enterprise Linux 9 Private Cloud Controller image is available for VMware. To learn more, see Private Cloud Controller Deployment Guide for VMware Platforms an...
Application Load Balancing and High Availability
Load balancing allows applications to be weighted between individual server groups or designated in dedicated passive groups for high availability. See image. To learn more, see <a href="https://help.zscaler.com/zpa/configu...
AppProtection Update
AppProtection updates to provide improved payload support for API formats (JSON and XML payloads) are available....
ZPA API Application Load Balancing Configuration
Applications can be updated to assign weights between individual server groups or designated in dedicated passive groups via the ZPA cloud service API. To learn more, see the ZPA API Develope...
Manager Software Updates
A recommended update was released that includes updated App Connector, ZPA Private Service Edge, and Private Cloud Controller RPM packages for Red Hat Enterprise Linux 8.x and 9.x. You can download the Manager software for <a href="https://help.zscaler.com/zpa/app-connector-deployment-guide...
Enhancing Security for Third-Party Clientless Access with ZPA and Chrome Enterprise Browser Integration
ZPA now integrates with the Chrome Enterprise browser to enhance security access to private applications using Browser Access. By leveraging Chrome's device posture signals, ZPA enforces granular security controls to manage clientless (third-party or contractor access) to private application...
Filter Resources by Status for Microsegmentation
Microsegmentation resources can be filtered by Active or Inactive status. See image. To learn more, see About Resources. <div class="s...
Flow Log Filters for Direction and Resource Group Name in Microsegmentation
Microsegmentation flow logs can be filtered by Inbound or Outbound traffic direction and by Resource Group Name. See image. To learn more, see <a href="https://help.zscaler.com/zpa/about-flow-logs" ta...
Ubuntu Linux Support for Microsegmentation
Microsegmentation supports Ubuntu Linux devices for the following versions: • 16.04.7 • 18.04 LTS • 20.04 LTS • 22.04 LTS • 24.04 LTS...
Update to Agent Groups Filter for Upgrade Status for Microsegmentation
Microsegmentation agent groups have a new Upgrade Status filter option called Completed With Failures. This option allows you to filter which agent groups completed the latest version upgrade, but had failures occur. You can click the Upgrade Status for the agent group to expand...
Alert for Disconnected App Connectors
If any App Connectors have been disconnected for one year or more, an alert appears when you log in to the ZPA Admin Portal. Click the number of disconnected App Connectors to open the App Connectors page, which is filtered by the disconnected App Connectors so you can review or delete them. <...
API Keys Page Update
An update was released to remove the ZPA API Portal link from the API Keys page. To learn more, see About API Key Management....
VPN (for Legacy Apps)
ZPA can natively support a secondary Layer 3 network-based VPN tunnel for applications and services (e.g., VoIP or server-to-client) that require Layer 3 IP-based connectivity consistent with its Zero Trust security architecture and inside-out connection. From a single client for users and a sing...
STIG VM Image Updates for Microsoft Azure
Red Hat Enterprise Linux 9 App Connector and Private Service Edge images that support Security Technical Implementation Guide (STIG) without requirements to disable password expiration are available for Microsoft Azure. The Azure STIG-hardened images released on December 12, 2024, required the pa...
Update to Automatic Certificate Generation
An update to automatic certificate generation for AppProtection is available. By enabling AppProtection for an application segment and selecting an AppProtection enrollment (CA) certificate, you can automatically generate certificates to support AppProtection TLS inspection. To learn more,...
AppProtection Control Exceptions
When configuring an AppProtection profile, you can add exceptions to OWASP predefined controls. After you create exceptions, you can review the exceptions under the OWASP predefined controls they are assigned to on the AppProtection Profile page. To learn more, see <a href="https://help.zsc...
Client Connector for VDI Support
ZPA supports a new client type called Client Connector for VDI. Client Connector for VDI is a lightweight client for multi-session VDI environments. Admins can view and configure user-level ZPA policies to protect their multi-session ZPA users. To learn more, see <a href="https://help.zscal...
ZPA API Support for Multi-Session VDI
A new client type is available in the ZPA cloud service API to support multi-session VDI. To learn more, see the API Developer & Reference Guide, <a href="https://help.zscaler.com/zpa/configurin...
STIG VM Image Update for Nutanix
A Red Hat Enterprise Linux 9 App Connector image that supports Security Technical Implementation Guide (STIG) without requirements to disable password expiration is available for Nutanix. The Nutanix STIG-hardened image that was released on December 12, 2024, required the password to be disabled....
STIG VM Image Updates for VMware
Red Hat Enterprise Linux 9 App Connector and Private Service Edge images that support Security Technical Implementation Guide (STIG) without requirements to disable password expiration are available for VMware. The VMware STIG-hardened images that were released on December 12, 2024, required the...
Business Continuity Support
ZPA Business Continuity ensures continued access to applications for users in events where the reachability or availability of the ZPA cloud is affected. ZPA Business Continuity requires Business Continuity Settings, Private Clouds, and Private Cloud Controllers to be configured in the ZPA Admin...
LSS Support for Private Cloud Controllers
An update was released in the Log Streaming Service (LSS) to provide stats for Private Cloud Controller status and metrics. The new log types can be selected when configuring a log receiver. <p class="mt-...
Microphone and Camera Functionality for Isolation Profiles in ZPA
Isolation allows microphone and camera functionality on the user's device while in an isolated browser. This can be enabled per isolation profile if Turbo Mode is also enabled. See image. To learn more, see...
Role-Based Access Control for ZPA API
Granular role-based access control (RBAC) for ZPA API is available. You can select predefined roles or custom roles for API keys when adding them in the API Keys page of the ZPA Admin Portal. To enforce RBAC on all publicly available ZPA API operations, create a predefined or custom role in the Z...
STIG VM Image Updates for AWS and GCP
Red Hat Enterprise Linux 9 App Connector and Private Service Edge images that support Security Technical Implementation Guide (STIG) without requirements to disable password expiration are available for Amazon Web Services (AWS) and Google Cloud Platform (GCP). AWS and GCP STIG-hardened images re...
Microsegmentation Admin Config Resource Type Update
A new resource type for Microsegmentation Admin Config was added to the Audit Logs page. See image. To learn more, see <a href="https://help.zscaler.com/zpa/about-audit-logs#resourceTy...
Disconnect Time UX Improvement for App Connectors
Resolved a UX issue in the ZPA Admin Portal where the App Connector disconnect time appeared as zero. To learn more, see Accessing App Connector Status Diagnostics....
Extranet Application Support Available on Cloud & Branch Connectors
Extranet Application Support is available on ZPA Cloud Connectors and Branch Connectors. To learn more, see About Extranet, About Cloud Con...
Manager Software Updates
A recommended update was released that includes updated App Connector and ZPA Private Service Edge RPM packages for Red Hat Enterprise Linux 7.x, 8.x, and 9.x. You can download the Manager software for <a href="https://help.zscaler.com/zpa/app-connector-deployment-guide-linux" target="_blan...
Platform Information Available for User Activity Log
An update was made to support the platform where Zscaler Client Connector is installed in the User Activity Logs. To learn more, see Accessing User Activity Diagnostics....
Managed Browser Access and Portal Certificates
You can publish Browser Access applications, user portals, and Privileged Remote Access (PRA) Portals with Zscaler-managed certificates and DNS. This reduces the need to create and renew custom certificates. You can also publish links from a user portal in a PRA privileged portal to provide...
Cookie Persistence Renamed to Persistent State for Isolation Profiles
In ZPA isolation profiles, the cookie persistence toggle has been updated to be called Persistent State. See image. To learn more, see <a href="https://help.zscaler.com/isolation/using-persistent-state-isolation" targe...
Credential Pooling for Privileged Remote Access (PRA)
You can assign multiple privileged credentials within a privileged credentials policy using a privileged credential pool. When you create a privileged credential pool, you can include one or more privileged credentials. This allows users to simultaneously access the same privileged console, but w...
Generating AI-Powered Recommendations for Application Segments
ZPA allows you to generate AI-powered recommendations for application segments. You can view the time when the recommendations were last generated and the next time the recommendations will be available. See image. To learn m...
My Approvals in the PRA Portal
You can create and manage privileged approval requests, approve existing privileged approvals, and reject existing privileged approvals in the Privileged Remote Access (PRA) Portal. You can view the analytics for the privileged approval requests on the Requests page in the ZPA Admin Portal. This...
User Platform Filter for Activity Logs
A new diagnostics user activity filter was introduced to support filtering user activity by client platform (i.e., Windows, macOS, Linux, Android, or iOS). To learn more, see <a href="https://help.zscaler.com/zpa/accessing-user-activity-diagnostics" target="_blank" title="Accessing User Act...
Increased Administrators Limit
The maximum limit of administrators per organization has increased to 5,000. To learn more, see Ranges & Limitations....
Azure Virtual Machine Support for Microsegmentation
Agents deployed in Azure virtual machines provide visibility into the Azure cloud environment, including user-defined tags. The Azure environment variables and user-defined tags can be used to configure resource groups....
Enforcement Flow Logs Enhancements for Microsegmentation
Microsegmentation flow logs are enhanced to include fields and filters for policy information, such as Action, Rule Name, and Enforcement Reason. See image. <a class="ck-anchor" id="Flow-Logs...
Log Streaming Service Support for Microsegmentation
Microsegmentation policy enforcement flow logs can be sent to an admin's external SIEM via the ZPA Log Streaming Service (LSS) for archival and analysis. Microsegmentation audit logs are already streamed via LSS as part of ZPA audit logs....
Microsegmentation Policy Enforcement
Admins can create Layer 3 and Layer 4 Microsegmentation enforcement policies to protect east-west traffic in both cloud and data center environments. Global policy enforcement settings such as enablement and default policy selection can be found in the ZPA Admin Portal under Micr...
Policy Map in Microsegmentation
The Policy Map provides a read-only graphical view of Microsegmentation policy configurations. Admins can view policies that are configured for particular AppZones by selecting from the AppZone drop-down menu. They can also see a bird's-eye view of what other policies might...
Resource Group Configuration for Microsegmentation
Resource groups are the anchor for configuring Microsegmentation enforcement policies. Admins can create resource groups based on a combination of the resources added to them and a mix of dynamic criteria, including hosts, environments, and cloud tag data. Resource groups can be...
ZPA API Log Streaming Service (LSS) Support for Microsegmentation
LSS support for Microsegmentation is available in the ZPA API when creating or updating LSS configurations using the "zms_flow_log" log type. To learn more, see Managing...
App Segment Multimatch Rule Processing
Multimatch is a feature that allows an application request to match multiple application segments. When Multimatch is enabled, policy evaluation is applied to multiple application segments, whereas the policy evaluation is applied to a single application segment for the default b...
Pattern Matching for Application Segments
Admins can define applications with patterns within application segments. Pattern matching allows the policy evaluation to be used with hostname patterns instead of exact fully qualified domain names (FQDNs). The same functionality is supported via the ZPA cloud service API. To learn more,...
Backup and Restore
You can create a backup of configuration settings in the ZPA Admin Portal. After a backup is created, you can restore a backup and return to the previous configuration. See image. In addition, the followin...
Transaction ID in Audit Logs
An update was released to include a Transaction ID column on the Audit Logs page of the ZPA Admin Portal. A Transaction ID, created by the OneAPI framework, is the unique identifier that binds multiple related API requests to assist in troubleshooting API request issues. <a...
Quarterly Business Review Reports
View or download Quarterly Business Review (QBR) reports from the ZPA Admin Portal to review insights into how Zscaler helps protect your network. The reports provide emerging traffic trends of private application usage across your organization. <a class="image-icon" href="...
Manager Software Updates
A recommended update was released that includes updated App Connector and Private Service Edge RPM packages for Red Hat Enterprise Linux 7.x, 8.x, and 9.x. If you have IMDSv2 set to Required, the Manager software update is highly recommended. The Manager software version is 24.692.9. You ca...
Invalid System Listen IP Address Configuration for Events and Notifications
An update was released to add system metrics to the events diagnostics and notification management service for invalid listen IP address configurations on a ZPA Private Service Edge. To learn more, see <a href="https://help.zscaler.com/zpa/viewing-and-managing-events-diagnostic...
Manager Software Updates
A recommended update was released that includes updated App Connector and ZPA Private Service Edge RPM packages for Red Hat Enterprise Linux 7.x, 8.x, and 9.x. The Manager software version is 24.692.8. You can download the Manager Software for <a href="https://help.zscaler.com/zpa/app-conne...
AI-Powered Recommendations Updates
The AI-Powered Recommendations page was updated to include: • User recommendations based on the SCIM groups if the SCIM groups are synced for application segments access. • A new column called Attack Surface Reduction that displays the percentage diffe...
Recommended Application Segments Renamed to AI-Powered Recommendations
An update was released that renamed Recommended Application Segments to AI-Powered Recommendations on the Application Segments page. The Description column was consolidated into the Grouping Reasons column. The Settings page is now a drawer located on the AI-Powered Recommendatio...
Application Segment Import for Merging Application Segment Data
Users can upload application data through Application Segment Import and merge the uploaded data to easily configure defined application segments. This allows granular application data to be imported in bulk and later used for different configurations depending on the type of application segment...
STIG Platform Image Support on Microsoft Azure
A new Red Hat Enterprise Linux 9 Private Service Edge image that supports Security Technical Implementation Guide (STIG) is available for Microsoft Azure. To learn more, see ZPA Private Serv...
Extranet Application Support
Extranet allows Zscaler customers to access a business partner's private application without needing to install an App Connector in the partner's environment or extend an IPSec tunnel from the customer's data center to the business partner's data center. Instead, a Zscaler cus...
Service - zpatwo.net
Manager Software Updates
A recommended update was released that includes updated App Connector and Private Service Edge for Private Access (ZPA) RPM packages for Red Hat Enterprise Linux 8.x and 9.x, and Private Cloud Controller and Network Connector RPM packages for Red Hat Enterprise Linux 9.x. You can download t...
Agent Telemetry Status Changes
Several new statuses are available for filtering Agent Telemetry results. For agents, the following statuses are available: • Up to Date: The new agent upgrade version number is either greater than or equal to the agent version...
Rule Order for Microsegmentation Policies
Microsegmentation policy rules are now organized by order instead of by priority numbers. Admins can re-order rules at any time and as many times as needed. Any rule order changes are tracked in Event Logs. See image....
Automated Manager Software Updates for App Connectors and Network Connectors
An update was released to support automated updates to the Manager software service for App Connector and Network Connector. Automated Manager software updates are available with a Manager software version of 25.46.3 or later and an App Connector or Network Con...
Automated Operating System Updates
An update was released to support automated security updates to the RHEL 9 operating system (OS) for App Connector, Private Service Edge for Private Access (ZPA), Private Cloud Controller, and Network Connector. This includes security updates and full OS updates. <p class="not...
Hostname in VPN Connected Users
The client hostname was added to the VPN Connected Users page. See image. To learn more, see About VPN Connected Users. <div class="su...
Multiple Private Access Tenant Support with ZIdentity
An update was released to provide support for two Private Access (ZPA) tenants with a single ZIdentity tenant. Customers with more than one single Internet & SaaS (ZIA) and Private Access tenant can manage them in the Zscaler Admin Console. <a class="image-icon" href="#acco...
Tag Management for Defined Application Segments
Private Access (ZPA) supports Tag Management, which enables you to create, organize, and manage tags for classifying and grouping resources more effectively. Tag Management standardizes tagging across environments to simplify policy configuration and improve visibility into relat...
Enhancements to AI-Powered Recommendations
An update was released to provide the following enhancements to the AI-Powered Recommendations page: • Recommendations are sorted into intuitive categories for User Groups, Observed Users, and Application Type to improve discoverability and allow users to focus on releva...
Anti-Tamper Protection for the Microsegmentation Agent
Anti-tamper protection for the Microsegmentation agent ensures that the agent service (e.g., reporting, enforcement, and upgrades) can't be maliciously disabled or altered. This includes alterations attempted by an untrusted actor running with admin privileges....
Kubernetes Updates for Microsegmentation
Microsegmentation now extends support for Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE). Customers can install the Microsegmentation agent for these services to gain visibility to Kubernetes inventory and flow logs. To learn more <a href="https://help.zscaler.com/zpa/abo...
SLES 15 Support for Agent Installation in Microsegmentation
The Microsegmentation agent can now be installed on Suse Linux Enterprise Server 15. To learn more, see <a href="https://help.zscaler.com/zpa/installing-upgrading-agent-manager" target="_blank" data-entity-type="node" data-entity-uuid="1a276ceb-97ba-45d7-abf2-baba3ee1a843" data-entity-subst...
Client Browser for Zero Trust Browser
Zero Trust Browser has been updated with several significant changes to provide seamless and secure enterprise access from any browser. The solution consists of three primary components: a browser extension that handles web-based security and access, a lightweight agent that enforces device postu...
Support for Secondary DNS Servers in Network Segments
If users access an application via FQDN, you can assign a secondary DNS server as a backup in Network segments. This ensures DNS resolution remains close to the VPN Service Edge's physical location. This feature requires Zscaler Client Connector 4.9 or lat...
VPN (for Legacy Apps) Resolved Issue
A fix was released to address a misconfiguration in "/etc/logrotate.d/frr" that caused the logrotate service not to start for Network Connectors and VPN Service Edges....
Client Connector Trusted Network Criteria Option
You can select Client Connector Trusted Network as a criteria option for the timeout policy. Client Connector Trusted Network allows users who are working from secure locations to be designated as part of a trusted network. This results in fewer reauthentication requests for trusted network users...
Manager Software Updates
A recommended update was released that includes updated App Connector and Private Service Edge for Private Access (ZPA) RPM packages for Red Hat Enterprise Linux 8.x and 9.x, and Private Cloud Controller and Network Connector RPM packages for Red Hat Enterprise Linux 9.x. You can download t...
Private Link Services
Private Access (ZPA) supports private link domains, allowing administrators to configure domain patterns that match private link CNAME records, including services such as Azure Private Link. This enables Private Access to correctly identify and route traffic to resources hosted behind private lin...
Provisioning Key Not Found Event Updates
Details for App Connector name, the time the App Connector was modified, and who modified the App Connector were added to the raw logs of the Provisioning Key Not Found event in Events Diagnostics. • V...
False Positive Rule Removals for OWASP Predefined Controls
False positive rules are being removed from the following OWASP_CRS control versions: • OWASP_CRS/4.8.0: 46 false positive rules • OWASP_CRS/3.3.5: 68 false positive rules • OWASP_CRS/3.3.0: 68 false positive rules Any AppProtection profiles with these rules confi...
VPN Service Edge Available in China
For organizations with the VPN (for Legacy Apps) service enabled, a VPN Service Edge is available in Beijing, China. This VPN Service Edge is only available to users in China to access applications in China. It should not be used to connect to applications outside of China, nor for users outside...
Application Type Classification for Application and User Group Relationships
A column for Application Types is available on the Application and User Group Relationships Usage page to provide visibility on application usage reporting. The application types are also available when viewing the CSV file of the downloaded reports. <a class="image-icon" h...
Manager Software Updates
A recommended update was released that includes updated App Connector and ZPA Private Service Edge RPM packages for Red Hat Enterprise Linux 8.x and 9.x, and Private Cloud Controller and Network Connector RPM packages for Red Hat Enterprise Linux 9.x. You can downlo...
Updated GCP Images
Updated Red Hat Enterprise Linux 9 Google Cloud Platform (GCP) images are available in the GCP Marketplace for App Connector, Private Service Edge, Private Cloud Controller, and Network Connector. To learn more, see <a href="https://help.zscaler.com/zpa/zpa-app-connector-software-by-platfor...
Agent Group and Custom Tags for ML Resource Group Recommendations in Microsegmentation
Machine learning (ML) resource group recommendations have been updated to include custom type tags and agent groups. See images. To learn more, see <a href="https://help.zscaler.com/zpa/about-ml-recommendations-resource...
Replacing or Migrating Existing Network Connectors with Network Connectors that Support Redundancy
For customers who are not yet running Network Connectors that support redundancy, Zscaler strongly recommends replacing or migrating existing Network Connectors with redundancy-capable Network Connectors. Network Connectors that support redundancy resolve the following failure scenarios: <...
Added Languages for International Keyboard Support for Privileged Remote Access
If you are using a privileged console with an RDP protocol for Privileged Remote Access (PRA), Zscaler has added support for additional keyboard languages: English (UK), Belgian French, Brazilian Portuguese, Swiss French, Swiss German, Hungarian, Italian, Norwegian, Spanish Latin American, Swedis...
Credential Agent Available for Privileged Remote Access
A new credential agent is available for Privileged Remote Access (PRA) that enables ZPA integration with external identity sources, including Active Directory and Microsoft Entra ID, for credential discovery. To learn more, see <a href="https://help.zscaler.com/zpa/release-upgrade-summary-2...
Credential Management for Privileged Remote Access
You can deploy a credential agent to automate the discovery, synchronization, and lifecycle management of privileged credentials for Privileged Remote Access (PRA) in the Zscaler Admin Console. After configuring the credential agent, you can: • Automatically discover credentials using LD...
Manager Software Updates
A recommended update was released that includes updated App Connector and ZPA Private Service Edge RPM packages for Red Hat Enterprise Linux 8.x and 9.x, and Private Cloud Controller and Network Connector RPM packages for Red Hat Enterprise Linux 9.x. You can download the Manager software f...
Support for VPN Tunnels Connected from ZPA Private Service Edges
This release includes an update that supports VPN tunnels for users connected to ZPA Private Service Edges. With this update, Zscaler Client Connector users connected to ZPA Private Service Edges use public VPN Service Edges provisioned for the tenant in the Zscaler cloud. To learn more, se...
OAuth 2.0 Enrollment Support for App Connectors
An update was released to support OAuth 2.0 enrollment for App Connectors. OAuth 2.0 is the recommended method for enrollment for ZPA, but provisioning key enrollment is also supported. To use OAuth 2.0, the OAuth server FQDN "zpa-oauth.private.zscaler.com" must be all...
Access Policies for VPN (for Legacy Apps)
VPN (for Legacy Apps) provides access policy rules that can allow or block network traffic on VPN Service Edges. To create a rule, you need to define the source and destination IP addresses as well as the protocol used. An address book consists of Classless Inter-Domain Routing (...
Agent Age-Out for Microsegmentation
You can now configure a timer for the automatic age-out of disconnected agents for individual agent groups. When the timer is enabled, you can set the duration of days, hours, or minutes before access expires....
Kubernetes Clusters for Microsegmentation
Microsegmentation now provides visibility to resources such as deployments, statefulsets, replicasets, and daemonsets. When you deploy agents, you can view network flows in the Zscaler Private Access (ZPA) Admin Portal....
Tag Management for Microsegmentation
You can now use tags to annotate resources with metadata that can be used when defining membership criteria for resource groups. You can create namespaces, tag keys, and tag groups and assign them to managed resources. To learn more, see <a href="https://help.zscaler.com/zpa/configuring-resource-...
Automated Manager Software Updates for Private Service Edges and Private Cloud Controller
An update was released to support automated updates to the Manager software and software updates for ZPA Private Service Edge and Private Cloud Controller. Automated Manager software updates are available with a Manager software version of 25.46.3 or later and...
VPN Service Edge Software Update
This release fixes an intermittent issue with VPN redundancy where upgrading the VPN Service Edge caused it to lose the Border Gateway Protocol (BGP) override configuration file upon restart, which resulted in the BGP neighborship between the Network Connector and VPN Service Edge dropping until...
Extranet Client Type Support
A new client type and criteria for Extranet is supported when configuring an access policy. The Extranet client type and criteria allow admins to assign an extranet to an application segment to provide a defined set of partners, and supports both location and sublocation for extranet traffic. The...
Application Tagging Support
An update was released to support adding more metadata for tagging applications to provide a more granular grouping and access management strategy. To learn more, see Tag Management for Defined Application Segments....
Using the Application Map for Microsegmentation
The Application Map for Microsegmentation is a visual representation of your network data and how it all works together. The interactive graph provides widgets for resource group, Public Internet, and VPC/VNET data that can aid in policy configuration and general resource mainten...
Platform Filter for App Connectors and Private Service Edges
A Platform filter is available on the App Connectors and Private Service Edges pages so you can search for obsolete versions of CentOS 7 (el7) or find the package OS version for Red Hat Enterprise Linux 8 or 9 (el8 or el9). See image.</a...
Support for Machine Tunnel Widget on Users Dashboard
You can configure your Private Access Users dashboard to include a widget that displays the top 10 users of machine tunnels for a selected time frame. See image. To learn more, see <a href="https://help.zscaler.com/zpa/about-use...
Updated GCP Image for Private Cloud Controller
An updated Red Hat Enterprise Linux 9 Google Cloud Platform (GCP) image is available for Private Cloud Controller. To learn more, see Private Cloud Controller Software by Platform....
Resource Type Update for Microsegmentation Machine Learning Recommendations
The following new resource types were added to the audit logs for machine learning (ML) recommendations resource groups in Microsegmentation: • Microsegmentation Namespace • Microsegmentation Recommended Resource Tag • Microsegmentation Resource • Microsegmentation Tag...
Visual Indicator for Turbo Mode in Isolation for ZPA
If Turbo Mode is enabled on an isolation profile and the user also has hardware acceleration enabled, the appearance of the zGPU icon next to the Turbo Mode command is displayed in the Isolation Bar. See image. To...
Application Catalog for Microsegmentation
Admins can view a list of applications in Microsegmentation by navigating to Tag Management > Application Catalog. This gives admins insight into the applications found running on their virtual machines (VMs), and shows how the applications are used to generate the machine-learni...
Auto-Tagging for ML Recommendations in Microsegmentation
Microsegmentation supports machine learning (ML) recommendations for resources based on the behavior logged in existing flows. The ML recommendations suggest specific tags to add to a resource or multiple resources. The ML-recommended tags appear in the Criteria section when configuring a resourc...
CIDR and IP Address Ranges for Resource Group Configuration in Microsegmentation
Classless Inter-Domain Routing (CIDR) and IP address ranges are now available as dynamic criteria environment options when configuring resource groups in Microsegmentation. You can access these options by navigating to Add Resource Group > Criteria > Dynamic Membership > Environm...
Multiple LAN IP Address and Subnet Support in VPN (for Legacy Apps)
When adding or editing a Network segment, you can add up to 64 LAN IP addresses and subnets to a segment. See image. To learn more, see <a href="https://help.zscaler.com/zpa/about-network-segments" target="_blank...
Logging Activity Custom Range
Logging activity allows users to select a custom range with a start date beyond 14 days. Contact Zscaler Support to enable this feature for your organization. To learn more, see <a href="https://help.zscaler.com/zpa/accessing-user-activity-diagnostics" target="_blank" data-entity-type="node...
Update to Server Groups in AI-Powered Recommendations
When adding application segments to AI-Powered Recommendations, server groups are prepopulated and multiple groups can be selected. See image. To learn more, see <a href="https://help.zscaler.com/zpa/configuring-ai-powere...
VPN (for Legacy Apps) Update
An update is available for VPN (for Legacy Apps) that allows you to configure a version profile to associate a Network Connector with the default, previous, newest, or custom release on the Network Connector Groups page. For example, you can upgrade all Network Connector groups t...
Enhanced Support for Microtenants and Business Continuity
This release supports hosting ZPA Private Service Edges and Private Cloud Controllers in each Microtenant, and ensures that users are redirected to ZPA Private Service Edges from their respective Microtenant. To learn more, see <a href="https://help.zscaler.com/zpa/understanding-business-co...
Updated ZPA Private Service Edge OVA Images
Updated Red Hat Enterprise Linux 9 ZPA Private Service Edge images are available to support the upcoming release of automated OS security updates, ZPA Manager software updates, and OAuth 2.0 enrollment. The following updated images are available: • Nutanix • VMware To l...
Updated GCP Image for Network Connector
An updated Red Hat Enterprise Linux 9 Google Cloud Platform (GCP) image is available for Network Connector. To learn more, see Network Connector Software by Platform....
Updated GCP Image for Private Service Edge
An updated Red Hat Enterprise Linux 9 Google Cloud Platform (GCP) image is available for ZPA Private Service Edge. To learn more, see ZPA Private Service Edge Software by Platform....
Private Cloud Controller and Network Connector Support for Usage Metrics
The Notifications and events diagnostics services support Private Cloud Controllers and Network Connectors for the following events: • Bandwidth Utilization Exceeded Limit • CPU Exceeded Limit • Disk Space Exceeded Limit • File Descriptors Exhausted • Source Port...
VPN for Legacy Apps Preview Available to ZPA Customers
VPN for Legacy Apps Preview is now available. Contact your Zscaler Account team to purchase this add-on or start a 30-day trial. ZPA can natively support a secondary Layer 3 network-based VPN tunnel for applications and services (e.g., VoIP or server-to-client) that require Layer 3 IP-based...
Manager Software Updates
A recommended update was released that includes updated App Connector and ZPA Private Service Edge RPM packages for Red Hat Enterprise Linux 8.x and 9.x, and Private Cloud Controller and Network Connector RPM packages for Red Hat Enterprise Linux 9.x. You can download the Manager software f...
Agent Manager Status and Version for Microsegmentation
The Agent Manager Status and Agent Manager Version are available to view in the Agent table, as well as the expanded Agent Details section for each agent. See image. To learn more, see <a href="https://help....
App Connector GCP and Azure Image Support for Automated OS Security Updates, ZPA Manager Software Updates, and OAuth 2.0 Enrollment Support
Updated Red Hat Enterprise Linux 9 App Connector images are available to support upcoming releases of automated OS security updates, ZPA Manager software updates, and OAuth 2.0 enrollment support. The following updated images are available: • Google Cloud Platform • Microsoft Azure...
AWS Prebuilt Image Support for Network Connector
A new Network Connector image is available for Amazon Web Services (AWS) that includes support for upcoming VPN redundancy features. If you want to enable firewalld on a system running the Network Connector, you must perform additional steps to modify the firewall filter rule f...
Resolved Issues
A fix was released to address a validation issue when using the 14 Days preset date range in the User Activity diagnostics. To learn more, see Accessing User Activity Diagnostics....
VPN Service Edge Software Update
An update was released to fix an issue where VPN Service Edge encountered an error condition when a large number of network segments were configured. To learn more, see About VPN Service Edges....
App Connector AWS Image Support for Automated OS Security Updates, ZPA Manager Software Updates, and OAuth 2.0 Enrollment Support
An updated Red Hat Enterprise Linux 9 App Connector AWS image is available to support upcoming releases of automated OS security updates, ZPA Manager software updates, and OAuth 2.0 enrollment support. To learn more, see <a href="https://help.zscaler.com/zpa/zpa-app-connector-software-by-pl...
Events and Notifications Enhancements
The Notifications service supports Network Connectors when configuring a notification. The following events are supported for Network Connectors: • Last Component Disconnected • <sp...
App Connector OVA Image Support for Automated OS Security Updates, ZPA Manager Software Updates, and OAuth 2.0 Enrollment Support
Updated Red Hat Enterprise Linux 9 App Connector OVA images are available to support upcoming releases of automated OS security updates, ZPA Manager software updates, and OAuth 2.0 enrollment support. The following updated images are available: • Nutanix AHV • VMware To...
VPN Service Edge Software Update
An update was released to fix an issue where the VPN Service Edge dropped packets with asymmetric routing. To learn more, see About VPN Service Edges....
Resolved Issues
Multiple fixes for agent version zms-1.6.3 have been released to address several issues. Zscaler recommends upgrading to this agent version to avoid any disruption to traffic due to these issues: • An issue was fixed in the agent where customers would continue to see flow logs from agent...
Manager Software Updates
A recommended update was released that includes updated App Connector and ZPA Private Service Edge RPM packages for Red Hat Enterprise Linux 8.x and 9.x, and Private Cloud Controller and Network Connector RPM packages for Red Hat Enterprise Linux 9.x. You can download the Manager software f...
Filtered Reports for Application and User Group Relationships
You can download reports for filtered application segments on the Application and User Group Relationships insights page. See image. To learn more, see <a href="https://help.zscaler.com/zpa/viewing-application-a...
GCP Prebuilt Image Support for Network Connector
A new Network Connector image is available for Google Cloud Platform (GCP) that includes support for upcoming VPN redundancy features. If you want to enable firewalld on a system running the Network Connector, you must perform additional steps to modify the firewall filter rule...
High Availability and Redundancy in VPN (for Legacy Apps)
VPN (for Legacy Apps) uses Border Gateway Protocol (BGP) to ensure high availability and fault tolerance by providing alternate paths to reach applications during Network Connector node failures and Network Connector to VPN Service Edge path or link failures. If a failure occurs...
Agent Connection Status Log Updates for Microsegmentation
The Agent Connection Status Logs have been updated to specify the different reasons why an agent failed to deploy or upgrade. To learn more, see About Agent Connection Status Logs....
Agent Groups for Resource Group Environment in Microsegmentation
When configuring resource groups, you can add an Agent Group as an option for Dynamic Criteria. This is listed under a new category named ZMS. See image. To learn more, see <a href="https://help.zscaler.com/zpa/configuring-...
API Discovery for AppProtection
API Discovery Insights provides you with deeper insight into API logs and API users for AppProtection. The analytics for API Discovery Insights can be viewed on the AppProtection Diagnostics page using the API Insight filter. API Discovery is supported on the <a href="https://help.zscaler.com/zpa...
Custom Timestamp Tool for Analytics in Microsegmentation
A customizable timestamp selector tool has been added for the Analytics Logs tables in Microsegmentation. This is available for Flow Logs, Agent Telemetry, Agent Connection Status Logs, and Event Logs. See image. <p...
Initial Target Version in Microsegmentation
You can specify the initial target version of the agent for an agent group. This means that whenever you start the agent, it automatically checks to see if it needs to update itself to the target version you specify, and apply the update if needed. <a class="image-icon" hre...
Manual Agent Upgrade Option for Microsegmentation
You can manually upgrade your agents either individually or by initiating an Agent Group upgrade. You can find the Upgrade Now button in the Actions column of the Agents page or Agent Groups page. See image. To lear...
Backup Support for Private Cloud Controllers
Users can schedule a maximum of 100 backup copies of the configuration and policy downloaded by Private Cloud Controllers to improve reliability and availability. You can restore a backup using a script. See image. To learn mor...
Business Continuity Updates
Business Continuity includes the following updates: • A manual override is available to force Private Cloud Controllers, Private Service Edges, and App Connectors into Business Continuity mode. This option is available when editing a Private Cloud. <a class="ima...
Private Cloud Controller Support for Remote Troubleshooting
You can create sessions for Private Cloud Controllers for remote troubleshooting on the Support Information page of the ZPA Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zpa/accessing-and-...
Support for Private Cloud Controllers in the Notifications Service
The Notifications service supports Private Cloud Controllers when configuring a notification. The following events are supported for Private Cloud Controllers: • Control Connection Disconnected • CPU Starvation • Enrollment Completed • Invalid System Li...
Default Filter Operator in Diagnostics
You can configure the default filter operator in the diagnostics settings. See image. To learn more, see Configuring Diagnos...
Deleting Disabled IdP Configurations for ZIdentity Admin Migration
Disabled admin IdP configurations that are migrated to ZIdentity will be permanently deleted after 30 days after migration. This only applies to admins that are subscribed to ZIdentity for users. See image. To learn...
Source IP Address Filter in User Activity Diagnostics
You can filter by Source IP Address in the user activity diagnostics. See image. To learn more, see Accessing User Activ...
Scheduled VPN Service Edge Software Updates
This release includes the following enhancements for scheduling updates for VPN Service Edges: • When adding a VPN Service Edge, you can schedule when a VPN Service Edge software update occurs to avoid service interruptions.</sp...
Azure Prebuilt Image Support for Network Connector
A new Network Connector image is available for Microsoft Azure that includes support for upcoming VPN redundancy features. If you want to enable firewalld on a system running the Network Connector, you must perform additional steps to modify the firewall filter rule for VPN red...
Extranet Support in Access Policies
An update was released to support using Extranet as the client type in Access Policies. To learn more, see Extranet Client Type S...
Manager Software Updates
A recommended update was released that ensures that if an OS upgrade is successful, and any underlying libraries that might be used by the Manager software are changed, the Manager software immediately restarts to make sure that there aren't any dependency errors. This release also includes...
Resolved Issues
Resolved a rare root password expiration condition for 2024.11 and 2024.12 images when upgrading to the latest Manager software release. To learn more, see Understanding the Manager Software....
Notifications Service Updates
The following updates were made to the notifications service: • The Disk Space Exceeded Limit event threshold was increased from 1024 MB to 2048 MB. • The Enrollment Certificate Expired and Enrollment Failed events were added for App Connectors and ZPA Private Service Edges. </...
Privileged Approval Request Email Notifications
When you add or edit a privileged portal for Privileged Remote Access (PRA), you can add email addresses to notify administrators when a privileged approval request has been created, approved, and rejected. To use this feature, you must have an access policy that allows privileged approvals and a...
Manager Software Updates
A recommended update was released that ensures that if an OS upgrade is successful, and any underlying libraries that might be used by the Manager software are changed, the Manager software immediately restarts to make sure that there aren't any dependency errors. This release also includes...
VMware Prebuilt Image Update for Network Connector
An updated Network Connector image is available for VMware that includes support for upcoming VPN redundancy features. If you want to enable firewalld on a system running the Network Connector, you must perform additional steps to modify the firewall filter rule for VPN redunda...
Discovered Application Segments Update for Usage Insights
Discovered Host Count reports provide insight into the top 10 application segments by discovered host count, and are visible on the Application Segments Usage page. See image. In addition, a Discovered...
Repository Update to Upgrade the Host OS to RHEL 9.6
A repository update that enhances virtual images is available for App Connectors, ZPA Private Service Edges, and Private Cloud Controllers. This update allows the host operating system (OS) to upgrade from Red Hat Enterprise Linux (RHEL) 9.4 and 9.5 to RHEL 9.6. To learn more, see <a href="...
SAML & SCIM Support for Usage Insights
You can select SAML and SCIM attributes in the Settings drawer of the Application and User Group Relationships page. See image. To learn more, see <a href="https://help.zscaler.com/zpa/viewing-applic...
AI-Powered Recommendations Updates
The Recommended Configuration drawer includes the following updates: • The Users tab and Attributes tab for observed users includes a Total Users or Group Size column that lets you compare the number of observed users in the recommendation to the total number of users.</...
Disk Space Exceeded Limit Update in Events Diagnostics
An update was released that increases the Disk Space Exceeded Limit event threshold from 1024 MB to 2048 MB in Events Diagnostics. See image. To learn more, see <a href="https://help.zscaler.com/zpa/viewing-and-manag...
AppProtection API Protection Update
The following updates were made to the AppProtection API Protection feature: • API Protection is included when configuring an application segment, by default. • Some API Protection controls were moved to OWASP Predefined controls and ThreatLabZ controls. • New filters were ad...
Enhanced Capabilities for API Protection
An update was released to support enhanced visibility and controls for API Protection. To learn more, see Configuring AppProtection Profiles....
ZPA Cloud Launch for Microsegmentation
Zscaler has a production cloud (zpatwo.net) for Microsegmentation in Zscaler Private Access (ZPA). This cloud includes various features and enhancements. To learn more, see: • Admin Config resource type for audit logs</...
Multimatch Validation for Application Segments
When Multimatch is enabled, a Multimatch Validation window appears for you to review any impacted application segments and conflicting features. Depending on the application segments selected, you might need to do one of the following: • Edit an application segment and disable unsupporte...
Amazon Web Services Image Update for App Connector
A new AWS image is available for App Connector to support upcoming automated Manager software and OS security updates. To learn more, see App Connector Deployment Guide for Amazon Web Servi...
New Session Status Codes for Disconnections
If an App Connector or ZPA Private Service Edge was disconnected because of a planned restart, a redirect session status code is available on the User Activity Diagnostics page. To learn more, see <a href="https://help.zscaler.com/zpa/understanding-connector-software-updates" target="_blank...
LAN IP Addresses and Subnets in VPN (for Legacy Apps)
This release includes an update to support adding LAN IP addresses and subnets for VPN (for Legacy Apps) network segments. To learn more, see <a href="https://help.zscaler.com/zpa/release-upgrade-summary-2025?applicable_category=private.zscaler.com&deployment_date=2025-12-11&id=1534080" tar...
Manager Software Updates
A recommended update was released that includes updated App Connector and ZPA Private Service Edge RPM packages for Red Hat Enterprise Linux 8.x and 9.x. You can download the Manager software for <a href="https://help.zscaler.com/zpa/app-connector-deployment-guide-linux" target="_blank" dat...
Cloud Service API Updates to Enable Multimatch in Bulk
The cloud service API includes the following new endpoints to extend programmatic access for application segment Multimatch: • "POST /customers/{customerId}/application/multimatchUnsupportedReferences" • "PUT /customers/144118148382064640/application/bulkUpdateMulti...
Resolved Issues
A fix was released to update how data is processed for the Peak Zscaler Client Connector Redirections to Private Service Edges widget and the Zscaler Client Connector Redirections to Private Service Edges activity monitor widget in the Private Cloud Controllers dashboard. To learn more, see...
Update to AI-Powered Recommendations by Confidence % Widget
The AI-Powered Recommendations by Confidence % widget was updated to AI-Powered Recommendations by Attack Surface Reduction % in the Applications dashboard. See image. To learn more, see <a href="https://help.zsc...
Kubernetes and OpenShift Enhancements for App Connector
This release provides the following updates for usability, security, and cross-platform compatibility improvements for the App Connector Helm charts: • Improved container security includes fine-grained capability control options (minimal, full, custom). If "CAP_NET_RAW" is...
Multifile Support for Isolation in ZPA
Users can now upload multiple files simultaneously while in an isolated session. There is no minimum or maximum limit while uploading. See image. To learn more, see <a class="url-external" href="https://help.zscaler....
AWS and Azure Image Support for Private Cloud Controllers
A new Red Hat Enterprise Linux 9 Private Cloud Controller image is available in the AWS Marketplace and Microsoft Azure Marketplace. To learn more, see Private Cloud Controller Software by Plat...
Docker Image Updates
New Red Hat Enterprise Linux 9 App Connector and ZPA Private Service Edge images are available for Docker. This release includes: • Auto-updates for security patches during every container start or restart using "micro-dnf". • New Docker deployments that automatically in...
Provisioning Key Hardening in the ZPA Admin Portal
When creating a provisioning key for ZPA features such as App Connectors, Private Service Edges, Private Cloud Controllers, Network Connectors, or Machine Tunnels, you can choose to hide the provisioning key so it doesn't appear in the ZPA Admin Portal and can't be copied or downloaded...
Updates to Cloud Service API
The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZPA features and functionalities: • API Keys • Authentication • <a href="#clientToClie...
Application Segments Usage
You can view or download Application Segments Usage reports from the ZPA Admin Portal to review insights into which application segments are actively used, and to provide visibility into which user groups are accessing the applications. Application Segments Usage reports are on...
Usage Insights
Usage Insights provides you with actionable insights into an organization's usage patterns between users and applications. See image. To learn more, see <a href="https://help.zscaler.com/zpa/about-usage-insights" ta...
AI-Powered Recommendations Updates
The following updates for AI-powered recommendations are available: • When adding an application segment from an AI-powered recommendation, you can create an access policy rule at the Policies step. The rule is added to the middle of the rule order. Click Edit Policy...
Increased Limit for Privileged Consoles
You can have a maximum total of 9,000 privileged consoles per Privileged Remote Access (PRA) Portal. To learn more, see <a href="https://help.zscaler.com/zpa/ranges-limitations" target="_blank" data-entity-type="node" data-entity-uuid="02379419-8fc4-4f23-bd6d-c71ca17061d3" data-entity-subst...
VMware and Nutanix Images Available for App Connector
New VMware and Nutanix images are available for App Connector to support upcoming automated Manager software and OS security updates. To learn more, see App Connector Deployment Guide for VMwa...
Manager Software Updates
A recommended update was released that includes updated App Connector and ZPA Private Service Edge RPM packages for Red Hat Enterprise Linux 8.x and 9.x. You can download the Manager software for <a href="https://help.zscaler.com/zpa/app-connector-deployment-guide-linux" target="_blank" dat...
Custom Controls Negative Match
When you define custom control parameters for AppProtection, you can select negative value operator options (Does not match, Does not contain, Does not start with, Does not end with, and Does not exist) and the positive value operator option (Exists). When you select the request method, you can c...
STIG VM Private Service Edge Image for Nutanix
A Red Hat Enterprise Linux 9 Private Service Edge image that supports Security Technical Implementation Guide (STIG) is available for Nutanix. To learn more, see ZPA Private Service Edge Sof...
Removal of Executive Insights App
An update was released to remove the Executive Insights App from the ZPA Admin Portal. The Executive Insights App is supported in the ZIA Admin Portal and requires a subscription with Zscaler Internet Access (ZIA). To learn more, see <a href="https://help.zscaler.com/zia/accessing-and-using...
API Discovery for API Protection
An update was released to support API Discovery for API Protection. To learn more, see API Discovery for AppProtection....
Manager Software Updates
A recommended update was released that includes updated App Connector, ZPA Private Service Edge, and Private Cloud Controller RPM packages for Red Hat Enterprise Linux 8.x and 9.x. You can download the Manager software for App Connectors, ZPA Private Service Edges, and Private Cloud Control...
OS Software Updates
An update was released to support automated updates to the App Connector, Private Service Edge for Private Access (ZPA), Private Cloud Controller, and Network Connector RHEL 9 operating systems. This includes security updates and full OS updates. To learn more, see <a href="https://help.zsc...
Support for Automated Manager Software Updates in App Connectors and Network Connectors
An update was released to support automated updates to the Manager software service for App Connector and Network Connector. To learn more, see Automated Manager Software Updates for App Connector and Network Connector. Manager softw...
Support for Automated Manager Software Updates in Private Service Edges and Private Cloud Controllers
An update was released to support automated updates to the Manager software service for ZPA Private Service Edge and Private Cloud Controller. To learn more, see <a href="https://help.zscaler.com/zpa/release-upgrade-summary-2026?applicable_category=private.zscaler.com&deplo...
Support for Existing IdPs in Business Continuity
Existing IdP configurations can be used to authenticate users during Business Continuity. See image. To learn more, see Confi...
Updated Status Code for Web Browser Client Type Timeout
When the ZPA service blocks a Web Browser request because the timeout policy requires the user to authenticate, an SE: Timeout policy blocked access status code appears. To learn more, see Ranges & Limitations.</p...
ZPA Hosting Detection for App Connectors
An update was released that allows ZPA to automatically detect data center hosting information, or you can enter it manually. See image. To learn more, see <a href="https://help.zscaler.com/zpa/configuring-connectors" t...
Zscaler-Managed Business Continuity Cloud
The Zscaler-managed Business Continuity cloud is a fully managed Private Cloud solution that is built on the isolated and dedicated Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) infrastructures. This ensures consistent cyber and data protection during critical failure events. For...
Viewing Where Your Apps Are Served
View hosting provider and analytical details of the App Connectors that have been serving your applications for the last quarter on the Where Are My Apps Being Served From? page. This insight allows you to understand where your applications are hosted because App Connectors...
Client Platform and Hostname in the LSS and Cloud Service API
Client platform and hostname details are available in the User Activity transaction logs when configuring a log receiver. Additionally, these fields are returned by the format field when managing Log Streaming Service (LSS) configurations using the cloud service API. <a cla...
Resolved Issues
A fix was released to address an issue where extra braces in the JSON log format for Log Streaming Service (LSS) prevented logs from going to the SIEM. To learn more, see <a href="https://help.zscaler.com/zpa/about-log-streaming-service" target="_blank" data-entity-type="node" data-entity-u...
Credentials Diagnostics for Privileged Remote Access (PRA)
You can view analytics for privileged credentials on the Credentials Diagnostics page, including the total amount of privileged credentials and how many are currently in use. The privileged credentials based on protocol type are also displayed. To learn more, see <a href="h...
Updates to Approval Requests for Privileged Remote Access (PRA)
The following updates have been made to approval requests for Privileged Remote Access (PRA): • You can approve and reject approval requests in the ZPA Admin Portal, similar to how you review approval requests in the PRA Portal. • The Requests Diagnostics page name...
Disable Pop-Up Message to User
An update was released that renamed the Message to User field to Pop-Up Message to User when configuring or editing an access policy. As part of this update, the ability to disable the Pop-Up Message to User field is supported. This field only appears when the Rule Action is set to Block Access.<...
Cloud Service API Support for Onboarding Customers
The cloud service API includes the following new endpoints for administrator management, administrator role management, and client settings management: • "GET /mgmtconfig/v1/admin/customers/{customerId}/administrators/{adminId}" • "GET /mgmtconfig/v1/admin/customers...
Last Component Disconnected Event Priority Update
The priority for the Last Component Disconnected event in the events diagnostics and notifications service was updated from Low to High. This only applies to newly created events for App Connectors and ZPA Private Service Edges after May 9, 2025. To learn more, see <a href="https://help.zsc...
OWASP Predefined Controls Update
The OWASP predefined controls were updated to support version OWASP_CRS/4.8.0. By default, the version is set to OWASP_CRS/4.8.0 on the OWASP Predefined Controls page and the AppProtection Profiles page. The OWASP_CRS/4.8.0 version is supported on <a href="https://help.zscaler.com/zpa/app-connect...
Number of API Keys with This Role
A new column was added to the Roles page to track the number of API keys per assigned role. See image. To learn more, see About Roles. <div...
Audit Log Updates for Microsegmentation Recommended Resource Groups
A new resource type for Microsegmentation Managed Recommended Resource Group was added to the Audit Logs. See image. To learn more, see <a href="https://help.zscaler.com/zpa/about-ml-recommendation...
VPN (for Legacy Apps) Network Connector RPM Package
Zscaler has released a Network Connector RPM package that contains only the installation packages and privileges required by the Network Connector. VPN (for Legacy Apps) customers who previously installed the App Connector RPM package that included the Network Connector dependencies should uninst...
Chrome Enterprise Browser Diagnostics
You can view Chrome Enterprise browser analytics and policy log data on the Chrome Enterprise Browser Diagnostics page. See image. To learn more, see <a href="https://help.zscaler.com/zpa/accessing-ch...
Evaluate Access with Chrome Posture Profiles
ZPA integrates with Google's Chrome Enterprise browser to utilize its device posture signals, enabling more granular security controls (Browser Version, Operating System, OS Firewall status, etc.) and enhanced visibility for clientless access to private applications via ZPA...
VMware Image Available for Network Connectors
A new Network Connector image is available for VMware. To learn more, see Network Connector Software by Platform....
Application Load Balancing and High Availability
Load balancing allows applications to be weighted between individual server groups or designated in dedicated passive groups for high availability. See image. To learn more, see <a href="https://help.zscaler.com/zpa/configu...
AppProtection Update
AppProtection updates to provide improved payload support for API formats (JSON and XML payloads) are available....
Extranet Application Support
Extranet allows Zscaler customers to access a business partner's private application without needing to install an App Connector in the partner's environment or extend an IPSec tunnel from the customer's data center to the business partner's data center. Instead, a Zscaler cus...
ZPA API Application Load Balancing Configuration
Applications can be updated to assign weights between individual server groups or designated in dedicated passive groups via the ZPA cloud service API. To learn more, see the ZPA API Develope...
Manager Software Updates
A recommended update was released that includes updated App Connector, ZPA Private Service Edge, and Private Cloud Controller RPM packages for Red Hat Enterprise Linux 8.x and 9.x. You can download the Manager software for <a href="https://help.zscaler.com/zpa/app-connector-deployment-guide...
Enhancing Security for Third-Party Clientless Access with ZPA and Chrome Enterprise Browser Integration
ZPA now integrates with the Chrome Enterprise browser to enhance security access to private applications using Browser Access. By leveraging Chrome's device posture signals, ZPA enforces granular security controls to manage clientless (third-party or contractor access) to private application...
API Keys Page Update
An update was released to remove the ZPA API Portal link from the API Keys page. To learn more, see About API Key Management....
VPN (for Legacy Apps)
ZPA can natively support a secondary Layer 3 network-based VPN tunnel for applications and services (e.g., VoIP or server-to-client) that require Layer 3 IP-based connectivity consistent with its Zero Trust security architecture and inside-out connection. From a single client for users and a sing...
STIG VM Image Updates for Microsoft Azure
Red Hat Enterprise Linux 9 App Connector and Private Service Edge images that support Security Technical Implementation Guide (STIG) without requirements to disable password expiration are available for Microsoft Azure. The Azure STIG-hardened images released on December 12, 2024, required the pa...
Update to Automatic Certificate Generation
An update to automatic certificate generation for AppProtection is available. By enabling AppProtection for an application segment and selecting an AppProtection enrollment (CA) certificate, you can automatically generate certificates to support AppProtection TLS inspection. To learn more,...
AppProtection Control Exceptions
When configuring an AppProtection profile, you can add exceptions to OWASP predefined controls. After you create exceptions, you can review the exceptions under the OWASP predefined controls they are assigned to on the AppProtection Profile page. To learn more, see <a href="https://help.zsc...
Client Connector for VDI Support
ZPA supports a new client type called Client Connector for VDI. Client Connector for VDI is a lightweight client for multi-session VDI environments. Admins can view and configure user-level ZPA policies to protect their multi-session ZPA users. To learn more, see <a href="https://help.zscal...
ZPA API Support for Multi-Session VDI
A new client type is available in the ZPA cloud service API to support multi-session VDI. To learn more, see the API Developer & Reference Guide, <a href="https://help.zscaler.com/zpa/configurin...
STIG VM Image Update for Nutanix
A Red Hat Enterprise Linux 9 App Connector image that supports Security Technical Implementation Guide (STIG) without requirements to disable password expiration is available for Nutanix. The Nutanix STIG-hardened image that was released on December 12, 2024, required the password to be disabled....
STIG VM Image Updates for VMware
Red Hat Enterprise Linux 9 App Connector and Private Service Edge images that support Security Technical Implementation Guide (STIG) without requirements to disable password expiration are available for VMware. The VMware STIG-hardened images that were released on December 12, 2024, required the...
Business Continuity Support
ZPA Business Continuity ensures continued access to applications for users in events where the reachability or availability of the ZPA cloud is affected. ZPA Business Continuity requires Business Continuity Settings, Private Clouds, and Private Cloud Controllers to be configured in the ZPA Admin...
LSS Support for Private Cloud Controllers
An update was released in the Log Streaming Service (LSS) to provide stats for Private Cloud Controller status and metrics. The new log types can be selected when configuring a log receiver. <p class="mt-...
Microphone and Camera Functionality for Isolation Profiles in ZPA
Isolation allows microphone and camera functionality on the user's device while in an isolated browser. This can be enabled per isolation profile if Turbo Mode is also enabled. See image. To learn more, see...
Role-Based Access Control for ZPA API
Granular role-based access control (RBAC) for ZPA API is available. You can select predefined roles or custom roles for API keys when adding them in the API Keys page of the ZPA Admin Portal. To enforce RBAC on all publicly available ZPA API operations, create a predefined or custom role in the Z...
STIG VM Image Updates for AWS and GCP
Red Hat Enterprise Linux 9 App Connector and Private Service Edge images that support Security Technical Implementation Guide (STIG) without requirements to disable password expiration are available for Amazon Web Services (AWS) and Google Cloud Platform (GCP). AWS and GCP STIG-hardened images re...
Microsegmentation Admin Config Resource Type Update
A new resource type for Microsegmentation Admin Config was added to the Audit Logs page. See image. To learn more, see <a href="https://help.zscaler.com/zpa/about-audit-logs#resourceTy...
Disconnect Time UX Improvement for App Connectors
Resolved a UX issue in the ZPA Admin Portal where the App Connector disconnect time appeared as zero. To learn more, see Accessing App Connector Status Diagnostics....
Manager Software Updates
A recommended update was released that includes updated App Connector and ZPA Private Service Edge RPM packages for Red Hat Enterprise Linux 7.x, 8.x, and 9.x. You can download the Manager software for <a href="https://help.zscaler.com/zpa/app-connector-deployment-guide-linux" target="_blan...
Platform Information Available for User Activity Log
An update was made to support the platform where Zscaler Client Connector is installed in the User Activity Logs. To learn more, see Accessing User Activity Diagnostics....
Managed Browser Access and Portal Certificates
You can publish Browser Access applications, user portals, and Privileged Remote Access (PRA) Portals with Zscaler-managed certificates and DNS. This reduces the need to create and renew custom certificates. You can also publish links from a user portal in a PRA privileged portal to provide...
Cookie Persistence Renamed to Persistent State for Isolation Profiles
In ZPA isolation profiles, the cookie persistence toggle has been updated to be called Persistent State. See image. To learn more, see <a href="https://help.zscaler.com/isolation/using-persistent-state-isolation" targe...
Credential Pooling for Privileged Remote Access (PRA)
You can assign multiple privileged credentials within a privileged credentials policy using a privileged credential pool. When you create a privileged credential pool, you can include one or more privileged credentials. This allows users to simultaneously access the same privileged console, but w...
Generating AI-Powered Recommendations for Application Segments
ZPA allows you to generate AI-powered recommendations for application segments. You can view the time when the recommendations were last generated and the next time the recommendations will be available. See image. To learn m...
My Approvals in the PRA Portal
You can create and manage privileged approval requests, approve existing privileged approvals, and reject existing privileged approvals in the Privileged Remote Access (PRA) Portal. You can view the analytics for the privileged approval requests on the Requests page in the ZPA Admin Portal. This...
User Platform Filter for Activity Logs
A new diagnostics user activity filter was introduced to support filtering user activity by client platform (i.e., Windows, macOS, Linux, Android, or iOS). To learn more, see <a href="https://help.zscaler.com/zpa/accessing-user-activity-diagnostics" target="_blank" title="Accessing User Act...
Increased Administrators Limit
The maximum limit of administrators per organization has increased to 5,000. To learn more, see Ranges & Limitations....
ZPA API Log Streaming Service (LSS) Support for Microsegmentation
LSS support for Microsegmentation is available in the ZPA API when creating or updating LSS configurations using the "zms_flow_log" log type. To learn more, see Managing...
App Segment Multimatch Rule Processing
Multimatch is a feature that allows an application request to match multiple application segments. When Multimatch is enabled, policy evaluation is applied to multiple application segments, whereas the policy evaluation is applied to a single application segment for the default b...
Pattern Matching for Application Segments
Admins can define applications with patterns within application segments. Pattern matching allows the policy evaluation to be used with hostname patterns instead of exact fully qualified domain names (FQDNs). The same functionality is supported via the ZPA cloud service API. To learn more,...
Backup and Restore
You can create a backup of configuration settings in the ZPA Admin Portal. After a backup is created, you can restore a backup and return to the previous configuration. See image. In addition, the followin...
Transaction ID in Audit Logs
An update was released to include a Transaction ID column on the Audit Logs page of the ZPA Admin Portal. A Transaction ID, created by the OneAPI framework, is the unique identifier that binds multiple related API requests to assist in troubleshooting API request issues. <a...
Quarterly Business Review Reports
View or download Quarterly Business Review (QBR) reports from the ZPA Admin Portal to review insights into how Zscaler helps protect your network. The reports provide emerging traffic trends of private application usage across your organization. <a class="image-icon" href="...
Manager Software Updates
A recommended update was released that includes updated App Connector and Private Service Edge RPM packages for Red Hat Enterprise Linux 7.x, 8.x, and 9.x. If you have IMDSv2 set to Required, the Manager software update is highly recommended. The Manager software version is 24.692.9. You ca...
Invalid System Listen IP Address Configuration for Events and Notifications
An update was released to add system metrics to the events diagnostics and notification management service for invalid listen IP address configurations on a ZPA Private Service Edge. To learn more, see <a href="https://help.zscaler.com/zpa/viewing-and-managing-events-diagnostic...
Manager Software Updates
A recommended update was released that includes updated App Connector and ZPA Private Service Edge RPM packages for Red Hat Enterprise Linux 7.x, 8.x, and 9.x. The Manager software version is 24.692.8. You can download the Manager Software for <a href="https://help.zscaler.com/zpa/app-conne...
AI-Powered Recommendations Updates
The AI-Powered Recommendations page was updated to include: • User recommendations based on the SCIM groups if the SCIM groups are synced for application segments access. • A new column called Attack Surface Reduction that displays the percentage diffe...
Recommended Application Segments Renamed to AI-Powered Recommendations
An update was released that renamed Recommended Application Segments to AI-Powered Recommendations on the Application Segments page. The Description column was consolidated into the Grouping Reasons column. The Settings page is now a drawer located on the AI-Powered Recommendatio...
Application Segment Import for Merging Application Segment Data
Users can upload application data through Application Segment Import and merge the uploaded data to easily configure defined application segments. This allows granular application data to be imported in bulk and later used for different configurations depending on the type of application segment...
STIG Platform Image Support on Microsoft Azure
A new Red Hat Enterprise Linux 9 Private Service Edge image that supports Security Technical Implementation Guide (STIG) is available for Microsoft Azure. To learn more, see ZPA Private Serv...
Private Service Edge - private.zscaler.com
Private Service Edge Version 26.53.4
An update was released for Private Service Edge for Private Access (ZPA) that includes bug fixes, optimizations, and version enhancements. Your Private Service Edge will be updated based on your software update schedule as configured per Private Service Edge group. To learn more, see <a hre...
Private Service Edge Version 26.52.4
This update resolves a rare issue that could cause Private Service Edge for Private Access (ZPA) processes to experience degraded performance when a hypervisor host experienced CPU starvation. Your Private Service Edge will be updated based on your software update schedule as configured per...
Private Service Edge Version 26.52.3
An update was released for ZPA Private Service Edge that includes bug fixes, optimizations, and version enhancements. Your ZPA Private Service Edge will be updated based on your software update schedule as configured per ZPA Private Service Edge group. To learn more, see <a...
Private Service Edge Version 25.50.4
An update was released for Private Service Edge that includes bug fixes, optimizations, and version enhancements. Your Private Service Edges will be updated based on your software update schedule as configured per Private Service Edge group....
Private Service Edge Version 25.49.9
An update was released to resolve an issue where Private Service Edges failed to reconnect to the public cloud following a Business Continuity event (until a manual process restart was performed). This issue was only seen when the Private Cloud Controller was running a lower software version than...
ZPA Private Service Edge Version 25.49.5
This ZPA Private Service Edge version includes the following updates for Business Continuity: • Enhanced support for Microtenants and Business Continuity. • Private Cloud Controllers redirect users to the closest Private Service Edge regardless of the Private Cloud. Yo...
ZPA Private Service Edge Version 25.48.4
An update was released for ZPA Private Service Edge that includes bug fixes, optimizations, and version enhancements. Your ZPA Private Service Edge will be updated based on your software update schedule as configured per ZPA Private Service Edge group. To learn more, see <a href="https://he...
ZPA Private Service Edge Version 25.47.3
An update was released for ZPA Private Service Edge that sends operating system logs to event logs if an OS update failed. • See example log. Your ZPA Private Service Edge will be updated based on your software update sched...
ZPA Private Service Edge Version 25.46.3
This ZPA Private Service Edge version includes the following updates: • An update was released for ZPA Private Service Edge that sends operating system logs to event logs if an OS update failed.• See ex...
ZPA Private Service Edge Version 25.46.2
This Private Service Edge version includes the following updates: • An update was released for ZPA Private Service Edge that includes bug fixes, optimizations, and version enhancements. • Support for setting Private Service Edge groups to be used exclusively for Bu...
ZPA Private Service Edge Version 25.45.1
An update was released for ZPA Private Service Edges that includes bug fixes, optimizations, and version enhancements. Your ZPA Private Service Edge will be updated based on your software update schedule as configured per ZPA Private Service Edge group. To learn more, see <a href="htt...
ZPA Private Service Edge Version 25.44.8
An update was released for ZPA Private Service Edge that includes bug fixes, optimizations, and version enhancements. Your ZPA Private Service Edge will be updated based on your software update schedule as configured per ZPA Private Service Edge group. To learn more, see <a href="http...
ZPA Private Service Edge Version 25.44.7
An update was released for ZPA Private Service Edge that includes bug fixes, optimizations, and version enhancements. Your ZPA Private Service Edge will be updated based on your software update schedule as configured per ZPA Private Service Edge group. To learn more, see <a href="http...
ZPA Private Service Edge Version 25.43.2
An update was released for ZPA Private Service Edge that includes bug fixes, optimizations, and version enhancements. Your ZPA Private Service Edge will be updated based on your software update schedule as configured per ZPA Private Service Edge group. To learn more, see <a hre...
Private Service Edge Version 25.42.7
An update was released for ZPA Private Service Edge that resolves a policy update issue. Your ZPA Private Service Edge will be updated based on your software update schedule as configured per ZPA Private Service Edge group. To learn more, see <a href="https://help.zscaler.com/zpa/understand...
Private Service Edge Version 25.42.6
An update was released for ZPA Private Service Edge that resolves an issue where additional logging to syslog could cause the partition in "/var/log" to run out of space. To learn more, see <a class="url-external" href="https://trust.zscaler.com/private.zscaler.com/posts/22246" t...
ZPA Private Service Edge Version 25.42.5
An update was released for ZPA Private Service Edge that includes bug fixes, optimizations, and version enhancements. Your ZPA Private Service Edge will be updated based on your software update schedule as configured per ZPA Private Service Edge group. To learn more, see <a hre...
ZPA Private Service Edge Version 24.692.9
An update was released to support fetching the AWS VM ID when IMDSv2 is enabled. This update is needed for IMDSv2 to work properly. Manager Software UpdatesA recommended update was released that includes updated Private Service Edge RPM packages for Red Hat Enterprise Linux 7.x, 8....
ZPA Private Service Edge Version 24.692.8
This ZPA Private Service Edge version includes the following updates: • An update was released for ZPA Private Service Edge that includes bug fixes, optimizations, and version enhancements. • An update was released for ZPA Private Service Edges to provide support for an event when...
Private Service Edge - zpatwo.net
Private Service Edge Version 26.53.4
An update was released for Private Service Edge for Private Access (ZPA) that includes bug fixes, optimizations, and version enhancements. Your Private Service Edge will be updated based on your software update schedule as configured per Private Service Edge group. To learn more, see <a hre...
Private Service Edge Version 26.52.4
This update resolves a rare issue that could cause Private Service Edge for Private Access (ZPA) processes to experience degraded performance when a hypervisor host experienced CPU starvation. Your Private Service Edge will be updated based on your software update schedule as configured per...
Private Service Edge Version 26.52.3
An update was released for ZPA Private Service Edge that includes bug fixes, optimizations, and version enhancements. Your ZPA Private Service Edge will be updated based on your software update schedule as configured per ZPA Private Service Edge group. To learn more, see <a...
Private Service Edge Version 25.50.4
An update was released for Private Service Edge that includes bug fixes, optimizations, and version enhancements. Your Private Service Edges will be updated based on your software update schedule as configured per Private Service Edge group....
Private Service Edge Version 25.49.9
An update was released to resolve an issue where Private Service Edges failed to reconnect to the public cloud following a Business Continuity event (until a manual process restart was performed). This issue was only seen when the Private Cloud Controller was running a lower software version than...
ZPA Private Service Edge Version 25.49.5
This ZPA Private Service Edge version includes the following updates for Business Continuity: • Enhanced support for Microtenants and Business Continuity. • Private Cloud Controllers redirect users to the closest Private Service Edge regardless of the Private Cloud. Yo...
ZPA Private Service Edge Version 25.48.4
An update was released for ZPA Private Service Edge that includes bug fixes, optimizations, and version enhancements. Your ZPA Private Service Edge will be updated based on your software update schedule as configured per ZPA Private Service Edge group. To learn more, see <a href="https://he...
ZPA Private Service Edge Version 25.47.3
An update was released for ZPA Private Service Edge that sends operating system logs to event logs if an OS update failed. • See example log. Your ZPA Private Service Edge will be updated based on your software update sched...
ZPA Private Service Edge Version 25.46.3
This ZPA Private Service Edge version includes the following updates: • An update was released for ZPA Private Service Edge that sends operating system logs to event logs if an OS update failed.• See ex...
ZPA Private Service Edge Version 25.46.2
This Private Service Edge version includes the following updates: • An update was released for ZPA Private Service Edge that includes bug fixes, optimizations, and version enhancements. • Support for setting Private Service Edge groups to be used exclusively for Bu...
ZPA Private Service Edge Version 25.45.1
An update was released for ZPA Private Service Edges that includes bug fixes, optimizations, and version enhancements. Your ZPA Private Service Edge will be updated based on your software update schedule as configured per ZPA Private Service Edge group. To learn more, see <a href="htt...
ZPA Private Service Edge Version 25.44.8
An update was released for ZPA Private Service Edge that includes bug fixes, optimizations, and version enhancements. Your ZPA Private Service Edge will be updated based on your software update schedule as configured per ZPA Private Service Edge group. To learn more, see <a href="http...
ZPA Private Service Edge Version 25.44.7
An update was released for ZPA Private Service Edge that includes bug fixes, optimizations, and version enhancements. Your ZPA Private Service Edge will be updated based on your software update schedule as configured per ZPA Private Service Edge group. To learn more, see <a href="http...
ZPA Private Service Edge Version 25.43.2
An update was released for ZPA Private Service Edge that includes bug fixes, optimizations, and version enhancements. Your ZPA Private Service Edge will be updated based on your software update schedule as configured per ZPA Private Service Edge group. To learn more, see <a hre...
Private Service Edge Version 25.42.7
An update was released for ZPA Private Service Edge that resolves a policy update issue. Your ZPA Private Service Edge will be updated based on your software update schedule as configured per ZPA Private Service Edge group. To learn more, see <a href="https://help.zscaler.com/zpa/understand...
Private Service Edge Version 25.42.6
An update was released for ZPA Private Service Edge that resolves an issue where additional logging to syslog could cause the partition in "/var/log" to run out of space. To learn more, see <a class="url-external" href="https://trust.zscaler.com/private.zscaler.com/posts/22246" t...
ZPA Private Service Edge Version 25.42.5
An update was released for ZPA Private Service Edge that includes bug fixes, optimizations, and version enhancements. Your ZPA Private Service Edge will be updated based on your software update schedule as configured per ZPA Private Service Edge group. To learn more, see <a hre...
ZPA Private Service Edge Version 24.692.9
An update was released to support fetching the AWS VM ID when IMDSv2 is enabled. This update is needed for IMDSv2 to work properly. Manager Software UpdatesA recommended update was released that includes updated Private Service Edge RPM packages for Red Hat Enterprise Linux 7.x, 8....
ZPA Private Service Edge Version 24.692.8
This ZPA Private Service Edge version includes the following updates: • An update was released for ZPA Private Service Edge that includes bug fixes, optimizations, and version enhancements. • An update was released for ZPA Private Service Edges to provide support for an event when...
App Connector - private.zscaler.com
App Connector Version 26.53.4
An update was released for App Connector that includes bug fixes, optimizations, and version enhancements. Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, see <a href="https://help.zscaler.com/zpa/understanding...
App Connector Version 26.52.4
This update resolves a rare issue that could cause App Connector processes to experience degraded performance when a hypervisor host experienced CPU starvation. Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, s...
App Connector Version 26.52.3
An update was released for App Connector that includes bug fixes, optimizations, and version enhancements. Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, see <a href="https://help.zscaler.com/...
App Connector Version 25.50.4
An update was released for App Connector that includes bug fixes, optimizations, and version enhancements. Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, see <a href="https://help.zsca...
App Connector Version 25.49.11
This App Connector update resolves an issue where traffic was incorrectly blocked if a preprocessor control was disabled in the AppProtection security profile. This only affects customers with AppProtection enabled on specific App Connector groups. Your App Connectors will be updated based...
App Connector Version 25.49.9
An update was released to resolve an issue where App Connectors failed to reconnect to the public cloud following a Business Continuity event (until a manual process restart was performed). This issue was only seen when the Private Cloud Controller was running a lower software version than the Ap...
App Connector Version 25.49.4
This App Connector version provides the following updates: • A fix was released to address a socket usage issue with IMDS endpoint timeouts on AWS hosts. • Enhanced support for Microtenants and Business Continuity. Your App Connectors will be updated based...
App Connector Version 25.48.4
An update was released for ZPA App Connector that includes bug fixes, optimizations, and version enhancements. Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, see <a href="https://help.zscaler.com/zpa/understan...
App Connector Version 25.47.3
An update was released for ZPA App Connector that sends operating system logs to event logs if an OS update failed. • See example log. Your App Connectors will be updated based on your software update schedule as configured...
App Connector Version 25.46.3
An update was released for ZPA App Connector that sends operating system logs to event logs if an OS update failed. • See example log. Your App Connectors will be updated based on your software update schedule as configured...
App Connector Version 25.46.2
This ZPA App Connector version includes the following updates: • An update was released for App Connector that includes bug fixes, optimizations, and version enhancements. • An update was released to support Kubernetes enhancements to improve container security. To learn more, see...
App Connector Version 25.45.1
An update was released for ZPA App Connector that includes bug fixes, optimizations, and version enhancements. Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, see <a href="https://help.zscaler.com/zpa/und...
App Connector Version 25.44.6
This ZPA App Connector release includes the following updates: • An update was released for ZPA App Connector that includes bug fixes, optimizations, and version enhancements. • An update was released for ZPA App Connector that adds configuration overrides for server inactivity tim...
App Connector Version 25.43.6
An update was released for ZPA App Connector that adds configuration overrides for server inactivity timeouts (slow and fast). Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, see <a href="https://help.zscaler.c...
App Connector Version 25.42.9
An update was released for ZPA App Connector that adds configuration overrides for server inactivity timeouts (slow and fast). Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, see <a href="https://help.zscaler.c...
App Connector Version 25.43.2
This App Connector version includes the following updates: • An update was released for ZPA App Connector that includes bug fixes, optimizations, and version enhancements. • An update was released to support the OWASP predefined controls version OWASP_CRS/4.8.0. To learn more, see...
App Connector Version 25.42.8
An update was released for ZPA App Connector that includes bug fixes, optimizations, and version enhancements. Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, see <a href="https://help.zscaler.com/zpa/understan...
App Connector Version 25.42.6
An update was released for App Connector that resolves an issue where additional logging to syslog could cause the partition in "/var/log" to run out of space. To learn more, see <a class="url-external" href="https://trust.zscaler.com/private.zscaler.com/posts/22246" target="_bla...
App Connector Version 25.42.4
This App Connector version includes the following updates: • An update was released for App Connector that includes bug fixes, optimizations, and version enhancements. • An update was released to improve JSON and XML parsing in the detection engine for AppProtection. To learn more,...
App Connector Version 24.692.9
An update was released to support fetching the AWS VM ID when IMDSv2 is enabled. This update is needed for IMDSv2 to work properly. Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, see <a href="https://help.zsca...
App Connector Version 24.692.8
This ZPA App Connector version includes the following updates: • An update was released for App Connector that includes bug fixes, optimizations, and version enhancements. • An update was released to the detection engine for AppProtection. To learn more, see <a href="https://help.z...
App Connector - zpatwo.net
App Connector Version 26.53.4
An update was released for App Connector that includes bug fixes, optimizations, and version enhancements. Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, see <a href="https://help.zscaler.com/zpa/understanding...
App Connector Version 26.52.4
This update resolves a rare issue that could cause App Connector processes to experience degraded performance when a hypervisor host experienced CPU starvation. Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, s...
App Connector Version 26.52.3
An update was released for App Connector that includes bug fixes, optimizations, and version enhancements. Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, see <a href="https://help.zscaler.com/...
App Connector Version 25.50.4
An update was released for App Connector that includes bug fixes, optimizations, and version enhancements. Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, see <a href="https://help.zsca...
App Connector Version 25.49.11
This App Connector update resolves an issue where traffic was incorrectly blocked if a preprocessor control was disabled in the AppProtection security profile. This only affects customers with AppProtection enabled on specific App Connector groups. Your App Connectors will be updated based...
App Connector Version 25.49.9
An update was released to resolve an issue where App Connectors failed to reconnect to the public cloud following a Business Continuity event (until a manual process restart was performed). This issue was only seen when the Private Cloud Controller was running a lower software version than the Ap...
App Connector Version 25.49.4
This App Connector version provides the following updates: • A fix was released to address a socket usage issue with IMDS endpoint timeouts on AWS hosts. • Enhanced support for Microtenants and Business Continuity. Your App Connectors will be updated based...
App Connector Version 25.48.4
An update was released for ZPA App Connector that includes bug fixes, optimizations, and version enhancements. Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, see <a href="https://help.zscaler.com/zpa/understan...
App Connector Version 25.47.3
An update was released for ZPA App Connector that sends operating system logs to event logs if an OS update failed. • See example log. Your App Connectors will be updated based on your software update schedule as configured...
App Connector Version 25.46.3
An update was released for ZPA App Connector that sends operating system logs to event logs if an OS update failed. • See example log. Your App Connectors will be updated based on your software update schedule as configured...
App Connector Version 25.46.2
This ZPA App Connector version includes the following updates: • An update was released for App Connector that includes bug fixes, optimizations, and version enhancements. • An update was released to support Kubernetes enhancements to improve container security. To learn more, see...
App Connector Version 25.45.1
An update was released for ZPA App Connector that includes bug fixes, optimizations, and version enhancements. Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, see <a href="https://help.zscaler.com/zpa/und...
App Connector Version 25.44.6
This ZPA App Connector release includes the following updates: • An update was released for ZPA App Connector that includes bug fixes, optimizations, and version enhancements. • An update was released for ZPA App Connector that adds configuration overrides for server inactivity tim...
App Connector Version 25.43.6
An update was released for ZPA App Connector that adds configuration overrides for server inactivity timeouts (slow and fast). Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, see <a href="https://help.zscaler.c...
App Connector Version 25.42.9
An update was released for ZPA App Connector that adds configuration overrides for server inactivity timeouts (slow and fast). Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, see <a href="https://help.zscaler.c...
App Connector Version 25.43.2
This App Connector version includes the following updates: • An update was released for ZPA App Connector that includes bug fixes, optimizations, and version enhancements. • An update was released to support the OWASP predefined controls version OWASP_CRS/4.8.0. To learn more, see...
App Connector Version 25.42.8
An update was released for ZPA App Connector that includes bug fixes, optimizations, and version enhancements. Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, see <a href="https://help.zscaler.com/zpa/understan...
App Connector Version 25.42.6
An update was released for App Connector that resolves an issue where additional logging to syslog could cause the partition in "/var/log" to run out of space. To learn more, see <a class="url-external" href="https://trust.zscaler.com/private.zscaler.com/posts/22246" target="_bla...
App Connector Version 25.42.4
This App Connector version includes the following updates: • An update was released for App Connector that includes bug fixes, optimizations, and version enhancements. • An update was released to improve JSON and XML parsing in the detection engine for AppProtection. To learn more,...
App Connector Version 24.692.9
An update was released to support fetching the AWS VM ID when IMDSv2 is enabled. This update is needed for IMDSv2 to work properly. Your App Connectors will be updated based on your software update schedule as configured per App Connector group. To learn more, see <a href="https://help.zsca...
App Connector Version 24.692.8
This ZPA App Connector version includes the following updates: • An update was released for App Connector that includes bug fixes, optimizations, and version enhancements. • An update was released to the detection engine for AppProtection. To learn more, see <a href="https://help.z...
Private Cloud Controller - private.zscaler.com
Private Cloud Controller Version 26.53.4
This Private Cloud Controller version provides the following updates: • An update ensures that a Private Cloud Controller disconnected from the Zero Trust Exchange (ZTE) for extended periods of time can seamlessly reconnect to the ZTE even if the Private Cloud Controller had outdated or...
Private Cloud Controller Version 26.52.4
This update resolves a rare issue that could cause Private Cloud Controller processes to experience degraded performance when a hypervisor host experienced CPU starvation. Your Private Cloud Controllers will be updated based on your software update schedule as configured per Private Cloud C...
Private Cloud Controller Version 26.52.3
An update was released for Private Cloud Controller that includes bug fixes, optimizations, and version enhancements. Your Private Cloud Controllers will be updated based on your software update schedule as configured per Private Cloud Controller group. To learn more, see <a href="https://h...
Private Cloud Controller Version 25.50.6
An update was released for Private Cloud Controller to support whitespaces in SAML responses when configuring a new identity provider (IdP). Your Private Cloud Controllers will be updated based on your software update schedule as configured per Private Cloud Controller group. To learn more,...
Private Cloud Controller Version 25.50.4
An update was released for Private Cloud Controller that includes bug fixes, optimizations, and version enhancements. Your Private Cloud Controllers will be updated based on your software update schedule as configured per Private Cloud Controller group. To learn more, see <a href="https://h...
Private Cloud Controller Version 25.49.4
This Private Cloud Controller version includes the following updates: • Support for redirecting users to Private Service Edges in respective Microtenants. • Private Cloud Controllers redirect users to the closest Private Service Edge regardless of the Private Cloud. You...
Private Cloud Controller Version 25.48.4
An update was released for Private Cloud Controller to fix an issue where the Private Cloud Controller redirected users to the admin IdP SSO page instead of the user IdP SSO. Your Private Cloud Controllers will be updated based on your software update schedule as configured per Private Clou...
Private Cloud Controller Version 25.47.3
This Private Cloud Controller version includes the following updates: • Operating system logs are sent to event logs if an OS update failed.• See example log. • An update was released for Private Cloud Controller...
Private Cloud Controller Version 25.46.3
An update was released for Private Cloud Controller that includes the following: • Operating system logs are sent to event logs if an OS update failed.• See example log. • The Private Cloud Controller redirects us...
Private Cloud Controller Version 25.46.2
This Private Cloud Controller version includes the following updates: • An update was released for Private Cloud Controller that includes bug fixes, optimizations, and version enhancements. • Support for forcing Private Cloud Controllers, App Connectors, and ZPA Pr...
Private Cloud Controller 25.45.2
This Private Cloud Controller software version addresses performance degradation observed during synchronization between Private Cloud Controllers when operating in disconnected mode from the Zero Trust Exchange (ZTE). Your Private Cloud Controller will be updated base...
Private Cloud Controller Version 25.45.1
An update was released for Private Cloud Controller that includes bug fixes, optimizations, and version enhancements. Your Private Cloud Controllers will be updated based on your software update schedule as configured per Private Cloud Controller group. To learn more, see <a href="htt...
Private Cloud Controller Version 25.44.6
This Private Cloud Controller version includes the following updates: • An update was released for Private Cloud Controller that includes bug fixes, optimizations, and version enhancements. To learn more, see <a href="https://help.zscaler.com/zpa/understanding-business-continuity" target...
Private Cloud Controller Version 25.43.2
This release includes the following updates: • An update was released for Private Cloud Controller that includes bug fixes, optimizations, and version enhancements. • Support for redirection policies that use ZPA Private Service Edges when available over ZPA Public Service Edges. T...
Private Cloud Controller Version 25.42.4
An update was released for ZPA Private Cloud Controllers that includes bug fixes, optimizations, and version enhancements. Your Private Cloud Controllers will be updated based on your software update schedule as configured per Private Cloud Controller group. To learn more, see...
Private Cloud Controller - zpatwo.net
Private Cloud Controller Version 26.53.4
This Private Cloud Controller version provides the following updates: • An update ensures that a Private Cloud Controller disconnected from the Zero Trust Exchange (ZTE) for extended periods of time can seamlessly reconnect to the ZTE even if the Private Cloud Controller had outdated or...
Private Cloud Controller Version 26.52.4
This update resolves a rare issue that could cause Private Cloud Controller processes to experience degraded performance when a hypervisor host experienced CPU starvation. Your Private Cloud Controllers will be updated based on your software update schedule as configured per Private Cloud C...
Private Cloud Controller Version 26.52.3
An update was released for Private Cloud Controller that includes bug fixes, optimizations, and version enhancements. Your Private Cloud Controllers will be updated based on your software update schedule as configured per Private Cloud Controller group. To learn more, see <a href="https://h...
Private Cloud Controller Version 25.50.6
An update was released for Private Cloud Controller to support whitespaces in SAML responses when configuring a new identity provider (IdP). Your Private Cloud Controllers will be updated based on your software update schedule as configured per Private Cloud Controller group. To learn more,...
Private Cloud Controller Version 25.50.4
An update was released for Private Cloud Controller that includes bug fixes, optimizations, and version enhancements. Your Private Cloud Controllers will be updated based on your software update schedule as configured per Private Cloud Controller group. To learn more, see <a href="https://h...
Private Cloud Controller Version 25.49.4
This Private Cloud Controller version includes the following updates: • Support for redirecting users to Private Service Edges in respective Microtenants. • Private Cloud Controllers redirect users to the closest Private Service Edge regardless of the Private Cloud. You...
Private Cloud Controller Version 25.48.4
An update was released for Private Cloud Controller to fix an issue where the Private Cloud Controller redirected users to the admin IdP SSO page instead of the user IdP SSO. Your Private Cloud Controllers will be updated based on your software update schedule as configured per Private Clou...
Private Cloud Controller Version 25.47.3
This Private Cloud Controller version includes the following updates: • Operating system logs are sent to event logs if an OS update failed.• See example log. • An update was released for Private Cloud Controller...
Private Cloud Controller Version 25.46.3
An update was released for Private Cloud Controller that includes the following: • Operating system logs are sent to event logs if an OS update failed.• See example log. • The Private Cloud Controller redirects us...
Private Cloud Controller Version 25.46.2
This Private Cloud Controller version includes the following updates: • An update was released for Private Cloud Controller that includes bug fixes, optimizations, and version enhancements. • Support for forcing Private Cloud Controllers, App Connectors, and ZPA Pr...
Private Cloud Controller 25.45.2
This Private Cloud Controller software version addresses performance degradation observed during synchronization between Private Cloud Controllers when operating in disconnected mode from the Zero Trust Exchange (ZTE). Your Private Cloud Controller will be updated base...
Private Cloud Controller Version 25.45.1
An update was released for Private Cloud Controller that includes bug fixes, optimizations, and version enhancements. Your Private Cloud Controllers will be updated based on your software update schedule as configured per Private Cloud Controller group. To learn more, see <a href="htt...
Private Cloud Controller Version 25.44.6
This Private Cloud Controller version includes the following updates: • An update was released for Private Cloud Controller that includes bug fixes, optimizations, and version enhancements. To learn more, see <a href="https://help.zscaler.com/zpa/understanding-business-continuity" target...
Private Cloud Controller Version 25.43.2
This release includes the following updates: • An update was released for Private Cloud Controller that includes bug fixes, optimizations, and version enhancements. • Support for redirection policies that use ZPA Private Service Edges when available over ZPA Public Service Edges. T...
Private Cloud Controller Version 25.42.4
An update was released for ZPA Private Cloud Controllers that includes bug fixes, optimizations, and version enhancements. Your Private Cloud Controllers will be updated based on your software update schedule as configured per Private Cloud Controller group. To learn more, see...
Network Connector - private.zscaler.com
Network Connector Version 26.53.4
An update was released for Network Connector that includes bug fixes, optimizations, and version enhancements. Your Network Connector will be updated based on your software update schedule as configured per Network Connector group. To learn more, see <a href="https://help.zscaler.com/zpa/ne...
Network Connector Version 26.52.4
This update resolves a rare issue that could cause Network Connector processes to experience degraded performance when a hypervisor host experienced CPU starvation. Your Network Connector will be updated based on your software update schedule as configured per Network Connector group. To le...
Network Connector Version 26.52.3
This release of Network Connector includes a fix to remove temporary files that had a prefix of "zpath_popen_stderr_" from the "/tmp" directory on Network Connectors. To learn more, see <a href="https://help.zscaler.com/zpa/network-connector-deployment-guide-linux" target="_...
Network Connector Version 25.50.4
An update was released that includes Federal Information Processing Standards (FIPS) support for Network Connectors. Your Network Connector will be updated based on your software update schedule as configured per Network Con...
Network Connector Version 25.49.4
An update was released for Network Connector that includes bug fixes, optimizations, and version enhancements. Your Network Connector will be updated based on your software update schedule as configured per Network Connector group. To learn more, see <a href="https://help.zscaler.com/zpa/ne...
Network Connector Version 25.48.4
An update was released for Network Connector that includes bug fixes, optimizations, and version enhancements. Your Network Connector will be updated based on your software update schedule as configured per Network Connector group. To learn more, see the <a href="https://help.zscaler.com/zp...
Network Connector Version 25.47.3
An update was released for Network Connector that can send operating system logs to event logs if an OS update fails in future releases. Your Network Connector will be updated based on your software update schedule as configured per Network Connector group. To learn m...
Network Connector Version 25.46.3
An update was released for Network Connector that can send operating system logs to event logs if an OS update fails in future releases. Your Network Connector will be updated based on your software update schedule as configured per Network Connector group. To learn m...
Network Connector Version 25.46.2
This Network Connector version includes the following updates: • An update was released for Network Connector that includes bug fixes, optimizations, and version enhancements. • Support for high availability and redundancy for Network Connector node failures and Ne...
Network Connector Version 25.45.1
An update was released for Network Connector that includes bug fixes, optimizations, and version enhancements. Your Network Connectors will be updated based on your software update schedule as configured per Network Connector group. To learn more, see <a href="https://help.zscaler.com...
Network Connector - zpatwo.net
Network Connector Version 26.53.4
An update was released for Network Connector that includes bug fixes, optimizations, and version enhancements. Your Network Connector will be updated based on your software update schedule as configured per Network Connector group. To learn more, see <a href="https://help.zscaler.com/zpa/ne...
Network Connector Version 26.52.4
This update resolves a rare issue that could cause Network Connector processes to experience degraded performance when a hypervisor host experienced CPU starvation. Your Network Connector will be updated based on your software update schedule as configured per Network Connector group. To le...
Network Connector Version 26.52.3
This release of Network Connector includes a fix to remove temporary files that had a prefix of "zpath_popen_stderr_" from the "/tmp" directory on Network Connectors. To learn more, see <a href="https://help.zscaler.com/zpa/network-connector-deployment-guide-linux" target="_...
Network Connector Version 25.50.4
An update was released that includes Federal Information Processing Standards (FIPS) support for Network Connectors. Your Network Connector will be updated based on your software update schedule as configured per Network Con...
Network Connector Version 25.49.4
An update was released for Network Connector that includes bug fixes, optimizations, and version enhancements. Your Network Connector will be updated based on your software update schedule as configured per Network Connector group. To learn more, see <a href="https://help.zscaler.com/zpa/ne...
Network Connector Version 25.48.4
An update was released for Network Connector that includes bug fixes, optimizations, and version enhancements. Your Network Connector will be updated based on your software update schedule as configured per Network Connector group. To learn more, see the <a href="https://help.zscaler.com/zp...
Network Connector Version 25.47.3
An update was released for Network Connector that can send operating system logs to event logs if an OS update fails in future releases. Your Network Connector will be updated based on your software update schedule as configured per Network Connector group. To learn m...
Network Connector Version 25.46.3
An update was released for Network Connector that can send operating system logs to event logs if an OS update fails in future releases. Your Network Connector will be updated based on your software update schedule as configured per Network Connector group. To learn m...
Network Connector Version 25.46.2
This Network Connector version includes the following updates: • An update was released for Network Connector that includes bug fixes, optimizations, and version enhancements. • Support for high availability and redundancy for Network Connector node failures and Ne...
Network Connector Version 25.45.1
An update was released for Network Connector that includes bug fixes, optimizations, and version enhancements. Your Network Connectors will be updated based on your software update schedule as configured per Network Connector group. To learn more, see <a href="https://help.zscaler.com...
Digital Experience Monitoring (ZDX)
Service - zdxcloud.net
Decline Button for Scripts
When you configure a script with an End-User Confirmation, you can opt to configure a Decline button for the end users. See image. Ensure the impacted devices, based on their OS, meet the minimum required or later <a href=...
Managed Monitoring
Hosted Monitoring was renamed to Managed Monitoring for clarification and better representation. See image. To learn more, see <a href="https://help.zscaler.com/zdx/understanding-managed-monitoring" target="_bla...
Network Intelligence Dashboard Enhancements
The Network Intelligence dashboard has the following enhancements: • Alternative views for User Experience & Network Insights: Configure your views to display the metrics for User Expe...
ZDX in Zscaler Experience Center
Zscaler Experience Center simplifies Zero Trust adoption and operations through an intuitive, unified admin experience in the Zscaler Admin Console. Zscaler Digital Experience (ZDX) is available in the Experience Center and delivers a horizontal platform experience across multipl...
Real User Monitoring
Real User Monitoring captures and analyzes user interactions with applications through their web browsers to create a comprehensive visibility into the application's digital experience. You can use Real User Monitoring to identify bottlenecks a user might encounter while the...
ZDX API Enhancements
The ZDX API includes the following endpoints: • "/snapshot/alert": Share a ZDX Snapshot for a given alert ID to evaluate alert details. • "/snapshot/user": Share a ZDX Snapshot for a given user ID to monitor user details about device and application use. <...
User Location Report
The system-generated report for User Location is available in the ZDX Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zdx/viewing-system-generated-reports" target="_blank" data-entity-t...
Session Timeout Duration
Configure the Session Timeout Duration to determine how long a user can access the ZDX Admin Portal in a session while being inactive. See image. To learn more, see <a href="https://help.zscaler.com/zdx/configuring-administrat...
Zoom Call Quality Monitoring Exclusion Criteria
Call Quality Monitoring for Zoom now supports exclusion criteria during tenant onboarding, allowing the collection of call quality data for all users except specified users or groups. New fields in the Monitoring Criteria section: • <s...
Support for IPv6 in ZDX
ZDX now supports IPv6 to include dual-stack (IPv4 and IPv6) or IPv6-only configurations. ZDX IPv6 visibility requires Zscaler Internet Access (ZIA) IPv6 to be enabled, as ZDX relies on ZIA to route and inspect IPv6 traffic for telemetry collection. To learn mor...
Remediation
Remediation in the Zscaler Admin Console allows IT admins to remotely configure specific scripts to run on Windows devices and schedule routine maintenance to address device issues. See image. Import PowerShell scripts or use p...
Collection Enhancements
Configure the following collections for your End User and Hosted Monitoring probes to organize probes and view their collection information (i.e., status, number of probes). • End User: Includes the following collections:<ul style="list-styl...
Incidents Dashboard Enhancements
The Incidents Dashboard supports end-to-end intermediate internet service provider (ISP) incidents. This release introduces a new incident subtype, clearer identification of where issues occur within the network path, richer metrics, and streamlined alerting and sharing workflows...
Server Processing Time and Zscaler Time to First Byte
Zscaler adds two Web probe metrics called Server Processing Time and Zscaler Time to First Byte (ZTTFB) on the User Details page so that you can monitor the digital experience of a user accessing an application. • Server Processing Time captures the duration from when th...
End-of-Support (EOS) and End-of-Life (EOL) Information on Software Inventory Page
View End-of-Support (EOS) and End-of-Life (EOL) information for your installed software directly on the Software Inventory page. See image. <i...
Network Intelligence Dashboard Enhancements
The Network Intelligence Dashboard has been enhanced with updated alerts, featuring clearer criteria and richer incident insights. Additionally, new Network Health summary widgets have been added to surface issues faster and provide greater clarity: • Network Ano...
Admin Scope Support for ZIdentity Admins
You can assign an admin scope to a ZIdentity admin that is configured as a ZDX Admin. See image. To learn more, see Managing ZDX Admins. <div clas...
Device Events Reports
The Device Events reports are available in the ZDX Admin Portal. View and monitor aggregated insights into common system and software crashes. See image. User Device Events detects several new events and categorizes them into d...
Device Health Dashboard
The Device Health dashboard provides a comprehensive view of struggling devices across an entire organization, department, user group, or location. See image. The Device Health dashboard includes hardware analysis...
Network Intelligence Dashboard
The Network Intelligence dashboard is a high-level visualization of your organization's network. ZDX runs Cloud Path probes to analyze and identify anomalies in the network's health that allow you to understand the underlying network issues across your organization. You...
Data Explorer End User Monitoring Enhancements with User Groups and Metric-Based Filters
End User Monitoring in Data Explorer supports User Groups and Metric-Based filters to refine data analysis and visualization. See image. To learn more, see <a href="https://help.zscaler.com/zdx/configuring-...
Enhanced Cloud Path Probe Configuration Options
Cloud Path probes include advanced configuration settings to improve network diagnostics and end-to-end performance measurements. You can specify the following options to enhance monitoring flexibility: • End-to-End Metrics Pro...
Data Explorer Hosted Monitoring Enhancements with Error Overlays and Companion Probes
Hosted monitoring in Data Explorer now supports error overlays and companion probe data visualization. See image. To learn more, see <a href="https://help.zscaler.com/zdx/configuring-data-explorer-views" target="_...
Data Explorer Hosted Monitoring Overlays
For Cloud Path probes in hosted monitoring, overlay support for percentile thresholds such as the 99th and 95th percentiles is available. These overlays provide insights into performance outliers and anomalies by highlighting worst-case and typical scenarios. <a class="imag...
Data Explorer Hosted Monitoring Multipath Visualization View
For Cloud Path probes in hosted monitoring, a multipath visualization view format is available. This format is in addition to the existing chart, scatter, tabular, and range formats. See image. To learn more, see <a...
Companion Probe
During a Zscaler Hosted probe configuration, you can pair a Cloud Path probe as a companion probe to the Web probe. When the Web probe resolves to an IP address, then the Cloud Path probe runs to the same IP address. See image.</p...
Alert Support for Any Incident Type
Configure an alert rule for any incident type in order to automatically be notified and securely monitor when impacted devices experience an incident. See image. To learn more, see <a href="https://help.zscaler.com/zdx/config...
Alert Support for Call Quality Metrics
Configure alerts to capture Call Quality metrics by selecting a Unified Communications as a Service (UCaaS) application to automatically receive notifications when there is a poor digital experience. You can configure an alert by selecting Call Quality or Network as a rule type a...
Software Patch Inventory
Software Patch Inventory allows you to identify the current distribution of software patches on user devices across your organization. See image. To learn more about the feature and its prerequisites, see <a...
UCaaS Application Support for ZDX Score Analysis
Analyzing ZDX scores on the User Details page using Analyze Score also supports Unified Communications as a Service (UCaaS) and Zscaler Private Access (ZPA)-enabled applications. See image. To learn more, see <a...
macOS Support for Hi-Fi Cloud Path Diagnostics Session
To start a Hi-Fi Cloud Path as a Diagnostics session in the ZDX Admin Portal, users with macOS devices require a minimum Zscaler Client Connector version 4.5.1 for macOS and ZDX Module version 4.4 for macOS. See image. To learn...
Wi-Fi Dashboard Enhancements
View a list of your impacted Wi-Fi access points on the Wi-Fi Dashboard page. Additionally, you can configure the Wi-Fi data collection to use signal strength and retransmission rate to identify low-performing Wi-Fi devices instead of the ZDX Score. <a class="image-icon" hr...
ZDX API Support in OneAPI
An update was released to support ZDX API in OneAPI. You can also sync ZDX API credentials for ZIdentity-enabled tenants with ZDX. If you are subscribed to ZIdentity and have it enabled for your tenant, API keys created in the ZIdentity Admin Portal appear on the API Keys page in the ZDX Admin Po...
Location of Stored ZDX Data
ZDX logs and data are now stored in Singapore in addition to the United States, the European Union (Western Europe, Netherlands) or Australia East (New South Wales). Contact your Zscaler Account team for details. To learn more about Zscaler's retention of logs and data, see <a href="ht...
Data Explorer Hosted Monitoring Range View
A range view format is available for customized Data Explorer hosted monitoring views, in addition to the chart, scatter, and tabular formats. See image. To learn more, see <a href="https://help.zscaler.com/zdx/configuri...
Device Incident Type for Windows Devices
The Device incident type provides comprehensive key metrics on anomalous behavior by detecting and analyzing trends in device usage for Windows devices. See image. To learn more, see <a href="https://help.zscaler.com/zdx/monito...
Probe Assignments Report
The system-generated report for Probe Assignments is available in the ZDX Admin Portal. See image. To learn more, see Viewing Sy...
SCIM Auto Provisioning for Admin Groups
You can enable SCIM Auto Provisioning to provide a user's group information as an admin group on the Administrator Management page. You can then manage admin groups on the Admin Groups page to associate roles and scopes that provide limitations and access to the ZDX Admin Po...
Data Explorer Hosted Monitoring Scattered View
A scattered view format is available for customized Data Explorer hosted monitoring views, in addition to the chart and tabular formats. See image. To learn more, see <a href="https://help.zscaler.com/zdx/configuring-dat...
User Domain Settings for ServiceNow
Configure the User Domain Settings in ServiceNow to update user records for emails or usernames with different logins. See image. To learn more, see <a href="https://help.zscaler.com/zdx/zdx-integration-servicenow" target="_bla...
Data Explorer Tabular View and Improved Filters for Hosted Monitoring
A tabular format is available for hosted monitoring Data Explorer views, in addition to the chart format. See image. <a class="ck-anchor" id="zdx-de-hosted-tabular-view" target="_blan...
Alert Rule Support for Custom Applications with Network Application Type
Configure an alert rule for a custom application that is a network application type. See image. To learn more, see <a href="https://help.zscaler.com/zdx/configuring-alert-rule" target="_blank" data-entity-type="node" data-entity...
Data Explorer Views for Hosted Monitoring
You can generate and analyze views for Zscaler hosted data in Data Explorer. See image. <img src="https:/...
ZPA Incidents
On the Incidents Dashboard, a new ZPA incident type provides comprehensive key metrics on Zscaler Private Access (ZPA) traffic at the Zscaler data center. The ZPA incident type includes the following subtypes: • ZPA Public Service Edge...
Data Explorer Tabular View
A tabular format is available for customized Data Explorer views, in addition to the chart format. See image. To learn more, see Conf...
Packet Capture Enhancements
The frame size limit for Packet Capture probing has been updated to 65,536 bytes. See image. <img src="https://help.zscaler.com/download...
Application Admin Scope
You can select Applications as an admin scope when configuring a ZDX Admin. See image. To learn more, see <a href="https://help.zscaler.com/zdx/managing-zdx-admins" target="_blank" data-entity-type="node" data-entity-uuid...
Dark Mode Selection
You can select Dark Mode as your Theme from the My Profile menu. See image. To learn more, see <a href="https://help.zscaler.com/zdx/customizing-your-admin-account-settings" target="_blank" data-entity-type="node" data-entity-uui...
Download CSV File of ZDX Admins
The Export option allows you to download a CSV file of ZDX Admins from the Administrators page. See image. To learn more, see <a href="https://help.zscaler.com/zdx/about-administrators" target="_blank" data-entity-type="node" d...
Full Cloud Path for ZDX Standard Subscriptions
The full Cloud Path is accessible in the Hop View and Command Line View for all ZDX subscriptions, including Standard subscriptions. See image....
Workflow Automation
Service - Zscaler Automation
Enhancement to the Export Incidents Feature
On the Incidents page, you can export the incidents that are displayed on the page to a CSV file. For incidents that have duplicate incidents, the CSV file lists the main incident ID along with each of the duplicate incident IDs in the Transaction ID field. The incident IDs are s...
Modification to the Duplicate Incident Logic
The duplicate incident logic is modified to not require the MD5 hash value for incidents resulting from rules without content inspection (i.e., the Engines attribute value is External DLP). To learn more, see <a href="https://help.zscaler.com/workflow-automation/understanding-duplicate-inci...
Workflow Automation Integration with SaaS Security Posture Management
Workflow Automation supports integration with SaaS Security Posture Management (SSPM). This integration enables you to configure workflows that automatically trigger tickets for SSPM controls and findings through a SaaS application ticketing system (i.e., ServiceNow). In SSPM, the workflows that...
Enhancement to the Incident Details Page
On the Incident Details page opened in a new tab from the Incidents page, you can perform actions on the incident on this page, and you can click the Refresh button at the top of the page to display the latest information for the incident. <a class="image-icon" href="#incid...
Enhancement to the Quarantined Email Release Feature
On the Incident Details page, for an email incident with a quarantined status, after you release the quarantined email to one or more of its recipients, the Quarantined Email Status field appears in the Overview section on this page. When you click the View Status link in this fi...
Update to Supported Number of Predicates for Statements for Incident Group and Workflow Mappings
On the Incident Group Mapping page and the Workflow Mappings page, you configure the mappings for incident groups or workflows, respectively, by adding statements (i.e., rules). Each statement contains one or more predicates. You can add up to 100 predicates for a statement. <...
Enhancements to Data Protection Features
The following are enhancements to the Data Protection features in Workflow Automation: Enhancement to the Incidents Page and the Incident Analytics DashboardOn the Incidents page and the Incident Analytics dashboard, a Response Available widget is added. This widge...
Enhancements to Data Protection Features
The following are enhancements to the Data Protection features in Workflow Automation: Enhancement to Notification TemplatesOn the Notification Template page, you can create custom email, Slack, and Microsoft Teams notification templates that your organization can...
Enhancements to Data Protection Features
The following are enhancements to the Data Protection features in Workflow Automation: Enhancement to Custom Date RangeOn the Incidents page, Incident Summary page, and the Incident Analytics dashboard, you can filter the incidents that appear by selecting the time...
Enhancements to Data Protection Features
The following are enhancements to the Data Protection features in Workflow Automation: Introducing Incident SummariesOn the Incident Summary page, you can view aggregate incident counts for a specified date range by using various selectable attributes and filters....
Enhancement to Notification Templates
On the Notification Template page in the Data Protection integration, you can create custom email, Slack, and Microsoft Teams notification templates that can be used by your organization. When creating these different types of templates, you can use the merge tags that are provid...
Enhancements to Data Protection Features
The following are enhancements to the Data Protection features in Workflow Automation: Protocol EnhancementA few enhancements were made for incident protocol. These enhancements are: • On the Incidents page, the Protocol column is added to the Incidents...
Enhancement to the Incidents Page
On the Incidents page in the Data Protection integration, the User Groups column is added to the incident table. The User Groups column displays the user groups that the end user is a member of in your organization. In addition, when you export incidents, the User Groups co...
Enhancements to Data Protection Features
The following are enhancements to the Data Protection features in Workflow Automation: Introducing Custom WorkflowsYou can now create custom workflows in Workflow Automation using the custom workflow builder page accessed by clicking the Add Custom Workflow button...
Enhancement to the Add Admin Assignment Window
On the Add Admin Assignment window in the Data Protection integration, you have the option to override your organization's data privacy settings when adding the admin assignments for an individual admin. To override the settings, enable or disable the Hide Evidence Data sett...
Enhancement to the Incidents Page
On the Incidents page in the Data Protection integration, additional columns are added to the incident table for incidents of Source DLP type SaaS Security. The following additional columns appear: • External Collaborators Groups: The collaborator groups...
Enhancements to Data Protection Features
The following are enhancements to the Data Protection features in Workflow Automation: Enhancement to Audit LogsWorkflow Automation creates audit logs when you update an incident group mapping on the Incident Group Mapping page, and when you update a workflow mappi...
Enhancements to Data Protection Features
The following are enhancements to the Data Protection features in Workflow Automation: Filter Incidents of Source DLP Type Endpoint by ChannelOn the Incidents page, a new Channel column is added to the Incidents table, and the Channel attribute is added as a filter...
Enhancement to the Incidents Analytics Dashboard
A new widget, All, is added to the Incident Analytics dashboard. This widget displays the total number of incidents that have occurred in your organization. See image. To learn more, see <a href="https://help.zscaler.com...
Enhancements for Data Protection Features
The following are enhancements to the Data Protection features in Workflow Automation: Support for Cloud-to-Cloud Forwarding in DLP Application IntegrationWorkflow Automation Data Loss Prevention (DLP) Application integration with Amazon Web Services (AWS) and Micr...
Enhancement to the Workflow Automation Admin Portal
A window, What's New?, now appears whenever an admin logs in to the Workflow Automation Admin Portal. This window highlights the latest feature releases, including new functionalities, fixes, and improvements. Admins have the option to permanently disable this window if it i...
Enhancements for Data Protection Features
The following are enhancements to the Data Protection features in Workflow Automation: Enhancement to Notification TemplatesOn the Notification Templates page, a new Subject Line field is available when you add, edit, or clone an email template. This field allows y...
Enhancements to Account Settings
On the Account Settings page in the Data Protection integration, a new Restrict Approver Email Domains option is added under the Approvers Domain Management section. This option allows you to add a maximum of 10 trusted email domains to restrict who can be set as approvers. On th...
Configurable User Digest Notification Frequency
On the Account Settings page in the Data Protection integration, you can select the frequency at which user digest notifications are generated for your organization. Frequencies are Hourly, Daily, or Weekly. The default is daily. <a class="image-icon" href="#user-digest-fre...
Enhancements to Data Protection Features
The following are enhancements to the Data Protection features in Workflow Automation: Enhancement to Viewing Incidents on the Incidents PageOn the Incidents page, the incidents that have occurred for your organization appear in a table. This table displays multipl...
Enhancements to DLP Incident Filters
On the Incidents page in the Data Protection Integration, you can use filters to determine which incidents appear on the Incidents page. Using the Filters window, you can choose the Data Loss Prevention (DLP) incident filters and enter the values for these filters. Some of the fi...
Enhancements to Data Protection Features
The following are enhancements to the Data Protection features in Workflow Automation: Enhancement to Incident FiltersOn the Incidents page, you can filter the incidents that appear on the page. In the Filters window, for filters with predefined values (e.g., Dicti...
Enhancements to Data Protection Features
The following are enhancements to the Data Protection features in Workflow Automation: Support for Managing Incidents Across Multiple ZIA Tenants in a Single Workflow Automation AccountIn the Workflow Automation Admin Portal, you can manage the incidents that occur...
Enhancements to Data Protection Features
The following are enhancements to the Data Protection features in Workflow Automation: Modification to the System Default Escalation Survey TemplateWorkflow Automation provides a system default survey template (Escalation - Questionnaire Template) that you can use...
Enhancements to Data Protection Features
The following are enhancements to the Data Protection features in Workflow Automation: Modification to the Close Incident ActionIn the Close Incident window, which you access by selecting the Close Incident action on the Incidents page or the Incident Details page,...
Enhancement to Notification Templates
On the Notification Template page in the Data Protection integration, the Client IP tag is added to the Merge Tags drop-down menu when adding buttons, text, and headings to an email notification template. The Client IP tag is also added to the Select Merge Tags drop-down menu whe...
Enhancements to Custom Email Domains
The following are enhancements to the Custom Email Domains feature in the Data Protection integration: • On the Custom Email Domain page, you can revert back to the Zscaler domain (zsworkflow.net) by clicking Revert to Zscaler Domain. The status of the custom email do...
Custom Email Domains
On the Custom Email Domain page in the Data Protection integration, admins can configure custom email domains for their organization. Workflow Automation generates and sends email notifications for the various actions that you can perform, such as notifying the user of an inciden...
Enhancements to Data Protection Features
The following are enhancements to the Data Protection features in Workflow Automation: Enhancement to the Account Settings PageThe Incident Management section is added to the Account Settings page. In this section, you can enable the Retrieve User Email from Primar...
AI Guard
Service - Zscaler AI Guard
AI Guard 2.15.1
Role-Based Access Control (RBAC) ManagementAI Guard 2.15.1 introduces enhanced data integration capabilities and significantly expands administrative control through advanced Role-Based Access Control (RBAC). These updates are designed to strengthen governance, flexibili...
AI Guard 2.14.2
Codex Application SupportSupport added for the Codex application. Codex is an OpenAI code agent and doesn't require additional Internet & SaaS (ZIA) configuration for URLs if you've already configured the forwarding for ChatGPT traffic from ZIA. It supports request blocking and...
AI Guard 2.13.1
Default LLM Provider Auto-ProvisioningDuring AI Guard tenant creation, all default LLM providers are now: • Automatically provisioned. • Pre-configured and ready to use. This eliminates the need for manual setup, reduces operational overhead, and accelerates st...
AI Guard 2.12.0
Intellectual Property (IP) DetectorThe IP Detector is a critical new feature designed to safeguard proprietary or sensitive information provided by users as background data (the "context") for language model interactions. It analyzes a user's subsequent input/query...
AI Guard 2.11.0
Additional Masking CapabilityEnhanced data privacy with extended masking options on Dashboard and LLM providers. For more information on how the options work, see the following table: PII Flag on ProductSend Masked PII to L...
AI Guard Release 2.10.0
Splunk Integration for LogsAI Guard now supports Splunk integration, enabling seamless export and monitoring of logs within Splunk environments. This enhances observability, security monitoring, and centralized log analysis capabilities. <a class="image-icon" href=...
Data Security Posture Management (DSPM)
Service - app.zsdpc.net
Cloud Account Onboarding
DSPM now supports only custom network configuration for onboarding cloud accounts, where you must set up the network by creating virtual networks (VNets) or virtual private clouds (VPCs) in the <a href="https://help.zscaler.com/dspm/understanding-orchestrator" target="_blank" data-entity-type="no...
Data Classification Settings Enhancements
The Data Classification Settings page includes the following enhancements: • The Data Sensitivity Settings page is renamed to Data Classification Settings. • You can select t...
Data Duplication Enhancements
The following enhancements for Data Duplications are included: Data Duplications PageThe following enhancements are made to the Data Duplication page: • The Clouds filter includes On‑Premises. <li data-list-item-id=...
Data Inventory Enhancements
The detailed view for files related to the Data Inventory is displayed in the following tabs: • Details • Evidence <li data-list-item-id="e9494420f730fb4aa10f8cbbde7fd71c...
Data Posture Policies
The following new data posture policies for Azure are available: • Azure AI Foundry • <a href="#ds-azu...
Data Scan Enhancements
Data scanning includes the following enhancements: RDBMS Data Sample ScanningWhen performing a data sampling scan on Relational Database Management Systems (RDBMS), random rows are selected from each table. This provides a more accurate representation of data, redu...
DSPM Upgraded to Experience Center
DSPM is now available in Experience Center, a centralized unified platform that provides a more secure and streamlined user experience. You can access and manage DSPM in the Zscaler Admin Console for E...
On-Premises Scanners
You can now use only on-premises scanners to scan on-premises databases. DSPM no longer provides support for using cloud scanners to scan on-premises databases. While registering an unmanaged database, you can only select an on-premises scanner. <a class="image-icon" href="...
Resource Inventory Enhancements
The Resource Inventory includes the following enhancements: File Details in Sensitive Data TabThe file details are shown in the following tabs: • Details <li data-list-item-id="e78e8115860972a232b6a...
Data Classification Evidence in GCP
DSPM generates evidence data for scanned files and tables which allows in-context investigation and validation of sensitive data. This is now supported for Google Cloud Platform (GCP). To learn more, see: • <a href="https://help...
Data Duplication Enhancements
The export feature on the Data Duplications page includes two new options: • Summary View: This report provides the total number of duplicate files including their locations across accounts and regions. <li data-list-item-id="e9ae...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure</li...
Data Scan Enhancements
Data scanning includes the following enhancements: Support for On-Premises NetApp File SharesDSPM supports the discovery and classification of sensitive data in on-premises NetApp file shares using NFS and SMB protocols. <a class="image-icon" href="#rn-nfs-ne...
Discovery Status and Error Messages for On-Premises File Servers
You can now view detailed error messages when on-premises file servers cannot be discovered for scanning. The error message includes specific reasons for failure, such as networking, authentication, or permission issues, to resolve the issues. <a class="image-icon" href="#r...
Microsoft 365 Tenant Onboarding
DSPM supports onboarding of Microsoft 365 (M365) tenants to monitor and scan data stores, access Microsoft Information Protection (MIP) labels for Microsoft Azure or on-premises file shares, or integrate with Microsoft Copilot....
MIP Labeling Enhancements
The following enhancements are included: MIP Labeling for On-Premises File SharesDSPM extends Microsoft Information Protection (MIP) labeling for on-premises SMB and NFS file shares. Use action rules to automatically apply MIP sensitivity labels to sensitive data (e.g., PII, PHI, P...
Action Rules
Action rules allow you to define the criteria for identifying specific data types and to automatically apply Microsoft Information Protection sensitivity labels to files. This feature currently supports Azure File Shares See image.<...
Additional Threat Categories
The following threat categories are available to assess AI governance and safety: • AI Governance • AI Safety S...
AI Security
DSPM AI security includes the following enhancements: Scanning AI ModelsDSPM scans AI models to identify vulnerabilities such as malicious code injection, backdoors, embedded secrets, data leakage, etc. The scan results are displayed on the AI Model Security Scan F...
CLI Command to Initialize Scanner VM
A new CLI command is available to initialize the on-premises scanner. This helps simplify the network configuration and allows you to configure the scanner, install required components, and run initial connectivity and health checks. To learn more, see <a href="https://help...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure</li...
Data Scan Enhancements
Data scanning includes the following enhancements: Scan Support for Azure Cosmos DB NoSQL Data StoresDSPM supports the discovery and classification of sensitive data in Azure Cosmos DB accounts. See image. To...
Investigation and Policy Query Enhancement
The investigation and policy queries are enhanced with the following predicate and operator for improved metadata analysis and enrichment: You can use the Has Data predicate to query if there is sensitive data in resources within Azure AI Foundry. To learn more, see <a href="https://h...
Posture Labels for Resource Types
The following posture labels are applicable for these resource types: • Azure Cosmos DB NoSQL:• Public Exposure •...
Resource Inventory Enhancements
The Resource Inventory includes the following enhancements: Supported Data StoresThe following data stores are scanned for sensitive data: • Azure Cosmos DB •...
AI Inventory Enhancements
DSPM now calculates risks associated with open-source models like Hugging Face, model behavior, and supply chain within the AI Inventory. The AI Inventory includes the following enhancements: FiltersThe following additional filters are available for models: • Managed Model...
Alert Age Calculation
When an alert is generated or reset, its age is now calculated from zero to improve accuracy. For example, when an alert is initially generated, the age is 0 on the first day. See image. To learn more, see <a href=...
Data Scan Enhancements
The data scan feature includes the following enhancements: Data Scan Support for Azure Germany NorthDSPM supports data discovery and classification in the Azure Germany North region. You can select the region and corresponding API values while onboarding the accoun...
DSPM Policies
The following new policies are available: • AWS • Azure • On-Premises • Snowflake • <a...
Enhancements to On-Premises Scanner
The on-premises scanner includes the following enhancements: Scanner Initialization Command for OVA and VHDOn-premises scanners can be deployed from OVA or VHD images with a single init command that onboards and initializes the scanner, automating the process. <...
Posture Labels for Resource Types
The following posture labels are applicable for these resource types: • Unmanaged AWS and Azure MongoDB Server and On-Premises MongoDB Server:• Logging • Encryption • GCP BigQuery:• Public Exposure • Encry...
Resource Inventory Enhancements
The Resource Inventory includes the following enhancements: Supported Data StoresThe following data stores are scanned for sensitive data: • GCP BigQuery • On-Premises MongoDB Server • Unmanaged AWS and Azure MongoDB Server • AWS Bedrock Agent <p...
Additional Details of AI Resources
You can now view additional details of AI resources listed on the AI Inventory page. You can click the Resource Name to view the resource and metadata details. See image. <a class="ck-anchor" i...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure • GCP • On-Premises • <a...
Data Scan Enhancements
The data scan feature includes the following enhancements: Support for Scanning Azure File SharesDSPM supports Azure File Shares scanning over SMB and NFS to discover and classify sensitive data. See ima...
Enhancement to AWS IAM Condition Operators
DSPM supports the following AWS IAM condition operators for managing principal-based (identity-based) and resource-based access to scan data: • "NotPrincipal" • "ArnNotLike" • "IfExists" To learn more, see <a href="https://help.zsc...
Enhancements to On-Premises Scanning
On-premises data scanning includes the following enhancements: Hyper-V Support for On-Premises ScannerDSPM on-premises scanner now supports a Hyper-V deployment mode. Download the Hyper‑V scanner image and run it over a Hyper‑V service in the data center to registe...
Posture Label Enhancements
The following enhancements are available for posture labels: Renamed Over-Privileged Access Posture LabelThe posture label Over-Privileged Access is renamed to Privileged Access. The Privileged Access posture label is assigned when an entity has full or edit access permissions on o...
Resource Inventory Enhancements
The Resource Inventory feature includes the following enhancements: Azure AI Foundry Renamed to Azure AI Foundry HubAzure AI Foundry is renamed to Azure AI Foundry Hub. The following associated resources are also renamed: • Azure AI Foundry Hub Connection • Azure AI...
AI Inventory
The AI Inventory is dedicated to the inventory, management, and analysis of Artificial Intelligence (AI) and Machine Learning (ML) resources within a cloud environment. See image. To learn more, see <a href="http...
AI Security Dashboard: Summary Tiles
The summary tiles at the top of the dashboard provide additional details: • Data Shared with AI: The number of files and data stores shared with the AI. • AI Tools & Packages Vulnerabilities: AI tools and packages that have vulnerabilities. • Open Alerts on AI Resources: The...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure • On-Premises • Snowflake</l...
DSPM Integration with ZIdentity
DSPM is migrated to ZIdentity, a unified identity service for Zscaler that centralizes identity management, user authentication and authorization. You can access the DSPM Admin Portal via the <a href="https://help.zscaler.com/zidentity/accessing-and-navigating-zidentity-landing-p...
Enhancements to Data Scanning
The following enhancements are available for data scanning: Automatic Exclusion Data Stores Used for Storing LogsDSPM automatically excludes data stores used for storing logs of cloud-native services such as Network Flow, RDS Audit, ALB, or NLB transactions from sc...
Notification Emails
You can now send emails to specific recipients about any configuration or permission issues encountered with the onboarded organization or tenant. You can add multiple email addresses of recipients who need to receive the notifications during or after the onboarding process. <...
Resource Inventory Enhancements
The Resource Inventory includes the following enhancements: Resource Names for AWS EC2 Virtual MachinesYou can see the resource names of AWS EC2 virtual machines instead of their instance ID on the Resource Inventory page. Posture Label SupportThe following posture l...
Saved Views
You can apply filters, modify table columns, and other settings on a page and save this customized view, so whenever you access the page later, it is displayed with the same settings. Saved view is available on the Resource Inventory, AI Inventory, and Compliance pages. <a...
Snowflake Predicates in Investigation & Policy Query
The investigation and policy queries include the following posture predicates that can be used to query Snowflake resources: • Is Dormant • Stale Access Keys...
Unmanaged Identities in Identity Inventory
Identities from unmanaged and Snowflake databases are shown in the Identity Inventory, providing visibility into the resources and data types that the identities can access. See image. To learn more, see<a href="https:/...
Custom Tag Validation
While onboarding accounts, you can define and assign custom tags to resources created by DSPM. These tags are included in the templates generated by DSPM. Tag validation is now aligned with the specific guidelines of each CSP to ensure accuracy and avoid incorrect tag syntax in t...
Dashboard Enhancements
The Dashboard includes the following enhancements: AI Security DashboardThe AI Security dashboard includes the following changes: • The summary tiles at the top of the dashboard showing details about deployed AI, data stores shared with AI, and open alerts on AI resources...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure • GCP • Snowflake • <a hr...
Identity Inventory
DSPM scans your data stores to identify identities with excessive privileges and provides a comprehensive view of the identities within the cloud environment. The Identity Inventory shows details about an identity, such as entity type, the sensitive data stores acces...
Resource Inventory Enhancements
The Resource Inventory includes the following enhancements: Snowflake EntitlementsDSPM now provides identity permissions and access details for a Snowflake database. View and analyze database access and permission grants to ens...
Use Wildcards to Exclude Data Stores from Scanning
AWS, Azure, and GCP data stores can now be excluded from scanning by using wildcards to match the data store names. This provides an easier and broader exclusion criteria. Based on the wildcards chosen, all the matching AWS S3 buckets, Azure storage accounts, or Google cloud storage buckets are e...
Azure AI Foundry Enhancements
The following enhancements are made to Azure AI Foundry: Investigation PredicatesYou can use the Has Model predicate to query the correlation of AI model information and sensitive data for Azure AI Foundry along with the following additional predicates: • Model Name <l...
Compliance Framework Enhancements
The Compliance dashboard is enhanced with the following features: • The following new compliance frameworks are supported:• Australian Signals Directorate Essential Eight • Transportation Security Administration Security Directive Pipeline 2021-02 • Hea...
Data Classification Evidence in Azure
DSPM generates evidence data for scanned files and tables which allows data security analysts to access the triggers related to the data classification and perform in-context investigation and validation of sensitive data. The evidence data is securely stored in a storage account that resides in...
Data Inventory
The new Data Inventory page provides a comprehensive overview of all the sensitive files and tables that exist across your clouds, accounts, and data stores. Identifying and listing all instances of files and tables with certain data is required for auditing and compliance tasks. For example, you...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure • GCP • On-Premises <d...
Data Scanning Enhancements
The following enhancements are made to data scanning: On-Demand ScanningYou can now use the On-Demand scan option to run the scans manually. This is supported for all resource types including virtual machines, databases, NoSQL databases and u...
Database Enhancements
The following are the database enhancements: Snowflake Database SupportZscaler DSPM now supports Snowflake and scans databases within the onboarded Snowflake accounts for sensitive data and provides security assessments. <a class="image-icon" href="#img-snowf...
Resource Inventory Enhancements
The resource inventory includes the following enhancements: Data Inventory Renamed to Resource InventoryData Inventory has been renamed to Resource Inventory. See image. <a c...
Unmanaged AI Service Discovery
The DSPM dashboard provides a detailed view of all the unmanaged and custom AI models and services installed on virtual machines across AWS, Azure, and GCP. These services can also be identified by DSPM policies for specific risk alerts. <a class="image-icon" href="#ds-unma...
Additional Predefined DSPM Role
DSPM offers a new predefined role, Data Analyst, with permissions for data investigation, analysis, and evidence. The role can be assigned to a specific group of users that need to access evidence data displayed on the Evidence tab. <a class="image-icon" href="#data-analyst...
Dashboard Enhancements
The DSPM dashboard includes the following enhancement: Viewing Insights for AI ServicesThe DSPM dashboard includes the AI Security tab which provides detailed insights into the generative AI services that have access to data stores containing sensitive data, and the security postur...
Data Duplication
DSPM detects duplicate files and displays the details on the Data Duplications page, allowing you to take corrective actions. Identifying copies of similar sensitive files at multiple locations is critical for multiple reasons, including data reduction, attack surface reduction, and for limiting...
Data Inventory Enhancements
The data inventory includes the following enhancements: Evidence for Sensitive DataDSPM discovers files and tables containing sensitive data and generates evidence data, allowing you to review that there is sensitive data, and it is not a false positive. You can investigate and val...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure • GCP...
Scan Support for Additional Databases
DSPM provides support for scanning the following databases in AWS and Azure cloud environments: • Unmanaged MySQL Database • Unmanaged Oracle Database DSPM expands the support for scanning unamanged MySQL and Oracle databases on cloud and on-premises en...
Cloud Accounts Onboarding Enhancements
The following enhancements are introduced in cloud accounts onboarding: Onboarding AWS ServicesYou can now select and onboard a subset of the supported AWS services (e.g., Storage bucket, Database, NoSQL Datastores, etc.). This option allows DSPM to have minimal pe...
Compliance Dashboard Enhancements
To assess compliance improvements or degradations, you can view the number of failed policies and resources for the control category on the compliance dashboard. This information is available for each compliance framework. See ima...
Dashboard Enhancements
The DSPM dashboard includes the following enhancements: AI Services WidgetAWS Bedrock Knowledge Bases and Agents are now monitored as a primary data store. The dashboard provides high-level visibility of AI services and exposed sensitive data stores. DSPM performs data scans and cl...
Data Inventory Enhancements
The Data Inventory includes the following enhancements: Access Tab for Unmanaged DatabasesDSPM now analyzes unmanaged databases (MSSQL, PostgreSQL, etc.) for access permissions. The Access tab on the Data Inventory page displays details regarding who can access the data, their acce...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure • GCP <a class="ck-a...
Data Scan Enhancements
The data scan includes the following enhancements: Support for Scanning GCP Compute EnginesDSPM scans and classifies the data in disks associated with GCP compute engines, checks for misconfigurations and posture issues, performs vulnerabilit...
Investigation and Policy Query Enhancements
The investigation and policy queries are enhanced with the following predicates and operators for improved metadata analysis and enrichment: Predicates for Unmanaged PostgreSQLYou can use the following relationship predicate to query the unmanaged PostgreSQL database: Can be access...
AI Service Details in Data Inventory
AI services such as Azure AI Foundry Hub are considered as data stores and explored for content and security posture, allowing you to review security misconfigurations, public exposure, data access, and more. DSPM monitors the AI services and displays the findings on the Data Inv...
AWS Single Account Onboarding
DSPM now supports the onboarding of AWS single accounts to monitor and scan the data stores within them. This option can be used when there are restrictions for onboarding accounts at the organization level. See image.</a...
Compliance Dashboard Enhancements
The Compliance dashboard includes the following enhancements: • On the Summary tab, you can view the number of failed policies by severity and control category. See image. • The Policies tab displays the...
Dashboard Enhancements
DSPM provides support for detecting AI services that have access to data stores containing sensitive data, the security posture of the AI services, and the overall risks. This information is crucial so you can apply security controls and manage the sensitive data that is exposed...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure • GCP <a class="ck-a...
Document Types and Categories
AI or machine language (ML) classification is extended to support over 100 new document types across 10 common document categories. This classification can be applied over any scanned file and can be used in DSPM policies. Document types and categories are visible on the Da...
Expanded Data Store Support
DSPM now provides support for scanning the following data stores: • Google Cloud SQL Instances (MSSQL, PostgreSQL, MySQL) • Unmanaged PostgreSQL databases on Azure and AWS • AWS Unmanaged MSSQL databases on AWS EC2 instances, in addition to unmanaged MSSQL su...
Investigation - Updates to Has Data Predicate
The Has Data relationship predicate is updated with new predicates that allow querying data stores based on the number of discovered DLP triggers, volume of sensitive data discovered or number of sensitive files or rows discovered. The following new predicates are available...
Azure AI Foundry and Storage Account Association
AI services such as Azure AI Foundry Hub leverage storage accounts to host the AI training data. DSPM provides visibility of sensitive data that is exposed to Azure AI services and machine learning workspaces on the Data Inventory page. This information allows you to create policies or investigat...
Data Posture Policies
The following new data posture policies for Azure are available: • Azure Policy Title</the...
Enhancements for Onboarding Azure Accounts
The Azure onboarding process is updated with the following enhancements: Onboard Management GroupsDSPM now supports the onboarding of Azure management groups and scans the subscriptions within them. This option can be used when there are restrictions for onboarding...
Support for Scanning Unmanaged MSSQL Databases
DSPM provides support for onboarding and scanning unmanaged Microsoft SQL Server (MSSQL) databases hosted on Azure virtual machines. Based on the scan setting configuration, DSPM scans and classifies data in these databases and identifies misconfigurations and posture issues....
Compliance Dashboard
The Compliance dashboard provides an overview of the compliance breaches detected by DSPM for industry-standard data protection regulations and benchmarks such as CIS, NIST, PCI DSS, HIPAA, GDPR, DPDP, CCPA, RBI, ISO 27001, and SOC2. The Compliance dashboard provides insights int...
Dashboard Enhancements
The dashboard includes the following enhancements: • A legend is added to provide context to the risk score values displayed on the dashboard. See image. • The scan statistics is moved to the Data Discovery tab...
Data Posture Policies
The following new data posture policies are available for cloud service providers: • AWS • Azure <a class="ck-anchor" id="ds-...
Enhancements to Cloud Accounts Onboarding Workflow
The Cloud Accounts onboarding process is updated with the following enhancements: Deploy Orchestrator and Scanner Instances in Custom NetworkDSPM provides support for deploying the orchestrator and scanner instances in your organization's existing network sett...
Investigation and Policy Query Enhancements
The investigation and policy queries are enhanced with the following predicates and operators for improved metadata analysis and enrichment: Custom Policy and Investigation Queries for AWS DynamoDBDSPM supports entitlements for AWS DynamoDB and allows you to create...
MFA for Local Users
To improve the security of user authentication, DSPM has enabled multi-factor authentication for local users while logging in. After entering the login ID, a verification code is sent to the registered email address, and this code is valid for 10 minutes. <a class="image-ic...
Scan Settings Enhancements
The scan settings include the following enhancements: Support for Azure-Managed PostgreSQL Flexible ServerDSPM provides support for scanning the Azure-Managed PostgreSQL Flexible Server. Based on the scan setting configuration, DSPM scans and classifies data in the...
Service - app.eu.zsdpc.net
Cloud Account Onboarding
DSPM now supports only custom network configuration for onboarding cloud accounts, where you must set up the network by creating virtual networks (VNets) or virtual private clouds (VPCs) in the <a href="https://help.zscaler.com/dspm/understanding-orchestrator" target="_blank" data-entity-type="no...
Data Classification Settings Enhancements
The Data Classification Settings page includes the following enhancements: • The Data Sensitivity Settings page is renamed to Data Classification Settings. • You can select t...
Data Duplication Enhancements
The following enhancements for Data Duplications are included: Data Duplications PageThe following enhancements are made to the Data Duplication page: • The Clouds filter includes On‑Premises. <li data-list-item-id=...
Data Inventory Enhancements
The detailed view for files related to the Data Inventory is displayed in the following tabs: • Details • Evidence <li data-list-item-id="e9494420f730fb4aa10f8cbbde7fd71c...
Data Posture Policies
The following new data posture policies for Azure are available: • Azure AI Foundry • <a href="#ds-azu...
Data Scan Enhancements
Data scanning includes the following enhancements: RDBMS Data Sample ScanningWhen performing a data sampling scan on Relational Database Management Systems (RDBMS), random rows are selected from each table. This provides a more accurate representation of data, redu...
DSPM Upgraded to Experience Center
DSPM is now available in Experience Center, a centralized unified platform that provides a more secure and streamlined user experience. You can access and manage DSPM in the Zscaler Admin Console for E...
On-Premises Scanners
You can now use only on-premises scanners to scan on-premises databases. DSPM no longer provides support for using cloud scanners to scan on-premises databases. While registering an unmanaged database, you can only select an on-premises scanner. <a class="image-icon" href="...
Resource Inventory Enhancements
The Resource Inventory includes the following enhancements: File Details in Sensitive Data TabThe file details are shown in the following tabs: • Details <li data-list-item-id="e78e8115860972a232b6a...
Data Classification Evidence in GCP
DSPM generates evidence data for scanned files and tables which allows in-context investigation and validation of sensitive data. This is now supported for Google Cloud Platform (GCP). To learn more, see: • <a href="https://help...
Data Duplication Enhancements
The export feature on the Data Duplications page includes two new options: • Summary View: This report provides the total number of duplicate files including their locations across accounts and regions. <li data-list-item-id="e9ae...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure</li...
Data Scan Enhancements
Data scanning includes the following enhancements: Support for On-Premises NetApp File SharesDSPM supports the discovery and classification of sensitive data in on-premises NetApp file shares using NFS and SMB protocols. <a class="image-icon" href="#rn-nfs-ne...
Discovery Status and Error Messages for On-Premises File Servers
You can now view detailed error messages when on-premises file servers cannot be discovered for scanning. The error message includes specific reasons for failure, such as networking, authentication, or permission issues, to resolve the issues. <a class="image-icon" href="#r...
Microsoft 365 Tenant Onboarding
DSPM supports onboarding of Microsoft 365 (M365) tenants to monitor and scan data stores, access Microsoft Information Protection (MIP) labels for Microsoft Azure or on-premises file shares, or integrate with Microsoft Copilot....
MIP Labeling Enhancements
The following enhancements are included: MIP Labeling for On-Premises File SharesDSPM extends Microsoft Information Protection (MIP) labeling for on-premises SMB and NFS file shares. Use action rules to automatically apply MIP sensitivity labels to sensitive data (e.g., PII, PHI, P...
Action Rules
Action rules allow you to define the criteria for identifying specific data types and to automatically apply Microsoft Information Protection sensitivity labels to files. This feature currently supports Azure File Shares See image.<...
Additional Threat Categories
The following threat categories are available to assess AI governance and safety: • AI Governance • AI Safety S...
AI Security
DSPM AI security includes the following enhancements: Scanning AI ModelsDSPM scans AI models to identify vulnerabilities such as malicious code injection, backdoors, embedded secrets, data leakage, etc. The scan results are displayed on the AI Model Security Scan F...
CLI Command to Initialize Scanner VM
A new CLI command is available to initialize the on-premises scanner. This helps simplify the network configuration and allows you to configure the scanner, install required components, and run initial connectivity and health checks. To learn more, see <a href="https://help...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure</li...
Data Scan Enhancements
Data scanning includes the following enhancements: Scan Support for Azure Cosmos DB NoSQL Data StoresDSPM supports the discovery and classification of sensitive data in Azure Cosmos DB accounts. See image. To...
Investigation and Policy Query Enhancement
The investigation and policy queries are enhanced with the following predicate and operator for improved metadata analysis and enrichment: You can use the Has Data predicate to query if there is sensitive data in resources within Azure AI Foundry. To learn more, see <a href="https://h...
Posture Labels for Resource Types
The following posture labels are applicable for these resource types: • Azure Cosmos DB NoSQL:• Public Exposure •...
Resource Inventory Enhancements
The Resource Inventory includes the following enhancements: Supported Data StoresThe following data stores are scanned for sensitive data: • Azure Cosmos DB •...
AI Inventory Enhancements
DSPM now calculates risks associated with open-source models like Hugging Face, model behavior, and supply chain within the AI Inventory. The AI Inventory includes the following enhancements: FiltersThe following additional filters are available for models: • Managed Model...
Alert Age Calculation
When an alert is generated or reset, its age is now calculated from zero to improve accuracy. For example, when an alert is initially generated, the age is 0 on the first day. See image. To learn more, see <a href=...
Data Scan Enhancements
The data scan feature includes the following enhancements: Data Scan Support for Azure Germany NorthDSPM supports data discovery and classification in the Azure Germany North region. You can select the region and corresponding API values while onboarding the accoun...
DSPM Policies
The following new policies are available: • AWS • Azure • On-Premises • Snowflake • <a...
Enhancements to On-Premises Scanner
The on-premises scanner includes the following enhancements: Scanner Initialization Command for OVA and VHDOn-premises scanners can be deployed from OVA or VHD images with a single init command that onboards and initializes the scanner, automating the process. <...
Posture Labels for Resource Types
The following posture labels are applicable for these resource types: • Unmanaged AWS and Azure MongoDB Server and On-Premises MongoDB Server:• Logging • Encryption • GCP BigQuery:• Public Exposure • Encry...
Resource Inventory Enhancements
The Resource Inventory includes the following enhancements: Supported Data StoresThe following data stores are scanned for sensitive data: • GCP BigQuery • On-Premises MongoDB Server • Unmanaged AWS and Azure MongoDB Server • AWS Bedrock Agent <p...
Additional Details of AI Resources
You can now view additional details of AI resources listed on the AI Inventory page. You can click the Resource Name to view the resource and metadata details. See image. <a class="ck-anchor" i...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure • GCP • On-Premises • <a...
Data Scan Enhancements
The data scan feature includes the following enhancements: Support for Scanning Azure File SharesDSPM supports Azure File Shares scanning over SMB and NFS to discover and classify sensitive data. See ima...
Enhancement to AWS IAM Condition Operators
DSPM supports the following AWS IAM condition operators for managing principal-based (identity-based) and resource-based access to scan data: • "NotPrincipal" • "ArnNotLike" • "IfExists" To learn more, see <a href="https://help.zsc...
Enhancements to On-Premises Scanning
On-premises data scanning includes the following enhancements: Hyper-V Support for On-Premises ScannerDSPM on-premises scanner now supports a Hyper-V deployment mode. Download the Hyper‑V scanner image and run it over a Hyper‑V service in the data center to registe...
Posture Label Enhancements
The following enhancements are available for posture labels: Renamed Over-Privileged Access Posture LabelThe posture label Over-Privileged Access is renamed to Privileged Access. The Privileged Access posture label is assigned when an entity has full or edit access permissions on o...
Resource Inventory Enhancements
The Resource Inventory feature includes the following enhancements: Azure AI Foundry Renamed to Azure AI Foundry HubAzure AI Foundry is renamed to Azure AI Foundry Hub. The following associated resources are also renamed: • Azure AI Foundry Hub Connection • Azure AI...
AI Inventory
The AI Inventory is dedicated to the inventory, management, and analysis of Artificial Intelligence (AI) and Machine Learning (ML) resources within a cloud environment. See image. To learn more, see <a href="http...
AI Security Dashboard: Summary Tiles
The summary tiles at the top of the dashboard provide additional details: • Data Shared with AI: The number of files and data stores shared with the AI. • AI Tools & Packages Vulnerabilities: AI tools and packages that have vulnerabilities. • Open Alerts on AI Resources: The...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure • On-Premises • Snowflake</l...
DSPM Integration with ZIdentity
DSPM is migrated to ZIdentity, a unified identity service for Zscaler that centralizes identity management, user authentication and authorization. You can access the DSPM Admin Portal via the <a href="https://help.zscaler.com/zidentity/accessing-and-navigating-zidentity-landing-p...
Enhancements to Data Scanning
The following enhancements are available for data scanning: Automatic Exclusion Data Stores Used for Storing LogsDSPM automatically excludes data stores used for storing logs of cloud-native services such as Network Flow, RDS Audit, ALB, or NLB transactions from sc...
Notification Emails
You can now send emails to specific recipients about any configuration or permission issues encountered with the onboarded organization or tenant. You can add multiple email addresses of recipients who need to receive the notifications during or after the onboarding process. <...
Resource Inventory Enhancements
The Resource Inventory includes the following enhancements: Resource Names for AWS EC2 Virtual MachinesYou can see the resource names of AWS EC2 virtual machines instead of their instance ID on the Resource Inventory page. Posture Label SupportThe following posture l...
Saved Views
You can apply filters, modify table columns, and other settings on a page and save this customized view, so whenever you access the page later, it is displayed with the same settings. Saved view is available on the Resource Inventory, AI Inventory, and Compliance pages. <a...
Snowflake Predicates in Investigation & Policy Query
The investigation and policy queries include the following posture predicates that can be used to query Snowflake resources: • Is Dormant • Stale Access Keys...
Unmanaged Identities in Identity Inventory
Identities from unmanaged and Snowflake databases are shown in the Identity Inventory, providing visibility into the resources and data types that the identities can access. See image. To learn more, see<a href="https:/...
Custom Tag Validation
While onboarding accounts, you can define and assign custom tags to resources created by DSPM. These tags are included in the templates generated by DSPM. Tag validation is now aligned with the specific guidelines of each CSP to ensure accuracy and avoid incorrect tag syntax in t...
Dashboard Enhancements
The Dashboard includes the following enhancements: AI Security DashboardThe AI Security dashboard includes the following changes: • The summary tiles at the top of the dashboard showing details about deployed AI, data stores shared with AI, and open alerts on AI resources...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure • GCP • Snowflake • <a hr...
Identity Inventory
DSPM scans your data stores to identify identities with excessive privileges and provides a comprehensive view of the identities within the cloud environment. The Identity Inventory shows details about an identity, such as entity type, the sensitive data stores acces...
Resource Inventory Enhancements
The Resource Inventory includes the following enhancements: Snowflake EntitlementsDSPM now provides identity permissions and access details for a Snowflake database. View and analyze database access and permission grants to ens...
Use Wildcards to Exclude Data Stores from Scanning
AWS, Azure, and GCP data stores can now be excluded from scanning by using wildcards to match the data store names. This provides an easier and broader exclusion criteria. Based on the wildcards chosen, all the matching AWS S3 buckets, Azure storage accounts, or Google cloud storage buckets are e...
Azure AI Foundry Enhancements
The following enhancements are made to Azure AI Foundry: Investigation PredicatesYou can use the Has Model predicate to query the correlation of AI model information and sensitive data for Azure AI Foundry along with the following additional predicates: • Model Name <l...
Compliance Framework Enhancements
The Compliance dashboard is enhanced with the following features: • The following new compliance frameworks are supported:• Australian Signals Directorate Essential Eight • Transportation Security Administration Security Directive Pipeline 2021-02 • Hea...
Data Classification Evidence in Azure
DSPM generates evidence data for scanned files and tables which allows data security analysts to access the triggers related to the data classification and perform in-context investigation and validation of sensitive data. The evidence data is securely stored in a storage account that resides in...
Data Inventory
The new Data Inventory page provides a comprehensive overview of all the sensitive files and tables that exist across your clouds, accounts, and data stores. Identifying and listing all instances of files and tables with certain data is required for auditing and compliance tasks. For example, you...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure • GCP • On-Premises <d...
Data Scanning Enhancements
The following enhancements are made to data scanning: On-Demand ScanningYou can now use the On-Demand scan option to run the scans manually. This is supported for all resource types including virtual machines, databases, NoSQL databases and u...
Database Enhancements
The following are the database enhancements: Snowflake Database SupportZscaler DSPM now supports Snowflake and scans databases within the onboarded Snowflake accounts for sensitive data and provides security assessments. <a class="image-icon" href="#img-snowf...
Resource Inventory Enhancements
The resource inventory includes the following enhancements: Data Inventory Renamed to Resource InventoryData Inventory has been renamed to Resource Inventory. See image. <a c...
Unmanaged AI Service Discovery
The DSPM dashboard provides a detailed view of all the unmanaged and custom AI models and services installed on virtual machines across AWS, Azure, and GCP. These services can also be identified by DSPM policies for specific risk alerts. <a class="image-icon" href="#ds-unma...
Additional Predefined DSPM Role
DSPM offers a new predefined role, Data Analyst, with permissions for data investigation, analysis, and evidence. The role can be assigned to a specific group of users that need to access evidence data displayed on the Evidence tab. <a class="image-icon" href="#data-analyst...
Dashboard Enhancements
The DSPM dashboard includes the following enhancement: Viewing Insights for AI ServicesThe DSPM dashboard includes the AI Security tab which provides detailed insights into the generative AI services that have access to data stores containing sensitive data, and the security postur...
Data Duplication
DSPM detects duplicate files and displays the details on the Data Duplications page, allowing you to take corrective actions. Identifying copies of similar sensitive files at multiple locations is critical for multiple reasons, including data reduction, attack surface reduction, and for limiting...
Data Inventory Enhancements
The data inventory includes the following enhancements: Evidence for Sensitive DataDSPM discovers files and tables containing sensitive data and generates evidence data, allowing you to review that there is sensitive data, and it is not a false positive. You can investigate and val...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure • GCP...
Scan Support for Additional Databases
DSPM provides support for scanning the following databases in AWS and Azure cloud environments: • Unmanaged MySQL Database • Unmanaged Oracle Database DSPM expands the support for scanning unamanged MySQL and Oracle databases on cloud and on-premises en...
Cloud Accounts Onboarding Enhancements
The following enhancements are introduced in cloud accounts onboarding: Onboarding AWS ServicesYou can now select and onboard a subset of the supported AWS services (e.g., Storage bucket, Database, NoSQL Datastores, etc.). This option allows DSPM to have minimal pe...
Compliance Dashboard Enhancements
To assess compliance improvements or degradations, you can view the number of failed policies and resources for the control category on the compliance dashboard. This information is available for each compliance framework. See ima...
Dashboard Enhancements
The DSPM dashboard includes the following enhancements: AI Services WidgetAWS Bedrock Knowledge Bases and Agents are now monitored as a primary data store. The dashboard provides high-level visibility of AI services and exposed sensitive data stores. DSPM performs data scans and cl...
Data Inventory Enhancements
The Data Inventory includes the following enhancements: Access Tab for Unmanaged DatabasesDSPM now analyzes unmanaged databases (MSSQL, PostgreSQL, etc.) for access permissions. The Access tab on the Data Inventory page displays details regarding who can access the data, their acce...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure • GCP <a class="ck-a...
Data Scan Enhancements
The data scan includes the following enhancements: Support for Scanning GCP Compute EnginesDSPM scans and classifies the data in disks associated with GCP compute engines, checks for misconfigurations and posture issues, performs vulnerabilit...
Investigation and Policy Query Enhancements
The investigation and policy queries are enhanced with the following predicates and operators for improved metadata analysis and enrichment: Predicates for Unmanaged PostgreSQLYou can use the following relationship predicate to query the unmanaged PostgreSQL database: Can be access...
AI Service Details in Data Inventory
AI services such as Azure AI Foundry Hub are considered as data stores and explored for content and security posture, allowing you to review security misconfigurations, public exposure, data access, and more. DSPM monitors the AI services and displays the findings on the Data Inv...
AWS Single Account Onboarding
DSPM now supports the onboarding of AWS single accounts to monitor and scan the data stores within them. This option can be used when there are restrictions for onboarding accounts at the organization level. See image.</a...
Compliance Dashboard Enhancements
The Compliance dashboard includes the following enhancements: • On the Summary tab, you can view the number of failed policies by severity and control category. See image. • The Policies tab displays the...
Dashboard Enhancements
DSPM provides support for detecting AI services that have access to data stores containing sensitive data, the security posture of the AI services, and the overall risks. This information is crucial so you can apply security controls and manage the sensitive data that is exposed...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure • GCP <a class="ck-a...
Document Types and Categories
AI or machine language (ML) classification is extended to support over 100 new document types across 10 common document categories. This classification can be applied over any scanned file and can be used in DSPM policies. Document types and categories are visible on the Da...
Expanded Data Store Support
DSPM now provides support for scanning the following data stores: • Google Cloud SQL Instances (MSSQL, PostgreSQL, MySQL) • Unmanaged PostgreSQL databases on Azure and AWS • AWS Unmanaged MSSQL databases on AWS EC2 instances, in addition to unmanaged MSSQL su...
Investigation - Updates to Has Data Predicate
The Has Data relationship predicate is updated with new predicates that allow querying data stores based on the number of discovered DLP triggers, volume of sensitive data discovered or number of sensitive files or rows discovered. The following new predicates are available...
Azure AI Foundry and Storage Account Association
AI services such as Azure AI Foundry Hub leverage storage accounts to host the AI training data. DSPM provides visibility of sensitive data that is exposed to Azure AI services and machine learning workspaces on the Data Inventory page. This information allows you to create policies or investigat...
Data Posture Policies
The following new data posture policies for Azure are available: • Azure Policy Title</the...
Enhancements for Onboarding Azure Accounts
The Azure onboarding process is updated with the following enhancements: Onboard Management GroupsDSPM now supports the onboarding of Azure management groups and scans the subscriptions within them. This option can be used when there are restrictions for onboarding...
Support for Scanning Unmanaged MSSQL Databases
DSPM provides support for onboarding and scanning unmanaged Microsoft SQL Server (MSSQL) databases hosted on Azure virtual machines. Based on the scan setting configuration, DSPM scans and classifies data in these databases and identifies misconfigurations and posture issues....
Compliance Dashboard
The Compliance dashboard provides an overview of the compliance breaches detected by DSPM for industry-standard data protection regulations and benchmarks such as CIS, NIST, PCI DSS, HIPAA, GDPR, DPDP, CCPA, RBI, ISO 27001, and SOC2. The Compliance dashboard provides insights int...
Dashboard Enhancements
The dashboard includes the following enhancements: • A legend is added to provide context to the risk score values displayed on the dashboard. See image. • The scan statistics is moved to the Data Discovery tab...
Data Posture Policies
The following new data posture policies are available for cloud service providers: • AWS • Azure <a class="ck-anchor" id="ds-...
Enhancements to Cloud Accounts Onboarding Workflow
The Cloud Accounts onboarding process is updated with the following enhancements: Deploy Orchestrator and Scanner Instances in Custom NetworkDSPM provides support for deploying the orchestrator and scanner instances in your organization's existing network sett...
Investigation and Policy Query Enhancements
The investigation and policy queries are enhanced with the following predicates and operators for improved metadata analysis and enrichment: Custom Policy and Investigation Queries for AWS DynamoDBDSPM supports entitlements for AWS DynamoDB and allows you to create...
MFA for Local Users
To improve the security of user authentication, DSPM has enabled multi-factor authentication for local users while logging in. After entering the login ID, a verification code is sent to the registered email address, and this code is valid for 10 minutes. <a class="image-ic...
Scan Settings Enhancements
The scan settings include the following enhancements: Support for Azure-Managed PostgreSQL Flexible ServerDSPM provides support for scanning the Azure-Managed PostgreSQL Flexible Server. Based on the scan setting configuration, DSPM scans and classifies data in the...
Service - app.in.zsdpc.net
Cloud Account Onboarding
DSPM now supports only custom network configuration for onboarding cloud accounts, where you must set up the network by creating virtual networks (VNets) or virtual private clouds (VPCs) in the <a href="https://help.zscaler.com/dspm/understanding-orchestrator" target="_blank" data-entity-type="no...
Data Classification Settings Enhancements
The Data Classification Settings page includes the following enhancements: • The Data Sensitivity Settings page is renamed to Data Classification Settings. • You can select t...
Data Duplication Enhancements
The following enhancements for Data Duplications are included: Data Duplications PageThe following enhancements are made to the Data Duplication page: • The Clouds filter includes On‑Premises. <li data-list-item-id=...
Data Inventory Enhancements
The detailed view for files related to the Data Inventory is displayed in the following tabs: • Details • Evidence <li data-list-item-id="e9494420f730fb4aa10f8cbbde7fd71c...
Data Posture Policies
The following new data posture policies for Azure are available: • Azure AI Foundry • <a href="#ds-azu...
Data Scan Enhancements
Data scanning includes the following enhancements: RDBMS Data Sample ScanningWhen performing a data sampling scan on Relational Database Management Systems (RDBMS), random rows are selected from each table. This provides a more accurate representation of data, redu...
DSPM Upgraded to Experience Center
DSPM is now available in Experience Center, a centralized unified platform that provides a more secure and streamlined user experience. You can access and manage DSPM in the Zscaler Admin Console for E...
On-Premises Scanners
You can now use only on-premises scanners to scan on-premises databases. DSPM no longer provides support for using cloud scanners to scan on-premises databases. While registering an unmanaged database, you can only select an on-premises scanner. <a class="image-icon" href="...
Resource Inventory Enhancements
The Resource Inventory includes the following enhancements: File Details in Sensitive Data TabThe file details are shown in the following tabs: • Details <li data-list-item-id="e78e8115860972a232b6a...
Data Classification Evidence in GCP
DSPM generates evidence data for scanned files and tables which allows in-context investigation and validation of sensitive data. This is now supported for Google Cloud Platform (GCP). To learn more, see: • <a href="https://help...
Data Duplication Enhancements
The export feature on the Data Duplications page includes two new options: • Summary View: This report provides the total number of duplicate files including their locations across accounts and regions. <li data-list-item-id="e9ae...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure</li...
Data Scan Enhancements
Data scanning includes the following enhancements: Support for On-Premises NetApp File SharesDSPM supports the discovery and classification of sensitive data in on-premises NetApp file shares using NFS and SMB protocols. <a class="image-icon" href="#rn-nfs-ne...
Discovery Status and Error Messages for On-Premises File Servers
You can now view detailed error messages when on-premises file servers cannot be discovered for scanning. The error message includes specific reasons for failure, such as networking, authentication, or permission issues, to resolve the issues. <a class="image-icon" href="#r...
Microsoft 365 Tenant Onboarding
DSPM supports onboarding of Microsoft 365 (M365) tenants to monitor and scan data stores, access Microsoft Information Protection (MIP) labels for Microsoft Azure or on-premises file shares, or integrate with Microsoft Copilot....
MIP Labeling Enhancements
The following enhancements are included: MIP Labeling for On-Premises File SharesDSPM extends Microsoft Information Protection (MIP) labeling for on-premises SMB and NFS file shares. Use action rules to automatically apply MIP sensitivity labels to sensitive data (e.g., PII, PHI, P...
Action Rules
Action rules allow you to define the criteria for identifying specific data types and to automatically apply Microsoft Information Protection sensitivity labels to files. This feature currently supports Azure File Shares See image.<...
Additional Threat Categories
The following threat categories are available to assess AI governance and safety: • AI Governance • AI Safety S...
AI Security
DSPM AI security includes the following enhancements: Scanning AI ModelsDSPM scans AI models to identify vulnerabilities such as malicious code injection, backdoors, embedded secrets, data leakage, etc. The scan results are displayed on the AI Model Security Scan F...
CLI Command to Initialize Scanner VM
A new CLI command is available to initialize the on-premises scanner. This helps simplify the network configuration and allows you to configure the scanner, install required components, and run initial connectivity and health checks. To learn more, see <a href="https://help...
Data Posture Policies
The following new data posture policies are available: • AWS • Azure</li...
Data Scan Enhancements
Data scanning includes the following enhancements: Scan Support for Azure Cosmos DB NoSQL Data StoresDSPM supports the discovery and classification of sensitive data in Azure Cosmos DB accounts. See image. To...
Investigation and Policy Query Enhancement
The investigation and policy queries are enhanced with the following predicate and operator for improved metadata analysis and enrichment: You can use the Has Data predicate to query if there is sensitive data in resources within Azure AI Foundry. To learn more, see <a href="https://h...
Posture Labels for Resource Types
The following posture labels are applicable for these resource types: • Azure Cosmos DB NoSQL:• Public Exposure •...
Resource Inventory Enhancements
The Resource Inventory includes the following enhancements: Supported Data StoresThe following data stores are scanned for sensitive data: • Azure Cosmos DB •...
Client Connector
Service - mobile.zscaler.net
Zscaler Client Connector Portal 4.5.4
• Adds validations for wildcard entry for process-based application bypasses for Windows to limit asterisks to...
Zscaler Client Connector Portal 4.5.3
• Enhances the Device Posture dashboard to display macOS devices in addition to Windows devices, the top 50 failed device postures, and new widgets that show compliant vs non-compliant information. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/understanding-zsca...
Zscaler Client Connector Portal 4.5.2
• Extends the maximum time allowed before an uninstall, upgrade, or revert password used in unattended mode expires from 48 hours to 90 days. To learn more, see Configuring...
Zscaler Client Connector Portal 4.5.1
• Adds an option to clear the Kerberos ticket after Zscaler Private Access (ZPA) reauthentication to force a Kerberos ticket refresh. To learn more, see Configu...
Zscaler Client Connector Portal 4.5
• Adds a notification template that consolidates existing end user notification settings, and adds the ability to create and assign templates per app profile. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/configuring-notification-templates-zscaler-client-connect...
Zscaler Client Connector Portal 4.4.3
• Adds a Search function that can be used during the adding or editing of an app profile to locate configuration items in the app profile policy window. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/configuring-zscaler-client-connector-app-profiles" target="_bla...
Zscaler Client Connector Portal 4.4.2
• Updates the Zscaler Client Connector Device Details window to refresh the one-time passwords (OTPs) automatically every 60 minutes while the window is open, and adds a Refresh Status option in the Compliance Status section. To learn more, see <a href="https://help.zscaler.com/zscaler-client-...
Zscaler Client Connector Portal 4.4.1
• Adds a Device Events dashboard that displays Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) service status and statistics about users turning off the services via passwords. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/understanding-zscaler-cl...
Zscaler Client Connector Portal 4.4
• Adds the Execute GPO Update option to the None mode in forwarding profiles. To learn more, see Configuring Forwarding Profiles for Zscaler Client Connecto...
Zscaler Client Connector Portal 4.3.2
• Supports application bypasses for Microsoft 365 and Azure Virtual Desktop to bypass traffic for Zscaler Tunnel (Z-Tunnel) 2.0. As a result, customers no longer experience a 30- to 60-second connectivity loss when launching or exiting Zscaler Client Connector. To learn more, see <a href="http...
Service - mobile.zscalerone.net
Zscaler Client Connector Portal 4.5.4
• Adds validations for wildcard entry for process-based application bypasses for Windows to limit asterisks to...
Zscaler Client Connector Portal 4.5.3
• Enhances the Device Posture dashboard to display macOS devices in addition to Windows devices, the top 50 failed device postures, and new widgets that show compliant vs non-compliant information. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/understanding-zsca...
Zscaler Client Connector Portal 4.5.2
• Extends the maximum time allowed before an uninstall, upgrade, or revert password used in unattended mode expires from 48 hours to 90 days. To learn more, see Configuring...
Zscaler Client Connector Portal 4.5.1
• Adds an option to clear the Kerberos ticket after Zscaler Private Access (ZPA) reauthentication to force a Kerberos ticket refresh. To learn more, see Configu...
Zscaler Client Connector Portal 4.5
• Adds a notification template that consolidates existing end user notification settings, and adds the ability to create and assign templates per app profile. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/configuring-notification-templates-zscaler-client-connect...
Zscaler Client Connector Portal 4.4.3
• Adds a Search function that can be used during the adding or editing of an app profile to locate configuration items in the app profile policy window. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/configuring-zscaler-client-connector-app-profiles" target="_bla...
Zscaler Client Connector Portal 4.4.2
• Updates the Zscaler Client Connector Device Details window to refresh the one-time passwords (OTPs) automatically every 60 minutes while the window is open, and adds a Refresh Status option in the Compliance Status section. To learn more, see <a href="https://help.zscaler.com/zscaler-client-...
Zscaler Client Connector Portal 4.4.1
• Adds a Device Events dashboard that displays Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) service status and statistics about users turning off the services via passwords. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/understanding-zscaler-cl...
Zscaler Client Connector Portal 4.4
• Adds the Execute GPO Update option to the None mode in forwarding profiles. To learn more, see Configuring Forwarding Profiles for Zscaler Client Connecto...
Zscaler Client Connector Portal 4.3.2
• Supports application bypasses for Microsoft 365 and Azure Virtual Desktop to bypass traffic for Zscaler Tunnel (Z-Tunnel) 2.0. As a result, customers no longer experience a 30- to 60-second connectivity loss when launching or exiting Zscaler Client Connector. To learn more, see <a href="http...
Service - mobile.zscalertwo.net
Zscaler Client Connector Portal 4.5.4
• Adds validations for wildcard entry for process-based application bypasses for Windows to limit asterisks to...
Zscaler Client Connector Portal 4.5.3
• Enhances the Device Posture dashboard to display macOS devices in addition to Windows devices, the top 50 failed device postures, and new widgets that show compliant vs non-compliant information. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/understanding-zsca...
Zscaler Client Connector Portal 4.5.2
• Extends the maximum time allowed before an uninstall, upgrade, or revert password used in unattended mode expires from 48 hours to 90 days. To learn more, see Configuring...
Zscaler Client Connector Portal 4.5.1
• Adds an option to clear the Kerberos ticket after Zscaler Private Access (ZPA) reauthentication to force a Kerberos ticket refresh. To learn more, see Configu...
Zscaler Client Connector Portal 4.5
• Adds a notification template that consolidates existing end user notification settings, and adds the ability to create and assign templates per app profile. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/configuring-notification-templates-zscaler-client-connect...
Zscaler Client Connector Portal 4.4.3
• Adds a Search function that can be used during the adding or editing of an app profile to locate configuration items in the app profile policy window. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/configuring-zscaler-client-connector-app-profiles" target="_bla...
Zscaler Client Connector Portal 4.4.2
• Updates the Zscaler Client Connector Device Details window to refresh the one-time passwords (OTPs) automatically every 60 minutes while the window is open, and adds a Refresh Status option in the Compliance Status section. To learn more, see <a href="https://help.zscaler.com/zscaler-client-...
Zscaler Client Connector Portal 4.4.1
• Adds a Device Events dashboard that displays Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) service status and statistics about users turning off the services via passwords. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/understanding-zscaler-cl...
Zscaler Client Connector Portal 4.4
• Adds the Execute GPO Update option to the None mode in forwarding profiles. To learn more, see Configuring Forwarding Profiles for Zscaler Client Connecto...
Zscaler Client Connector Portal 4.3.2
• Supports application bypasses for Microsoft 365 and Azure Virtual Desktop to bypass traffic for Zscaler Tunnel (Z-Tunnel) 2.0. As a result, customers no longer experience a 30- to 60-second connectivity loss when launching or exiting Zscaler Client Connector. To learn more, see <a href="http...
Service - mobile.zscalerthree.net
Zscaler Client Connector Portal 4.5.4
• Adds validations for wildcard entry for process-based application bypasses for Windows to limit asterisks to...
Zscaler Client Connector Portal 4.5.3
• Enhances the Device Posture dashboard to display macOS devices in addition to Windows devices, the top 50 failed device postures, and new widgets that show compliant vs non-compliant information. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/understanding-zsca...
Zscaler Client Connector Portal 4.5.2
• Extends the maximum time allowed before an uninstall, upgrade, or revert password used in unattended mode expires from 48 hours to 90 days. To learn more, see Configuring...
Zscaler Client Connector Portal 4.5.1
• Adds an option to clear the Kerberos ticket after Zscaler Private Access (ZPA) reauthentication to force a Kerberos ticket refresh. To learn more, see Configu...
Zscaler Client Connector Portal 4.5
• Adds a notification template that consolidates existing end user notification settings, and adds the ability to create and assign templates per app profile. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/configuring-notification-templates-zscaler-client-connect...
Zscaler Client Connector Portal 4.4.3
• Adds a Search function that can be used during the adding or editing of an app profile to locate configuration items in the app profile policy window. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/configuring-zscaler-client-connector-app-profiles" target="_bla...
Zscaler Client Connector Portal 4.4.2
• Updates the Zscaler Client Connector Device Details window to refresh the one-time passwords (OTPs) automatically every 60 minutes while the window is open, and adds a Refresh Status option in the Compliance Status section. To learn more, see <a href="https://help.zscaler.com/zscaler-client-...
Zscaler Client Connector Portal 4.4.1
• Adds a Device Events dashboard that displays Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) service status and statistics about users turning off the services via passwords. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/understanding-zscaler-cl...
Zscaler Client Connector Portal 4.4
• Adds the Execute GPO Update option to the None mode in forwarding profiles. To learn more, see Configuring Forwarding Profiles for Zscaler Client Connecto...
Zscaler Client Connector Portal 4.3.2
• Supports application bypasses for Microsoft 365 and Azure Virtual Desktop to bypass traffic for Zscaler Tunnel (Z-Tunnel) 2.0. As a result, customers no longer experience a 30- to 60-second connectivity loss when launching or exiting Zscaler Client Connector. To learn more, see <a href="http...
Service - mobile.zscloud.net
Zscaler Client Connector Portal 4.5.4
• Adds validations for wildcard entry for process-based application bypasses for Windows to limit asterisks to...
Zscaler Client Connector Portal 4.5.3
• Enhances the Device Posture dashboard to display macOS devices in addition to Windows devices, the top 50 failed device postures, and new widgets that show compliant vs non-compliant information. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/understanding-zsca...
Zscaler Client Connector Portal 4.5.2
• Extends the maximum time allowed before an uninstall, upgrade, or revert password used in unattended mode expires from 48 hours to 90 days. To learn more, see Configuring...
Zscaler Client Connector Portal 4.5.1
• Adds an option to clear the Kerberos ticket after Zscaler Private Access (ZPA) reauthentication to force a Kerberos ticket refresh. To learn more, see Configu...
Zscaler Client Connector Portal 4.5
• Adds a notification template that consolidates existing end user notification settings, and adds the ability to create and assign templates per app profile. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/configuring-notification-templates-zscaler-client-connect...
Zscaler Client Connector Portal 4.4.3
• Adds a Search function that can be used during the adding or editing of an app profile to locate configuration items in the app profile policy window. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/configuring-zscaler-client-connector-app-profiles" target="_bla...
Zscaler Client Connector Portal 4.4.2
• Updates the Zscaler Client Connector Device Details window to refresh the one-time passwords (OTPs) automatically every 60 minutes while the window is open, and adds a Refresh Status option in the Compliance Status section. To learn more, see <a href="https://help.zscaler.com/zscaler-client-...
Zscaler Client Connector Portal 4.4.1
• Adds a Device Events dashboard that displays Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) service status and statistics about users turning off the services via passwords. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/understanding-zscaler-cl...
Zscaler Client Connector Portal 4.4
• Adds the Execute GPO Update option to the None mode in forwarding profiles. To learn more, see Configuring Forwarding Profiles for Zscaler Client Connecto...
Zscaler Client Connector Portal 4.3.2
• Supports application bypasses for Microsoft 365 and Azure Virtual Desktop to bypass traffic for Zscaler Tunnel (Z-Tunnel) 2.0. As a result, customers no longer experience a 30- to 60-second connectivity loss when launching or exiting Zscaler Client Connector. To learn more, see <a href="http...
Client Connector per OS - Windows
Zscaler Client Connector 4.8.0.190 Enhancements and Fixes
Fixes an issue where, if Zscaler Client Connector is upgraded on a device with a Windows reboot pending (e.g., after a Windows update), there could be a delay in installing the Zscaler Client Connector driver which could cause the system to enter an error state (display a blue screen) after the u...
Zscaler Client Connector 4.7.0.248 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where, if Zscaler Client Connector is upgraded on a device with a Windows reboot pending (e.g., after a Windows update), there could be a delay in installing the Zscaler Client Connector driver which could cause the system to...
Zscaler Client Connector 4.8.0.172 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where, if Zscaler Client Connector is upgraded on a device with a Windows reboot pending (e.g., after a Windows update), there could be a delay in installing the Zscaler Client Connector driver which could cause the system to...
Zscaler Client Connector 4.9.0.331 Enhancements and Fixes
Fixes an issue where Zscaler Client Connector didn't fail over to the secondary DNS server on the network segment if the device's network adapter had only one DNS server configured and the primary DN...
Zscaler Client Connector 4.6.0.418 Enhancements and Fixes
• Fixes an issue where the Deception service didn't...
Zscaler Client Connector 4.9.0.330 Enhancements and Fixes
• Fixes an issue where the original system proxy settings were not restored due to a crash when Cache Sy...
Zscaler Client Connector 4.7.0.239 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where, if Zscaler Client Connector is upgraded on a device with a Windows reboot pending (e.g., after a Windows update), there could be a delay in installing the Zscaler Client Connector driver which could cause the system to...
Zscaler Client Connector 4.6.0.410 Enhancements and Fixes
• Fixes performance issues that occurred when accessing virtual machines if Hyper-V was enabled on the device. • Fixes performance issues that occurred after enabling a Hyper-V external switch with a Wi-Fi adapter. • Fixes out-of-bound reads that could occur when parsing ClientHell...
Zscaler Client Connector 4.8.0.156 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where, if Zscaler Client Connector is upgraded on a device with a Windows reboot pending (e.g., after a Windows update), there could be a delay in installing the Zscaler Client Connector driver which could cause the system to...
Zscaler Client Connector 4.9 Enhancements and Fixes
• Adds support for Zscaler Deception service entitlement for ZIdentity tenants. • Supports sending the network type for the Network Share, Printing, and Device Control channels whe...
Zscaler Client Connector 4.7.0.232 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where, if Zscaler Client Connector is upgraded on a device with a Windows reboot pending (e.g., after a Windows update), there could be a delay in installing the Zscaler Client Connector driver which could cause the system to...
Zscaler Client Connector 4.8.0.151 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where, if Zscaler Client Connector is upgraded on a device with a Windows reboot pending (e.g., after a Windows update), there could be a delay in installing the Zscaler Client Connector driver which could cause the system to...
Zscaler Client Connector 4.6.0.398 Enhancements and Fixes
• Supports controlling how Zscaler Client Connector interacts with hardware offloading on network adapters to resolve compatibility issues. To learn more, see Confi...
Zscaler Client Connector 4.7.0.223 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where, if Zscaler Client Connector is upgraded on a device with a Windows reboot pending (e.g., after a Windows update), there could be a delay in installing the Zscaler Client Connector driver which could cause the system to...
Zscaler Client Connector 4.8.0.140 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where, if Zscaler Client Connector is upgraded on a device with a Windows reboot pending (e.g., after a Windows update), there could be a delay in installing the Zscaler Client Connector driver which could cause the system to...
Zscaler Client Connector 4.6.0.371 Enhancements and Fixes
• Supports controlling how Zscaler Client Connector interacts with the Receive Segment Coalescing (RSC) feature on network adapters to resolve compatibility issues. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/configuring-zscaler-client-connector-app-profiles#a...
Zscaler Client Connector 4.7.0.202 Enhancements and Fixes
• Supports controlling how Zscaler Client Connector interacts with the Receive Segment Coalescing (RSC) feature on network adapters to resolve compatibility issues. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/configuring-zscaler-client-connector-app-profiles#a...
Zscaler Client Connector 4.8.0.115 Enhancements and Fixes
• Supports controlling how Zscaler Client Connector interacts with the Receive Segment Coalescing (RSC) feature on network adapters to resolve compatibility issues. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connect...
Zscaler Client Connector 4.8.0.88 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where a trusted network defined by the Hostname and IP condition isn't detected when t...
Zscaler Client Connector 4.6.0.351 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where a trusted network defined by the Hostname and IP condition isn't detected when t...
Zscaler Client Connector 4.7.0.168 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where a trusted network defined by the Hostname and IP condition isn't detected when t...
Zscaler Client Connector 4.5.0.508 Enhancements and Fixes
• Adds support to download the forwarding PAC file through the tunnel when in Tunnel mode instead of directly. To learn more, see Configuring Forwarding Profiles...
Zscaler Client Connector 4.4.0.472 Enhancements and Fixes
Updates the version check for Zscaler Deception to prevent downgrades during slow or phased rollouts....
Zscaler Client Connector 4.6.0.334 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where a trusted network defined by the Hostname and IP condition isn't detected when t...
Zscaler Client Connector 4.7.0.141 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where a trusted network defined by the Hostname and IP condition isn't detected when t...
Zscaler Client Connector 4.8.0.63 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where a trusted network defined by the Hostname and IP condition isn't detected when t...
Zscaler Client Connector 4.8 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where a trusted network defined by the Hostname and IP condition isn't detected when t...
Zscaler Client Connector 4.4.0.468 Enhancements and Fixes
• Adds support to install the latest Zscaler Root CA Certificate if Install Zscaler SSL Certificate is enabled and to remove the existing certificate for SSL Inspection. • Removes deprecated Windows command usage from the Zscaler Client Connector uninstallation process. • Fixes an...
Zscaler Client Connector 4.5.0.498 Enhancements and Fixes
• Adds support to install the latest Zscaler Root CA Certificate if Install Zscaler SSL Certificate is enabled and to remove the existing certificate for SSL Inspection. • Removes deprecated Windows command usage from the Zscaler Client Connector uninstallation process. • Fixes an...
Zscaler Client Connector 4.6.0.310 Enhancements and Fixes
• Adds an option to allow Zscaler to retrieve and analyze Zscaler Client Connector log bundles to expedite resolution of customer-reported issues and to proactively resolve internal issues. Zscaler recommends enabling this feature. To learn more, see <a href="https://help.zscaler.com/zscaler-c...
Zscaler Client Connector 4.7.0.113 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue that could potentially prevent a limited amount of traffic from being inspected under specific and limited circumstances. (CVE-2026-22569) The issue has been corrected on Zscaler Client Connector version 4.7.0.141. <li...
Zscaler Client Connector 4.5.0.495 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where the ZSATunnel can crash intermittently if you use the unsupported legacy PAC Parser. You can resolve the issue by...
Zscaler Client Connector 4.4.0.465 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where the ZSATunnel can crash intermittently if you use the unsupported legacy PAC Parser. You can resolve the issue by...
Zscaler Client Connector 4.5.0.484 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where the ZSATunnel can crash intermittently if you use the unsupported legacy PAC Parser. You can resolve the issue by...
Zscaler Client Connector 4.7.0.88 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where the ZSATunnel can crash intermittently if you use the unsupported legacy PAC Parser. You can resolve the issue by...
Zscaler Client Connector 4.4.0.464 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where the ZSATunnel can crash intermittently if you use the unsupported legacy PAC Parser. You can resolve the issue by...
Zscaler Client Connector 4.6.0.284 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where the ZSATunnel can crash intermittently if you use the unsupported legacy PAC Parser. You can resolve the issue by...
Zscaler Client Connector 4.6.0.282 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where the ZSATunnel can crash intermittently if you use the unsupported legacy PAC Parser. You can resolve the issue by...
Zscaler Client Connector 4.5.0.478 Enhancements and Fixes
Zscaler Client Connector version 4.5.0.478 for Windows has a known issue where some users experience intermittent failures with command-line applications such as Slack, Microsoft Teams, and other apps that use Command Prompt (CMD). This issue only happens on devices with anti-tamperi...
Zscaler Client Connector 4.4.0.460 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where the ZSATunnel can crash intermittently if you use the unsupported legacy PAC Parser. You can resolve the issue by...
Zscaler Client Connector 4.7.0.61 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue that could potentially prevent a limited amount of traffic from being inspected under specific and limited circumstances. (CVE-2026-22569) The issue has been corrected on Zscaler Client Connector version 4.7.0.141. <li...
Zscaler Client Connector 4.5.0.471 Enhancements and Fixes
• Updates Zscaler Client Connector to retrieve the system PAC file settings and pass them to WebView2 for authentication during enrollment to ensure that the correct proxy setting is used. • Fixes an issue where users still received an "Authentication required on Lock screen"...
Zscaler Client Connector 4.4.0.456 Enhancements and Fixes
• Updates Zscaler Client Connector to retrieve the system PAC file settings and pass them to WebView2 for authentication during enrollment to ensure that the correct proxy setting is used. • Fixes an issue where users still received an "Authentication required on Lock screen"...
Zscaler Client Connector 4.6.0.240 Enhancements and Fixes
• Updates Zscaler Client Connector to retrieve the system PAC file settings and pass them to WebView2 for authentication during enrollment to ensure that the correct proxy setting is used. • Fixes an issue where users still received an "Authentication required on Lock screen"...
Zscaler Client Connector 4.5.0.459 Enhancements and Fixes
• Fixes an issue where Zscaler Client Connector started the enrollment process in the background before the Autopilot setup was complete when deploying Zscaler Client Connector using Microsoft Autopilot. • Fixes an issue with Zscaler Digital Experience (ZDX) probes that occurred after Zs...
Zscaler Client Connector 4.7.0.47 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue that could potentially prevent a limited amount of traffic from being inspected under specific and limited circumstances. (CVE-2026-22569) The issue has been corrected on Zscaler Client Connector version 4.7.0.141. <li...
Zscaler Client Connector 4.6.0.216 Enhancements and Fixes
• Fixes an issue where Zscaler Client Connector started the enrollment process in the background before the Autopilot setup was complete when deploying Zscaler Client Connector using Microsoft Autopilot. • Fixes an issue where Zscaler Client Connector sent traffic from devices via the bu...
Zscaler Client Connector 4.4.0.432 Enhancements and Fixes
• Fixes an issue where Zscaler Client Connector started the enrollment process in the background before the Autopilot setup was complete when deploying Zscaler Client Connector using Microsoft Autopilot. • Fixes an issue where Zscaler Client Connector could not access an IP-based Zscaler...
Zscaler Client Connector 4.7 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where the cached ports for source port-based bypasses were not being cleared, leading to high memory consumption and new connections being blocked or unintentionally bypassed. The issue has been corrected on Zscaler Client Co...
Zscaler Client Connector 4.6.0.200 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where the cached ports for source port-based bypasses were not being cleared, leading to high memory consumption and new connections being blocked or unintentionally bypassed. The issue has been corrected on Zscaler Client Co...
Zscaler Client Connector 4.5.0.434 Enhancements and Fixes
• Fixes a delay in detecting the captive portal when Zscaler Client Connector encountered network issues while establishing a connection. • Fixes an issue where Zscaler Client Connector displayed incorrect connectivity information in the app after a user's device switched from an of...
Zscaler Client Connector 4.4.0.428 Enhancements and Fixes
• Fixes an issue where Zscaler Client Connector displayed incorrect connectivity information in the app after a user's device switched from an off-trusted network to a VPN network. • Fixes an issue where the Zscaler Internet Access (ZIA) trust level was incorrectly calculated using...
Zscaler Client Connector 4.6.0.168 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where the cached ports for source port-based bypasses were not being cleared, leading to high memory consumption and new connections being blocked or unintentionally bypassed. The issue has been corrected on Zscaler Client Co...
Zscaler Client Connector 4.5.0.381 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where the cached ports for source port-based bypasses were not being cleared, leading to high memory consumption and new connections being blocked or unintentionally bypassed. The issue has been corrected on Zscaler Client Co...
Zscaler Client Connector 4.4.0.406 Enhancements and Fixes
• Updates Npcap to version 1.80. • Fixes an issue with anti-tampering that could cause a driver error when upgrading Zscaler Client Connector. • Fixes an issue where the ZSATunnel process could crash and sometimes create dump files in the export logs after a fragmented packet was r...
Zscaler Client Connector 4.3.0.277 Enhancements and Fixes
• Fixes an issue with anti-tampering that could cause a driver error when upgrading Zscaler Client Connector. • Fixes an issue where the ZSATunnel process could crash. • Improves Zscaler Client Connector's handling of <a href="https://help.zscaler.com/zscaler-client-connector/...
Zscaler Client Connector 4.6.0.146 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where the cached ports for source port-based bypasses were not being cleared, leading to high memory consumption and new connections being blocked or unintentionally bypassed. The issue has been corrected on Zscaler Client Co...
Zscaler Client Connector 4.5.0.366 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where the cached ports for source port-based bypasses were not being cleared, leading to high memory consumption and new connections being blocked or unintentionally bypassed. The issue has been corrected on Zscaler Client Co...
Zscaler Client Connector 4.4.0.395 Enhancements and Fixes
• Fixes an issue where Zscaler Client Connector intermittently did not follow IP-based Zscaler Tunnel (Z-Tunnel) 2.0 inclusion and exclusion rules. • Limits the total size of all Zscaler log files for all Windows user profiles to 500 MB on a machine with Zscaler Client Connector integrat...
Zscaler Client Connector 4.3.0.272 Enhancements and Fixes
• Fixes an issue where Zscaler Client Connector intermittently did not follow IP-based Zscaler Tunnel (Z-Tunnel) 2.0 inclusion and exclusion rules. • Fixes an issue where ZSAHelper log files were created frequently for forwarding profiles with the Route-Based tunnel driver type and Enabl...
Client Connector per OS - macOS
Zscaler Client Connector 4.5.2 Refresh 11 Enhancements and Fixes
• <span style="background-color:transpar...
Zscaler Client Connector 4.7 Refresh 7 Enhancements and Fixes
• <span style="background-color:transpar...
Zscaler Client Connector 4.8 Refresh 3 Enhancements and Fixes
• <span style="font-family:Ari...
Zscaler Client Connector 4.5.2.221 Enhancements and Fixes
• Fixes an issue where Google Chrome was able to access websites when Zscaler Tunnel (Z-Tunnel) was in a transient state with "enforceTrafficVIaTunnel" parameter enabled for Zscaler Client Connector firewall. <li data-list-it...
Zscaler Client Connector 4.7.0.207 Enhancements and Fixes
• Fixes an issue where Google Chrome was able to access websites when Zscaler Tunnel (Z-Tunnel) was in a transient state with "enforceTrafficVIaTunnel" parameter enabled for Zscaler Client Connector firewall. <li data-list-it...
Zscaler Client Connector 4.8.0.104 Enhancements and Fixes
• Fixes an issue where Google Chrome was able to access websites when Zscaler Tunnel (Z-Tunnel) was in a transient state with "enforceTrafficVIaTunnel" parameter enabled for Zscaler Client Connector firewall. <li data-list-it...
Zscaler Client Connector 4.5.2.201 Enhancements and Fixes
• Fixes an issue where the Zscaler speedtest diagnostic failed to launch the More Diagnostics window when Transparent Proxy-based Traffic Interception (TPTI) is in use. • Fixes an issue where posture evaluation for ZPA machine tunnels caused an error after user login. • Fixes an is...
Zscaler Client Connector 4.7.0.187 Enhancements and Fixes
• Fixes an issue where the Zscaler speedtest diagnostic failed to launch the More Diagnostics window when Transparent Proxy-based Traffic Interception (TPTI) is in use. • Fixes an issue where Zscaler Private Access (ZPA) ReAuth Notification with Advanced Notification sent reauthenticate...
Zscaler Client Connector 4.8.0.83 Enhancements and Fixes
• Fixes an issue where the Zscaler speedtest diagnostic failed to launch the More Diagnostics window when Transparent Proxy-based Traffic Interception (TPTI) is in use. • Fixes an issue where Zscaler Private Access (ZPA) ReAuth Notification with Advanced Notification sent reauthenticate...
Zscaler Client Connector 4.5.2.175 Enhancements and Fixes
• Fixes an issue where, if the Redirect Web Traffic to Zscaler Client Connector Listening Proxy and Transparent Proxy-based Interception options were enabled, Zscaler Digital Experience (ZDX) Web probe requests were sent to Zscaler Internet Access (ZIA) even though the app profile PAC file was...
Zscaler Client Connector 4.7.0.155 Enhancements and Fixes
• Fixes an issue where, if the Redirect Web Traffic to Zscaler Client Connector Listening Proxy and Transparent Proxy-based Interception options were enabled, Zscaler Digital Experience (ZDX) Web probe requests were sent to Zscaler Internet Access (ZIA) even though the app profile PAC file was...
Zscaler Client Connector 4.8 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.5.2.158 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.7.0.134 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.5.2.153 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-c...
Zscaler Client Connector 4.7.0.126 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-c...
Zscaler Client Connector 4.5.0.343 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.3.1.198 Enhancements and Fixes
Fixes an issue that caused Zscaler Client Connector to unexpectedly quit and restart....
Zscaler Client Connector 4.5.0.341 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.5.2.121 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.7.0.87 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.5.2.105 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.3.1.193 Enhancements and Fixes
• Fixes an issue where Zscaler Client Connector trusts only the CA certificates provided in the Zscaler Client Connector Portal for client certificate posture instead of CA certificates trusted on the machine. • Fixes an issue where authentication with the IdP for Zscaler Internet Access...
Zscaler Client Connector 4.5.0.331 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.7 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.5.2.98 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.3.1.185 Enhancements and Fixes
• Fixes an issue where, after a user’s device awakened from sleep, it experienced connection issues when Zscaler Client Connector switched from the primary data center to the secondary data center. • Fixes an issue where some users couldn't connect to the internet due to the assignm...
Zscaler Client Connector 4.5.0.312 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.5.2.73 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.3.1.180 Enhancements and Fixes
• Supports the Reconnect Tunnel on System Wakeup feature in App Profiles, allowing Zscaler Client Connector to immediately restart Zscaler Tunnel (Z-Tunnel) 2.0 after a device wakes up from sleep. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/configuring-zscaler...
Zscaler Client Connector 4.5.0.297 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.5.2.54 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.5.2 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.3.1.166 Enhancements and Fixes
• Fixes an issue where Zscaler Internet Access (ZIA) service remained in an OFF state. • Fixes a tunnel crash issue experienced by devices using Zscaler Client Connector version 4.3.1.91. • Fixes an issue where, after a user’s device awakened from sleep, it experienced connection i...
Zscaler Client Connector 4.5.0.279 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.3.1.153 Enhancements and Fixes
• Improves logging for the CLI process. • Fixes an issue where users couldn't connect to Zscaler Internet Access (ZIA) for up to 40 seconds after the device...
Zscaler Client Connector 4.5.0.262 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.3.1.136 Enhancements and Fixes
• Fixes an issue where Zscaler Client Connector automatically filled the device’s profile ID on the ZIdentity login page. • Fixes an issue where the Zscaler Client Connector firewall started after Zscaler Internet Access (ZIA) authentication was completed but before Zscaler Private Acces...
Zscaler Client Connector 4.5.0.249 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.5.0.238 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.3.1.127 Enhancements and Fixes
• Fixes an issue where a user device switched between primary and secondary data centers after the device remained idle or was woken up from sleep. • Fixes an issue where Zscaler Private Access (ZPA) service status remained off even when the user tried to turn it on. • Fixes an iss...
Zscaler Client Connector 4.5.1.101 Enhancements and Fixes
• Adds enhancements to the packet capture functionality (e.g., capture options for session length, file size, frame size limits, and capture filters). • Adds s...
Zscaler Client Connector 4.3.1.114 Enhancements and Fixes
• Provides an MDM configuration parameter zccToForegroundDuringAuth that fixes an issue where, during Zscaler Private Access (ZPA) reauthentication via Okta FastPass, the Zscaler Client Connector window disappeared. To resolve this issue, configure the parameter in your organization’s MDM. To...
Zscaler Client Connector 4.5.0.223 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.3.1.102 Enhancements and Fixes
• Fixes an issue where, after uploading a property list (Plist) with updated firewall rules using an MDM platform, Zscaler Client Connector did not enforce the expected firewall rules. To avoid this issue in the future, see updated instructions on managing firewall rules in <a href="https://he...
Zscaler Client Connector 4.5.0.211 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Zscaler Client Connector 4.3.0.270 Enhancements and Fixes
• Provides a new Mobile Device Management (MDM) configuration for a connection issue resulting from a network change (off-trusted to an on-trusted network). Due to an outdated DNS cache, some users were unable to connect to some Zscaler Private Access (ZPA) applications in a no-default route e...
Zscaler Client Connector 4.3.1.91 Enhancements and Fixes
• Provides a new Mobile Device Management (MDM) configuration for a connection issue resulting from a network change (off-trusted to an on-trusted network). Due to an outdated DNS cache, some users were unable to connect to some Zscaler Private Access (ZPA) applications in a no-default route e...
Zscaler Client Connector 4.3.0.264 Enhancements and Fixes
• Allows only one service restart per minute to prevent attempts to bypass Zscaler Client Connector traffic forwarding. • Fixes an issue where customers experienced repeated Zscaler Internet Access (ZIA) connection and disconnection notifications during system sleep. • Fixes an iss...
Zscaler Client Connector 4.3.1.83 Enhancements and Fixes
• Allows only one service restart per minute to prevent attempts to bypass Zscaler Client Connector traffic forwarding. • Fixes an issue where customers experienced repeated Zscaler Internet Access (ZIA) connection and disconnection notifications during system sleep. • Fixes an iss...
Zscaler Client Connector 4.5 Enhancements and Fixes
This version of Zscaler Client Connector has a known issue where Zscaler Client Connector prematurely switched to the secondary ZPA Public Service Edge for customers using <a href="https://help.zscaler.com/zscaler-client-connector/configuring-forwarding-profiles-zscaler-client-connec...
Client Connector per OS - iOS
Zscaler Client Connector 4.5 Enhancements and Fixes
• Supports ZIdentity integration for the following features: using one-time passwords (OTPs), using device group-based app profiles, the assignment of service entitlements based on device posture, quarantining devices, displaying the service disable reason, and force-removing devices. To learn...
Zscaler Client Connector 4.4.4 Enhancements and Fixes
• Fixes an issue that caused delayed status updates in the Zscaler Client Connector interface after launching Zscaler Client Connector. • Fixes an issue where constant mobile carrier connection timeouts caused high cellular data usage. You can push the ZpaSo...
Zscaler Client Connector 4.4.3 Enhancements and Fixes
• Fixes an issue where Zscaler Client Connector couldn’t establish a connection to Zscaler Private Access (ZPA) from native IPv6 clients. • Fixes an issue where mobile users lost connection to Zscaler Internet Access (ZIA) after switching from Wi-Fi to mobil...
Zscaler Client Connector 4.4.2 Enhancements and Fixes
• Improves Zscaler Tunnel (Z-Tunnel) connection and disconnection notifications when logging in to Zscaler Client Connector. • Fixes an issue where some users connecting to hotel guest Wi-Fi received a captive portal 403 error after clicking Open Browser in Zscaler Client Connector....
Zscaler Client Connector 4.4.1 Enhancements and Fixes
Zscaler Client Connector versions 4.4 and 4.4.1 for iOS have a known issue where iOS users might lose access to Zscaler services, e.g., Zscaler Internet Access (ZIA), Zscaler Private Access (ZPA), and Zscaler Digital Experience (ZDX). This issue impacts iOS users who are using device...
Zscaler Client Connector 4.4 Enhancements and Fixes
Zscaler Client Connector versions 4.4 and 4.4.1 for iOS have a known issue where iOS users might lose access to Zscaler services, e.g., Zscaler Internet Access (ZIA), Zscaler Private Access (ZPA), and Zscaler Digital Experience (ZDX). This issue impacts iOS users who are using device...
Zscaler Client Connector 4.3.6 Enhancements and Fixes
• Includes battery optimization, which fixes an issue that caused increased battery consumption. • Fixes an issue where some websites failed to load after configuring per-app VPN access for Microsoft Edge or Chrome on iOS. • Fixes an issue where Zscaler Client Connector was stuck i...
Zscaler Client Connector 4.3.5 Enhancements and Fixes
• Fixes an issue where customers experienced audio problems on MuPRO when Zscaler Client Connector was enabled on their devices. • Fixes an issue where <a href="https://help.zscaler.com/zscaler-client-connector/configuring-zscaler-client-connector-app-profiles#iOS-pac-proxy" target="_bla...
Zscaler Client Connector 4.3.4 Enhancements and Fixes
• Includes optimizations for CPU and battery usage. • Fixes an issue that caused intermittent loss of connectivity to some internal and internet applications when match domains were appended to search domains. This requires configuring the MatchDomainsNoSearch setting in the VPN configur...
Zscaler Client Connector 4.3.3 Enhancements and Fixes
• Fixes an issue where DNS didn’t work on a specific Wi-Fi network when the enforceRoutes option was used in the VPN profile configuration. • Fixes an issue where some users were prompted to reauthenticate on Zscaler Private Access (ZPA) even after they had already authenticated. <li...
Zscaler Client Connector 4.3.2 Enhancements and Fixes
Z-Tunnel 2.0 is not supported for devices using Zscaler Digital Experience (ZDX) for iOS at this time. • Fixes an issue where, after upgrading to Zscaler Client Connector version 4.3, Zscaler Digital Experience (ZDX) remained in a connecting state. • Fixes an issue whe...
Zscaler Client Connector 4.3.1 Enhancements and Fixes
• Fixes an issue where, if a large number of Zscaler Private Access (ZPA) domains were configured, internet access could be blocked when using the SDK version 3.8. • Fixes an issue where, after upgrading to Zscaler Client Connector version 4.3, ZPA-only deployment users couldn’t access i...
Zscaler Client Connector 4.3 Enhancements and Fixes
New features introduced in Zscaler Client Connector version 4.3 require Tunnel SDK version 4.3 enablement. By default, Tunnel SDK 3.8 is enabled. Enable the Use Tunnel SDK Version 4.3 option in the <a href="https://help.zscaler.com/zscaler-client-connector/configuring-zscaler-client-...
Zscaler Client Connector 3.8.2 Enhancements and Fixes
• Fixes an issue where the "zsa://" shortcut that opens Zscaler Client Connector didn’t work. • Fixes an issue where users experienced intermittent Zscaler Private Access (ZPA) authentication errors after Tunnel SDK 3.8 was enabled....
Zscaler Client Connector 3.8.1 Enhancements and Fixes
Fixes an issue where enabling ZIA dynamically didn't prompt end users to log into Zscaler Client Connector again....
Client Connector per OS - Android
Zscaler Client Connector 4.1.0.77 Enhancements and Fixes
• Fixes an issue where Zscaler Client Connector didn’t drop QUIC traffic in Zscaler Tunnel (Z-Tunnel) 1.0 mode even though Drop QUIC Traffic was enabled in app profiles...
Zscaler Client Connector 4.1.0.70 Enhancements and Fixes
• Fixes an issue where auto-enrollment failed and an "Invalid Device Token" message displayed for users on Android 11 after logging in when Zscaler Client Connector was deployed through mobile device management (MDM). • Fixes a Firebase crash.</li...
Zscaler Client Connector 4.1.0.63 Enhancements and Fixes
• Fixes an issue where web traffic bypassed Zscaler Tunnel (Z-Tunnel) 2.0 for users on Zscaler Client Connector version 4.1.0.53. • Fixes an issue where DNS responses over Z-Tunnel 2.0 failed....
Zscaler Client Connector 4.1 Enhancements and Fixes
• Supports IPv6 traffic forwarding from IPv6-only Android devices to Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA). To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/enabling-ipv6-resolution-zscaler-domains" target="_bl...
Zscaler Client Connector 4.0.0.288 Enhancements and Fixes
• Fixes an issue where users couldn’t access private applications because configuration parameters for Zscaler Private Access (ZPA) weren’t updated after upgrading Zscaler Client Connector. • Fixed multiple Firebase-reported crashes. • Fixes an issue w...
Zscaler Client Connector 4.0 Enhancements and Fixes
Zscaler Client Connector version 4.0 for Android has a known issue where DNS resolution through the ZIA Public Service Edge would sometimes fail if DNS domains aren’t added to the Domain Inclusion field in <a href="https://help.zscaler.com/zscaler-client-connector/configuring-zscaler...
Zscaler Client Connector 3.10.0.61 Enhancements and Fixes
• Fixes an issue where Zscaler Client Connector crashed or became unresponsive while using meeting applications such as Google Meet, Microsoft Teams, or Slack on ChromeOS devices, particularly lower-specification Chromebooks under high system load. This instabilit...
Zscaler Client Connector 3.10.0.52 Enhancements and Fixes
• Fixes an issue where a driver error occurred for version 3.10.0.47 when switching from a trusted network to an off-trusted network. • Fixes an issue where the single sign-on (SSO) page appeared distorted because hardware acceleration was disabled after upg...
Zscaler Client Connector 3.10.0.47 Enhancements and Fixes
• Fixed crashes reported from Firebase. • Fixes an issue where, after clicking Turn On in the Service Status field, users received the message "Are you sure you want to turn off Private Access?" and the only options were Cancel and Disable. <l...
Zscaler Client Connector 3.10.0.34 Enhancements and Fixes
• Fixes a memory leak that occurred during login when Browser-Based Authentication was enabled. • Fixes a Firebase-reported crash caused by a race condition. • Fixes an issue where users received a "Network Error" message for Zscaler Interne...
Zscaler Client Connector 3.10 Enhancements and Fixes
• Adds shortcuts for the Zscaler Client Connector Export Logs, Report an Issue, and Reauthenticate options. • Supports upgrading OpenSSL to version...
Zscaler Client Connector 3.9 Enhancements and Fixes
• Zscaler Client Connector supports the integration of the ZIdentity platform, enabling user authentication and registration via Single Sign-On (SSO) to access Zscaler services. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/accessin...
Zscaler Client Connector 3.8.0.73 Enhancements and Fixes
• Fixes a Firebase-reported crash seen in devices running Android 9 because of a third-party library issue. • Fixes an issue where users received an "Authentication Error" message in the Service Status field in Zscaler Client Connector and weren’t...
Zscaler Client Connector 3.8 Enhancements and Fixes
• Supports 50 DNS search domains (suffixes) per system. To learn more, see Adding DNS Search Domains. • Adds support for <a href="https://help.zscaler.com/zscaler-client...
Client Connector per OS - ChromeOS
Zscaler Client Connector 4.1.0.77 Enhancements and Fixes
• Fixes an issue where Zscaler Client Connector didn’t drop QUIC traffic in Zscaler Tunnel (Z-Tunnel) 1.0 mode even though Drop QUIC Traffic was enabled in app profiles...
Zscaler Client Connector 4.1.0.70 Enhancements and Fixes
• Fixes an issue where auto-enrollment failed and an "Invalid Device Token" message displayed for users on Android 11 after logging in when Zscaler Client Connector was deployed through mobile device management (MDM). • Fixes a Firebase crash.</li...
Zscaler Client Connector 4.1.0.63 Enhancements and Fixes
• Fixes an issue where web traffic bypassed Zscaler Tunnel (Z-Tunnel) 2.0 for users on Zscaler Client Connector version 4.1.0.53. • Fixes an issue where DNS responses over Z-Tunnel 2.0 failed....
Zscaler Client Connector 4.1 Enhancements and Fixes
• Supports IPv6 traffic forwarding from IPv6-only Android devices to Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA). To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/enabling-ipv6-resolution-zscaler-domains" target="_bl...
Zscaler Client Connector 4.0.0.288 Enhancements and Fixes
• Fixes an issue where users couldn’t access private applications because configuration parameters for Zscaler Private Access (ZPA) weren’t updated after upgrading Zscaler Client Connector. • Fixed multiple Firebase-reported crashes. • Fixes an issue w...
Zscaler Client Connector 4.0 Enhancements and Fixes
Zscaler Client Connector version 4.0 for Android has a known issue where DNS resolution through the ZIA Public Service Edge would sometimes fail if DNS domains aren’t added to the Domain Inclusion field in <a href="https://help.zscaler.com/zscaler-client-connector/configuring-zscaler...
Zscaler Client Connector 3.10.0.61 Enhancements and Fixes
• Fixes an issue where Zscaler Client Connector crashed or became unresponsive while using meeting applications such as Google Meet, Microsoft Teams, or Slack on ChromeOS devices, particularly lower-specification Chromebooks under high system load. This instabilit...
Zscaler Client Connector 3.10.0.52 Enhancements and Fixes
• Fixes an issue where a driver error occurred for version 3.10.0.47 when switching from a trusted network to an off-trusted network. • Fixes an issue where the single sign-on (SSO) page appeared distorted because hardware acceleration was disabled after upg...
Zscaler Client Connector 3.10.0.47 Enhancements and Fixes
• Fixed crashes reported from Firebase. • Fixes an issue where, after clicking Turn On in the Service Status field, users received the message "Are you sure you want to turn off Private Access?" and the only options were Cancel and Disable. <l...
Zscaler Client Connector 3.10.0.34 Enhancements and Fixes
• Fixes a memory leak that occurred during login when browser-based authentication was enabled. • Fixes a Firebase-reported crash caused by a race condition. • Fixes an issue where users received a "Network Error" message for Zscaler Interne...
Zscaler Client Connector 3.10 Enhancements and Fixes
• Adds shortcuts for the Zscaler Client Connector Export Logs, Report an Issue, and Reauthenticate options. • Supports upgrading OpenSSL to version...
Zscaler Client Connector 3.9 Enhancements and Fixes
• Zscaler Client Connector supports the integration of the ZIdentity platform, enabling user authentication and registration via Single Sign-On (SSO) to access Zscaler services. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connector/accessin...
Zscaler Client Connector 3.8.0.73 Enhancements and Fixes
• Fixes a Firebase-reported crash seen in devices running Android 9 because of a third-party library issue. • Fixes an issue where users received an "Authentication Error" message in the Service Status field in Zscaler Client Connector and weren’t...
Zscaler Client Connector 3.8 Enhancements and Fixes
• Supports 50 DNS search domains (suffixes) per system. To learn more, see Adding DNS Search Domains. • Adds support for <a href="https://help.zscaler.com/zscaler-client...
Client Connector per OS - Linux
Zscaler Client Connector 4.2.1 Enhancements and Fixes
• Displays the serial number of Linux devices on the Zscaler Client Connector Registered De...
Zscaler Client Connector 3.7.2.53 Enhancements and Fixes
• Fixes an issue where the Wi-Fi connection on Ubuntu version 22.04.5 LTS intermittently disconnected and reconnected after Zscaler Client Connector was installed. • Fixes an issue where a CrowdStrike upgrade changed the binary path, which caused posture che...
Zscaler Client Connector 4.2 Enhancements and Fixes
• Allows Zscaler Client Connector to evaluate trusted network criteria against all default route adapters. To learn more, see Configuring Forwarding Profiles for...
Zscaler Client Connector 3.7.2.51 Enhancements and Fixes
• Fixes an issue where users intermittently experienced a Zscaler Private Access (ZPA) reauthentication failure, and were redirected to a notification page with the message, "Sorry, this web browser is not approved for use at our company". • Fixes...
Zscaler Client Connector 3.7.2.45 Enhancements and Fixes
• Fixes an issue where users experienced multiple errors while installing Zscaler Client Connector on Lintian Ubuntu. • Fixes an issue where Zscaler Client Connector intermittently failed to automatically reconnect to the tunnel after logging back in, but th...
Zscaler Client Connector 3.7.2.31 Enhancements and Fixes
• Fixes an issue where users received the error message "Internal socket problem has been detected" because Zscaler Client Connector held some system resources for a longer time. To learn more, see <a href="https://help.zscaler.com/zscaler-client-connec...
Zscaler Client Connector 3.7.1.74 Enhancements and Fixes
• Fixes an issue where the Zscaler Client Connector installation froze, which blocked other application installations. • Fixes an issue where some users received a "Network Error" message, an "Internal Error" message, or a "Too Man...
Zscaler Client Connector 3.7.2 Enhancements and Fixes
• Zscaler Client Connector supports the integration of the ZIdentity platform that allows you to use single sign-on (SSO) for the portals of all Zscaler services in the ZIdentity Admin Portal. To learn more, see <a href="https://help.zscaler.com/zscaler-client-con...
Zscaler Client Connector 3.7.1.71 Enhancements and Fixes
• Fixes an issue where users couldn’t authenticate to Zscaler Client Connector and received the error message "The site can’t be reached". • Fixes an issue where customers received a "Network Error" message while trying to connect after...
ZDX Module per OS - Windows
ZDX Module 4.7 Enhancements and Fixes
• Addresses incomplete Network Interface data in Device Profile and Device Stats on Windows. • Fixes an issue where there are missing Zscaler Internet Access (ZIA) Public Service Edge metrics on the Cloud Path. • Fixes Cloud Path VIP selection to use the tunnel-detected VIP in IPSe...
ZDX Module 4.6.2.15 Enhancements and Fixes
• Corrects the Learn More button display in the Notifications tab on corporate devices. • Enhances proxy handling by retrying with the system-configured external proxy when direct TPG connections time out....
ZDX Module 4.6.2.7 Enhancements and Fixes
This package includes a new executable, ZUpmApplication.exe. This binary is present to support a future cloud-dependent capability and remains inactive in this release. It has no functional impact and requires no admin action. • Adds improved detection of failed updates that might leave...
ZDX Module 4.5.0.34 Enhancements and Fixes
The following updates from ZDX Module 4.5.0.33 for Windows have been temporarily deferred to allow for addit...
ZDX Module 4.5.0.33 Enhancements and Fixes
• Adds Source IP Anchoring (SIPA) Cloud Path support for ZDX. • Fixes an issue where public IP address and geolocation reporting was incorrect for users in Zscaler locations. • Fixes an issue where the API call to Zscaler Internet Access (ZIA) encounters a Secure Sockets Layer (SSL...
ZDX Module 4.5.0.16 Enhancements and Fixes
• Mitigates an issue where certain Intel NICs receive a stalled ring that led to a drop in network connectivity when ZDX was enabled. • Updates policy logic for Windows Error Reporting (WER) events. • Fixes an issue where the ZDX installation encounter...
ZDX Module 4.5 Enhancements and Fixes
• Adds support to install Nmap Packet Capture (Npcap), if it is not already installed, when Cloud Path starts. • Enhances Wi-Fi metrics for telemetry data. • Extends the packet capture (PCAP) duration selection to 60 minutes. • Supports Hi-Fi Clo...
ZDX Module 4.4.0.15 Enhancements and Fixes
• Adds tunnel support in Cloud Path for application bypass. • Fixes an issue where Cloud Path failed when the secure sockets layer virtual private network (SSL VPN) was configured with a DNS name. • Fixes an issue where data was missing from the Cloud...
ZDX Module 4.4.0.11 Enhancements and Fixes
• Fixes an issue where the SYSID was missing when an external proxy was chained to the Zscaler Service Edge. • Fixes an issue that prevented NAT64 discovery due to an older version of Zscaler Client Connector. • Fixes an issue where Self Service did not provide a notification for h...
ZDX Module per OS - macOS
ZDX Module 4.6.0.41 Enhancements and Fixes
• Support macOS devices for Real User Monitoring (RUM). • Fixes an issue where macOS devices are experiencing heavy battery drain when they are in sleep mode. • Fixes an issue where duplicate RUM data is uploaded to the Transaction Processing Gateway (TPG). • Fixes an issue w...
ZDX Module 4.5.0.44 Enhancements and Fixes
• Adds hardware ID to device telemetry to support Device Details pages. • Adds IPv6 support. • Enhances Wi‑Fi metrics upload, including retransmission rate. • Upgrades SQLite to version 3.50.4. • Fixes a condition where ZDX remains in "Connecting" by creating...
ZDX Module 4.4.1.12 Enhancements and Fixes
Enhances remote packet capture (PCAP) in ZDX by allowing longer capture durations, configurable file sizes, and header- or payload-specific data collection....
ZDX Module 4.4.0.75 Enhancements and Fixes
Fixes an issue where the macOS interface incorrectly flags security software as unsafe....
ZDX Module 4.4 Enhancements and Fixes
• Adds handling of personally identifiable information (PII) for new features. • Adds support in Cloud Path where the traffic is sent through the tunnel and bypassed through the Application Profile PAC. • Enhances accuracy of geolocation detection logic. • Substitutes the Per...
ZDX Module 3.9.1.8 Enhancements and Fixes
Fixes a disconnection issue on macOS Sequoia from the recent virtual MAC address feature update....
ZDX Module 3.9.1 Enhancements and Fixes
• Adds a network detection module in ZDX to check and display an error in the UI when no network is available on the system. • Fixes a plugin issue where application data was not available after system wake up. • Fixes an issue where the top 5 network process stats were missing fro...
Cloud & Branch Connector
Service - connector.zscaler.net
Cloud Connector Scheduled Upgrade Enhancements
Zscaler Cloud Connector supports enhanced upgrade capabilities by allowing you to select release channels. When upgrading your Cloud Connectors, you can choose between the stable, latest, or beta release channels. See image....
Endpoints for Scheduled Upgrade Enhancement
New endpoints are added to extend programmatic access for managing Cloud & Branch Connector virtual machines (VMs). The following APIs allow you to update the release channel for VMs, update the status of VMs in bulk, and retrieve the release channel and scheduled upgrade metrics: <li data...
Update to Zscaler Cloud Connector Amazon Machine Image
The AMI for Zscaler Cloud Connector has been updated to version ZS42.1.0. This image contains OS security fixes and certificate updates. Zscaler recommends that all new deployments utilize the latest image. Ensure that you refresh all Infrastructure as Code (IaC) deployment templates to use the l...
Update to Zscaler Cloud Connector Google Cloud Platform Virtual Machine
The Google Cloud Platform (GCP) VM image for Zscaler Cloud Connector has been updated to version zs-cc-ga-03092026. This image contains OS security fixes and certificate updates. Zscaler recommends that all new deployments utilize the latest image. Use the latest <a class="url-external" href="htt...
Update to Zscaler Cloud Connector Microsoft Azure Virtual Machine
The Microsoft Azure VM image for Zscaler Cloud Connector has been updated to version 42.1.0. This image contains OS security fixes and certificate updates. Zscaler recommends that all new deployments utilize the latest image. To learn more, see <a href="https://help.zscaler.com/cloud-branch...
Azure Endpoints for Partner Integrations
New endpoints are added to extend programmatic access to features and functionalities for Azure accounts and groups. The following endpoints allow you to create, update, and delete Azure accounts and account groups. You can also retrieve the list of available Azure accounts, Cloud Connector group...
Cloud & Branch Connector Monitoring Dashboard Enhancements
The Cloud & Branch Connector Monitoring page has improved data about your total entitled and deployed Cloud & Branch Connector devices. See image. To learn more, see <a href="https://help.zscaler.com/clou...
Increased Number of Subscriptions per Azure Partner Integrations Account
The maximum number of subscriptions under a Cloud Connector Azure partner integrations account increased from 32 to 128. To learn more, see <a href="https://help.zscaler.com/unified/ranges-limitations" target="_blank" data-entity-type="node" data-entity-uuid="7972a88f-8098-43c7-9e31-f7088a5...
Supported Regions for Zscaler Zero Trust Gateways
Zscaler Zero Trust Gateways are available in the me-south-1, eu-north-1, and eu-south-2 Amazon Web Services (AWS) regions. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connector/analyzing-zero-trust-gateway-details" target="_blank" data-entity-type="node" data-entity-uu...
Cloud Connector MIG Autoscaling with Google Cloud Platform
A new version of the Zscaler Cloud Connector Google Cloud Platform (GCP) virtual machine (VM) is available. Version zs-cc-ga-02042026 supports a Managed Instance Group (MIG) with autoscaling deployment with GCP. In the Zscaler Cloud & Branch Connector Admin Portal, references to autoscaling also...
Support for AWS Endpoint ID in Session Insights Logs
Zscaler Cloud Connector supports the Endpoint/Interface filter and column in the Session Insights Logs, which is the Amazon Web Services (AWS) virtual private cloud (VPC) endpoint ID that connects to the Gateway Load Balancer. To learn more, see <a href="https://help.zscaler.com/cloud-branc...
ZPA Pattern Matching for Cloud Connector
Cloud Connector supports ZPA pattern matching. Admins can define applications with patterns within application segments. Pattern matching allows you to use the policy evaluation with hostname patterns instead of exact FQDNs. To learn more, see <a href="https://help.zscaler.com/zpa/using-pat...
Zscaler Client Connector for VDI Username Visibility
When logged in to multisession Virtual Desktop Infrastructure (VDI), you can view your username using the Zscaler Client Connector for VDI application. See image. To learn more, see <a href="https://help.zscaler.com/clo...
Supported Regions for Zscaler Zero Trust Gateways
Zscaler Zero Trust Gateways support the new regions of sa-east-1, ca-central-1, eu-central-2, and eu-west-3. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connector/analyzing-zero-trust-gateway-details" target="_blank" data-entity-type="node" data-entity-uuid="b49b2d75-3...
Cloud Connector Traffic Enhancements
Zscaler Cloud Connector and Zero Trust Gateways support all traffic paths, including: • East-west support: Secure traffic between virtual private clouds (VPCs)/VNets or subnets in the same VPC/VNet by applying essential Layer 4 (L4) stateful rules enforced directly on Cloud Connector and...
Sublocation Scopes to Group Cloud Connector Workloads in AWS
Sublocation scopes allow you to group workload traffic into sublocations at various levels within your Amazon Web Services (AWS) account. These levels, or scopes, are VPC Endpoint, VPC, Account, and Namespace. For example, the VPC scope groups workloads from one or more Virtual Private Clouds (VP...
Amazon Web Services Endpoints for Partner Integrations
The following Amazon Web Services (AWS) endpoints are added for partner integrations. These endpoints extend programmatic access to features and functionalities for AWS accounts and AWS account groups: • AWS Account and AWS...
JSON Web Token Authentication
JSON Web Token (JWT) authentication is available for Zscaler Cloud & Branch Connector workloads. You configure JWT authentication in the ZIA Admin Portal. You configure token validators for JWT authentication in the ZIdentity Admin Portal. Sessions that include JWT authentication are logged in We...
Support for Google Cloud Platform User-Defined Tags and Attributes in Security Policies
Zscaler supports applying security policies by leveraging user-defined tags and attributes for workloads deployed in Google Cloud Platform (GCP). Additionally, Zscaler supports applying labels and network tags in GCP. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connect...
Endpoints for Managing Cloud & Branch Connector VMs by Instance ID
New endpoints are added to extend programmatic access for managing Cloud & Branch Connector virtual machines (VMs). The following APIs allow you to retrieve detailed information about a VM and delete a VM using its native public cloud instance ID: • "GET /ecVm/uuid/{vmInstanceId}</c...
ZTW CRUD Endpoints
The Cloud & Branch Connector API is updated to include the following new endpoints to extend programmatic access to various features and functionalities: • DNS Control Forwarding Rules • <a href="#dns-gate...
Update to Zscaler Branch Connector Virtual Machine
The Zscaler Branch Connector virtual machine (VM) image has been updated. This image provides a general security enhancement. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the improved security instead of waiting for the <a href="https://h...
Update to Zscaler Cloud Connector Image
Zscaler Cloud Connector has been updated to version zs1.145.84_6.2.425577. This version provides a general security enhancement. Zscaler strongly recommends updating and redeploying this version as soon as possible to take advantage of the improved security instead of waiting for the <a href="htt...
Update to Zscaler Branch Connector Virtual Machine Image for Hyper-V
The Zscaler Branch Connector virtual machine (VM) image for Hyper-V has been updated. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the impro...
Update to Zscaler Branch Connector Virtual Machine Image for Linux KVM
The Zscaler Branch Connector virtual machine (VM) image for Linux KVM has been updated. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the imp...
Update to Zscaler Branch Connector Virtual Machine Image for VMware ESXi
The Zscaler Branch Connector virtual machine (VM) image for VMware ESXi has been updated. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the i...
TLS Tunnel Support for Cloud Connectors
You can select TLS as the Zscaler Internet Access (ZIA) tunnel mode when editing a Cloud Connector. You can also enable or disable fallback to TLS, which detects when the tunnel is unhealthy and switches the tunnel from Unencrypted UDP or DTLS to TLS. <a class="image-icon"...
Zscaler Cloud Connector TCP Optimization with SNI Learning
Cloud Connector supports an integrated TCP optimization module that learns server name indication (SNI) and maintains a database of learned IP addresses, fully qualified domain names (FQDNs), and wildcard FQDN mappings. The module is native to Cloud Connectors, and you can use FQDNs, wildcard FQD...
Support for Microsoft Azure User-Defined Tags and Attributes in Security Policies
Zscaler supports applying security policies by leveraging user-defined tags and attributes for workloads deployed in Microsoft Azure. To request this feature, contact Zscaler Support. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connector/about-microsoft-azure-accounts"...
Zscaler Zero Trust Gateways in Amazon Web Services
Zscaler has introduced a fully managed, cloud-native SaaS security offering in Amazon Web Services (AWS) that allows you to secure your workload traffic and eliminate the need to manage your security infrastructure in your AWS environment. It provides the same security controls for cloud-to-inter...
Update to Zscaler Cloud Connector Amazon Machine Image
The AMI for Zscaler Cloud Connector has been updated to version ZS6.1.26.2. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the improved securi...
Update to Zscaler Cloud Connector Azure Virtual Machine
The Azure VM image for Zscaler Cloud Connector has been updated to version 24.3.5. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the improved...
Update to Cloud & Branch Connector API
The Cloud & Branch Connector API has been updated to include the following new categories of endpoints to extend programmatic access to various features and functionalities: • Policy Management • <a...
Zscaler Client Connector for VDI ZPA Support
Support for Zscaler Private Access (ZPA) using Zscaler Client Connector for VDI is available. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connector/what-zscaler-vdi-agent" target="_blank" data-entity-type="node" data-entity-uuid="c17770e5-52f5-44c4-97a0-bf126c08f2b2" d...
Automatic Fail Open for Physical Branch Devices
Zscaler Branch Connector supports automatic fail open for physical branch devices deployed in gateway mode, which allows all local and internet-destined traffic to flow without policy validation or content inspection if a policy enforcement engine fails or is stopped for upgrades. <div class="...
Custom DHCP Options for Physical Branch Devices
You can add custom Dynamic Host Configuration Protocol (DHCP) options when configuring a branch configuration template for physical branch devices deployed in gateway mode. See image. To learn more, see <a href=...
Azure Virtual Machine Availability in Microsoft Azure Marketplace for Spain
The Zscaler Cloud Connector virtual machine (VM) is available in the Microsoft Azure Marketplace for the Spain Central region. If you deploy Cloud Connector using Terraform, use the latest <a class="url-external" href="https://github.com/zscaler/terraform-azurerm-cloud-connector-modules" target="...
Zscaler Cloud Connector Integration with HashiCorp Vault
You can use a HashiCorp Vault to store and manage secret credentials for new Zscaler Cloud Connectors deployed on the Google Cloud Platform (GCP). HashiCorp Vault is a cloud-agnostic identity-based secret management system that can be used as an alternative to GCP Secret Manager. Use the latest <...
Service - connector.zscalertwo.net
Update to Zscaler Cloud Connector Amazon Machine Image
The AMI for Zscaler Cloud Connector has been updated to version ZS42.1.0. This image contains OS security fixes and certificate updates. Zscaler recommends that all new deployments utilize the latest image. Ensure that you refresh all Infrastructure as Code (IaC) deployment templates to use the l...
Update to Zscaler Cloud Connector Google Cloud Platform Virtual Machine
The Google Cloud Platform (GCP) VM image for Zscaler Cloud Connector has been updated to version zs-cc-ga-03092026. This image contains OS security fixes and certificate updates. Zscaler recommends that all new deployments utilize the latest image. Use the latest <a class="url-external" href="htt...
Update to Zscaler Cloud Connector Microsoft Azure Virtual Machine
The Microsoft Azure VM image for Zscaler Cloud Connector has been updated to version 42.1.0. This image contains OS security fixes and certificate updates. Zscaler recommends that all new deployments utilize the latest image. To learn more, see <a href="https://help.zscaler.com/cloud-branch...
Azure Endpoints for Partner Integrations
New endpoints are added to extend programmatic access to features and functionalities for Azure accounts and groups. The following endpoints allow you to create, update, and delete Azure accounts and account groups. You can also retrieve the list of available Azure accounts, Cloud Connector group...
Cloud & Branch Connector Monitoring Dashboard Enhancements
The Cloud & Branch Connector Monitoring page has improved data about your total entitled and deployed Cloud & Branch Connector devices. See image. To learn more, see <a href="https://help.zscaler.com/clou...
Increased Number of Subscriptions per Azure Partner Integrations Account
The maximum number of subscriptions under a Cloud Connector Azure partner integrations account increased from 32 to 128. To learn more, see <a href="https://help.zscaler.com/unified/ranges-limitations" target="_blank" data-entity-type="node" data-entity-uuid="7972a88f-8098-43c7-9e31-f7088a5...
Cloud Connector MIG Autoscaling with Google Cloud Platform
A new version of the Zscaler Cloud Connector Google Cloud Platform (GCP) virtual machine (VM) is available. Version zs-cc-ga-02042026 supports a Managed Instance Group (MIG) with autoscaling deployment with GCP. In the Zscaler Cloud & Branch Connector Admin Portal, references to autoscaling also...
Support for AWS Endpoint ID in Session Insights Logs
Zscaler Cloud Connector supports the Endpoint/Interface filter and column in the Session Insights Logs, which is the Amazon Web Services (AWS) virtual private cloud (VPC) endpoint ID that connects to the Gateway Load Balancer. To learn more, see <a href="https://help.zscaler.com/cloud-branc...
Supported Regions for Zscaler Zero Trust Gateways
Zscaler Zero Trust Gateways are available in the me-south-1, eu-north-1, and eu-south-2 Amazon Web Services (AWS) regions. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connector/analyzing-zero-trust-gateway-details" target="_blank" data-entity-type="node" data-entity-uu...
ZPA Pattern Matching for Cloud Connector
Cloud Connector supports ZPA pattern matching. Admins can define applications with patterns within application segments. Pattern matching allows you to use the policy evaluation with hostname patterns instead of exact FQDNs. To learn more, see <a href="https://help.zscaler.com/zpa/using-pat...
Zscaler Client Connector for VDI Username Visibility
When logged in to multisession Virtual Desktop Infrastructure (VDI), you can view your username using the Zscaler Client Connector for VDI application. See image. To learn more, see <a href="https://help.zscaler.com/clo...
Supported Regions for Zscaler Zero Trust Gateways
Zscaler Zero Trust Gateways support the new regions of sa-east-1, ca-central-1, eu-central-2, and eu-west-3. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connector/analyzing-zero-trust-gateway-details" target="_blank" data-entity-type="node" data-entity-uuid="b49b2d75-3...
Support for Google Cloud Platform User-Defined Tags and Attributes in Security Policies
Zscaler supports applying security policies by leveraging user-defined tags and attributes for workloads deployed in Google Cloud Platform (GCP). Additionally, Zscaler supports applying labels and network tags in GCP. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connect...
Sublocation Scopes to Group Cloud Connector Workloads in AWS
Sublocation scopes allow you to group workload traffic into sublocations at various levels within your Amazon Web Services (AWS) account. These levels, or scopes, are VPC Endpoint, VPC, Account, and Namespace. For example, the VPC scope groups workloads from one or more Virtual Private Clouds (VP...
Cloud Connector Traffic Enhancements
Zscaler Cloud Connector and Zero Trust Gateways support all traffic paths, including: • East-west support: Secure traffic between virtual private clouds (VPCs)/VNets or subnets in the same VPC/VNet by applying essential Layer 4 (L4) stateful rules enforced directly on Cloud Connector and...
Amazon Web Services Endpoints for Partner Integrations
The following Amazon Web Services (AWS) endpoints are added for partner integrations. These endpoints extend programmatic access to features and functionalities for AWS accounts and AWS account groups: • AWS Account and AWS...
JSON Web Token Authentication
JSON Web Token (JWT) authentication is available for Zscaler Cloud & Branch Connector workloads. You configure JWT authentication in the ZIA Admin Portal. You configure token validators for JWT authentication in the ZIdentity Admin Portal. Sessions that include JWT authentication are logged in We...
Update to Zscaler Branch Connector Virtual Machine Image for Hyper-V
The Zscaler Branch Connector virtual machine (VM) image for Hyper-V has been updated. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the impro...
Update to Zscaler Branch Connector Virtual Machine Image for Linux KVM
The Zscaler Branch Connector virtual machine (VM) image for Linux KVM has been updated. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the imp...
Update to Zscaler Branch Connector Virtual Machine Image for VMware ESXi
The Zscaler Branch Connector virtual machine (VM) image for VMware ESXi has been updated. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the i...
ZTW CRUD Endpoints
The Cloud & Branch Connector API is updated to include the following new endpoints to extend programmatic access to various features and functionalities: • DNS Control Forwarding Rules • <a href="#dns-gate...
Endpoints for Managing Cloud & Branch Connector VMs by Instance ID
New endpoints are added to extend programmatic access for managing Cloud & Branch Connector virtual machines (VMs). The following APIs allow you to retrieve detailed information about a VM and delete a VM using its native public cloud instance ID: • "GET /ecVm/uuid/{vmInstanceId}</c...
Update to Zscaler Branch Connector Virtual Machine
The Zscaler Branch Connector virtual machine (VM) image has been updated. This image provides a general security enhancement. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the improved security instead of waiting for the <a href="https://h...
Update to Zscaler Cloud Connector Image
Zscaler Cloud Connector has been updated to version zs1.145.84_6.2.425577. This version provides a general security enhancement. Zscaler strongly recommends updating and redeploying this version as soon as possible to take advantage of the improved security instead of waiting for the <a href="htt...
TLS Tunnel Support for Cloud Connectors
You can select TLS as the Zscaler Internet Access (ZIA) tunnel mode when editing a Cloud Connector. You can also enable or disable fallback to TLS, which detects when the tunnel is unhealthy and switches the tunnel from Unencrypted UDP or DTLS to TLS. <a class="image-icon"...
Zscaler Cloud Connector TCP Optimization with SNI Learning
Cloud Connector supports an integrated TCP optimization module that learns server name indication (SNI) and maintains a database of learned IP addresses, fully qualified domain names (FQDNs), and wildcard FQDN mappings. The module is native to Cloud Connectors, and you can use FQDNs, wildcard FQD...
Support for Microsoft Azure User-Defined Tags and Attributes in Security Policies
Zscaler supports applying security policies by leveraging user-defined tags and attributes for workloads deployed in Microsoft Azure. To request this feature, contact Zscaler Support. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connector/about-microsoft-azure-accounts"...
Zscaler Zero Trust Gateways in Amazon Web Services
Zscaler has introduced a fully managed, cloud-native SaaS security offering in Amazon Web Services (AWS) that allows you to secure your workload traffic and eliminate the need to manage your security infrastructure in your AWS environment. It provides the same security controls for cloud-to-inter...
Update to Zscaler Cloud Connector Amazon Machine Image
The AMI for Zscaler Cloud Connector has been updated to version ZS6.1.26.2. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the improved securi...
Update to Zscaler Cloud Connector Azure Virtual Machine
The Azure VM image for Zscaler Cloud Connector has been updated to version 24.3.5. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the improved...
Update to Cloud & Branch Connector API
The Cloud & Branch Connector API has been updated to include the following new categories of endpoints to extend programmatic access to various features and functionalities: • Policy Management • <a...
Zscaler Client Connector for VDI ZPA Support
Support for Zscaler Private Access (ZPA) using Zscaler Client Connector for VDI is available. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connector/what-zscaler-vdi-agent" target="_blank" data-entity-type="node" data-entity-uuid="c17770e5-52f5-44c4-97a0-bf126c08f2b2" d...
Azure Virtual Machine Availability in Microsoft Azure Marketplace for Spain
The Zscaler Cloud Connector virtual machine (VM) is available in the Microsoft Azure Marketplace for the Spain Central region. If you deploy Cloud Connector using Terraform, use the latest <a class="url-external" href="https://github.com/zscaler/terraform-azurerm-cloud-connector-modules" target="...
Automatic Fail Open for Physical Branch Devices
Zscaler Branch Connector supports automatic fail open for physical branch devices deployed in gateway mode, which allows all local and internet-destined traffic to flow without policy validation or content inspection if a policy enforcement engine fails or is stopped for upgrades. <div class="...
Custom DHCP Options for Physical Branch Devices
You can add custom Dynamic Host Configuration Protocol (DHCP) options when configuring a branch configuration template for physical branch devices deployed in gateway mode. See image. To learn more, see <a href=...
Zscaler Cloud Connector Integration with HashiCorp Vault
You can use a HashiCorp Vault to store and manage secret credentials for new Zscaler Cloud Connectors deployed on the Google Cloud Platform (GCP). HashiCorp Vault is a cloud-agnostic identity-based secret management system that can be used as an alternative to GCP Secret Manager. Use the latest <...
Zero Trust Branch Device SFP Port Support
The ZT800 Zero Trust Branch Device has support for the following copper and fiber small form-factor pluggable (SFP) ports in gateway mode: • Copper: Finisar - FCLF8522P2BTL• Cat5e or later Ethernet cable • Fiber short range (SR): Finisar - FTLF8519P3BNL• Multi...
Service - connector.zscalerthree.net
Update to Zscaler Cloud Connector Amazon Machine Image
The AMI for Zscaler Cloud Connector has been updated to version ZS42.1.0. This image contains OS security fixes and certificate updates. Zscaler recommends that all new deployments utilize the latest image. Ensure that you refresh all Infrastructure as Code (IaC) deployment templates to use the l...
Update to Zscaler Cloud Connector Google Cloud Platform Virtual Machine
The Google Cloud Platform (GCP) VM image for Zscaler Cloud Connector has been updated to version zs-cc-ga-03092026. This image contains OS security fixes and certificate updates. Zscaler recommends that all new deployments utilize the latest image. Use the latest <a class="url-external" href="htt...
Update to Zscaler Cloud Connector Microsoft Azure Virtual Machine
The Microsoft Azure VM image for Zscaler Cloud Connector has been updated to version 42.1.0. This image contains OS security fixes and certificate updates. Zscaler recommends that all new deployments utilize the latest image. To learn more, see <a href="https://help.zscaler.com/cloud-branch...
Azure Endpoints for Partner Integrations
New endpoints are added to extend programmatic access to features and functionalities for Azure accounts and groups. The following endpoints allow you to create, update, and delete Azure accounts and account groups. You can also retrieve the list of available Azure accounts, Cloud Connector group...
Cloud & Branch Connector Monitoring Dashboard Enhancements
The Cloud & Branch Connector Monitoring page has improved data about your total entitled and deployed Cloud & Branch Connector devices. See image. To learn more, see <a href="https://help.zscaler.com/clou...
Increased Number of Subscriptions per Azure Partner Integrations Account
The maximum number of subscriptions under a Cloud Connector Azure partner integrations account increased from 32 to 128. To learn more, see <a href="https://help.zscaler.com/unified/ranges-limitations" target="_blank" data-entity-type="node" data-entity-uuid="7972a88f-8098-43c7-9e31-f7088a5...
Cloud Connector MIG Autoscaling with Google Cloud Platform
A new version of the Zscaler Cloud Connector Google Cloud Platform (GCP) virtual machine (VM) is available. Version zs-cc-ga-02042026 supports a Managed Instance Group (MIG) with autoscaling deployment with GCP. In the Zscaler Cloud & Branch Connector Admin Portal, references to autoscaling also...
Support for AWS Endpoint ID in Session Insights Logs
Zscaler Cloud Connector supports the Endpoint/Interface filter and column in the Session Insights Logs, which is the Amazon Web Services (AWS) virtual private cloud (VPC) endpoint ID that connects to the Gateway Load Balancer. To learn more, see <a href="https://help.zscaler.com/cloud-branc...
ZPA Pattern Matching for Cloud Connector
Cloud Connector supports ZPA pattern matching. Admins can define applications with patterns within application segments. Pattern matching allows you to use the policy evaluation with hostname patterns instead of exact FQDNs. To learn more, see <a href="https://help.zscaler.com/zpa/using-pat...
Zscaler Client Connector for VDI Username Visibility
When logged in to multisession Virtual Desktop Infrastructure (VDI), you can view your username using the Zscaler Client Connector for VDI application. See image. To learn more, see <a href="https://help.zscaler.com/clo...
Supported Regions for Zscaler Zero Trust Gateways
Zscaler Zero Trust Gateways are available in the me-south-1, eu-north-1, and eu-south-2 Amazon Web Services (AWS) regions. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connector/analyzing-zero-trust-gateway-details" target="_blank" data-entity-type="node" data-entity-uu...
Supported Regions for Zscaler Zero Trust Gateways
Zscaler Zero Trust Gateways support the new regions of sa-east-1, ca-central-1, eu-central-2, and eu-west-3. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connector/analyzing-zero-trust-gateway-details" target="_blank" data-entity-type="node" data-entity-uuid="b49b2d75-3...
Sublocation Scopes to Group Cloud Connector Workloads in AWS
Sublocation scopes allow you to group workload traffic into sublocations at various levels within your Amazon Web Services (AWS) account. These levels, or scopes, are VPC Endpoint, VPC, Account, and Namespace. For example, the VPC scope groups workloads from one or more Virtual Private Clouds (VP...
Amazon Web Services Endpoints for Partner Integrations
The following Amazon Web Services (AWS) endpoints are added for partner integrations. These endpoints extend programmatic access to features and functionalities for AWS accounts and AWS account groups: • AWS Account and AWS...
JSON Web Token Authentication
JSON Web Token (JWT) authentication is available for Zscaler Cloud & Branch Connector workloads. You configure JWT authentication in the ZIA Admin Portal. You configure token validators for JWT authentication in the ZIdentity Admin Portal. Sessions that include JWT authentication are logged in We...
Support for Google Cloud Platform User-Defined Tags and Attributes in Security Policies
Zscaler supports applying security policies by leveraging user-defined tags and attributes for workloads deployed in Google Cloud Platform (GCP). Additionally, Zscaler supports applying labels and network tags in GCP. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connect...
Cloud Connector Traffic Enhancements
Zscaler Cloud Connector and Zero Trust Gateways support all traffic paths, including: • East-west support: Secure traffic between virtual private clouds (VPCs)/VNets or subnets in the same VPC/VNet by applying essential Layer 4 (L4) stateful rules enforced directly on Cloud Connector and...
Update to Zscaler Branch Connector Virtual Machine Image for Hyper-V
The Zscaler Branch Connector virtual machine (VM) image for Hyper-V has been updated. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the impro...
Update to Zscaler Branch Connector Virtual Machine Image for Linux KVM
The Zscaler Branch Connector virtual machine (VM) image for Linux KVM has been updated. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the imp...
Update to Zscaler Branch Connector Virtual Machine Image for VMware ESXi
The Zscaler Branch Connector virtual machine (VM) image for VMware ESXi has been updated. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the i...
Endpoints for Managing Cloud & Branch Connector VMs by Instance ID
New endpoints are added to extend programmatic access for managing Cloud & Branch Connector virtual machines (VMs). The following APIs allow you to retrieve detailed information about a VM and delete a VM using its native public cloud instance ID: • "GET /ecVm/uuid/{vmInstanceId}</c...
ZTW CRUD Endpoints
The Cloud & Branch Connector API is updated to include the following new endpoints to extend programmatic access to various features and functionalities: • DNS Control Forwarding Rules • <a href="#dns-gate...
Update to Zscaler Branch Connector Virtual Machine
The Zscaler Branch Connector virtual machine (VM) image has been updated. This image provides a general security enhancement. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the improved security instead of waiting for the <a href="https://h...
Update to Zscaler Cloud Connector Image
Zscaler Cloud Connector has been updated to version zs1.145.84_6.2.425577. This version provides a general security enhancement. Zscaler strongly recommends updating and redeploying this version as soon as possible to take advantage of the improved security instead of waiting for the <a href="htt...
TLS Tunnel Support for Cloud Connectors
You can select TLS as the Zscaler Internet Access (ZIA) tunnel mode when editing a Cloud Connector. You can also enable or disable fallback to TLS, which detects when the tunnel is unhealthy and switches the tunnel from Unencrypted UDP or DTLS to TLS. <a class="image-icon"...
Zscaler Cloud Connector TCP Optimization with SNI Learning
Cloud Connector supports an integrated TCP optimization module that learns server name indication (SNI) and maintains a database of learned IP addresses, fully qualified domain names (FQDNs), and wildcard FQDN mappings. The module is native to Cloud Connectors, and you can use FQDNs, wildcard FQD...
Support for Microsoft Azure User-Defined Tags and Attributes in Security Policies
Zscaler supports applying security policies by leveraging user-defined tags and attributes for workloads deployed in Microsoft Azure. To request this feature, contact Zscaler Support. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connector/about-microsoft-azure-accounts"...
Zscaler Zero Trust Gateways in Amazon Web Services
Zscaler has introduced a fully managed, cloud-native SaaS security offering in Amazon Web Services (AWS) that allows you to secure your workload traffic and eliminate the need to manage your security infrastructure in your AWS environment. It provides the same security controls for cloud-to-inter...
Update to Zscaler Cloud Connector Amazon Machine Image
The AMI for Zscaler Cloud Connector has been updated to version ZS6.1.26.2. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the improved securi...
Update to Zscaler Cloud Connector Azure Virtual Machine
The Azure VM image for Zscaler Cloud Connector has been updated to version 24.3.5. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the improved...
Update to Cloud & Branch Connector API
The Cloud & Branch Connector API has been updated to include the following new categories of endpoints to extend programmatic access to various features and functionalities: • Policy Management • <a...
Zscaler Client Connector for VDI ZPA Support
Support for Zscaler Private Access (ZPA) using Zscaler Client Connector for VDI is available. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connector/what-zscaler-vdi-agent" target="_blank" data-entity-type="node" data-entity-uuid="c17770e5-52f5-44c4-97a0-bf126c08f2b2" d...
Azure Virtual Machine Availability in Microsoft Azure Marketplace for Spain
The Zscaler Cloud Connector virtual machine (VM) is available in the Microsoft Azure Marketplace for the Spain Central region. If you deploy Cloud Connector using Terraform, use the latest <a class="url-external" href="https://github.com/zscaler/terraform-azurerm-cloud-connector-modules" target="...
Automatic Fail Open for Physical Branch Devices
Zscaler Branch Connector supports automatic fail open for physical branch devices deployed in gateway mode, which allows all local and internet-destined traffic to flow without policy validation or content inspection if a policy enforcement engine fails or is stopped for upgrades. <div class="...
Custom DHCP Options for Physical Branch Devices
You can add custom Dynamic Host Configuration Protocol (DHCP) options when configuring a branch configuration template for physical branch devices deployed in gateway mode. See image. To learn more, see <a href=...
Zscaler Cloud Connector Integration with HashiCorp Vault
You can use a HashiCorp Vault to store and manage secret credentials for new Zscaler Cloud Connectors deployed on the Google Cloud Platform (GCP). HashiCorp Vault is a cloud-agnostic identity-based secret management system that can be used as an alternative to GCP Secret Manager. Use the latest <...
Zero Trust Branch Device SFP Port Support
The ZT800 Zero Trust Branch Device has support for the following copper and fiber small form-factor pluggable (SFP) ports in gateway mode: • Copper: Finisar - FCLF8522P2BTL• Cat5e or later Ethernet cable • Fiber short range (SR): Finisar - FTLF8519P3BNL• Multi...
Service - connector.zscloud.net
Cloud Connector Scheduled Upgrade Enhancements
Zscaler Cloud Connector supports enhanced upgrade capabilities by allowing you to select release channels. When upgrading your Cloud Connectors, you can choose between the stable, latest, or beta release channels. See image....
Endpoints for Scheduled Upgrade Enhancement
New endpoints are added to extend programmatic access for managing Cloud & Branch Connector virtual machines (VMs). The following APIs allow you to update the release channel for VMs, update the status of VMs in bulk, and retrieve the release channel and scheduled upgrade metrics: <li data...
Update to Zscaler Cloud Connector Amazon Machine Image
The AMI for Zscaler Cloud Connector has been updated to version ZS42.1.0. This image contains OS security fixes and certificate updates. Zscaler recommends that all new deployments utilize the latest image. Ensure that you refresh all Infrastructure as Code (IaC) deployment templates to use the l...
Update to Zscaler Cloud Connector Google Cloud Platform Virtual Machine
The Google Cloud Platform (GCP) VM image for Zscaler Cloud Connector has been updated to version zs-cc-ga-03092026. This image contains OS security fixes and certificate updates. Zscaler recommends that all new deployments utilize the latest image. Use the latest <a class="url-external" href="htt...
Update to Zscaler Cloud Connector Microsoft Azure Virtual Machine
The Microsoft Azure VM image for Zscaler Cloud Connector has been updated to version 42.1.0. This image contains OS security fixes and certificate updates. Zscaler recommends that all new deployments utilize the latest image. To learn more, see <a href="https://help.zscaler.com/cloud-branch...
Azure Endpoints for Partner Integrations
New endpoints are added to extend programmatic access to features and functionalities for Azure accounts and groups. The following endpoints allow you to create, update, and delete Azure accounts and account groups. You can also retrieve the list of available Azure accounts, Cloud Connector group...
Cloud & Branch Connector Monitoring Dashboard Enhancements
The Cloud & Branch Connector Monitoring page has improved data about your total entitled and deployed Cloud & Branch Connector devices. See image. To learn more, see <a href="https://help.zscaler.com/clou...
Increased Number of Subscriptions per Azure Partner Integrations Account
The maximum number of subscriptions under a Cloud Connector Azure partner integrations account increased from 32 to 128. To learn more, see <a href="https://help.zscaler.com/unified/ranges-limitations" target="_blank" data-entity-type="node" data-entity-uuid="7972a88f-8098-43c7-9e31-f7088a5...
Supported Regions for Zscaler Zero Trust Gateways
Zscaler Zero Trust Gateways are available in the me-south-1, eu-north-1, and eu-south-2 Amazon Web Services (AWS) regions. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connector/analyzing-zero-trust-gateway-details" target="_blank" data-entity-type="node" data-entity-uu...
Cloud Connector MIG Autoscaling with Google Cloud Platform
A new version of the Zscaler Cloud Connector Google Cloud Platform (GCP) virtual machine (VM) is available. Version zs-cc-ga-02042026 supports a Managed Instance Group (MIG) with autoscaling deployment with GCP. In the Zscaler Cloud & Branch Connector Admin Portal, references to autoscaling also...
Support for AWS Endpoint ID in Session Insights Logs
Zscaler Cloud Connector supports the Endpoint/Interface filter and column in the Session Insights Logs, which is the Amazon Web Services (AWS) virtual private cloud (VPC) endpoint ID that connects to the Gateway Load Balancer. To learn more, see <a href="https://help.zscaler.com/cloud-branc...
ZPA Pattern Matching for Cloud Connector
Cloud Connector supports ZPA pattern matching. Admins can define applications with patterns within application segments. Pattern matching allows you to use the policy evaluation with hostname patterns instead of exact FQDNs. To learn more, see <a href="https://help.zscaler.com/zpa/using-pat...
Zscaler Client Connector for VDI Username Visibility
When logged in to multisession Virtual Desktop Infrastructure (VDI), you can view your username using the Zscaler Client Connector for VDI application. See image. To learn more, see <a href="https://help.zscaler.com/clo...
Supported Regions for Zscaler Zero Trust Gateways
Zscaler Zero Trust Gateways support the new regions of sa-east-1, ca-central-1, eu-central-2, and eu-west-3. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connector/analyzing-zero-trust-gateway-details" target="_blank" data-entity-type="node" data-entity-uuid="b49b2d75-3...
Sublocation Scopes to Group Cloud Connector Workloads in AWS
Sublocation scopes allow you to group workload traffic into sublocations at various levels within your Amazon Web Services (AWS) account. These levels, or scopes, are VPC Endpoint, VPC, Account, and Namespace. For example, the VPC scope groups workloads from one or more Virtual Private Clouds (VP...
Support for Google Cloud Platform User-Defined Tags and Attributes in Security Policies
Zscaler supports applying security policies by leveraging user-defined tags and attributes for workloads deployed in Google Cloud Platform (GCP). Additionally, Zscaler supports applying labels and network tags in GCP. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connect...
Amazon Web Services Endpoints for Partner Integrations
The following Amazon Web Services (AWS) endpoints are added for partner integrations. These endpoints extend programmatic access to features and functionalities for AWS accounts and AWS account groups: • AWS Account and AWS...
JSON Web Token Authentication
JSON Web Token (JWT) authentication is available for Zscaler Cloud & Branch Connector workloads. You configure JWT authentication in the ZIA Admin Portal. You configure token validators for JWT authentication in the ZIdentity Admin Portal. Sessions that include JWT authentication are logged in We...
Cloud Connector Traffic Enhancements
Zscaler Cloud Connector and Zero Trust Gateways support all traffic paths, including: • East-west support: Secure traffic between virtual private clouds (VPCs)/VNets or subnets in the same VPC/VNet by applying essential Layer 4 (L4) stateful rules enforced directly on Cloud Connector and...
Update to Zscaler Branch Connector Virtual Machine Image for Hyper-V
The Zscaler Branch Connector virtual machine (VM) image for Hyper-V has been updated. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the impro...
Update to Zscaler Branch Connector Virtual Machine Image for Linux KVM
The Zscaler Branch Connector virtual machine (VM) image for Linux KVM has been updated. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the imp...
Update to Zscaler Branch Connector Virtual Machine Image for VMware ESXi
The Zscaler Branch Connector virtual machine (VM) image for VMware ESXi has been updated. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the i...
ZTW CRUD Endpoints
The Cloud & Branch Connector API is updated to include the following new endpoints to extend programmatic access to various features and functionalities: • DNS Control Forwarding Rules • <a href="#dns-gate...
Endpoints for Managing Cloud & Branch Connector VMs by Instance ID
New endpoints are added to extend programmatic access for managing Cloud & Branch Connector virtual machines (VMs). The following APIs allow you to retrieve detailed information about a VM and delete a VM using its native public cloud instance ID: • "GET /ecVm/uuid/{vmInstanceId}</c...
Update to Zscaler Branch Connector Virtual Machine
The Zscaler Branch Connector virtual machine (VM) image has been updated. This image provides a general security enhancement. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the improved security instead of waiting for the <a href="https://h...
Update to Zscaler Cloud Connector Image
Zscaler Cloud Connector has been updated to version zs1.145.84_6.2.425577. This version provides a general security enhancement. Zscaler strongly recommends updating and redeploying this version as soon as possible to take advantage of the improved security instead of waiting for the <a href="htt...
TLS Tunnel Support for Cloud Connectors
You can select TLS as the Zscaler Internet Access (ZIA) tunnel mode when editing a Cloud Connector. You can also enable or disable fallback to TLS, which detects when the tunnel is unhealthy and switches the tunnel from Unencrypted UDP or DTLS to TLS. <a class="image-icon"...
Zscaler Cloud Connector TCP Optimization with SNI Learning
Cloud Connector supports an integrated TCP optimization module that learns server name indication (SNI) and maintains a database of learned IP addresses, fully qualified domain names (FQDNs), and wildcard FQDN mappings. The module is native to Cloud Connectors, and you can use FQDNs, wildcard FQD...
Support for Microsoft Azure User-Defined Tags and Attributes in Security Policies
Zscaler supports applying security policies by leveraging user-defined tags and attributes for workloads deployed in Microsoft Azure. To request this feature, contact Zscaler Support. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connector/about-microsoft-azure-accounts"...
Zscaler Zero Trust Gateways in Amazon Web Services
Zscaler has introduced a fully managed, cloud-native SaaS security offering in Amazon Web Services (AWS) that allows you to secure your workload traffic and eliminate the need to manage your security infrastructure in your AWS environment. It provides the same security controls for cloud-to-inter...
Update to Zscaler Cloud Connector Amazon Machine Image
The AMI for Zscaler Cloud Connector has been updated to version ZS6.1.26.2. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the improved securi...
Update to Zscaler Cloud Connector Azure Virtual Machine
The Azure VM image for Zscaler Cloud Connector has been updated to version 24.3.5. This image contains ZscalerOS 42, which provides additional OS hardening and vulnerability fixes. Zscaler strongly recommends updating and redeploying the image as soon as possible to take advantage of the improved...
Update to Cloud & Branch Connector API
The Cloud & Branch Connector API has been updated to include the following new categories of endpoints to extend programmatic access to various features and functionalities: • Policy Management • <a...
Zscaler Client Connector for VDI ZPA Support
Support for Zscaler Private Access (ZPA) using Zscaler Client Connector for VDI is available. To learn more, see <a href="https://help.zscaler.com/cloud-branch-connector/what-zscaler-vdi-agent" target="_blank" data-entity-type="node" data-entity-uuid="c17770e5-52f5-44c4-97a0-bf126c08f2b2" d...
Automatic Fail Open for Physical Branch Devices
Zscaler Branch Connector supports automatic fail open for physical branch devices deployed in gateway mode, which allows all local and internet-destined traffic to flow without policy validation or content inspection if a policy enforcement engine fails or is stopped for upgrades. <div class="...
Custom DHCP Options for Physical Branch Devices
You can add custom Dynamic Host Configuration Protocol (DHCP) options when configuring a branch configuration template for physical branch devices deployed in gateway mode. See image. To learn more, see <a href=...
Azure Virtual Machine Availability in Microsoft Azure Marketplace for Spain
The Zscaler Cloud Connector virtual machine (VM) is available in the Microsoft Azure Marketplace for the Spain Central region. If you deploy Cloud Connector using Terraform, use the latest <a class="url-external" href="https://github.com/zscaler/terraform-azurerm-cloud-connector-modules" target="...
Zscaler Cloud Connector Integration with HashiCorp Vault
You can use a HashiCorp Vault to store and manage secret credentials for new Zscaler Cloud Connectors deployed on the Google Cloud Platform (GCP). HashiCorp Vault is a cloud-agnostic identity-based secret management system that can be used as an alternative to GCP Secret Manager. Use the latest <...
Client Connector per OS - Windows
Zscaler Client Connector for VDI 1.6.0.8 Enhancements and Fixes
• Fixes an issue where Zscaler Client Connector for VDI failed to start due to a connection error. • Fixes "removeRule" failure issues during data channel reconnection. • Fixes a blue screen of death (BSOD) issue caused by the Windows Filtering Platform (WFP) driver.</li...
Zscaler Client Connector for VDI 1.7.0.10 Enhancements and Fixes
Fixes an issue where Zscaler Client Connector for VDI added stray characters to the username field, causing the application to not start on some machines....
Zscaler Client Connector for VDI 1.7.0.7 Enhancements and Fixes
Fixes an issue that caused intermittent permission issues with WebView2....
Zscaler Client Connector for VDI 1.7.0.6 Enhancements and Fixes
Adds a logic to reattempt the initial policy fetch in the event of failure....
Zscaler Client Connector for VDI 1.7.0.4 Enhancements and Fixes
• Contains a new installer parameter, "SHOWREAUTHNOTIFICATION", which makes reauthentication notifications configurable. • Fixes an issue where the user does not receive a notification from Zscaler Client Connector for VDI when a Zscaler Private Access (ZPA) timeout policy is...
Zscaler Client Connector for VDI 1.6.0.6 Enhancements and Fixes
Fixes an issue where Zscaler Client Connector for VDI was crashing due to a race condition when the system shut down....
Zscaler Client Connector for VDI 1.6.0.5 Enhancements and Fixes
Fixes an issue that stopped the control channel from restarting when sending outbound packets and not receiving inbound packets....
Zscaler Client Connector for VDI 1.6.0.3 Enhancements and Fixes
Improves the stability of the Zscaler Client Connector for VDI control channel....
Zscaler Client Connector for VDI 1.5.0.8 Enhancements and Fixes
Fixes an issue where WebView2 has intermittent issues with the discovery of PAC settings....
Zscaler Client Connector for VDI 1.5.0.7 Enhancements and Fixes
• Fixes an issue where the Zscaler Client Connector for VDI application window did not open for some users. • Fixes an issue where Zscaler Client Connector for VDI dropped traffic as a non-standard user....
Zscaler Client Connector for VDI 1.5.0.5 Enhancements and Fixes
Adds a registry option to prevent Zscaler Client Connector for VDI from onboarding on system reboot....
Zscaler Client Connector for VDI 1.4.0.8 Enhancements and Fixes
Fixes an error that caused control channel connections to fail when the certificate had not expired....
Zscaler Client Connector for VDI 1.4.0.7 Enhancements and Fixes
• Increases the authorization timeout from 60 seconds to 180 seconds. • Fixes an issue where default policies in Virtual Desktop Infrastructure (VDI) forwarding profiles were not bypassed....
Zscaler Cellular
Service - admin.ztsim.com
Support for eSIMs
Zscaler Cellular supports eSIMs (embedded SIMs) in addition to traditional physical SIM cards, providing flexibility for organizations adopting eSIM technology. This enhancement allows administrators to view, manage, and activate both physical SIMs and eSIMs directly from the Zsc...
User Interface Changes and Enhancements
The following user interface changes and enhancements are made to the Zscaler Cellular Admin Portal: • Added Refresh button to specific pages (SIMs, Network Events, and Login Tracker) to fetch and display the latest data. <a class="image-icon" href="#refresh-but...
Zero Trust Branch
Service - goairgap.com
Zero Trust Branch 8.0.8P4
The following enhancements to Zero Trust Branch are supported as part of the 8.0.8P4 release: Dynamic DNS (DDNS) Updates For Windows EndpointsDNS Proxy allows Windows DDNS update packets to be forwarded to private DNS servers based on the configured DNS...
Zero Trust Branch 8.0.8P3a
New Features and EnhancementsThis release includes the following new features and enhancements to improve routing control and traffic management: Enhanced WAN Monitoring and Traffic RoutingEnhanced WAN monitoring allows for more gran...
Zero Trust Branch 8.1.1
The following enhancements to Zero Trust Branch are supported as part of the 8.1.1 release: Support for ZPA MicrotenantsYou can register Zscaler Zero Trust Branch with a Zscaler Private Access (ZPA) Microtenant while provisioning the Zero Trust Branch site. This al...
Zero Trust Branch 8.0.8P2
The following enhancements to Zero Trust Branch are supported as part of the 8.0.8P2 release: Firewall Rule Restoration for Zero Trust Branch AppliancesThe upgrade process is improved to ensure all required rules are restored successfully, preventing connectivity l...
Zero Trust Branch 8.0.8P1
Resolved IssuesThe following issues were addressed: • Resolves an issue where deleting a Virtual Routing and Forwarding (VRF) configuration from the Zero Trust Branch Admin Portal did not remove the corresponding interface binding. • Resolves an issue where DHCP Option 43...
Zero Trust Branch 8.0.8
Resolved IssuesThe following issues were resolved: • Resolves a rare threading issue in the configuration daemon that could cause some internal processes to restart unexpectedly. • Resolves an issue where both appliances in high availability (HA) deployment retained a Virt...
Zero Trust Branch 8.0.7
The following enhancements to Zero Trust Branch are supported as part of the 8.0.7 release: Remote Support AccessYou can grant Zscaler Support personnel temporary super admin-level access to the Zero Trust Branch Admin Portal to assist with troubleshooting and conf...
Zero Trust Branch 8.0.7 Preview
The following enhancement to Zero Trust Branch is supported for Preview as part of the 8.0.7 release: Use Root FS Upgrade MethodThe Use Legacy Method to Change Version option is renamed to Use Root FS Upgrade Method. <a class="image-icon" href="#preview-root-...
Zero Trust Branch 8.0.6
The following enhancements to Zero Trust Branch are supported as part of the 8.0.6 release: Gateway Version ManagerWhen you click the Upgrade available icon for a site, the Gateway Version Manager panel opens and provides a rich set of options: • You can perform upgrade op...
Zero Trust Branch 8.0.5
The following enhancement to Zero Trust Branch (formerly [[variable:zero-trust-device-segmentation]]) is supported as part of the 8.0.5 release: Manual Synchronization of ZIA and ZPA to Zero Trust BranchWhen the Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) integra...
Zero Trust Branch 8.0.4
The following enhancements to Zero Trust Branch (formerly [[variable:zero-trust-device-segmentation]]) are supported as part of the 8.0.4 release: Enhancements to ConnectivityZero Trust Branch has the following enhancements to connectivity: • Allows DHCP t...
Zero Trust Branch 8.0.1
The following enhancements to Zero Trust Branch (formerly [[variable:zero-trust-device-segmentation]]) are supported as part of the 8.0.1 release: Enhancements to ProvisioningZero Trust Branch has the following enhancements to provisioning: •...
Zero Trust Device Segmentation 7.8
The following enhancements to Zero Trust Device Segmentation are supported as part of the 7.8 release: Provisioning EnhancementsZero Trust Device Segmentation has the following enhancements to provisioning:• Zero Touch Provisioning allows easier configuration and enables onboard...
Unified Vulnerability Management (UVM)
Service - app.avalor.io
Overview Dashboard
The Overview dashboard provides a comprehensive view of findings from ingestion to remediation. It demonstrates deduplication, normalization, and prioritization capabilities that transform fragmented data points into a streamlined set of prioritized work items based on your defin...
Ticket Workflows Enhancements
Zscaler Unified Vulnerability Management (UVM) Ticket Workflows allow more granular control of ticket statuses by simplifying rule creation and improving automation logic. Enhancements include: • Enable and disable...
Integrated External Attack Surface Management Capabilities
Zscaler integrates External Attack Surface Management (EASM) capabilities into the Zscaler Security Operations (SecOps) platform to provide native asset inventory and vulnerability management for internet-facing assets. This integration offers automated discovery and scanning of...
Apache Kafka Outegration
The Apache Kafka outegration enables Zscaler Data Fabric for Security to publish entity data to an external Kafka topic. This provides a secure, reliable way for you to ingest ticket events into event-driven architectures. To learn more, see <a href="https://help.zscaler.com/uvm/configuring...
Trigger Asset Scans
You can trigger asset scans directly in UVM to immediately validate remediation, instead of waiting for scheduled scan cycles. With a configured scanner outegration, you can launch scans from the Assets page, an asset drawer, or a ticket drawer while reviewing remediation tasks....
Remediation Copilot for UVM
Remediation Copilot is an AI-guided remediation assistant available directly in UVM tickets. It provides context-aware fix paths and instructions based on the ticket's findings, affected assets, and environment, and suggests mitigations when no fix is available. Remediation...
Microsoft Entra ID Stream Data Update
The Entra ID - Devices stream retrieves registered owners for each device, in addition to the device inventory data (e.g., device ID, name, operating system, and compliance and management fields). See image. To learn...
Microsoft Entra ID Applications Stream Available
The Microsoft Entra ID connector includes the Applications stream that retrieves a list of applications registered in your Microsoft Entra ID tenant (e.g., application name and app ID) and the owners for each application....
Dragos Connector Available
The Dragos connector enables organizations to retrieve Operational Technology (OT) asset inventories and their associated vulnerabilities from the Dragos platform via the Sitestore API. It provides detailed metadata, including asset details, vulnerability severities, timestamps,...
HCL BigFix Computers Connector Available
The HCL BigFix - Computers connector retrieves a list of computers from your HCL BigFix deployment, including key details such as computer IDs, hostnames, operating systems, IP addresses, and core properties like hardware information. To learn more, see <a href="https://help.zscaler.com/uvm...
SentinelOne Connector Streams Available
The SentinelOne connector has three new streams available: • SentinelOne Assets: Retrieves different types of assets based on configuration, including endpoints such as managed devices, cloud assets, and unmanaged devices discovered on the network. • SentinelOne Alerts: Retrieves s...
Mandiant ASM Connector Available
The Mandiant ASM connector allows organizations to retrieve data from Mandiant's Attack Surface Management platform across two streams: • Mandiant ASM Entities: Retrieves all exposed assets within the organization's external attack surface, including domains, subdomains, IP add...
Ticket Workflows Enhancements
Ticket Workflows in Zscaler Unified Vulnerability Management (UVM) have been redesigned to organize rules into three workflow categories: • Ticket Status Management: Centralizes automated rules for closing tickets, cr...
Updated Severity and Service Level Agreement Settings in UVM
Zscaler Unified Vulnerability Management (UVM) features enhanced severity settings and service level agreement (SLA) settings for improved flexibility and control. See image. Severity settings are independent of SLA...
Aqua Security Connector Available
The Aqua Security connector enables organizations to retrieve comprehensive data from Aqua Security's cloud-native security platform across 7 data streams. These streams include insights into vulnerability data for functions, hosts, and container images, as well as details about running cont...
Saved Views in Widgets View Items
You can save customized table layouts when viewing widget items, including reordering, adding, or removing columns. Saved views are automatically reusable across all widgets and dashboards that reference the same entity (e.g., Tickets, Assets, or custom entities), increasing cons...
Automated Aging of Findings for Inactive Assets
When configuring asset aging, you can choose to automatically age findings linked to inactive assets. This ensures alignment between the status of assets and their associated findings, minimizes discrepancies, reduces manual cleanup, and improves data consistency. This process ap...
Rapid7 InsightVM Policy Compliance Stream Available
The Rapid7 Policy Compliance stream ingests policy compliance data from the Rapid7 InsightVM platform. The data is retrieved via asynchronous export jobs and downloaded as Parquet files. To learn more, see <a href="https://help.zscaler.com/uvm/configuring-rapid7-insightvm-connector" target=...
Veracode Applications Stream Available
The Veracode connector has one new stream available. The Veracode Applications stream retrieves a paginated list of applications from Veracode. To learn more, see <a href="https://help.zscaler.com/uvm/configuring-veracode-connector" target="_blank" data-entity-type="node" data-entity-uuid="...
Endor Labs Connector Available
The Endor Labs connector allows organizations to retrieve findings from specified namespaces in the Endor Labs platform, including vulnerabilities using the REST API, as well as Software Composition Analysis (SCA) findings, container-related findings, secrets-related findings, and Static Applicat...
Ticket Lifecycle
Ticket Lifecycle allows you to define the behavior of tickets throughout their lifecycle. This enables clarity, control, and automation for every stage of ticket progression. Ticket Lifecycle contains the following settings: • Ticket Statuses: Manage the status of tickets by creating sta...
Enable Failure Alert Notifications for ETL, Connectors, and Outegrations
You can enable email notifications to receive alerts on errors for outegration workflows, source run failures, and issues with Extract, Transform, and Load (ETL) and data pipeline. This allows you to proactively resolve issues and reduce workflow disruptions. To learn more, see <a href="htt...
GitHub Advanced Security Connector Available
There are two available GitHub Advanced Security streams: • GitHub Advanced Security - Code Scanning: Retrieves code scanning data from GitHub repositories, including security vulnerabilities, misconfigurations, and potential exploits in codebases. • GitHub Advanced Security - Secr...
Ionix Connector Available
The Ionix connector enables organizations to retrieve critical data from two streams: Assets and Findings. The connector supports retrieving detailed metadata, including asset IDs, types, statuses, and vulnerabilities. For the Findings stream, the connector retrieves CVE-level details and associa...
Dimension-Based Formatting Rules
Dimension-based formatting rules allow you to define custom coloring for a dimension and apply the rules to specific widgets. This helps make dashboard data more intuitive and easier to grasp at a glance. See image. To learn...
Audit Logs
Audit logs track user-initiated actions within the Zscaler Security Operations (SecOps) platform. This enables you to monitor configuration changes, such as updates to reports, data source instances, and outegrations. You can download specific audit logs for immediate review, and schedule automat...
GitHub Repositories Connector Available
The GitHub Repositories connector enables organizations to ingest data from GitHub for the specified repositories. It retrieves repository metadata and includes configuration options such as selecting the repository branch to use and ingesting repository custom properties defined...
Claroty xDome Healthcare Connector Available
The Claroty xDome for Healthcare (formerly Medigate) connector allows organizations to retrieve security posture data for medical devices, OT, and IoT assets across two streams: • Claroty xDome Healthcare - Assets: Re...
Asset Exposure Management
Service - app.avalor.io
Integrated External Attack Surface Management Capabilities
Zscaler integrates External Attack Surface Management (EASM) capabilities into the Zscaler Security Operations (SecOps) platform to provide native asset inventory and vulnerability management for internet-facing assets. This integration offers automated discovery and scanning of...
Apache Kafka Outegration
The Apache Kafka outegration enables Zscaler Data Fabric for Security to publish entity data to an external Kafka topic. This provides a secure, reliable way for you to ingest ticket events into event-driven architectures. To learn more, see <a href="https://help.zscaler.com/aem/configuring...
Microsoft Entra ID Stream Data Update
The Entra ID - Devices stream retrieves registered owners for each device, in addition to the device inventory data (e.g., device ID, name, operating system, and compliance and management fields). See image. To learn...
Microsoft Entra ID Applications Stream Available
The Microsoft Entra ID connector includes the Applications stream that retrieves a list of applications registered in your Microsoft Entra ID tenant (e.g., application name and app ID) and the owners for each application....
Dragos Connector Available
The Dragos connector enables organizations to retrieve Operational Technology (OT) asset inventories and their associated vulnerabilities from the Dragos platform via the Sitestore API. It provides detailed metadata, including asset details, vulnerability severities, timestamps,...
HCL BigFix Computers Connector Available
The HCL BigFix - Computers connector retrieves a list of computers from your HCL BigFix deployment, including key details such as computer IDs, hostnames, operating systems, IP addresses, and core properties like hardware information. To learn more, see <a href="https://help.zscaler.com/uvm...
SentinelOne Connector Streams Available
The SentinelOne connector has three new streams available: • SentinelOne Assets: Retrieves different types of assets based on configuration, including endpoints such as managed devices, cloud assets, and unmanaged devices discovered on the network. • SentinelOne Alerts: Retrieves s...
Mandiant ASM Connector Available
The Mandiant ASM connector allows organizations to retrieve data from Mandiant's Attack Surface Management platform across two streams: • Mandiant ASM Entities: Retrieves all exposed assets within the organization's external attack surface, including domains, subdomains, IP add...
Violation Ticket Lifecycle
Violation Ticket Lifecycle allows you to define the behavior of violation tickets throughout their lifecycle. This enables clarity, control, and automation for every stage of the violation ticket progression. Ticket Lifecycle consists of the following settings: • Violation Ticket Statuse...
Aqua Security Connector Available
The Aqua Security connector enables organizations to retrieve comprehensive data from Aqua Security's cloud-native security platform across 7 data streams. These streams include insights into vulnerability data for functions, hosts, and container images, as well as details about running cont...
Saved Views in Widgets View Items
You can save customized table layouts when viewing widget items, including reordering, adding, or removing columns. Saved views are automatically reusable across all widgets and dashboards that reference the same entity (e.g., Violation Tickets, Assets, or custom entities), incre...
Rapid7 InsightVM Policy Compliance Stream Available
The Rapid7 Policy Compliance stream ingests policy compliance data from the Rapid7 InsightVM platform. The data is retrieved via asynchronous export jobs and downloaded as Parquet files. To learn more, see <a href="https://help.zscaler.com/uvm/configuring-rapid7-insightvm-connector" target=...
Supported Operating Systems in OS End of Life Policy
The OS End of Life policy has been updated to incorporate support for the following operating systems: • RHEL (Red Hat Enterprise Linux) • VMware ESXi • Apple iOS • IBM AIX (Advanced Interactive eXecutive) • Oracle Linux • Oracle Solaris • Rocky Linux<...
Veracode Applications Stream Available
The Veracode connector has one new stream available. The Veracode Applications stream retrieves a paginated list of applications from Veracode. To learn more, see <a href="https://help.zscaler.com/uvm/configuring-veracode-connector" target="_blank" data-entity-type="node" data-entity-uuid="...
Endor Labs Connector Available
The Endor Labs connector allows organizations to retrieve findings from specified namespaces in the Endor Labs platform, including vulnerabilities using the REST API, as well as Software Composition Analysis (SCA) findings, container-related findings, secrets-related findings, and Static Applicat...
Custom Grouping Rules for Violation Tickets
Violation tickets are grouped by default using rules based on policy name and policy assignee. If your organization needs a different grouping logic, you can change or create custom grouping rules to match your specific requirements. To learn more, see <a href="https://help.zscaler.com/aem/...
Enable Failure Alert Notifications for ETL, Connectors, and Outegrations
You can enable email notifications to receive alerts on errors for outegration workflows, source run failures, and issues with Extract, Transform, and Load (ETL) and data pipeline. This allows you to proactively resolve issues and reduce workflow disruptions. To learn more, see <a href="htt...
GitHub Advanced Security Connector Available
There are two available GitHub Advanced Security streams: • GitHub Advanced Security - Code Scanning: Retrieves code scanning data from GitHub repositories, including security vulnerabilities, misconfigurations, and potential exploits in codebases. • GitHub Advanced Security - Secr...
Ionix Connector Available
The Ionix connector enables organizations to retrieve critical data from two streams: Assets and Findings. The connector supports retrieving detailed metadata, including asset IDs, types, statuses, and vulnerabilities. For the Findings stream, the connector retrieves CVE-level details and associa...
Dimension-Based Formatting Rules
Dimension-based formatting rules allow you to define custom coloring for a dimension and apply the rules to specific widgets. This helps make dashboard data more intuitive and easier to grasp at a glance. See image. To learn...
Audit Logs
Audit logs track user-initiated actions within the Zscaler Security Operations (SecOps) platform. This enables you to monitor configuration changes, such as updates to reports, data source instances, and outegrations. You can download specific audit logs for immediate review, and schedule automat...
GitHub Repositories Connector Available
The GitHub Repositories connector enables organizations to ingest data from GitHub for the specified repositories. It retrieves repository metadata and includes configuration options such as selecting the repository branch to use and ingesting repository custom properties defined...
ServiceNow CMDB Outegration
The ServiceNow Configuration Management Database (CMDB) outegration facilitates updates to CMDB records, including the addition of missing assets. This ensures the CMDB remains accurate and current, which is essential for boosting operational efficiency, reinforcing...
Violation Tickets Dashboard
The Violation Tickets Dashboard in the Zscaler Security Operations (SecOps) platform offers visibility into your team's progress in identifying, managing, and resolving violation tickets. You can view open violation tickets by severity, monitor ticket trends over time, track remediation effo...
OS End of Life Dashboard
The OS End of Life dashboard provides comprehensive visibility into assets running operating systems that have reached or are approaching End-of-Life (EOL) or End-of-Support (EOS) status. The dashboard features summary tiles, charts, and tables that help you quickly identify and manage the OS ass...
Claroty xDome Healthcare Connector Available
The Claroty xDome for Healthcare (formerly Medigate) connector allows organizations to retrieve security posture data for medical devices, OT, and IoT assets across two streams: • Claroty xDome Healthcare - Assets: Re...
External Attack Surface Management
Service - zscalereasm.net
Alert for Phishing Domain Detection
When EASM detects phishing lookalike domains, an alert icon appears on the Lookalike Domains tab in the left-side navigation. See image. Additionally, this alert icon appears in the Top 5 Lookalik...
Jira Integration for EASM
You can connect your Jira instance with individual EASM organizations to seamlessly create and track Jira tickets for the organization's findings directly from the EASM Admin Portal. You can configure the integration for an organization under Administration > Organizations >...
Support for EASM API
EASM supports the use of APIs for programmatic access to EASM features. The EASM API is accessible via Zscaler OneAPI, a unified programming interface for platform automation. OneAPI secures API authorization with...
Update to EASM API: New Asset Endpoints
The EASM API includes the following new endpoints to retrieve information about the assets discovered for an organization: • "GET /{orgId}/assets" • "GET /{orgId}/assets/{assetId}/services" • "GET /{orgId}/assets/{assetId}/technologies" <l...
Return on Investment Score for Findings
EASM determines the risk impact of each finding and its associated financial implications and expresses it as the Return on Investment (ROI) score to help organizations proactively remediate high-priority threats that can result in significant business impact. You can view the fi...
Generating Reports for Organizations
You can generate reports for individual EASM organizations in the PPTX format, translating real-time technical security data from automated discovery findings into actionable, strategic insights for diverse stakeholders. Admins with full permission to an organization can generate...
Update to Asset Status
When assets are attributed to an organization through the discovery process, they are initially assigned the Candidate status by default. EASM automatically validates these assets and updates the status to Approved only for assets that are successfully verified. This ensures that customers receiv...
Discovery Chain for Assets
On the Asset Details page (and the drawer), EASM provides an asset discovery chain for source traceability and attestation of the asset's connection to the organization. The discovery chain is presented as a link chain, featuring the seed asset, intermediate nodes, and the c...
Scan Evidence for Findings
On the Finding Details page, EASM presents the full scan results used to identify the finding and specific portions of the scan that serve as matching evidence for the finding. This information is available for each finding, providing attestation of detected findings and an inves...
Deception
Service - illusionblack.com
Cloud Deception Enhancement
The health check function app for Cloud Deception with Azure was upgraded to Node.js v24.x. You must run the deployment script to sync the latest code and runtime configuration. To learn more, see...
New Datasets
The following new static application datasets were added: ApplicationDescriptionCommvaultEnterprise backup, recovery, and data protection platform used for managing and securing data across hybrid environmen...
New SCADA/IoT Datasets and Protocols
The following new protocols were added for deploying SCADA/IoT decoys: ProtocolPrimary Use CaseEnvironmentDNP3Telemetry and controlPower and waterIEC 61850Substat...
New ThreatParse Rules
The following ThreatParse rules that detect exploits of different application vulnerabilities were added: ApplicationCVE IDDescription of VulnerabilityApache ActiveMQCVE-2026-34197Remote Co...
Support for Detection Types and Subtypes in Safe Processes
Landmine agents for Windows and macOS endpoints support defining safe processes at a granular level based on detection types and subtypes. The following table lists the detection types and subtypes supported for Windows and macOS: Detection...
Updates to GCP Decoy Deployment
An update was released for Terraform user agent configuration that reduces false positive events during Google Cloud Platform (GCP) decoy deployments. See image. To learn more, see <a href="https://help.zscale...
Landmine Policy Enhancements
The following enhancements were made to landmine policies: Windows EndpointsOn the File Decoys tab, the Credential section was replaced with the following sections: • Network Credential: Generates a CSV file containing credentials to access network decoys...
New Dataset
The following dataset for application vulnerabilities was added: ApplicationCVEDescription of VulnerabilityOracle E-Business SuiteCVE-2025-61882A remote code execution vulnerability in Orac...
New ThreatParse Rule
The following new ThreatParse rule that detects exploits of application vulnerabilities was added: Application/Rule NameCVE IDDescriptionSolarWinds - Untrusted Data DeserializationCVE-2025-40551</td...
Python-Based Handlers for Vulnerable Application Datasets
Python-based handlers are used to create and manage custom vulnerable application datasets (CVE datasets). Python-based handlers replace the earlier.the earlier YAML-based approach and this update enables more accurate and realistic simulation of modern vulnerabilities and attack scenarios. <p...
Cloud Deception with GCP
You can integrate Google Cloud Platform (GCP) with Zscaler Deception and deploy various GCP-specific resources as decoys. These decoys help detect malicious activities originating from adversaries within or outside your organization, depending on the type and configuration of the...
Gen AI MCP Server Decoys
You can deploy a generative AI (Gen AI) Model Context Protocol (MCP) server decoy that mimics a standard MCP server. The MCP server decoy integrates an AI application or a Large Language Model (LLM) chatbot with applications and decoy tools to generate fake responses. <a cl...
RADIUS Decoys
RADIUS decoys that mimic real RADIUS servers can be deployed on your internal network via Internal decoys. These decoys respond to authentication attempts, lure the attackers, and divert any threat targeting your RADIUS network. <a class="image-icon" href="#deception-rn-rad...
Terraform Support for Cloud Deception
Cloud Deception provides Terraform support for deploying Zscaler Deception components and decoys in the Amazon Web Services (AWS) and Azure clouds. You can download a ready-to-use Terraform package that includes all configuration files required to provision the Deception resource...
Update to Amazon GuardDuty Containment Configuration
The command to create a role for Amazon GuardDuty containment is updated to create a common role to access the AWS account instead of a tenant-specific role. See image. To learn more, see <a href="https://he...
VPC Configuration Updates in AWS Cloud Deception
You can deploy RDS and VM image decoys in the Amazon Web Services (AWS) cloud by specifying the VPC or subnet information. See image. Deploying RDS and VM image decoys in the default VPC is no l...
Accessing Error Logs for Endpoint Agents
An icon to access error logs was added for endpoint agents. See image. <img src="https://help.zscaler.com/dow...
AI-Powered Recommendations for Threat Intelligence Decoys
Zscaler Deception leverages AI to generate Threat Intelligence (TI) decoy recommendations with preselected hostnames, datasets, server banners, etc. This simplifies decoy creation and deployment, and reduces manual effort. <a class="image-icon" href="#deception-rn-ai-ti-dec...
Deprecation of Keychain-Based Lures
Keychain-based lures in macOS landmine policies are no longer supported. To learn more, see Configuring the Session Lures Module....
OS Upgrade for Decoy Connectors and Aggregators
The operating system for Decoy Connectors and Aggregators was upgraded to FreeBSD 14.3....
User Interface Changes and Enhancements
The following UI changes were made to the Zscaler Deception Admin Portal: • On the Agents page (Endpoint Settings > Agents), a Client Connector Version column was added. This column provides information on the Zscaler Client Connector version used on the endpoints.</p...
AI-Powered Recommendations for Zero Trust Network Decoys
Zscaler Deception analyzes your Zscaler Private Access (ZPA) deployment and leverages AI to generate Zero Trust Network decoy recommendations with preselected datasets, banners, services, and ports. This simplifies decoy creation and deployment, and reduces manual effort. <...
Dashboard Enhancements
The Zscaler Deception dashboard includes the following enhancements: • The following advanced queries are available in the Select Query drop-down menu: • Internal - High Priority Threat Detection • Active Directory Threat Detection • Identity Thre...
New ThreatParse Rules
The following new ThreatParse rules that detect exploits of different application vulnerabilities were added: ApplicationCVE IDVulnerability DescriptionIvanti Endpoint Manager MobileCVE-2025-4427An authe...
User Interface Changes and Enhancements
The following tabs were renamed in the Zscaler Deception Admin Portal: OldNewSettings > User & Roles > SSOSettings > User & Roles > IdP ProvidersSettings > Users & Rol...
View Landmine Policies in Landmine-Based Events
The landmine.applied_policies field is added to the Events page in the Zscaler Deception Admin Portal. With this field, you can view the landmine policies associated with the endpoints that generate landmine-based events. See...
Customization of Landmine Agent's Service Name in macOS Endpoints
The landmine agent's service name in macOS endpoints can be customized to prevent the agent from being fingerprinted. See image. To learn more, see <a href="https://help.zscaler.com/deception/custo...
Gen AI Adaptive Decoys
You can deploy a generative AI (Gen AI) adaptive decoy, which dynamically adjusts to attackers' requests, and provides contextually appropriate responses using AI. See image. To learn more, see <a href...
Generative AI Decoys in Azure
You can create generative AI decoys in Microsoft Azure using OpenAI models. The generative AI decoys are interactive, and you can customize the decoys to generate fake responses to lure attackers into entering more prompts. <a class="image-icon" href="#rn-gen-ai-azure-decoy...
IPv6 Decoys
You can configure an IPv6-enabled subnet or VLAN to deploy IPv6-enabled Internal decoys. For an IPv6-enabled subnet or VLAN, you can either configure DNS servers using IPv6-based DHCP or an IPv6-based gateway/mask. To configure an IPv6-enabled subnet or VLAN, go to Settings > Top...
Custom Names for File Decoys
You can add custom names for file decoys created using preconfigured file datasets. See image. To learn more, see <a href="https://help.zscaler.com/deception/configuring-file-decoys-module" target="_...
Datalist Keys with Value Restrictions
Zscaler Deception supports datalist keys with value restrictions. When you select specific keys while creating a datalist, the maximum number of values that can be added is restricted to 20. The following keys have value restrictions: • Endpoint - Browser Lures Usernames...
Deprecation of Using a Decoy Connector as a Proxy
Zscaler no longer supports using a Decoy Connector as a proxy to landmine agents....
Generative AI Decoys in AWS
You can create generative AI decoys in AWS using foundation models that are optimized for Amazon Bedrock. The generative AI decoys are interactive, and you can customize the decoys to generate fake responses to lure attackers into entering more prompts. You can also log the promp...
Generative AI Lures Authentication
You can enable the Authentication option when configuring a generative AI decoy service. When enabled, adversaries can use decoy credentials deployed via browser lures or file decoys to authenticate and access the decoy. The authentication feature makes the decoys look more reali...
Mark Events or Attackers as Unsafe
You can select an event or attacker and mark it as unsafe. When you mark an event or attacker as unsafe, the allowlist rules are removed, and the attacker is flagged for further investigation. See image. To learn...
Multiple Accounts and Regions in Azure Cloud Deception
You can set up cloud deception with Microsoft Azure for multiple accounts. Azure decoys can be deployed across multiple regions within the same account. See image. To learn more, see <a href="https://he...
New Criteria in Landmine Policies
The following new criteria for selecting endpoints were added to landmine policies: Selection CriterionDescriptionDNS Hostname (Specific)To select endpoints based on their FQDNs by specifying the complete FQDN value<...
OS Upgrade on Decoy Connectors and Aggregators
The operating system for Decoy Connectors and Aggregators was upgraded to FreeBSD 14.2....
Requirement to Run Deployment Script in Microsoft Azure
Following the latest update of Zscaler Deception, customers with an existing deployment of cloud decoys in Microsoft Azure must run the Azure deployment script to sync settings. This is required to ensure continued normal operation of the health check function app deployed by Deception in the Azu...
Shares Service Enhancements
When configuring the Shares service in a network decoy, you can disable the Guest Accessible option to specify custom user credentials for accessing the shared folder. See image. To learn more, see <a hr...
Support for DbVisualizer Lures for macOS Endpoints
The DbVisualizer lure was added to Session Lures in landmine policies for macOS endpoints. See image. To learn more, see <a href="https://help.zscaler.com/deception/configuring-session-lures-module#mac-lures" targe...
User Interface Changes and Enhancements
The option to select multiple entries and delete them was added to the Policies page (Landmine > Policies). See image. <a class="ck-anchor" id="deception-policies-multi-selec...
View Allowlisted Rules
When an event or attacker is marked as safe due to an allowlist rule, you can view the specific rule that triggered the action on the Event Logs page. See image. To learn more, see <a href="https://help.zscaler.com/de...
Customizing an Interactive Generative AI Decoy
When deploying an interactive generative AI decoy using high-interaction datasets, you can customize the decoy using the following decoy types: • UI: Allows you to configure a custom user interface (UI) application using the theme builder available in the Zscaler Decepti...
Export Event Fields in JSON
Deception supports exporting event fields in JSON format. You can export all the event fields and use them for further analysis and investigation. See image. To learn more, see <a href="https://help.zscaler.com/decep...
Integration with Amazon GuardDuty
Zscaler Deception supports integration with Amazon GuardDuty to isolate and contain attackers who interact with decoys by blocking access to those users across AWS resources. See image. <a...
Multiple Accounts and Regions in AWS Cloud Deception
You can set up cloud deception with AWS for multiple accounts. AWS decoys can be deployed across multiple regions within the same account. See image. To learn more, see <a href="https://help.zscaler.com/decept...
New Datasets
New Application DatasetsThe following application datasets were added: ApplicationCVE/StaticDescription of VulnerabilityGrafanaHigh interactionGrafana open source software enables you to query,...
New ThreatParse Rules
The following ThreatParse rules that detect exploits of different application vulnerabilities were added: ApplicationCVE IDDescriptionJournyxCVE-2024-6893Improper Restriction of XML External Entity Refer...
QoS Rate Limit for Threat Intelligence (TI) Decoys
An attacker generating 1,000 events via a TI decoy is blocked for one hour, and a Quality of Service (QoS) event is generated. A cool-down period of two hours applies to the QoS events, and no new QoS event is generated during this period for the same attacker....
ZPA Containment Support for ZIdentity-Enabled Tenants
Support for containment with Zscaler Private Access (ZPA) is extended to ZIdentity-enabled tenants. If a user is contained with ZPA, then real apps become inaccessible and only app decoys remain accessible. To learn more, see <a href="https://help.zscaler.com/deception/containment-configura...
Breach Predictor
Service - zscalerbp.net
AI Assist Dashboard
To learn more about getting access to this feature, contact your Zscaler Account team. The Breach Predictor AI Assist dashboard uses AI and machine learning analysis to provide a dynamic view of the threats that are affecting or could affect your organization....
Integration with SIEM Applications
Breach Predictor lets you send event data to security information and event management (SIEM) applications (e.g., CrowdStrike Next-Gen SIEM and Splunk) so that you can take direct action on threats with a holistic view of your organization's threat landscape. You can i...
User Threat Profile Page
The Breach Predictor User Threat Profile page (Breach Predictor Portal > Users) gives you an overview of how threats are affecting users across your organization, broken down by MITRE ATT&CK stage, department, threat type, and geography. The Overview tab uses charts and gr...
Various Updates to the Breach Predictor Portal
The Breach Predictor Portal contains extensive updates that improve the overall look, feel, and usability, including new charts, graphs, and filtering options, as well as updated data visibility. To learn more, see <a href="https://help.zscaler.com/breach-predictor/using-zs...
Improved Integration with Log Data
To help you more easily identify which logs produce the threat information you see in the Zscaler Breach Predictor Portal, the Zscaler service includes company logos as part of the threat data on the Findings page (Breach Predictor Portal > Findings) and the Events page (Breach P...
Improvements to Policy Recommendations
In addition to existing policies (i.e., Sandbox and URL Filtering), the Zscaler service analyzes your File Type Control and SSL Inspection policies when making policy recommendations based on threat information in the Zscaler Breach Predictor Portal. After you click the name of a...
Updates to Zscaler Breach Predictor
To learn more about getting access to Zscaler Breach Predictor for your organization, contact your Zscaler Account team. Policy RecommendationsBreach Predictor includes policy recommendations based on its analysis of your organization's risk of a...
Risk360
Service - zscalerrisk.net
Risk Factors for DNS Security
The following factors under the Compromise category are available to quantify risk for your DNS-based traffic: • Blocking Critical DNS Domain Category • Blocking High Risk DN...
Risk Factors for Privileged Remote Access
The following factors under the Compromise category are available to quantify risk for Privileged Remote Access (PRA): • File Upload Inspection for Privileged Console • File...
HECVAT Risk Framework Support
The Risk360 service supports HECVAT compliance for risk assessment. See image. To learn more, see Assessing Compliance. </...
Risk Factors for SaaS Security Posture Management
The following factors under the Data Loss category are available to quantify risk for your SaaS Security Posture Management traffic: • Risky Third-Party App Usage • Risky Pos...
HITRUST Risk Framework Support
The Risk360 service supports HITRUST compliance for risk assessment. See image. To learn more, see Assessing Compliance. <d...
CAF Risk Framework Support
The Risk360 service supports Cyber Assessment Framework (CAF) for compliance and risk assessment. See image. To learn more, see Assessing Co...
CIS Risk Framework Support
The Risk360 service supports the Center for Internet Security (CIS) framework. See image. To learn more, see Assessing Compliance. </...
HIPAA & PCI DSS Risk Framework Support
The Risk360 service supports the following frameworks: • Health Insurance Portability and Accountability Act (HIPAA) • Payment Card Industry Data Security Standard (PCI DSS) To learn more, see <a href="https://help.zscaler.com/risk360/assessing-complian...
Enhanced Risk Frameworks
The following updates are available pertaining to risk frameworks: • Search for a technique by its name or the factor mapped to it on the compliance framework pages. • Download the framework as a CSV file. • Add, edit, or delete notes for techniques in framew...
DORA & NIS2 Risk Framework Support
The Risk360 service supports the following frameworks: • Digital Operational Resilience Act (DORA) See image. • Network and Information Security Directive 2 (NIS2) See i...
Operating Entity Risk Report
A weekly and on-demand Operating Entity Risk Report is added to the Reports page to conduct portfolio risk assessment by quantifying risk at the operating entity level. You can also change the entity source for the report. Se...
Data Loss Prevention Factors
The following factors under the Data Loss category are available in the Risk360 Admin Portal that quantifies risk for your Data Loss Prevention (DLP) traffic: • Data in Motion • Data at Rest...
Cyber Insurance Addendum Report
You can download the Cyber Insurance Addendum Report, a comprehensive quarterly and on-demand report of your zero trust security posture. See image. To learn more, see <a href="https://help.zscaler.com/risk360...
Factor for Posture Profiles Not Used in Access Policies
The factor Posture Profiles Not Used in Access Policies under the Lateral Propagation category is available to quantify risk for access policies without a device posture profile. See image. To learn more, see <...
Support for ISO 27001 Framework
The Risk360 service supports the ISO/IEC 27001:2022 for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) for your organization. See image. To learn...
Support for Custom Peer Score Settings
You can add custom strategies for peer score calculations and switch between them to view peer scores calculated based on different attributes such as industry vertical, geographical region, and revenue range. See image....
Support for NIST SP 800-53
The Risk360 service supports the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 that provides guidance on selecting, implementing, and assessing security and privacy controls for federal information systems and organizations. This publicatio...
Support for Gen AI Risk Factors
The Risk360 service supports three generative AI factors under the Data Loss category to quantify your organization's risk for user data privacy, sensitive data loss, and usage risk when interacting with generative AI apps. S...
Risk Management Mitigation Strategy Report
You can download the Risk Management Mitigation Strategy Report that outlines the mitigation strategy for important risk factors impacting your organization's cyber risk. This report is autogenerated once a week. See imag...
Support for Deception Risk Factors
The following 5 Deception factors are added to the Risk360 Admin Portal for your organization's risk quantification: Factor NameRisk CategoryInternal Decoys DeployedLateral PropagationZero Trust Net...
Ability to Customize Breach Probability
You can edit the Zscaler-computed breach probability to the values of your choice using the Simulate toggle on the Monte Carlo Simulation page (Financial Risk > Monte Carlo Simulation). The organization's financial exposure is reevaluated based on new values. You can restore...
Enhanced Financial Risk Architecture
The following enhancements are available for the financial risk architecture in the Risk360 Admin Portal: • You can manage various settings for your organization's financial risk calculation from the Financial Risk Settings section on the Account page. <a c...
Business Insights
Service - zscaleranalytics.net
Schedule Daily Workplace Reports
A Daily option is added for the Time Period and Schedule drop-down menus when adding a new Workplace Report. See image. To learn more, see <a href="https://help.zscaler.com/business-insights/scheduling-workplace-reports"...
Customizing Views with Data Explorer
Use Data Explorer to build your own customized views of metrics to analyze data and save them as scheduled reports in the Business Insights Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/bu...
Filtering Options for Applications
You can filter insights on the All Applications page using the following options: Data Source, Growth Trend, ACV, Risk Index, Departments, Alternatives, Purchased Seats, Sanction Status, Contract Start Date, Contract End Date, or Tags. <a class="image-icon" href="#all-apps"...
Exporting Footfall Data
The Export button is added to the Footfall by the Time of the Day section for you to download the data as a CSV file when analyzing a workplace for a specific week or the last 7 days. See image. To learn more, see...
Support to Tag Applications and Contracts
You can use the Application Tags and Contract Tags features to link applications and contracts to user-defined tags. These tags can be used as a filtering option for viewing applications and contracts, respectively. See...
Filtering Footfall Data for a Workplace
When you select a 3-month time range for a workplace to analyze, you can select any 1 of 3 months to view insights for the Footfall by the Time of the Day section. See image. To learn more, see <a href="https://help.zs...
Additional Data for Workplace Reports
Scheduled workplace reports are enhanced with the following new columns in the CSV file, depending on the report type: • Office</...
Enhanced Offices and Discovered Locations
The following enhancements are available in the Business Insights Admin Portal for improved management of offices and discovered locations: • The Configured Offices page is renamed to the Offices page and moved under the Offices and Locations menu (Workplace > Offices...
Discover and View Insights for All ZIA Applications
You can view insights for all applications discovered from the ZIA data source instead of the current top 700 curated applications. If you choose to view all applications from the ZIA data source, the Users Overlap section becomes unavailable on the <a href="https://help.zscaler....
Support for Uploading Contracts to View Insights
You can upload application contracts established with your vendor to view insights such as application annual contract value (ACV), total contract value (TCV), spending overview, various deadlines, and more. See image. T...
Support to Schedule Workplace Reports
You can schedule attendance reports with various criteria for distribution to multiple email recipients. See image. To learn more, see <a href="https://help.zscaler.com/business-insights/about-workplace-reports" targe...
Support to Tag Workplaces
You can use the Tag Management feature to link workplaces to user-defined tags. These tags can be used as a filtering option for viewing workplace insights. See image. To learn more, see <a href="https://help.zscaler.com/business...
View State and Country Information for Workplaces
You can view the state and country information for workplaces on the Offices and Locations page. See image. To learn more, see <a href="https://help.zscaler.com/business-insights/about-offices-and-locations" target="_b...
ZIdentity
Service - zslogin.net
Support for Integrating Two Private Access Tenants
ZIdentity provides support for integrating two Private Access (ZPA) tenants at a time. This allows customers to manage multiple tenants through the Zscaler Admin Console. The following authentication scenarios are supported for Private Access tenants: For admins: <li...
ZIdentity for End Users
For new deployments, ZIdentity now provides support for end users. Admins can manage a single identity for end users across all Zscaler services. End users have an improved user experience, as Zscaler Client Connector enrollment is faster, and they can securely log in once and access any of the a...
NSS Integration with ZIdentity
You can now integrate Nanolog Streaming Service (NSS) and Cloud NSS with ZIdentity to stream ZIdentity logs to external <a href="https://help.zscaler.com/zia/integrating-vm-based-ns...
OAuth 2.0 Client Credentials Authentication for SCIM Provisioning
ZIdentity provides support to use OAuth 2.0 Client Credentials for authentication while configuring SCIM provisioning with external identity providers (IdPs). See image. <a class="ck...
Integration of Management Portal for Partners with ZIdentity
The Zscaler Management Portal for Partners is now integrated with ZIdentity. You can enable single sign-on (SSO) for partner logins and provide a unified authentication experience. You can assign roles and scopes to partner users migrated to ZIdentity from the Administrative Enti...
Common Domain for Multiple ZIdentity Tenants
ZIdentity provides support for using the same domain for multiple tenants within a single ZIdentity cloud environment. If two or more tenants share a common domain, users might be prompted to select their tenant from a drop-down menu during login. This experience is applicable to...
Enhancements to External Identities Certificate Management
The External Identities Certificate Management feature is updated with the following enhancements: Notification for SAML Certificate ExpirationIf any of the SAML certificates (IdP Certificate or SAML Request Signing and Decryption Certificate) are about to expire w...
Token Validators
You can create and use token validators in the ZIdentity Admin Portal to validate the JSON Web Token (JWT) that is used for authorization to access Zscaler services, like Zscaler Internet Access (ZIA). See image. To lea...
API Client Access Policy
You can now define API client access policy rules to manage the API client's access to specific resources within a set time frame. Administrators can define the policy rules and assign them to the required API clients. This allows you to control and manage authorization....
Updates to MFA
The SMS OTP authentication steps are updated and simplified. After entering the login ID and password, admins are no longer prompted to re-enter the country and phone number but can directly enter the SMS OTP for authentication. To learn more, see <a href="https://help.zscaler.com/zidentity...
Authentication Events in Audit Logs
Administrators can view authentication login and logout events on the Audit Logs page. This provides visibility into the user authentication activities within your tenant. See image. To learn more, see <a href="https://help...
APIs for Identity and Lifecycle Management
ZIdentity supports APIs that give you programmatic access for managing identity and authentication-related features. The APIs allow you to integrate with ZIdentity for seamless identity lifecycle management and API client management. To access and use the APIs, you must <a...
MFA for Admins Using External IdP
In ZIdentity, MFA is enabled for all new and existing identity providers (IdPs) by default. Admins authenticating through external IdPs have a 7-day grace period option to temporarily skip MFA. After the grace period, they are required to configure second-factor authentication in...
IdP-Initiated SSO Redirect
For new ZIdentity tenants enabled with Experience Center, the IdP-initiated SSO redirects users to Experience Center by default. To learn more, see About External Identity Providers....
Regenerate Registration Link
You can regenerate the one-time registration link if it becomes invalid after 72 hours. An email with a new registration link is sent to the registered email address, and this link remains valid for 24 hours. You can regenerate the registration link up to three times. After three...
Zscaler SDK for Mobile Apps
Service - ZSDK
Network Path and Filter Enhancements for the Global Insights Dashboard
The Global Insights dashboard includes Sankey visualizations to evaluate latency experience on network paths for devices connected between Zscaler and App Connectors. The dashboard also includes the following filters as part of the enhancement to focus on crucial details:</...
Global Insights Dashboard Enhancements
The Global Insights dashboard enhancements include: • A comparison table between Wi-Fi and cellular access on devices • An ISP Leaderboard that displays the most impacted internet service providers (ISPs) The interactive Th...
Browser Access
Leverage Browser Access to enforce strict user authentication by using your identity provider, which issues a JSON Web Token that limits web application access. See image. Contact Zscaler Support to enable t...
Global Insights Dashboard
Access the Global Insights dashboard to locate and monitor where your users' devices are distributed, view an overview of their digital experience performance, and see global threats that Zscaler detects and prevents. See image....
Device Profile
Enable more granular security controls by creating a device profile to maintain and enforce access to your application segments. After you create a device profile, you can then create an access policy that uses various criteria (e.g., hardware identifier, OS version) to evaluate...
Client Monitoring Dashboard
The Client Monitoring dashboard provides a high-level overview of users and their mobile devices by capturing important device details on usage, locations, operating systems, and hardware. See image. To learn more, see <a h...
Additional Data Path Tunnel Capabilities
Additional data path tunnel capabilities are added to increase support for tunnel evaluation. To learn more, see <a href="https://help.zscaler.com/zsdk/developer-reference" target="_blank" data-entity-type="node" data-entity-uuid="a4eaea17-e6fc-4d57-a395-09e7f43a7cbc" data-entity-substituti...
ZSDK Private Service Edges and Disaster Recovery
ZSDK Private Service Edges provide safe and secure access to your private applications. Disaster recovery allows your users to access applications in the event of a disruption that impacts Zscaler. When configuring a ZSDK Private Service Edge, you can enable Disaster Recovery for...
Platform - ZSDK Platform
ZSDK Platform 2.0 Enhancements and Fixes
• Support ZSDK integration with React Native. To learn more, see <a href="https://help.zscaler.com/zsdk/zsdk-integration-guide-using-react-native" target="_blank" data-entity-type="node" data-entity-uuid="42db1bac-d8d2-447b-9e30-a0da1945fd93" data-entity-substitut...
ITDR
Service - illusionblack.com
Update to Amazon GuardDuty Containment Configuration
The command to create a role for Amazon GuardDuty containment is updated to create a common role to access the AWS account instead of a tenant-specific role. See image. To learn more, see <a href="https://he...
Automatic Enablement of Active Directory Attribute Collection
Attribute Collection is enabled for all Active Directory scan configurations by default. This change applies to all customers, including customers who have been disabled in their environment. See image. To learn m...
User Interface Changes and Enhancements
The following user interface changes and enhancements were made to the Zscaler ITDR Admin Portal: • An icon to access error logs was added for server agents and endpoint agents. See...
Active Directory Privileged Account Tracking
The Active Directory (AD) Privileged Account Tracking page monitors anomalous login activity of users using a machine learning system. In addition to default privileged users, you can add up to 200 user accounts per AD domain for explicit tracking. Suspicious login activities are...
Enhanced PDF Reports
The following PDF reports are enhanced to improve clarity in analyzing the report data: • Entra ID Executive Summary Report • AD Executive Summary Report • Entra ID Delta Report • Active Directory Delta Report • Endpoint Credential Exposure Report Addi...
Updates to Server Agent-Based Threat Detection
The threat detection feature was updated to detect the following new attacks on a domain controller (DC) via a server agent: • Account Reconnaissance: An attack technique us...
User Interface Changes and Enhancements
The following tabs were renamed in the Zscaler ITDR Admin Portal: OldNewSettings > User & Roles > SSOSettings > User & Roles > IdP ProvidersSettings > Users & Roles >...
Active Directory Remediations
The Active Directory (AD) Remediations feature allows you to run remediation actions for risky AD identities from the Zscaler ITDR Admin Portal, enhancing the AD domain security posture. You must <a href="https://help.zscaler.com/itdr/enabling-remediation-server-agent" target="_b...
Identity Search
The Identity Search feature allows you to search for specific identities across identity platforms<span style="-webkit-text-stroke-width:0px;display:inline !important;float:none;font-family:Inter, sans-serif;fon...
ITDR Integration with ServiceNow
Zscaler ITDR supports integration with ServiceNow to track and assess issues across the Zscaler ITDR Admin Portal (AD domain, credential, Entra ID) along with bad changes detected in the AD domain and Entra ID. You can create a ServiceNow incident for an issue and track it in the...
Retention Period for Okta Logs
Okta system logs for threat detection are only retained for 14 days. You cannot modify this retention period. To learn more, see Viewing Affected AD User Account Details, <a hr...
Threat Detection
The threat detection feature enables you to detect threats on a domain controller using a server agent. Zscaler ITDR identifies these threats and enriches the data with contextual information for easier investigation and further analysis. The following types of attacks are detect...
User Interface Changes and Enhancements
The following user interface changes and enhancements were made to the Zscaler ITDR Admin Portal: • On the Password Analysis Dashboard (ITDR > Dashboard > Password Analysis), the Password Reuse pie charts legends were renamed to Identities without password reuse and I...
Mark Events or Attackers as Unsafe
You can select an event or attacker and mark it as unsafe. When you mark an event or attacker as unsafe, the allowlist rules are removed, and the attacker is flagged for further investigation. See image. To learn...
New Criteria in Endpoint Credential Exposure and Threat Detection Policies
The following new criteria for selecting endpoints were added to endpoint credential exposure and threat detection policies: Selection CriterionDescriptionDNS Hostname (Specific)Select endpoints based on their FQDNs by sp...
New Endpoint Credential Exposure Type
The Local Security Authority (LSA) Protections scan type was added to check the registry keys to confirm if LSA protection is enabled. See image. To learn more, see <a href="https://help.zscaler.com/itdr/viewing-expo...
Password Reuse Analysis
On the Password Analysis dashboard (ITDR > Dashboard > Password Analysis), you can view the percentage of Active Directory (AD) users who have reused passwords. The data is represented in pie charts for both regular and privileged users. <a class="image-icon" href="#itdr-rn...
Standardized Role Assignments in Entra ID
Posture checks for Entra ID identities support both active and eligible role assignment types, providing an effective approach to role monitoring. For an affected Entra ID identity, you can view the role assignment type on the Roles > Entra tab. <a class="image-icon" href="...
User Interface Changes and Enhancements
The following user interface changes and enhancements were made to the Zscaler ITDR Admin Portal: • On the Entra tab (ITDR > Manage > Change Detection), a new column named Policy Enabled was added. This column shows you the status of policies, indicating whether a pol...
View Allowlisted Rules
When an event or attacker is marked as safe due to an allowlist rule, you can view the specific rule that triggered the action on the Event Logs page. See image. To learn more, see <a href="https://help.zscaler.com/it...
Active Directory and Entra ID Scan Delta Reports
The Delta Report feature enables you to effectively monitor changes in Active Directory (AD) domains and Entra ID tenants. This feature streamlines the process of monitoring, tracking, and responding to security posture changes over time. You can automatically compare two h...
Active Directory Monitoring with Server Agent
The ITDR server agent monitors Active Directory (AD) users and computer activities, providing insights to help you quickly address identity-based threats. You can download the server agent directly from the ITDR Admin Portal and run the installation command to complete the setup....
Copying Columns from Tables
You can copy specific columns from tables (up to 1,000 rows) and paste them into CSV, JSON, Notepad, or other compatible files across various modules (Identity Posture, Entra ID, Credential Exposure, Change Detection, etc.) in the ITDR Admin Portal. <a class="image-icon" hr...
Endpoint Credential Exposure Enhancements
The following enhancements are made to the Endpoint Credential Exposure module: • The following sections were added to the Endpoint Credential Exposure dashboard (ITDR > Dashboard > Endpoint Credential Exposure): • Domain risk ca...
Entra ID Remediations
The Entra ID Remediation Action feature allows you to automatically run remediation actions for risky Entra ID identities from the Zscaler ITDR Admin Portal, enhancing the Entra ID tenant security posture. You can run remediation actions for specific or multiple identities (in bu...
Export Event Fields in JSON
ITDR supports exporting event fields in JSON format. You can export all the event fields and use them for further analysis and investigation. See image. To learn more, see <a href="https://help.zscaler.com/itdr/ex...
Integration with Amazon GuardDuty
Zscaler ITDR supports integration with Amazon GuardDuty to isolate and contain attackers who interact with decoys by blocking access to those users across AWS resources. See image. <a class...
Risk Reduction Roadmap
The Risk Reduction Roadmap feature provides a proactive security approach to enhance the security posture of your identity infrastructure, including Active Directory (AD), Entra ID, and endpoints. An interactive in the Risk Reduction Roadmap section on the dashboard enables...
ZPA Containment Support for ZIdentity-Enabled Tenants
Support for containment with Zscaler Private Access (ZPA) is extended to ZIdentity-enabled tenants. If a user is contained with ZPA, then real apps become inaccessible and only app decoys remain accessible. To learn more, see <a href="https://help.zscaler.com/deception/containment-configura...