Remote users (SASE / SSE)

Special Note Regarding Zscaler/Vectra SASE Press Release

https://www.vectra.ai/about/news/vectra-ai-and-zscaler-expand-their-alliance-to-unlock-unprecedented-visibility-into-sase-traffic

If you found this article as a result of the recent Vectra AI June 2025 press release above, please note that the new functionality with Zscaler SASE solutions is currently in Public Preview for Vectra (Early Access for Zscaler) and is planned to become Generally Available (GA) soon. The new functionality ingests ZIA traffic that Zscaler captures in its cloud, using a Vectra vSensor deployed specifically for this remote user traffic, which is not present on the corporate network where other Vectra Sensors already capture traffic. ZIA is already supported when used inside corporate networks where Vectra Sensors are capturing the traffic. ZPA traffic is also already supported through a different integration.

Zscaler ZIA and ZPA Support

Vectra has two different integrations with Zscaler. Please see the articles below for full details:

Zscaler Private Access (ZPA)

  • Vectra can ingest ZPA LSS logs and use that data to attribute remote workers' behaviors to host entity objects in the Vectra system. The traffic from the app connector to the app/service is captured by virtual or physical Vectra network sensors just like any other network traffic. This allows the remote user traffic that is source NAT'd from the app connector to be mapped to each remote worker instead of the app connector. The resulting Vectra host entity objects are named by ZPA username in the Vectra system.

Zscaler Internet Access (ZIA)

  • For customers wishing to secure ZIA traffic, Vectra has two options: on-prem capture, an older method that has been supported for several years, and the new PCAP ingestion method, which is currently in private preview. If your ZIA deployment is using ZIA Z-Tunnel 1.0 on your premises (no remote users, and no other sources, or GRE/IPsec), then the on-prem capture option meets the use case. This option is easier to deploy and costs less. If your ZIA deployment is using Z-Tunnel 2.0 or includes remote users, then the new PCAP ingestion option is required. For full details on both integration methods for ZIA traffic, see the link above.

  • PCAP Ingestion Overview:

    • Zscaler is configured to create PCAPNG files of ZIA traffic that is destined for the internet. The captures are written to an S3 bucket that both Zscaler and Vectra can access. Vectra then retrieves the PCAPNG files and ingests the captured traffic into a vSensor deployed in the same region as the S3 bucket. The vSensor is paired to your Vectra Brain, which can be located anywhere the sensor can reach, and sends an enriched metadata stream to the Brain for further processing. Because remote workers can have IP addresses that overlap with corporate networks, the Vectra administrator assigns subnets to which ZIA devices are mapped when they are observed in the Vectra AI platform. The resulting Vectra host entity objects are named by ZPA device ID in the Vectra system.

Netskope Cloud TAP

  • With Cloud TAP, Netskope can tap your connections as they traverse their gateway processes, and save a copy to cloud storage. This copying is continuous and the data is stored in a proprietary format, split into many BLOBs. You must provision a bucket from your organization’s cloud storage provider as an object store to accept the copy of traffic. Customers can then install "Stitcher" software from Netskope, along with a Vectra vSensor in the same cloud environment. The Stitcher app will retrieve the traffic from the object store and replay it to the Vectra vSensor for ingestion into the Vectra platform.

Other SSE/SASE Vendors

Vectra plans to add additional support in the future. Please watch for Vectra news releases and for this article to be updated with links to other integration guides as additional options become available.
