Zscaler ZPA

Please see SASE/SSE Deployment Guide Links for more details on SASE/SSE support along with links to other supported solutions.

About ZPA and Vectra’s Support of ZPA

The Zscaler Private Access (ZPA) service enables organizations to provide access to internal applications and services while ensuring the security of their networks. Unlike VPNs, which require users to connect to your network to access your enterprise applications, ZPA allows you to give users policy-based secure access only to the internal apps they need to get their work done. With ZPA, application access does not require network access. ZPA decouples applications from the physical network so you can provide seamless connectivity to private internal applications and assets whether they are in the cloud, the data center, or both. It also adjusts dynamically to network changes, so you can move your resources without impacting user access.

Vectra’s support of ZPA is a key component of Vectra’s ZTNA (Zero Trust Network Access) strategy. For additional guidance on Vectra and ZTNA, see these articles on Vectra’s public website:

While ZPA connects users to an enterprise's internal applications, Zscaler Internet Access (ZIA) connects users to public applications on the internet. Vectra has a separate Zscaler ZIA Integration and Optimization article that provides configuration advice for ZIA.

Document Purpose and Use

This integration guide provides an overview of Vectra's integration for customers who have deployed Zscaler Private Access (ZPA). It includes the instructions necessary to onboard the ZPA logs into the Vectra Brain.

Solution – Key Components

As shown in the conceptual design above, Vectra's attribution of behaviors to remote workers is the byproduct of two inputs: traffic observed by Vectra Sensors, and the ZPA logs generated by the Log Streaming Service (LSS). These logs, sourced preferably from a dedicated App Connector group used only for LSS, contain data on the activities brokered through the App Connectors that carry your ZPA traffic; when forwarded to the Vectra Brain, they form the basis of this integration. In ZPA parlance, the Vectra Brain serves as an Enterprise Log Receiver.

Architecture and Performance Guidance

  • Vectra recommends a dedicated App Connector group for log forwarding

    • This separates the data plane (ZPA network traffic) from log forwarding traffic and prevents log forwarding from degrading access to ZPA apps in the customer environment

    • A dedicated App Connector group with more than one connector also distributes the LSS load and provides some redundancy

    • Note that this is not a requirement, but it is highly recommended

  • A Vectra Brain can process approximately 3000 LSS log events per second

  • Vectra requires the logs over TCP port 4639, in JSON format, without TLS encryption (TLS Encryption must be disabled on the ZPA Log Receiver)

  • If a customer uses an intermediary host, such as a SIEM or central log management server, to collect the LSS logs and forward them to the Vectra Brain, the logs must arrive in exactly the same format as if there were no intermediary (for example, with no syslog header prepended and no re-encoding)

  • Network traffic between the App Connectors and the customer's private apps must be captured by Vectra Sensors

    • Please work with your SE and/or installation team to help ensure the proper traffic is captured

  • It is recommended to position the App Connectors that forward LSS traffic to the Vectra Brain in the same network location or subnet as the Vectra Brain

    • This reduces latency

    • This may eliminate the need for firewall rules allowing the App Connector to reach the Vectra Brain

    • This also alleviates concerns about the App Connector to Brain traffic being sent in the clear, since it then never leaves that subnet

Attribution of Traffic to ZPA Users

Vectra Sensors (virtual or physical) capture network traffic as normal in customer environments and forward the metadata to the Brain for analysis. The Brain attributes traffic observed coming from the App Connectors used for private app access to Host containers for the ZPA user, based on the ZPA LSS log information received. Without the LSS logs, all of that traffic would appear to originate from the shared connector IPs and could not be tied to an individual user.

Below is an example of a New Host Detection on one of Vectra's internal servers. The username and Sensor name have been blurred out, but you can see the naming convention for ZPA hosts: [email protected]. All Vectra Detections function normally for ZPA hosts.

Drilling into the ZPA host in the Details section shows the Host ID Artifacts, including the First Seen attribute:

Searching the Hosts page for zpa with Status set to All shows the identified ZPA hosts, with or without an active Threat/Certainty score:
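The following is an added, conceptual illustration of the attribution step described above; it is not Vectra's code, and the Brain's real logic is not published on this page. It joins constructed sensor flow metadata with constructed LSS User Activity events to show why the LSS feed is needed: every flow from an App Connector carries the connector's IP rather than the user's, so the connector IP alone cannot say who did what. The JSON field names (LogTimestamp, Username, ConnectorIP, ServerIP, ServerPort, Application) and the 30-second matching window are assumptions.

```python
"""Conceptual join of sensor-observed flows with ZPA LSS User Activity events.

Added example, not Vectra's or Zscaler's code. Field names and the matching
window are assumptions; all input data below is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Mirrors the "ZPA Connector IPs" setting in the Vectra UI (constructed values).
CONNECTOR_IPS = {"10.20.0.11", "10.20.0.12"}

# Constructed newline-delimited JSON, as LSS would deliver it over TCP/4639.
LSS_STREAM = (
    '{"LogTimestamp":"2024-05-01T10:00:00Z","Username":"alice@example.com",'
    '"ConnectorIP":"10.20.0.11","ServerIP":"10.30.0.5","ServerPort":443,'
    '"Application":"intranet"}\n'
    '{"LogTimestamp":"2024-05-01T10:00:02Z","Username":"bob@example.com",'
    '"ConnectorIP":"10.20.0.12","ServerIP":"10.30.0.9","ServerPort":3389,'
    '"Application":"jump-host"}\n'
)

# Constructed sensor flow metadata as (timestamp, src_ip, dst_ip, dst_port).
SENSOR_FLOWS = [
    ("2024-05-01T10:00:01Z", "10.20.0.11", "10.30.0.5", 443),   # alice via connector .11
    ("2024-05-01T10:00:03Z", "10.20.0.12", "10.30.0.9", 3389),  # bob via connector .12
    ("2024-05-01T10:00:04Z", "10.40.0.7", "10.30.0.5", 443),    # an ordinary on-prem host
    ("2024-05-01T10:30:00Z", "10.20.0.11", "10.30.0.5", 443),   # connector, but no LSS event near it
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_lss(stream: str) -> list:
    """One User Activity event per line; blank lines are skipped."""
    events = []
    for line in stream.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        events.append({
            "ts": parse_ts(e["LogTimestamp"]),
            "user": e["Username"],
            "connector_ip": e["ConnectorIP"],
            "server_ip": e["ServerIP"],
            "server_port": int(e["ServerPort"]),
        })
    return events


def attribute_flows(flows, events, connector_ips, window=timedelta(seconds=30)):
    """Return one (flow, username_or_None, status) per flow.

    status is 'not-connector' for traffic not sourced from a connector IP,
    'attributed' when an LSS event with the same connector/server/port lies
    within the window, else 'unattributed' (the connector IP is shared by
    every remote user, so without a matching event nothing more can be said).
    """
    out = []
    for flow in flows:
        ts, src, dst, dport = flow
        if src not in connector_ips:
            out.append((flow, None, "not-connector"))
            continue
        t = parse_ts(ts)
        candidates = [
            e for e in events
            if e["connector_ip"] == src and e["server_ip"] == dst
            and e["server_port"] == dport and abs(e["ts"] - t) <= window
        ]
        if not candidates:
            out.append((flow, None, "unattributed"))
            continue
        best = min(candidates, key=lambda e: abs(e["ts"] - t))
        out.append((flow, best["user"], "attributed"))
    return out


def hosts_by_user(results) -> dict:
    """Group attributed flows into per-user containers, the counterpart of the
    per-ZPA-user Host shown in the UI (the naming convention is not reproduced)."""
    hosts = {}
    for flow, user, status in results:
        if status == "attributed":
            hosts.setdefault(user, []).append(flow)
    return hosts


if __name__ == "__main__":
    res = attribute_flows(SENSOR_FLOWS, parse_lss(LSS_STREAM), CONNECTOR_IPS)
    for flow, user, status in res:
        print(f"{flow[0]} {flow[1]} -> {flow[2]}:{flow[3]}  {status:14} {user or ''}")
```

The fourth constructed flow is the instructive one: it comes from a connector IP, so it is ZPA traffic, but no User Activity event is close enough in time to name the user. That is what a gap in the LSS feed (dropped logs, an unreachable Brain) looks like from the attribution side.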

Log Format Example

User Activity is the ZPA LSS log type that Vectra requires for this integration. The full User Activity log contains many more fields than shown below; the fields below are the ones Vectra requires. The additional fields can be filtered out at the source if desired, but there is no requirement to pre-filter: Vectra ignores any additional data present in the log stream.

Vectra ZPA Integration Configuration Instructions

Prerequisites

  • Vectra account with Role permissions including View and Edit for Settings - Zscaler Private Access.

Configuration Instructions (Vectra)

  • After logging in to your Vectra UI, navigate to Configuration > SETUP > External Connectors > Zscaler Private Access (ZPA) and click the Edit or pencil icon.

  • Configure the ZPA settings as directed below. An example screenshot follows.

    • Ensure the feature is enabled at the top

    • In the ZPA Log Forwarder area, enter the IPs your Brain will receive LSS logs from. These are the IPs of the App Connectors that forward the logs, which you can see in your ZPA admin console. Use the +Add button to add additional Log Forwarder IPs as required.

    • In the ZPA Connector IPs area, enter the IPs of the App Connectors that broker ZPA traffic in your environment (the connectors whose traffic the Sensors see; if you use a dedicated log forwarding group, these differ from the Log Forwarder IPs).

    • Click Save when done.

  • Once you have saved you will return to the External Connectors screen where you can see the status of the ZPA integration. An example screenshot is below. Please note the following:

    • You must also complete the ZPA LSS Configuration Instructions below before the integration becomes operational.

      • It is recommended to complete the Vectra side of the configuration first to avoid sending LSS logs to Vectra before it is configured to receive them.

    • Log counts shown are an average, so it is possible to see non-whole numbers

    • It can take up to 10 minutes for the numbers to change, as this data is polled

    • A green checkmark means that logs are arriving in the proper format

    • Some reasons why the integration may fail include:

      • Log format is incorrect: not JSON, altered in some way by an intermediary, etc.

      • The App Connector used for LSS cannot reach the Brain, which is often firewall related

      • Not all of the required logs are being sent, as specified earlier in this document

      • More logs are being sent than the Brain can process, so some logs are dropped
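The following is an added example, not Vectra's or Zscaler's code, of a pre-flight check a practitioner can run on a captured sample of the feed (for example, a few seconds of what an intermediary relay would send) before pointing it at the Brain. It sorts each line into the failure classes listed above: JSON wrapped in a syslog header by a relay, a non-JSON log template, a record trimmed of required fields, and a truncated record; it also checks the sender against the configured Log Forwarder IPs and compares the event rate with the ~3000 events per second figure. The required field names and all sample lines are assumptions constructed for illustration; the page's own field list is not reproduced.

```python
"""Pre-flight checks on an LSS feed destined for the Vectra Brain.

Added example, not Vectra's or Zscaler's code. REQUIRED_FIELDS is an assumed
minimum set for attribution; the sample feed is constructed.
"""
import json
from collections import Counter

# Mirrors the "ZPA Log Forwarder" IPs entered in the Vectra UI (constructed).
LOG_FORWARDER_IPS = {"10.20.0.21"}
# Assumed minimum field set; adjust to the list documented for the integration.
REQUIRED_FIELDS = ("LogTimestamp", "Username", "ConnectorIP", "ServerIP")
BRAIN_EPS_BUDGET = 3000

# Constructed feed: one good line, then one example of each failure class.
SAMPLE_FEED = (
    b'{"LogTimestamp":"2024-05-01T10:00:00Z","Username":"alice@example.com",'
    b'"ConnectorIP":"10.20.0.11","ServerIP":"10.30.0.5","ServerPort":443}\n'
    # A relay prepended a syslog header: the line is no longer parseable JSON.
    b'<134>May  1 10:00:01 lss-relay {"LogTimestamp":"2024-05-01T10:00:01Z",'
    b'"Username":"bob@example.com","ConnectorIP":"10.20.0.12","ServerIP":"10.30.0.9"}\n'
    # Log Template set to something other than JSON.
    b'LogTimestamp=2024-05-01T10:00:02Z,Username=carol@example.com,ConnectorIP=10.20.0.11\n'
    # Valid JSON, but Log Stream Content was over-trimmed at the source.
    b'{"LogTimestamp":"2024-05-01T10:00:03Z","Username":"dave@example.com"}\n'
    # Cut off mid-record (relay buffering or a reset connection).
    b'{"LogTimestamp":"2024-05-01T10:00:04Z","Username":"erin@\n'
)


def classify_line(raw: bytes) -> str:
    """Label one line: ok, syslog-wrapped, not-json, missing-fields, or truncated."""
    text = raw.decode("utf-8", errors="replace").strip()
    if text.startswith("<") and "{" in text:
        return "syslog-wrapped"      # an intermediary altered the record
    if not text.startswith("{"):
        return "not-json"            # wrong Log Template (or non-JSON relay output)
    try:
        rec = json.loads(text)
    except json.JSONDecodeError:
        return "truncated" if not text.endswith("}") else "not-json"
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    return "missing-fields" if missing else "ok"


def check_feed(payload: bytes, sender_ip: str, seconds: float) -> dict:
    """Summarise a captured batch: per-class counts, sender check, and event rate."""
    lines = [line for line in payload.split(b"\n") if line.strip()]
    counts = Counter(classify_line(line) for line in lines)
    eps = len(lines) / seconds if seconds > 0 else float("inf")
    problems = []
    if sender_ip not in LOG_FORWARDER_IPS:
        problems.append(f"sender {sender_ip} is not a configured Log Forwarder IP")
    for cls, n in counts.items():
        if cls != "ok":
            problems.append(f"{n} line(s) {cls}")
    if eps > BRAIN_EPS_BUDGET:
        problems.append(
            f"rate {eps:.0f} events/s exceeds the {BRAIN_EPS_BUDGET} events/s budget; expect drops"
        )
    return {"counts": dict(counts), "events_per_second": eps, "problems": problems}


if __name__ == "__main__":
    report = check_feed(SAMPLE_FEED, sender_ip="10.20.0.21", seconds=1.0)
    print(report["counts"])
    for problem in report["problems"]:
        print("PROBLEM:", problem)
```

Only the first constructed line would earn the green checkmark; the syslog-wrapped line is the case to look for first when a SIEM or relay sits between the App Connector and the Brain, because the relay's default output template usually adds exactly that header.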

ZPA LSS Configuration Instructions

Prerequisites

  • Administrative access to the ZPA Administrative Console

Supporting Material

Official Zscaler ZPA support documentation may be useful to reference while making these configurations:

Configuration Instructions (Zscaler LSS)

  • Log in to the Zscaler management portal

  • Click Add Log Receiver - The Add Log Receiver window appears

  • In the Add Log Receiver window, configure the following tabs:

    • Log Receiver tab

      • Name - Provide a name for this receiver. For example: Vectra LSS Receiver.

      • Domain/IP - Provide the management IP address or hostname of the Vectra Brain

      • TCP Port - 4639. Note: this port is not currently configurable.

      • Ensure TLS Encryption is Disabled.

      • Connector Groups - Select the connector group that will act as the log forwarder; it must be able to reach the Brain's IP or hostname.

    • Log Stream tab. Optionally, use the Log Stream Content section to remove fields you do not want forwarded to Vectra while leaving the required fields listed earlier in this document; see the Zscaler LSS documentation for details on limiting fields. This step is optional, since Vectra ignores the extra fields.

      • Log Type - Select User Activity.

      • Log Template - Select JSON.

      • Log Stream Content - Leave as Default, or modify as required per the guidance above

      • Policy - Leave as default unless you want to add specific restrictions on which logs are streamed
