McAfee MVISION Cloud

Automatic Proxy Configuration for Zscaler

Define governance policies in MVISION Cloud using Service Groups and then sync all the URLs to Zscaler as Custom Categories to enforce these policies.

NOTE: Your Zscaler account must have admin permissions in order to set up URL categories to sync with MVISION Cloud.

You can configure MVISION Cloud Service Groups to sync to Zscaler manually or automatically:

  • Automatic. Use the following instructions to sync to Zscaler automatically.
  • Manual. If at any time you want to continue using the manual integration method, download the config file on the CLR screen. Be aware that this download action approves any unapproved changes in the Service Groups.

Once you have integrated your Zscaler edge device using the MVISION Cloud wizard, provide API credentials to connect to Zscaler. 

  1. On the Settings > Integrations > Firewall/Proxy page, click Provide API Credentials.
  2. In the Provide API Credentials dialog, enter your Zscaler API credentials. (Ask your Zscaler admin if you don't have this information.)
    • Zscaler Instance
    • User Name
    • Password
    • API Key
    • Select I acknowledge that MVISION Cloud will store these credentials...
  3. Click Authenticate.
  4. When your API credentials are successfully authenticated, you will see a message that says your URLs have synced to Zscaler, and the Status is Connected.

After authentication, note that only Service Groups that do not require approvals are synced. Other Service Groups require you to Approve Changes in order for them to sync.

The MVISION Cloud Service Group that is now synced creates a Custom Category in Zscaler with the same name and a prefix of "SHN" for easy identification. Now you can create and enforce App Control Policies on these Custom Categories in Zscaler. 

When a URL group is synced with a Custom Category, it leaves a message in Zscaler that states, "This category is created by integrating with a MVISION Cloud Service Group."

If MVISION Cloud is ever disconnected from Zscaler, MVISION Cloud sends an email to administrators. 

Custom Category Best Practices

  • Zscaler has a limit of 48 Custom Categories. If you reach this limit, MVISION Cloud will display an error, and send an email to notify the admin. 
  • We recommend that you DO NOT edit the URLs in Zscaler Custom Categories created using MVISION Cloud Service Groups. Otherwise, your changes will be overwritten the next time MVISION Cloud synchronizes to Zscaler. 
  • If you add URLs to your Zscaler Custom Category, MVISION Cloud will not sync them back to the Service Group, and they will not be deleted if you delete your Service Group, which may cause inconsistencies. 

Delete Skyhigh Service Groups

  • If you delete a Service Group in MVISION Cloud that IS NOT associated with a Zscaler policy, the Custom Category will be deleted in Zscaler the next time MVISION Cloud syncs. 
  • If you delete a Service Group in MVISION Cloud that IS associated with a Zscaler policy, the URLs will be removed from the Custom Category in Zscaler the next time MVISION Cloud syncs. MVISION Cloud will also add a message that the URLs were removed. As a best practice, remove this empty Custom Category. 
  • In Zscaler, rename your policy to URL filtering policy.


Troubleshooting

Zscaler has a limit of 25,000 URLs created across all Categories. If you see the following error, you have exceeded the URL limit. 

[Screenshot: zscaler_error_urls.png]

MVISION Cloud will also send an email to notify the admin. 

To correct the problem, edit the integration to limit the number of URLs that are mapped. You can deselect Service Groups to remove them using the configuration wizard.  
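
The following is an added example, not McAfee or Zscaler code. It audits hand-exported inventories offline for the conditions described under Custom Category Best Practices, Delete Skyhigh Service Groups and Troubleshooting: URLs added by hand in Zscaler, leftover synced categories, and the 48-category and 25,000-URL limits. Assumptions: the dictionary layout, the rule that maps a category name back to its Service Group, counting URLs once per category, and all sample values are constructed for illustration.

```python
# Added example. The limits and the "SHN" prefix come from this page; the data
# layout, the name-matching rule and all sample values are constructed assumptions.
MAX_CATEGORIES = 48     # Zscaler Custom Category limit
MAX_URLS = 25_000       # URL limit across all categories
PREFIX = "SHN"          # prefix carried by categories the sync creates


def group_name(category):
    """Assumed mapping: drop the prefix and any separator that follows it."""
    return category[len(PREFIX):].lstrip(" _-")


def audit(service_groups, zscaler_categories):
    """Both arguments map a name to a set of URLs (hand-exported inventories)."""
    report = {"manual_urls": {}, "empty_leftovers": [], "orphans_with_urls": []}
    kept = {}  # categories assumed to stay unchanged after the next sync
    for cat, urls in zscaler_categories.items():
        synced = cat.startswith(PREFIX)
        group = service_groups.get(group_name(cat)) if synced else None
        if group is not None:
            extra = urls - group  # URLs present in Zscaler but not in the group
            if extra:
                report["manual_urls"][cat] = sorted(extra)
            continue
        kept[cat] = urls
        if synced:  # synced category whose Service Group no longer exists
            key = "orphans_with_urls" if urls else "empty_leftovers"
            report[key].append(cat)
    # Projected totals: kept categories plus one category per Service Group.
    report["categories"] = len(kept) + len(service_groups)
    report["urls"] = (sum(len(u) for u in kept.values())
                      + sum(len(u) for u in service_groups.values()))
    report["over_category_limit"] = report["categories"] > MAX_CATEGORIES
    report["over_url_limit"] = report["urls"] > MAX_URLS
    return report


# Constructed sample inventories (example.* hosts are placeholders).
GROUPS = {
    "High Risk Storage": {"files.example.com", "share.example.net"},
    "Bulk": {f"host{i}.example.org" for i in range(24_990)},
}
ZSCALER = {
    "SHN High Risk Storage": {"files.example.com", "share.example.net",
                              "added.example.com"},
    "SHN Retired Group": set(),
    "SHN Old Group": {"kept.example.com"},
    "Local Allow List": {f"allow{i}.example.com" for i in range(10)},
}

if __name__ == "__main__":
    for key, value in audit(GROUPS, ZSCALER).items():
        print(key, value)
```

Categories listed under manual_urls contain edits that were made directly in Zscaler; an over_url_limit result means Service Groups should be deselected in the configuration wizard before the next sync.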
