Zscaler Firewall

About

Zscaler Cloud Firewall enables fast, secure on- and off-network connections and local internet breakouts for all your user traffic, without any hardware or software to manage.

Purpose-built for today's digital world, Zscaler Cloud Firewall ensures you can securely access the internet and handle all web and non-web traffic, across all ports and protocols, with infinite elastic scalability and unbeatable performance. Your users get consistent protection no matter what device they’re using or where they are—at home, the office, HQ, or on the road.

Product Details

Vendor URL: Zscaler Firewall

Product Type: Firewall

Product Tier: Tier II

Integration Method: Custom

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON

Expected Normalization Rate: near 100%

Data Label: ZSCALER_FIREWALL

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                            UDM Field
------------------------------------------------------------------------------
Firewall                                  metadata.product_name
Zscaler                                   metadata.vendor_name
event.cdip / event.sdip                   target.ip
event.cdport                              target.port
event.nwapp                               target.application
event.destcountry                         target.location.country_or_region
event.devicehostname                      principal.asset.hostname
event.csip                                principal.ip
event.csport                              principal.port
event.user                                principal.user.userid
event.department                          principal.user.department
event.locationname                        principal.user.office_address.name
event.ssip                                src.ip
event.ssport                              src.port
event.tsip                                intermediary.ip
event.proto or "UNKNOWN_IP_PROTOCOL"      network.ip_protocol
event.outbytes                            network.sent_bytes
event.inbytes                             network.received_bytes
ALLOW or BLOCK                            security_result.action
event.ipcat                               security_result.category_details
event.rulelabel                           security_result.rule_name
event.threatname                          security_result.threat_name
event.ipsrulelabel                        security_result.rule_id
event.threatcat                           security_result.summary

Product Event Types

Event                                     UDM Event Classification
------------------------------------------------------------------------------
all others                                GENERIC_EVENT
other Destination Port                    NETWORK_HTTP
Dest Port 80, 8080, 443                   NETWORK_CONNECTION

Log Sample

{
  "sourcetype": "zscalernss-fw",
  "event": {
    "datetime": "Fri Jul 15 12:29:00 2022",
    "user": "john.doe@company-domain.com",
    "department": "Technology%20and%20Operations%20Admin",
    "locationname": "US%20-%20City",
    "cdport": "443",
    "csport": "55013",
    "sdport": "443",
    "ssport": "59944",
    "csip": "10.123.1.1",
    "cdip": "10.1.1.164",
    "ssip": "10.10.60.51",
    "sdip": "10.1.1.208",
    "tsip": "10.1.1.1",
    "tunsport": "0",
    "tuntype": "ZscalerClientConnector",
    "action": "Allow",
    "dnat": "No",
    "stateful": "Yes",
    "aggregate": "Yes",
    "nwsvc": "Mortgage director",
    "nwapp": "office365",
    "proto": "TCP",
    "ipcat": "Office_365",
    "destcountry": "United States",
    "avgduration": "157000",
    "rulelabel": "Office%20365%20One%20Click%20Rule",
    "inbytes": "7797",
    "outbytes": "4584",
    "duration": "157",
    "durationms": "157000",
    "numsessions": "1",
    "ipsrulelabel": "None",
    "threatcat": "None",
    "threatname": "None",
    "deviceowner": "DESKTOP-HOSTNAME",
    "devicehostname": "DESKTOP-HOSTNAME"
  }
}

Sample Parsing

metadata.event_timestamp = "2022-07-15T12:29:00Z"
metadata.event_type = "NETWORK_HTTP"
metadata.vendor_name = "Zscaler"
metadata.product_name = "Firewall"
principal.hostname = "DESKTOP-HOSTNAME"
principal.user.userid = "john.doe@company-domain.com"
principal.user.department = "Technology%20and%20Operations%20Admin"
principal.user.office_address.name = "US%20-%20City"
principal.ip = "10.123.1.1"
principal.port = 55013
principal.asset.hostname = "DESKTOP-HOSTNAME"
principal.asset.ip = "10.123.1.1"
src.ip = "10.10.60.51"
src.port = 59944
src.asset.ip = "10.10.60.51"
target.ip = "10.1.1.164"
target.ip = "10.1.1.208"
target.port = 443
target.application = "office365"
target.location.country_or_region = "United States"
intermediary.ip = "10.1.1.1"
security_result.threat_name = "None"
security_result.rule_name = "Office%20365%20One%20Click%20Rule"
security_result.summary = "None"
security_result.action = "ALLOW"
security_result.rule_id = "None"
network.sent_bytes = 4584
network.received_bytes = 7797
network.ip_protocol = "TCP"
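To verify a normalization against this page's UDM field table end to end, here is an added Python example (not Zscaler's or the parser's own code) that reads the sample record above and produces the Sample Parsing values, including the repeated target.ip, the UNKNOWN_IP_PROTOCOL fallback and the ALLOW/BLOCK action. Assumptions: the zone-less datetime is UTC, and the event-type port thresholds follow the Sample Parsing output (port 443 gives NETWORK_HTTP) rather than the Product Event Types table, which lists them the other way round.

```python
import json
from datetime import datetime, timezone

# Constructed, abbreviated copy of the page's zscalernss-fw sample (only mapped fields kept).
SAMPLE_LOG = (
    '{"sourcetype":"zscalernss-fw","event":{"datetime":"Fri Jul 15 12:29:00 2022",'
    '"user":"john.doe@company-domain.com","department":"Technology%20and%20Operations%20Admin",'
    '"cdport":"443","csport":"55013","ssport":"59944","csip":"10.123.1.1","cdip":"10.1.1.164",'
    '"ssip":"10.10.60.51","sdip":"10.1.1.208","tsip":"10.1.1.1","action":"Allow","nwapp":"office365",'
    '"proto":"TCP","ipcat":"Office_365","destcountry":"United States","inbytes":"7797",'
    '"outbytes":"4584","rulelabel":"Office%20365%20One%20Click%20Rule","ipsrulelabel":"None",'
    '"threatcat":"None","threatname":"None","devicehostname":"DESKTOP-HOSTNAME"}}'
)

def event_type(target_port):
    # Assumption: follows the page's Sample Parsing (port 443 -> NETWORK_HTTP); the Product
    # Event Types table lists the ports the other way round, so confirm against a live parse.
    if target_port is None:
        return "GENERIC_EVENT"
    return "NETWORK_HTTP" if target_port in (80, 8080, 443) else "NETWORK_CONNECTION"

def normalize(raw):
    """Map one NSS firewall record to the UDM fields listed on this page (flat dotted keys)."""
    ev = json.loads(raw)["event"]
    port = lambda k: int(ev[k]) if ev.get(k) else None
    # datetime carries no zone; the Sample Parsing renders it with a Z suffix, so UTC is assumed.
    ts = datetime.strptime(ev["datetime"], "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return {
        "metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "metadata.event_type": event_type(port("cdport")),
        "metadata.vendor_name": "Zscaler", "metadata.product_name": "Firewall",
        "principal.ip": ev.get("csip"), "principal.port": port("csport"),
        "principal.user.userid": ev.get("user"),
        # %20 stays: the Sample Parsing stores values without URL-decoding, so rules must match it.
        "principal.user.department": ev.get("department"),
        "principal.asset.hostname": ev.get("devicehostname"),
        "src.ip": ev.get("ssip"), "src.port": port("ssport"),
        "target.ip": [ip for ip in (ev.get("cdip"), ev.get("sdip")) if ip],  # repeated field
        "target.port": port("cdport"), "target.application": ev.get("nwapp"),
        "target.location.country_or_region": ev.get("destcountry"),
        "intermediary.ip": ev.get("tsip"),
        "network.ip_protocol": ev.get("proto") or "UNKNOWN_IP_PROTOCOL",
        "network.sent_bytes": int(ev.get("outbytes", 0)), "network.received_bytes": int(ev.get("inbytes", 0)),
        # The page's mapping offers only ALLOW or BLOCK, so anything but Allow becomes BLOCK.
        "security_result.action": "ALLOW" if ev.get("action", "").lower() == "allow" else "BLOCK",
        "security_result.category_details": ev.get("ipcat"),
        "security_result.rule_name": ev.get("rulelabel"), "security_result.rule_id": ev.get("ipsrulelabel"),
        "security_result.threat_name": ev.get("threatname"), "security_result.summary": ev.get("threatcat"),
    }
```

Compare the returned dictionary with the Sample Parsing block to spot any field the live parser maps differently.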

Parser Alerting

This product currently does not have any Parser-based Alerting.

Rules

Coming Soon