Zscaler Commands

aup

To configure Zscaler acceptable user policy (AUP) parameters, use the aup command in zscaler location settings configuration (config-zscaler-location-settings) mode.

aup { disabled | block-internet-until-accepted false | force-ssl-inspection false | timeout time }

Syntax Description

disabled

Only this option is qualified for use.

block-internet-until-accepted false

Only the false option is qualified for use.

force-ssl-inspection false

Only the false option is qualified for use.

timeout time

Use the value 0.

Command Default

disabled

Command Modes

zscaler location settings configuration (config-zscaler-location-settings)

Command History

Release                                         Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a    Command qualified for use in Cisco SD-WAN Manager CLI templates.

Device(config)# sdwan
Device(config-sdwan)# service sig vrf global
Device(config-vrf-global)# zscaler-location-settings
Device(config-zscaler-location-settings)# aup disabled
Device(config-zscaler-location-settings)# aup block-internet-until-accepted false
Device(config-zscaler-location-settings)# aup force-ssl-inspection false
Device(config-zscaler-location-settings)# aup timeout 0

auth-required

To configure Zscaler authentication, use the auth-required command in zscaler location settings configuration (config-zscaler-location-settings) mode. To disable Zscaler authentication, use the no form of this command.

auth-required false

no auth-required

Syntax Description

false

Disables Zscaler authentication.

Only this option is qualified for use in Cisco SD-WAN Manager CLI templates.

Command Default

This command is enabled by default.

Command Modes

zscaler location settings configuration (config-zscaler-location-settings)

Command History

Release                                         Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a    Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

The following example shows how to disable the authentication:

Device(config)# sdwan
Device(config-sdwan)# service sig vrf global
Device(config-vrf-global)# zscaler-location-settings
Device(config-zscaler-location-settings)# auth-required
Device(config-zscaler-location-settings)# auth-required false

caution-enabled

To enable or disable Zscaler caution notification, use the caution-enabled command in zscaler location settings configuration (config-zscaler-location-settings) mode.

caution-enabled false

Syntax Description

false

Only this option is qualified for use.

Command Default

false

Command Modes

zscaler location settings configuration (config-zscaler-location-settings)

Command History

Release                                         Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a    Command qualified for use in Cisco SD-WAN Manager CLI templates.

Device(config)# sdwan
Device(config-sdwan)# service sig vrf global
Device(config-vrf-global)# zscaler-location-settings
Device(config-zscaler-location-settings)# aup disabled
Device(config-zscaler-location-settings)# aup block-internet-until-accepted false
Device(config-zscaler-location-settings)# aup force-ssl-inspection false
Device(config-zscaler-location-settings)# aup timeout 0
Device(config-zscaler-location-settings)# caution-enabled false

datacenters

To configure Zscaler custom data centers, use the datacenters command in zscaler location settings configuration (config-zscaler-location-settings) mode. To remove the Zscaler custom data center configuration, use the no form of this command.

datacenters primary-data-center primary-data-center1

no datacenters primary-data-center primary-data-center1

Syntax Description

primary-data-center primary-data-center1

Configures the primary data center.

Only this option is qualified for use in Cisco SD-WAN Manager CLI templates.

Command Default

Command Modes

zscaler location settings configuration (config-zscaler-location-settings)

Command History

Release                                         Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a    Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

The following example shows how to configure a custom primary data center:

Device(config)# sdwan
Device(config-sdwan)# service sig vrf global
Device(config-vrf-global)# zscaler-location-settings
Device(config-zscaler-location-settings)# datacenters
Device(config-zscaler-location-settings)# datacenters primary-data-center vie1-vpn.zscalerthree.net

ips-control

To configure the Zscaler intrusion prevention service (IPS), use the ips-control command in zscaler location settings configuration (config-zscaler-location-settings) mode.

ips-control false

Syntax Description

false

Only this option is qualified for use.

Command Default

false

Command Modes

zscaler location settings configuration (config-zscaler-location-settings)

Command History

Release                                         Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a    Command qualified for use in Cisco SD-WAN Manager CLI templates.

Device(config)# sdwan
Device(config-sdwan)# service sig vrf global
Device(config-vrf-global)# zscaler-location-settings
Device(config-zscaler-location-settings)# ips-control false

ofw-enabled

To enable or disable the firewall for a Zscaler location, use the ofw-enabled command in Zscaler location settings configuration mode. To disable the firewall for a Zscaler location, use the no form of this command.

ofw-enabled false

no ofw-enabled

Syntax Description

false

Disables the firewall for each location.

Only this option is qualified for use in Cisco SD-WAN Manager CLI templates.

Command Default

This command is enabled by default.

Command Modes

zscaler location settings configuration (config-zscaler-location-settings)

Command History

Release                                         Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a    Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

For usage guidelines, see the Security Configuration Guide.

The following example shows how to disable the firewall for a location:

Device(config)# sdwan
Device(config-sdwan)# service sig vrf global
Device(config-sdwan-vrf-global)# zscaler-location-settings
Device(config-zscaler-location-settings)# ofw-enabled false

secure-internet-gateway

To configure secure internet gateway, use the secure-internet-gateway command in SD-WAN configuration (config-sdwan) mode.

secure-internet-gateway zscaler { organization | partner-base-uri | partner-key | password | username }

Syntax Description

organization

Zscaler organization name.

partner-base-uri

Base URI to be used for the APIs

partner-key

Partner API Key to authenticate with API gateway

password

Password of Zscaler partner account

username

Username of Zscaler partner account

Command Default

Command Modes

SD-WAN configuration (config-sdwan)

Command History

Release                                         Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a    Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

The following example shows how to configure the Zscaler secure internet gateway partner account:

Device(config)# sdwan
Device(config-sdwan)# secure-internet-gateway
Device(config-secure-internet-gateway)# zscaler organization cisco-dev.com
Device(config-secure-internet-gateway)# zscaler partner-base-uri admin.zscalerthree.net/api/v1
Device(config-secure-internet-gateway)# zscaler partner-key SAGv4U2lwh9R
Device(config-secure-internet-gateway)# zscaler username sig-dev@cisco-dev.com
Device(config-secure-internet-gateway)# zscaler password $8$O0i/6etiDQSqcm+B4yetJDPaYBx1x0wQujnz3pqQG7s=

ssl-scan-enabled

To configure Zscaler Secure Sockets Layer (SSL) protocol scan to protect HTTP traffic, use the ssl-scan-enabled command in zscaler location settings configuration (config-zscaler-location-settings) mode. To disable this command, use the no form of this command.

ssl-scan-enabled false

no ssl-scan-enabled

Syntax Description

false

Disables the SSL scan in location settings.

Only this option is qualified for use in Cisco SD-WAN Manager CLI templates.

Command Default

This command is disabled by default.

Command Modes

zscaler location settings configuration (config-zscaler-location-settings)

Command History

Release                                         Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a    Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

The following example shows how to disable SSL scan:

Device(config)# sdwan
Device(config-sdwan)# service sig vrf global
Device(config-vrf-global)# zscaler-location-settings
Device(config-zscaler-location-settings)# ssl-scan-enabled false

surrogate display-time-unit

To display the duration for which the Zscaler service maps a private IP address to a user, use the surrogate display-time-unit command in Zscaler location settings configuration mode. To restore the default value, use the no form of this command.

surrogate display-time-unit [ DAY | HOUR | MINUTE ]

no surrogate display-time-unit

Syntax Description

DAY

(Optional) Displays the number of days of mapping between a private IP address and a user.

HOUR

(Optional) Displays the number of hours of mapping between a private IP address and a user.

MINUTE

(Optional) Displays the number of minutes of mapping between a private IP address and a user.

Command Default

The default display time unit is 60 seconds.

Command Modes

zscaler location settings configuration (config-zscaler-location-settings)

Command History

Release                                         Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a    Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

For usage guidelines, see the Security Configuration Guide.

The following example shows how to configure the duration in minutes for which the Zscaler service maps a private IP address to a user:

Device(config)# sdwan
Device(config-sdwan)# service sig vrf global
Device(config-sdwan-vrf-global)# zscaler-location-settings
Device(config-zscaler-location-settings)# surrogate display-time-unit MINUTE

surrogate idle-time

To specify how long after a completed transaction the Zscaler service retains the mapping between a user and a private IP address, use the surrogate idle-time command in Zscaler location settings configuration mode. To remove the configured idle time, use the no form of this command.

surrogate idle-time idle-time

no surrogate idle-time

Syntax Description

idle-time

Specifies the time in minutes for which the Zscaler service retains the mapping between the private IP address and a user.

Range: 0–4294967295

Command Default

Disabled; no default number is specified.

Command Modes

zscaler location settings configuration (config-zscaler-location-settings)

Command History

Release                                         Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a    Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

For usage guidelines, see the Security Configuration Guide.

The following example specifies the time for which the Zscaler service retains the mapping between the private IP address and a user:

Device(config)# sdwan
Device(config-sdwan)# service sig vrf global
Device(config-sdwan-vrf-global)# zscaler-location-settings
Device(config-zscaler-location-settings)# surrogate idle-time 43

surrogate ip

To enable the Zscaler service to map a user to a private IP address so that it can apply the user's policies, use the surrogate ip command in Zscaler location settings configuration mode. To disable this mapping, use the no form of this command.

surrogate ip false

no surrogate ip

Syntax Description

false

Disables the mapping of a user to a device IP address.

Only this option is qualified for use in Cisco SD-WAN Manager CLI templates.

Command Default

By default, this command is set to false.

Command Modes

zscaler location settings configuration (config-zscaler-location-settings)

Command History

Release                                         Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a    Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

For usage guidelines, see the Security Configuration Guide.

The following example shows how to disable surrogate ip:

Device(config)# sdwan
Device(config-sdwan)# service sig vrf global
Device(config-sdwan-vrf-global)# zscaler-location-settings
Device(config-zscaler-location-settings)# surrogate ip false

surrogate ip-enforced-for-known-browsers

To use the existing mapping between IP address and user (acquired from surrogate IP) to authenticate users sending traffic from known browsers, use the surrogate ip-enforced-for-known-browsers command in Zscaler location settings configuration mode. To disable the user authentication from known browsers, use the no form of this command.

surrogate ip-enforced-for-known-browsers false

no surrogate ip-enforced-for-known-browsers

Syntax Description

false

Disables the use of the surrogate IP mapping for known browsers; the Zscaler service then authenticates users on those browsers with cookies or other configured authentication mechanisms.

Only this option is qualified for use in Cisco SD-WAN Manager CLI templates.

Command Default

This command is enabled by default.

Command Modes

zscaler location settings configuration (config-zscaler-location-settings)

Command History

Release                                         Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a    Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

For usage guidelines, see the Security Configuration Guide.

The following example shows how to disable authenticating users who send traffic from known browsers:

Device(config)# sdwan
Device(config-sdwan)# service sig vrf global
Device(config-sdwan-vrf-global)# zscaler-location-settings
Device(config-zscaler-location-settings)# surrogate ip-enforced-for-known-browsers false

surrogate refresh-time

To configure the length of time for which the Zscaler service can use the mapping between an IP address and a user before revalidating it, use the surrogate refresh-time command in Zscaler location settings configuration mode. To remove the refresh time for revalidation of surrogacy, use the no form of this command.

surrogate refresh-time refresh-time

no surrogate refresh-time

Syntax Description

refresh-time

Specifies the length of time for which the Zscaler service can use the mapping between an IP address and a user to authenticate users who send traffic from known browsers.

Range: 0–4294967295

Note: We recommend that you set the refresh time to a period shorter than the idle time to disassociation.

Command Default

This command is disabled by default.

Command Modes

zscaler location settings configuration (config-zscaler-location-settings)

Command History

Release                                         Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a    Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

For usage guidelines, see the Security Configuration Guide.

The following example specifies the length of time for which the Zscaler service can use the mapping between an IP address and a user:

Device(config)# sdwan
Device(config-sdwan)# service sig vrf global
Device(config-sdwan-vrf-global)# zscaler-location-settings
Device(config-zscaler-location-settings)# surrogate refresh-time 0

surrogate refresh-time-unit

To set the unit in which the duration of the Zscaler service mapping between an IP address and a user is displayed, use the surrogate refresh-time-unit command in Zscaler location settings configuration mode. To restore the default display of time, use the no form of this command.

surrogate refresh-time-unit [ DAY | HOUR | MINUTE ]

no surrogate refresh-time-unit

Syntax Description

DAY

(Optional) Displays the number of days of mapping between a private IP address and a user for authenticating users who send traffic from a known browser.

HOUR

(Optional) Displays the number of hours of mapping between a private IP address and a user for authenticating users who send traffic from a known browser.

MINUTE

(Optional) Displays the number of minutes of mapping between a private IP address and a user for authenticating users who send traffic from a known browser.

Command Default

Disabled; no default value is specified.

Command Modes

zscaler location settings configuration (config-zscaler-location-settings)

Command History

Release                                         Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a    Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

For usage guidelines, see the Security Configuration Guide.

The following example shows how to display the duration in minutes for which the Zscaler service maps a private IP address to a user who sends traffic from a known browser:

Device(config)# sdwan
Device(config-sdwan)# service sig vrf global
Device(config-sdwan-vrf-global)# zscaler-location-settings
Device(config-zscaler-location-settings)# surrogate refresh-time-unit MINUTE
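The surrogate idle-time, refresh-time and time-unit commands above carry constraints that a template author has to get right by hand: several keywords are qualified only with the value false, idle-time and refresh-time take 0–4294967295, and the Note under surrogate refresh-time asks for a refresh time shorter than the idle time. The following checker is an added example, not Cisco or Zscaler code, that applies those constraints to a constructed CLI template; it assumes idle-time is expressed in display-time-unit and refresh-time in refresh-time-unit, with MINUTE when no unit is configured.

```python
# Added example, not Cisco or Zscaler code: checks the zscaler-location-settings
# block of a Cisco SD-WAN CLI template against the constraints in this reference.
# Assumption: idle-time is read in display-time-unit and refresh-time in
# refresh-time-unit (MINUTE when no unit is set). The template is constructed.

SAMPLE_TEMPLATE = """\
sdwan
 service sig vrf global
  zscaler-location-settings
   aup timeout 0
   surrogate ip false
   surrogate idle-time 43
   surrogate display-time-unit MINUTE
   surrogate refresh-time 2
   surrogate refresh-time-unit HOUR
   ssl-scan-enabled true
"""

UNIT_MINUTES = {"MINUTE": 1, "HOUR": 60, "DAY": 1440}
MAX_UINT32 = 4294967295
# Keywords this reference qualifies only with the value 'false'
FALSE_ONLY = ("auth-required", "caution-enabled", "ips-control", "ofw-enabled",
              "ssl-scan-enabled", "xff-forward-enabled", "surrogate ip",
              "surrogate ip-enforced-for-known-browsers")

def parse_settings(text):
    """Return {keyword: value} for the lines under zscaler-location-settings."""
    settings, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "zscaler-location-settings":
            in_block = True
            continue
        if not in_block or not line:
            continue
        parts = line.split()
        # 'surrogate <sub> [value]' and 'aup <sub> [value]' carry two-word keys
        width = 2 if parts[0] in ("surrogate", "aup") else 1
        settings[" ".join(parts[:width])] = " ".join(parts[width:]) or "true"
    return settings

def check_settings(settings):
    """Return a list of findings; an empty list means the block is compliant."""
    findings = []
    for key in FALSE_ONLY:
        if key in settings and settings[key] != "false":
            findings.append(f"{key}: only 'false' is qualified, got '{settings[key]}'")
    if settings.get("aup timeout", "0") != "0":
        findings.append("aup timeout: use the value 0")
    for key in ("surrogate idle-time", "surrogate refresh-time"):
        value = settings.get(key)
        if value is not None and not (value.isdigit() and int(value) <= MAX_UINT32):
            findings.append(f"{key}: '{value}' is outside the range 0-4294967295")
    idle, refresh = settings.get("surrogate idle-time"), settings.get("surrogate refresh-time")
    if idle and refresh and idle.isdigit() and refresh.isdigit():
        idle_min = int(idle) * UNIT_MINUTES.get(settings.get("surrogate display-time-unit", "MINUTE"), 1)
        refresh_min = int(refresh) * UNIT_MINUTES.get(settings.get("surrogate refresh-time-unit", "MINUTE"), 1)
        if refresh_min >= idle_min:  # the Note under surrogate refresh-time asks for refresh < idle
            findings.append(f"surrogate refresh-time ({refresh_min} min) should be shorter than idle-time ({idle_min} min)")
    return findings
```

Running check_settings(parse_settings(SAMPLE_TEMPLATE)) reports two findings for the sample: ssl-scan-enabled is set to an unqualified value, and a refresh time of 2 hours exceeds the 43-minute idle time.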

tunnel-options

To configure tunnel options, use the tunnel-options command in interface tunnel configuration (config-interface-tunnel1) mode.

tunnel-options tunnel-set secure-internet-gateway-zscaler tunnel-dc-preference { primary-dc | secondary-dc } source-interface interface-name number

Syntax Description

tunnel-options

Tunnel interface configuration

tunnel-set

Tunnel mapping to application type

secure-internet-gateway-zscaler

Tunnel to secure-internet-gateway zscaler

tunnel-dc-preference

Tunnel setup preference to data-center

primary-dc

Tunnel setup to primary data-center

secondary-dc

Tunnel setup to secondary data-center

source-interface

Tunnel source interface

Command Default

None.

Command Modes

Interface Tunnel configuration (config-interface-tunnel1)

Command History

Release                                         Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a    Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

The following example shows how to configure tunnel options for a Zscaler tunnel to the primary data center:

Device(config)# sdwan
Device(config-sdwan)# interface Tunnel1
Device(config-interface-Tunnel1)# tunnel-options tunnel-set secure-internet-gateway-zscaler tunnel-dc-preference primary-dc source-interface GigabitEthernet1

xff-forward-enabled

To configure forwarding of the X-Forwarded-For (XFF) HTTP header to Zscaler, use the xff-forward-enabled command in zscaler location settings configuration (config-zscaler-location-settings) mode. To disable this command, use the no form of this command.

xff-forward-enabled false

no xff-forward-enabled false

Syntax Description

false

Disables the XFF forward HTTP header in location settings.

Only this option is qualified for use in Cisco SD-WAN Manager CLI templates.

Command Default

This command is disabled by default.

Command Modes

zscaler location settings configuration (config-zscaler-location-settings)

Command History

Release                                         Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a    Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

The following example shows how to disable XFF header forwarding:

Device(config)# sdwan
Device(config-sdwan)# service sig vrf global
Device(config-vrf-global)# zscaler-location-settings
Device(config-zscaler-location-settings)# xff-forward-enabled false

zscaler-location-settings

To configure Zscaler location settings, use the zscaler-location-settings command in zscaler location settings configuration (config-zscaler-location-settings) mode.

zscaler-location-settings

This command has no keywords or arguments.

Command Default

Command Modes

zscaler location settings configuration (config-zscaler-location-settings)

Command History

Release                                         Modification
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a    Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

The following example shows how to enter Zscaler location settings configuration mode:

Device(config)# sdwan
Device(config-sdwan)# service sig vrf global
Device(config-vrf-global)# zscaler-location-settings