# Zscaler Security

## Introduction

This guide explains how to authenticate the Zscaler Security connector in Swimlane using the following authentication methods:

- API key authentication
- OAuth 2.0 client credentials (Zscaler native)

You will generate credentials in the Zscaler Admin Portal, collect the required identifiers, and configure the connector inside Swimlane.

## Prerequisites

### Zscaler access requirements

You must have administrative access in the Zscaler Admin Portal to:

- create API tokens
- create OAuth clients
- view tenant information
- assign API permissions

### Required credentials

During setup, you will collect:

- Zscaler API base URL
- username
- password
- API token
- client ID (OAuth)
- client secret (OAuth)
- tenant ID
- scope

## Authentication methods overview

The Zscaler Security connector supports the following authentication methods:

- API key authentication
- OAuth 2.0 client credentials (Zscaler native)

## OAuth 2.0 client credentials – scopes

When using OAuth 2.0 client credentials authentication, Zscaler requires explicit API scopes to be assigned to the OAuth application. Scopes determine which Zscaler services and configuration objects the connector can access. Scopes must be provided as an array of strings in the Swimlane asset configuration.

### Recommended scopes

The following scopes are required to support all major actions provided by the Swimlane Zscaler Security connector, including firewall rules, URL categories, IP groups, and activation of changes.

| Scope | Required for | Access levels |
|---|---|---|
| `zia.policy` | Firewall filtering policy rules (create, update, delete), network services, IP source/destination groups | Supports read and write granular access levels |
| `zia.admin` | Activating configuration changes, managing tenant-level configuration | Supports read and write granular access levels |
| `zia.url` | URL lookup, URL categories, blacklist URLs, add/remove URLs from categories | Supports read and write granular access levels |
| `zia.sandbox` | Sandbox MD5 reports and malware analysis | Supports read granular access levels |

### Read-only vs read-write considerations

- Most Swimlane actions modify configuration, so read-write access is required.
- If your use case is lookup only, you may restrict scopes to `zia.url` and `zia.sandbox`. This will break policy, firewall, and activation actions.
- Missing scopes commonly result in `403 Forbidden` or insufficient-privilege errors.
- Scopes must be assigned to the OAuth app in the Zscaler Admin Portal.
- After changing scopes, you must re-issue the OAuth token.
- Configuration changes will not take effect until the Activate Changes action is executed.

### Sources

- Zscaler OAuth & API authentication overview: https://help.zscaler.com/zia/api
- Zscaler Internet Access (ZIA) API documentation: https://help.zscaler.com/zia/api/api-overview
- Zscaler Admin Portal – OAuth apps: https://help.zscaler.com/zia/configuring-oauth-20
- Swimlane Zscaler Security connector docs: https://docs.swimlane.com/connectors/zscaler-security

## Zscaler setup

### Generate an API token

1. Log in to the Zscaler Admin Portal.
2. Navigate to Administration > API Keys.
3. Click Generate API Token.
4. Copy and securely store the generated token.

### Create an OAuth client

1. In the Zscaler Admin Portal, navigate to Administration > OAuth Apps.
2. Click Add OAuth App.
3. Enter an application name.
4. Select Client Credentials as the grant type.
5. Assign the required scopes.
6. Save the application.
7. Copy the Client ID, Client Secret, and Tenant ID.

## Connector configuration in Swimlane

1. Log in to Turbine.
2. From the left-hand navigation pane, click Orchestration and then click Assets. The Asset homepage opens.
3. Click the plus icon to open the Configure Your Connector Asset window.
4. Select Zscaler Security from the asset type list.
5. Fill in the asset settings and asset input as shown below.

### Configuration – API key authentication

| Field | Description | Required |
|---|---|---|
| URL | Zscaler API base URL | Yes |
| Username | Zscaler username | Yes |
| Secret | Zscaler password | Yes |
| API Key | Zscaler API token | Yes |
| Verify SSL | Enable or disable SSL verification | No |
| HTTP Proxy | Proxy configuration | No |

### Configuration – OAuth 2.0 client credentials

| Field | Description | Required |
|---|---|---|
| URL | Zscaler API base URL | Yes |
| Tenant ID | Zscaler tenant ID | Yes |
| Client ID | OAuth client ID | Yes |
| Client Secret | OAuth client secret | Yes |
| Scope | OAuth permission scopes | Yes |
| Verify SSL | Enable or disable SSL verification | No |
| HTTP Proxy | Proxy configuration | No |

## Troubleshooting

Authentication failures may occur due to:

- an invalid API token or OAuth credentials
- an incorrect base URL
- insufficient permissions or scopes
- SSL or proxy configuration issues

Verify credentials and permissions in the Zscaler Admin Portal.

You have successfully authenticated the Zscaler Security connector in Swimlane using Zscaler native authentication.
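To catch the scope problems described in the read-only vs read-write considerations before the connector returns its first 403, here is an added pre-flight check (example code written for this page, not part of the Swimlane connector or Zscaler's tooling) that compares the access levels granted to the OAuth app against what each connector action needs, following the scope table in this guide. The action names, the `read`/`write` level labels and the dotted scope spelling are assumptions for illustration; take the real values from the Zscaler Admin Portal.

```python
# Added example, not Swimlane's or Zscaler's own code. Models the guide's
# scope table as a pre-flight check run before saving the asset.
# Assumed for illustration: action names, "read"/"write" level labels,
# and the dotted scope spelling.

# connector action -> (required scope, needs write access)
ACTION_REQUIREMENTS = {
    "firewall_rule_create":  ("zia.policy",  True),
    "ip_group_update":       ("zia.policy",  True),
    "activate_changes":      ("zia.admin",   True),
    "url_lookup":            ("zia.url",     False),
    "url_category_add_urls": ("zia.url",     True),
    "sandbox_md5_report":    ("zia.sandbox", False),
}

LEVEL_RANK = {"read": 1, "write": 2}


def check_scopes(granted, actions):
    """Return {action: reason} for every action that would fail.

    granted maps scope name -> access level granted to the OAuth app
    ("read" or "write"). An action passes only when its scope is present
    at a sufficient level; a missing scope is the case that surfaces as
    403 Forbidden, a read-only grant fails on write actions.
    """
    problems = {}
    for action in actions:
        scope, needs_write = ACTION_REQUIREMENTS[action]
        level = granted.get(scope)
        if level is None:
            problems[action] = f"missing scope {scope} (expect 403 Forbidden)"
        elif level not in LEVEL_RANK:
            raise ValueError(f"unknown access level {level!r} for {scope}")
        elif needs_write and LEVEL_RANK[level] < LEVEL_RANK["write"]:
            problems[action] = f"{scope} granted read-only, write required"
    return problems


def lookup_only_breaks():
    """Apply the guide's lookup-only scope set to every connector action."""
    lookup_only = {"zia.url": "read", "zia.sandbox": "read"}
    return check_scopes(lookup_only, ACTION_REQUIREMENTS)


if __name__ == "__main__":
    for action, why in sorted(lookup_only_breaks().items()):
        print(f"{action}: {why}")
```

Run it against the scope set you intend to assign; an empty result means every listed action is covered at the level it needs.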