Configuring the BlueApp for Zscaler

Role Availability Read-Only Investigator Analyst Manager

To configure the BlueApp for Zscaler, you must first have the information listed in the Zscaler documentation, which includes the following:

  • An API subscription
  • An enabled API key
  • An API admin account

To acquire Zscaler configuration details

  1. Log in to the Zscaler admin page using your Zscaler credentials.
  2. Go to Administration > API Key Management.

    The page displays the base Uniform Resource Identifier (URI) and API key.

  3. Copy the base URI and key value to your clipboard or a secure location. You will need to enter them in USM Anywhere to configure the BlueApp.

To connect the Zscaler API to USM Anywhere

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled BlueApp.

    BlueApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the BlueApp API endpoints.

  6. Enter the information you collected previously:

    • Base URI
    • Username
    • Password
    • Zscaler API Key

  7. Click Save.
  8. Verify the connection.

    After USM Anywhere completes a successful connection to the Zscaler APIs, a icon displays in the Health column.

    If the icon displays, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Zscaler connection.

The BlueApp for Zscaler and the BlueApp for LevelBlue Secure Remote Gateway

Because both the BlueApp for Zscaler and the BlueApp for LevelBlue Secure Remote Gateway share configuration components through BlueApp for Zscaler, configuring one BlueApp will cause the other to appear as configured in your My Apps page. This is expected behavior. Do not delete or disable the BlueApp for Zscaler or the BlueApp for LevelBlue Secure Remote Gateway. Changes to one BlueApp will cause configuration errors with the other BlueApp.

Forward Syslog Messages to BlueApp for Zscaler

To fully integrate USM Anywhere with the BlueApp for Zscaler, you can configure syslog forwarding in the Zscaler device to send events to your sensor. To collect logs from Zscaler Nanolog Streaming Service (NSS), you can add an NSS feed for alerts and enter the USM Anywhere Sensor IP address for the SIEM. See Adding NSS Feeds for Alerts for detailed instructions from the vendor.

However, the BlueApp for Zscaler can also act on events not generated from Zscaler. The actions you can use with this BlueApp take the source or destination IP addresses from any event or alarm, place them in an allowed list or blocked list, and then send that list to Zscaler. See BlueApp for Zscaler Actions for details.