zscaler.ziacloud.zia_advanced_settings module – Updates the advanced settings configuration in the ZIA Admin Portal

Note

This module is part of the zscaler.ziacloud collection (version 2.0.4).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install zscaler.ziacloud. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: zscaler.ziacloud.zia_advanced_settings.

New in zscaler.ziacloud 2.0.0

Synopsis

  • Updates the advanced settings configuration in the ZIA Admin Portal

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

api_key

string

A string that contains the obfuscated API key.

auth_bypass_apps

list / elements=string

Cloud applications that are exempted from cookie authentication

auth_bypass_url_categories

list / elements=string

URL categories that are exempted from cookie authentication

auth_bypass_urls

list / elements=string

Custom URLs that are exempted from cookie authentication for users

basic_bypass_apps

list / elements=string

Cloud applications that are exempted from Basic authentication

basic_bypass_url_categories

list / elements=string

URL categories that are exempted from Basic authentication

block_connect_host_sni_mismatch

boolean

Indicates whether to block transactions in which the CONNECT host does not match the SSL/TLS client hello SNI (Server Name Indication)

Choices:

  • false

  • true

block_domain_fronting_apps

list / elements=string

Cloud applications that are exempted from the domain fronting block

block_domain_fronting_on_host_header

boolean

A Boolean value indicating whether to block HTTP and HTTPS transactions that have an FQDN mismatch

Choices:

  • false

  • true

block_http_tunnel_on_non_http_ports

boolean

A Boolean value indicating whether to block HTTP CONNECT method requests to non-standard ports, i.e., ports other than the standard HTTP and HTTPS ports 80 and 443

Choices:

  • false

  • true

block_non_compliant_http_request_on_http_ports

boolean

Indicates whether to block traffic on HTTP ports that is not compliant with the RFC HTTP protocol standards

Choices:

  • false

  • true

block_non_http_on_http_port_enabled

boolean

Indicates whether non-HTTP traffic on HTTP and HTTPS ports is blocked

Choices:

  • false

  • true

cascade_url_filtering

boolean

Indicates whether to apply the URL Filtering policy even when the Cloud App Control policy already allows a transaction explicitly

Choices:

  • false

  • true

client_id

string

The client ID for OAuth2 authentication.

client_secret

string

The client secret for OAuth2 authentication.

cloud

string

The Zscaler cloud name provisioned for your organization.

Choices:

  • "zscloud"

  • "zscaler"

  • "zscalerone"

  • "zscalertwo"

  • "zscalerthree"

  • "zscalerbeta"

  • "zscalergov"

  • "zscalerten"

  • "beta"

  • "production"

digest_auth_bypass_apps

list / elements=string

Cloud applications that are exempted from Digest authentication

digest_auth_bypass_url_categories

list / elements=string

URL categories that are exempted from Digest authentication

digest_auth_bypass_urls

list / elements=string

Custom URLs that are exempted from Digest authentication

dns_resolution_on_transparent_proxy_apps

list / elements=string

Cloud applications to which DNS optimization on transparent proxy mode applies

dns_resolution_on_transparent_proxy_exempt_apps

list / elements=string

Cloud applications that are excluded from DNS optimization on transparent proxy mode

dns_resolution_on_transparent_proxy_exempt_url_categories

list / elements=string

URL categories that are excluded from DNS optimization on transparent proxy mode

dns_resolution_on_transparent_proxy_exempt_urls

list / elements=string

URLs that are excluded from DNS optimization on transparent proxy mode

dns_resolution_on_transparent_proxy_ipv6_apps

list / elements=string

Cloud applications to which DNS optimization for IPv6 addresses on transparent proxy mode applies

dns_resolution_on_transparent_proxy_ipv6_exempt_apps

list / elements=string

Cloud applications that are excluded from DNS optimization for IPv6 addresses on transparent proxy mode

dns_resolution_on_transparent_proxy_ipv6_exempt_url_categories

list / elements=string

IPv6 URL categories that are excluded from DNS optimization on transparent proxy mode

dns_resolution_on_transparent_proxy_ipv6_url_categories

list / elements=string

IPv6 URL categories to which DNS optimization on transparent proxy mode applies

dns_resolution_on_transparent_proxy_url_categories

list / elements=string

URL categories to which DNS optimization on transparent proxy mode applies

dns_resolution_on_transparent_proxy_urls

list / elements=string

URLs to which DNS optimization on transparent proxy mode applies

domain_fronting_bypass_url_categories

list / elements=string

URL categories that are exempted from the domain fronting block

dynamic_user_risk_enabled

boolean

Indicates whether to dynamically update user risk score by tracking risky user activities in real time

Choices:

  • false

  • true

ecs_for_all_enabled

boolean

Indicates whether to include the ECS (EDNS Client Subnet) option in all DNS queries originating from all locations and remote users

Choices:

  • false

  • true

ecs_object

dictionary

The ECS prefix that must be used in DNS queries when the ECS option is enabled.

external_id

string

The ECS external ID.

id

integer

The internal ECS ID.

name

string

The ECS name.

enable_admin_rank_access

boolean

Indicates whether ranks are enabled for admins to allow admin ranks in policy configuration and management

Choices:

  • false

  • true

enable_dns_resolution_on_transparent_proxy

boolean

Indicates whether DNS optimization is enabled for Z-Tunnel 2.0 and transparent proxy mode traffic, e.g., traffic via GRE or IPSec tunnels without a PAC file

Choices:

  • false

  • true

enable_evaluate_policy_on_global_ssl_bypass

boolean

Indicates whether policy evaluation for global SSL bypass traffic is enabled or not

Choices:

  • false

  • true

enable_ipv6_dns_optimization_on_all_transparent_proxy

boolean

Indicates whether DNS optimization is enabled or disabled for all IPv6 transparent proxy traffic

Choices:

  • false

  • true

enable_ipv6_dns_resolution_on_transparent_proxy

boolean

Indicates whether DNS optimization is enabled for IPv6 traffic sent via Z-Tunnel 2.0 and transparent proxy mode, e.g., traffic via GRE or IPSec tunnels without a PAC file

Choices:

  • false

  • true

enable_office365

boolean

A Boolean value indicating whether Microsoft Office 365 One Click Configuration is enabled or not

Choices:

  • false

  • true

enable_policy_for_unauthenticated_traffic

boolean

Indicates whether policies that include user and department criteria can be configured and applied for unauthenticated traffic

Choices:

  • false

  • true

enforce_surrogate_ip_for_windows_app

boolean

Enforce Surrogate IP authentication for Windows app traffic

Choices:

  • false

  • true

http2_nonbrowser_traffic_enabled

boolean

Indicates whether or not HTTP/2 should be the default web protocol for accessing various applications at your organizational level

Choices:

  • false

  • true

http_range_header_remove_url_categories

list / elements=string

URL categories for which HTTP range headers must be removed

kerberos_bypass_apps

list / elements=string

Cloud applications that are exempted from Kerberos authentication

kerberos_bypass_url_categories

list / elements=string

URL categories that are exempted from Kerberos authentication

kerberos_bypass_urls

list / elements=string

Custom URLs that are exempted from Kerberos authentication

log_internal_ip

boolean

A Boolean value indicating whether to log the internal IP address present in the X-Forwarded-For (XFF) proxy header

Choices:

  • false

  • true

password

string

A string that contains the password for the API admin.

prefer_sni_over_conn_host

boolean

Indicates whether to use the SSL/TLS client hello Server Name Indication (SNI) for DNS resolution instead of the CONNECT host on forward proxy connections

Choices:

  • false

  • true

prefer_sni_over_conn_host_apps

list / elements=string

Applications that are exempted from the prefer_sni_over_conn_host (preferSniOverConnHost) setting

private_key

string

The private key for JWT-based OAuth2 authentication.

provider

dictionary

A dict containing authentication credentials.

api_key

string

Obfuscated API key.

client_id

string

OAuth2 client ID.

client_secret

string

OAuth2 client secret.

cloud

string

Zscaler cloud name.

Choices:

  • "zscloud"

  • "zscaler"

  • "zscalerone"

  • "zscalertwo"

  • "zscalerthree"

  • "zscalerbeta"

  • "zscalergov"

  • "zscalerten"

  • "beta"

  • "production"

password

string

Password for the API admin.

private_key

string

Private key for OAuth2 JWT.

sandbox_cloud

string

Sandbox Cloud environment.

sandbox_token

string

Sandbox API Key.

use_legacy_client

boolean

Whether to use the legacy Zscaler API client.

Choices:

  • false ← (default)

  • true

username

string

Email ID of the API admin.

vanity_domain

string

Vanity domain for OAuth2.

sandbox_cloud

string

The Sandbox cloud environment for API access.

sandbox_token

string

A string that contains the Sandbox API Key.

sipa_xff_header_enabled

boolean

Indicates whether to insert an XFF header into all traffic forwarded from ZIA to ZPA, including source IP-anchored and ZIA-inspected ZPA application traffic

Choices:

  • false

  • true

sni_dns_optimization_bypass_url_categories

list / elements=string

URL categories that are excluded from the prefer_sni_over_conn_host (preferSniOverConnHost) setting, i.e., preferring the SSL/TLS client hello SNI over the CONNECT host for DNS resolution on forward proxy connections

state

string

Specifies the desired state of the resource.

Choices:

  • "present" ← (default)

track_http_tunnel_on_http_ports

boolean

A Boolean value indicating whether to apply configured policies on tunneled HTTP traffic sent via a CONNECT method request on port 80

Choices:

  • false

  • true

ui_session_timeout

integer

Specifies the login session timeout for admins accessing the ZIA Admin Portal

use_legacy_client

boolean

Whether to use the legacy Zscaler API client.

Choices:

  • false ← (default)

  • true

username

string

A string that contains the email ID of the API admin.

vanity_domain

string

The vanity domain provisioned by Zscaler for OAuth2 flows.

zscaler_client_connector1_and_pac_road_warrior_in_firewall

boolean

Indicates whether to apply Firewall rules configured without a location criterion, or with the Road Warrior location, to remote user traffic forwarded via Z-Tunnel 1.0 or PAC files

Choices:

  • false

  • true

Notes

Note

  • Check mode is not supported.

Examples

- name: Update the ZIA advanced settings configuration
  zscaler.ziacloud.zia_advanced_settings:
    provider: '{{ provider }}'
    auth_bypass_urls:
      - ".newexample1.com"
      - ".newexample2.com"
    dns_resolution_on_transparent_proxy_apps:
      - "CHATGPT_AI"
    basic_bypass_url_categories:
      - "NONE"
    http_range_header_remove_url_categories:
      - "NONE"
    kerberos_bypass_urls:
      - "test1.com"
    kerberos_bypass_apps: []
    dns_resolution_on_transparent_proxy_urls:
      - "test1.com"
      - "test2.com"
    enable_dns_resolution_on_transparent_proxy: true
    enable_evaluate_policy_on_global_ssl_bypass: true
    enable_office365: true
    log_internal_ip: true
    enforce_surrogate_ip_for_windows_app: true
    track_http_tunnel_on_http_ports: true
    block_http_tunnel_on_non_http_ports: false
    block_domain_fronting_on_host_header: false
    zscaler_client_connector1_and_pac_road_warrior_in_firewall: true
    cascade_url_filtering: true
    enable_policy_for_unauthenticated_traffic: true
    block_non_compliant_http_request_on_http_ports: true
    enable_admin_rank_access: true
    http2_nonbrowser_traffic_enabled: true
    ecs_for_all_enabled: false
    dynamic_user_risk_enabled: false
    block_connect_host_sni_mismatch: false
    prefer_sni_over_conn_host: false
    sipa_xff_header_enabled: false
    block_non_http_on_http_port_enabled: true
    ui_session_timeout: 300
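The playbook below is an added example and is not part of the collection's documentation. It uses the module's own parameters to apply a request-validation baseline that an editor would consider a sensible starting point (the chosen values are a suggestion, not a Zscaler recommendation), reads the provider credentials from variables that are assumed to live in an Ansible Vault-encrypted vars file rather than in the playbook, and registers the result so the actual return payload can be inspected. The variable names zia_client_id, zia_client_secret, zia_vanity_domain and zia_cloud are assumptions. Because check mode is not supported and these settings are tenant-wide, the blocking options can interrupt legitimate traffic; run it against a non-production tenant first.

```yaml
---
# Added example (not from the zscaler.ziacloud collection docs).
# Assumed: zia_client_id, zia_client_secret, zia_vanity_domain and zia_cloud
# come from a vault-encrypted file (e.g. ansible-vault encrypt group_vars/all/vault.yml).
- name: Apply a request-validation baseline to ZIA advanced settings
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    zia_provider:
      client_id: "{{ zia_client_id }}"          # assumed vault variable
      client_secret: "{{ zia_client_secret }}"  # assumed vault variable
      vanity_domain: "{{ zia_vanity_domain }}"  # assumed vault variable
      cloud: "{{ zia_cloud | default('production') }}"
  tasks:
    - name: Block malformed, tunneled and host-mismatched HTTP(S) traffic
      zscaler.ziacloud.zia_advanced_settings:
        provider: "{{ zia_provider }}"
        state: present
        # Domain fronting: transactions whose Host header FQDN does not match
        # the TLS SNI, and CONNECT hosts that disagree with the SNI, are blocked.
        block_domain_fronting_on_host_header: true
        block_connect_host_sni_mismatch: true
        # Protocol abuse on proxy ports: CONNECT to ports other than 80/443,
        # non-HTTP payloads on HTTP/HTTPS ports, and RFC-non-compliant requests.
        block_http_tunnel_on_non_http_ports: true
        block_non_http_on_http_port_enabled: true
        block_non_compliant_http_request_on_http_ports: true
        # Keep policy applied to CONNECT tunnels on port 80 instead of passing them through.
        track_http_tunnel_on_http_ports: true
        # Forensics: retain the client's internal IP from X-Forwarded-For in logs.
        log_internal_ip: true
        # Still evaluate URL Filtering when Cloud App Control explicitly allows.
        cascade_url_filtering: true
        # Update user risk scores from risky activity in real time.
        dynamic_user_risk_enabled: true
        # Admin portal session timeout; value mirrors the page's own example
        # (the unit is not documented on this page).
        ui_session_timeout: 300
      register: zia_adv

    # The Return Values section of this page does not describe this module's
    # output, so show the registered result to see what actually comes back.
    - name: Show the module result
      ansible.builtin.debug:
        var: zia_adv
```

Run it with the vault password available, for example ansible-playbook --ask-vault-pass harden_zia.yml (the file name is assumed). Since only state present is supported, re-running the playbook simply re-asserts the same values; verify the effect in the ZIA Admin Portal and in traffic logs before rolling the same play out to a production tenant.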

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

rules

list / elements=dictionary

A list of cloud application control rules that match the specified criteria. This entry and the sample below describe the output of zscaler.ziacloud.zia_cloud_app_control_rules_info, not the advanced settings managed by this module; register the task result to see what this module actually returns.

Returned: always

Sample: [{"access_control": "READ_WRITE", "actions": ["ALLOW_WEBMAIL_VIEW", "ALLOW_WEBMAIL_ATTACHMENT_SEND"], "applications": ["GOOGLE_WEBMAIL", "YAHOO_WEBMAIL", "WINDOWS_LIVE_HOTMAIL"], "browser_eun_template_id": 0, "cascading_enabled": false, "enforce_time_validity": false, "eun_enabled": false, "eun_template_id": 0, "id": 552617, "name": "Webmail Rule-1", "order": 2, "predefined": false, "rank": 7, "state": "DISABLED", "type": "WEBMAIL"}]

Authors

  • William Guilherme (@willguibr)