Integrate Zscaler ZIA
You must have the Network integrations license pack to use this feature.
You can integrate Zscaler ZIA with Sophos Central so that it sends alerts to Sophos.
This integration uses a log collector hosted on a virtual machine (VM). Together they're called an integration appliance. The appliance receives third-party data and sends it to the Sophos Data Lake.
This page describes integration using an appliance on ESXi or Hyper-V. If you want to integrate using an appliance on AWS, see Add integrations on AWS.
Key steps
The key steps in an integration are as follows:
- Add an integration in Sophos Central. In this step, you create an image of the appliance.
- Download and deploy the image on your VM. This becomes your appliance.
- Configure Zscaler ZIA to send data to the appliance.
Requirements
Appliances have system and network access requirements. To check that you meet them, see Appliance requirements.
Add an integration
To add an integration, do as follows:
- In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
- Click Zscaler ZIA.
The Zscaler ZIA page opens. You can add integrations here and see a list of any you've already added.
- In Data Ingest (Security Alerts), click Add Configuration.
Note
If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See Provide your domain and IP details.
The Integration setup steps panel opens.
Configure the appliance
In Integration setup steps, you can configure a new appliance or use an existing one.
We assume here that you configure a new appliance. To do this, create an image as follows:
- Enter a name and description for the integration.
- Click Create new appliance.
- Enter a name and description for the appliance.
- Select the virtual platform. Currently we support VMware ESXi 6.7 Update 3 or later and Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later.
- Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the appliance.
  - Select DHCP to assign the IP address automatically.
    Note
    If you select DHCP, you must reserve the address on your DHCP server so that it doesn't change.
  - Select Manual to specify the network settings yourself.
- Select the Syslog IP version and enter the Syslog IP address.
  You'll need this syslog IP address later, when you configure Zscaler ZIA to send data to your appliance.
- In Protocol, select TCP.
  When you configure Zscaler ZIA to send data to your appliance, make sure it uses the same protocol. The NSS feed settings later on this page use the SIEM TCP Port field, so the feed is TCP.
- Click Save.
We create the integration and it appears in your list.
In the integration details, you can see the port number for the appliance. You'll need this later when you configure Zscaler ZIA to send data to it.
It might take a few minutes for the appliance image to be ready.
Deploy the appliance
Restriction
If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you have to deploy another VM, you must create an OVA file again in Sophos Central.
Use the image to deploy the appliance as follows:
- In the list of integrations, in Actions, click the download action for your platform, for example Download OVA for ESXi.
- When the image download finishes, deploy it on your VM. See Deploy appliances.
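Before you configure the NSS feeds, it is worth proving that the deployed appliance accepts newline-framed TCP syslog on the Syslog IP address and port from the steps above. The Python below is an added example (not Sophos or Zscaler code): send_tcp_syslog() sends one constructed CEF line over TCP framed the way the NSS feed will frame it, and loopback_check() runs the same sender against a throwaway local listener so the framing can be verified offline. APPLIANCE_IP and APPLIANCE_PORT are placeholder values; substitute your own syslog IP and the port shown in the integration details.

```python
"""Pre-flight check for the integration appliance's TCP syslog listener.
Added example for this page, not Sophos or Zscaler code."""
import socket
import threading

# Assumed values: the Syslog IP you entered in Sophos Central and the port shown in the
# integration details. Replace both with your own.
APPLIANCE_IP = "192.0.2.10"
APPLIANCE_PORT = 514


def build_probe_line(host_tag="zscaler-nss-fw"):
    """A constructed line in the same shape as the NSS feed output: syslog timestamp,
    host tag, then the CEF payload. 'probe' as the rule label makes it easy to spot later."""
    return (f"Mar 05 09:04:07 {host_tag} CEF:0|Zscaler|NSSFWlog|5.7|Allow|probe|3| "
            "act=Allow src=10.1.2.3 dst=198.51.100.20 dpt=443 proto=TCP")


def send_tcp_syslog(host, port, line, timeout=5.0):
    """Send one line over a plain TCP connection, newline-terminated as the NSS feed does.
    Returns the number of bytes sent; raises OSError (refused, unreachable, timed out)
    when the path from here to the appliance is blocked."""
    payload = (line.rstrip("\n") + "\n").encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


def loopback_check(line):
    """Exercise send_tcp_syslog() against a one-shot local listener standing in for the
    appliance, and return the text the listener received so the framing can be checked."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
    server.listen(1)
    port = server.getsockname()[1]
    received = bytearray()

    def accept_once():
        conn, _ = server.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:               # sender closed the connection
                    break
                received.extend(chunk)

    worker = threading.Thread(target=accept_once, daemon=True)
    worker.start()
    send_tcp_syslog("127.0.0.1", port, line)
    worker.join(timeout=5)
    server.close()
    return received.decode("utf-8")


if __name__ == "__main__":
    line = build_probe_line()
    print("loopback framing ok:", loopback_check(line) == line + "\n")
    try:
        sent = send_tcp_syslog(APPLIANCE_IP, APPLIANCE_PORT, line)
        print(f"sent {sent} bytes to {APPLIANCE_IP}:{APPLIANCE_PORT} over TCP")
    except OSError as exc:
        print("appliance not reachable over TCP:", exc)
```

Run it from the NSS host, or at least from the NSS server's subnet, so that the firewall path you test is the one the feed will use. A successful send means the collector accepted a constructed record, so if it is ingested you will see a firewall event with rule label "probe" in Sophos Central; that is the record to disregard.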
Configure Zscaler ZIA
Configure Zscaler ZIA to send data to Sophos. This involves these main steps:
- Configure a Nanolog Streaming Service (NSS) server.
- Forward firewall logs.
- Forward web logs.
- Forward DNS logs.
Note
You can configure multiple instances of Zscaler ZIA to send data to Sophos via the same appliance. After you finish integration, repeat the steps in this section for your other instances of Zscaler ZIA. You don't need to repeat the steps in Sophos Central.
Configure an NSS server
Configure and deploy an NSS server.
We recommend deploying instances of both NSS for Web and NSS for Firewall. This ensures that you capture all relevant alert types. In most cases, you should deploy these on-premises so you can forward syslog to the Sophos log collector in your environment.
- Sign in to the Zscaler NSS web administration interface with administrator permissions.
- Click Administration > Settings > Nanolog Streaming Service.
- Follow the steps to size the NSS device. See What to know: NSS.
- Click Add NSS Server.
- Enter a name to identify this as an NSS server for streaming events to Sophos.
- In Type, select NSS for Web or NSS for Firewall.
  We recommend deploying one of each.
- Set Status to Enabled.
- Click Save.
- Download and deploy the image to your platform, for example VMware or AWS.
For more details, see Understanding Nanolog Streaming Service (NSS).
For specific deployment guides, see Nanolog Streaming Service.
Next, you configure NSS to forward each type of logs you want.
Forward firewall logs
Configure Zscaler NSS to send firewall logs as follows:
- Sign in to the Zscaler NSS web administration interface with administrator permissions.
- Click Administration > Settings > Nanolog Streaming Service.
- Click the NSS Feeds tab.
- Click Add NSS Feed.
- In the Edit NSS Feed dialog, configure these settings:
- Feed Name: Enter a descriptive name for the feed.
- NSS Type: Select NSS for Firewall.
- NSS Server: Select the NSS for Firewall server.
- Status: Click Enabled.
- SIEM IP Address: Enter the syslog IP address you specified in Sophos Central earlier.
- SIEM TCP Port: Enter the port generated for you in Sophos Central earlier.
- Log Type: Click Firewall Logs.
- Firewall Log Type: Click Both Session and Aggregate Logs.
- Feed Output Type: Select Custom.
- Feed Output Format: Copy the string below and paste it into the field.
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss-fw CEF:0|Zscaler|NSSFWlog|5.7|%s{action}|%s{rulelabel}|3| act=%s{action} suser=%s{login} src=%s{csip} spt=%d{csport} dst=%s{cdip} dpt=%d{cdport} deviceTranslatedAddress=%s{ssip} deviceTranslatedPort=%d{ssport} destinationTranslatedAddress=%s{sdip} destinationTranslatedPort=%d{sdport} sourceTranslatedAddress=%s{tsip} sourceTranslatedPort=%d{tsport} proto=%s{ipproto} tunnelType=%s{ttype} dnat=%s{dnat} stateful=%s{stateful} spriv=%s{location} reason=%s{rulelabel} in=%ld{inbytes} out=%ld{outbytes} deviceDirection=1 cs1=%s{dept} cs1Label=dept cs2=%s{nwsvc} cs2Label=nwService cs3=%s{nwapp} cs3Label=nwApp cs4=%s{aggregate} cs4Label=aggregated cs5=%s{threatcat} cs5Label=threatcat cs6=%s{threatname} cs6label=threatname cn1=%d{durationms} cn1Label=durationms cn2=%d{numsessions} cn2Label=numsessions cs5Label=ipCat cs5=%s{ipcat} destCountry=%s{destcountry} avgduration=%d{avgduration}\n
- Duplicate Logs: Select Disabled.
- For the remaining fields, keep the default values.
- Click Save.
Forward web logs
Configure Zscaler to send web logs as follows:
- Sign in to the Zscaler NSS web administration interface with administrator permissions.
- Click Administration > Settings > Nanolog Streaming Service.
- Click the NSS Feeds tab.
- Click Add NSS Feed.
- In the Edit NSS Feed dialog, configure these settings:
- Feed Name: Enter a descriptive name for the feed.
- NSS Type: Select NSS for Web.
- NSS Server: Select the NSS for Web server.
- Status: Click Enabled.
- SIEM IP Address: Enter the syslog IP address you specified in Sophos Central earlier.
- SIEM TCP Port: Enter the port generated for you in Sophos Central earlier.
- Log Type: Click Web Log.
- Feed Output Type: Select Custom.
- Feed Output Format: Copy the string below and paste it into the field.
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss CEF:0|Zscaler|NSSWeblog|5.7|%s{action}|%s{reason}|3| act=%s{action} reason=%s{reason} app=%s{proto} dhost=%s{ehost} dst=%s{sip} src=%s{cip} sourceTranslatedAddress=%s{cintip} in=%d{respsize} out=%d{reqsize} request=%s{eurl} requestContext=%s{ereferer} outcome=%s{respcode} requestClientApplication=%s{ua} requestMethod=%s{reqmethod} suser=%s{login} spriv=%s{location} externalId=%d{recordid} fileType=%s{filetype} destinationServiceName=%s{appname} cat=%s{urlcat} deviceDirection=1 cn1=%d{riskscore} cn1Label=riskscore cs1=%s{dept} cs1Label=dept cs2=%s{urlcat} cs2Label=urlcat cs3=%s{malwareclass} cs3Label=malwareclass cs4=%s{malwarecat} cs4Label=malwarecat cs5=%s{threatname} cs5Label=threatname cs6=%s{bamd5} cs6Label=md5hash rulelabel=%s{rulelabel} ruletype=%s{ruletype} urlclass=%s{urlclass} devicemodel=%s{devicemodel}\n
- For the remaining fields, keep the default values.
- Click Save.
Forward DNS logs
Configure Zscaler to send DNS logs as follows:
- Sign in to the Zscaler NSS web administration interface with administrator permissions.
- Click Administration > Settings > Nanolog Streaming Service.
- Click the NSS Feeds tab.
- Click Add NSS Feed.
- In the Edit NSS Feed dialog, configure these settings:
- Feed Name: Enter a descriptive name for the feed.
- NSS Type: Select NSS for Firewall.
- NSS Server: Select the NSS for Firewall server. Zscaler streams DNS logs through NSS for Firewall, not NSS for Web.
- Status: Click Enabled.
- SIEM IP Address: Enter the syslog IP address you specified in Sophos Central earlier.
- SIEM TCP Port: Enter the port generated for you in Sophos Central earlier.
- Log Type: Click DNS Logs.
- Feed Output Type: Select Custom.
- Feed Output Format: Copy the string below and paste it into the field.
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss-fw CEF:0|Zscaler|NSSDNSlog|5.7|%s{action}|%s{rulelabel}|3| suser=%s{login} cs1=%s{dept} cs1Label=department cs2=%s{reqaction} cs2Label=reqaction cs3=%s{resaction} cs3Label=resaction cs4=%s{reqtype} cs4Label=dns_reqtype cs5=%s{req} cs5Label=dns_req cs6=%s{res} cs6Label=dns_resp cn1=%d{durationms} cn1Label=durationms flexString1=%s{reqrulelabel} flexString1Label=reqrulelabel flexString2=%s{resrulelabel} flexString2Label=resrulelabel cat=%s{domcat} src=%s{cip} dst=%s{sip} dpt=%d{sport} spriv=%s{location} suid=%s{deviceowner} dvchost=%s{devicehostname}\n
- Duplicate Logs: Select Disabled.
- For the remaining fields, keep the default values.
- Click Save.
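The three feed output formats on this page are templates: NSS substitutes each %s{field}, %d{field}, %02d{field} or %ld{field} placeholder and streams the resulting CEF line, and a consumer then pairs every csN, cnN or flexStringN value with its csNLabel to give it a readable name. The Python below is an added example, not Sophos or Zscaler code. It renders the firewall format with constructed sample values, parses the result back the way a syslog/CEF consumer would (values such as rule labels may contain spaces), resolves the custom-field labels, and lints a format string for custom-field mistakes before it is pasted into NSS. Run on the firewall format it reports that cs5 is assigned twice, so a consumer that keeps the last value sees ipcat and loses threatcat, and that cs6label is not the case-sensitive CEF key cs6Label, so threatname is never resolved by name. The fragment cs6Label=%s{bamd5} cs6=md5hash is a constructed input showing the swapped-pair check.

```python
"""Render a Zscaler NSS feed output format into a sample CEF line, parse it back the way a
syslog/CEF consumer would, and lint the custom-field pairing before the string goes into NSS.
Added example for this page, not Sophos or Zscaler code; sample field values are constructed."""
import re
from collections import Counter

# Placeholder syntax used in NSS feed output formats: %s{field}, %d{field}, %02d{field}, %ld{field}
PLACEHOLDER = re.compile(r"%(?P<spec>0?\d*l?[sd])\{(?P<field>\w+)\}")
# key=value pairs as written in a format string (values there never contain spaces)
PAIR = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=(\S*)")
CUSTOM_KEY = re.compile(r"^(cs\d|cn\d|flexString\d)(label)?$", re.IGNORECASE)

# The firewall feed output format from this page, verbatim (ends with a literal \n as typed into NSS)
FIREWALL_FORMAT = (
    "%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss-fw CEF:0|Zscaler|NSSFWlog|5.7|%s{action}|%s{rulelabel}|3| "
    "act=%s{action} suser=%s{login} src=%s{csip} spt=%d{csport} dst=%s{cdip} dpt=%d{cdport} "
    "deviceTranslatedAddress=%s{ssip} deviceTranslatedPort=%d{ssport} destinationTranslatedAddress=%s{sdip} "
    "destinationTranslatedPort=%d{sdport} sourceTranslatedAddress=%s{tsip} sourceTranslatedPort=%d{tsport} "
    "proto=%s{ipproto} tunnelType=%s{ttype} dnat=%s{dnat} stateful=%s{stateful} spriv=%s{location} "
    "reason=%s{rulelabel} in=%ld{inbytes} out=%ld{outbytes} deviceDirection=1 cs1=%s{dept} cs1Label=dept "
    "cs2=%s{nwsvc} cs2Label=nwService cs3=%s{nwapp} cs3Label=nwApp cs4=%s{aggregate} cs4Label=aggregated "
    "cs5=%s{threatcat} cs5Label=threatcat cs6=%s{threatname} cs6label=threatname cn1=%d{durationms} "
    "cn1Label=durationms cn2=%d{numsessions} cn2Label=numsessions cs5Label=ipCat cs5=%s{ipcat} "
    "destCountry=%s{destcountry} avgduration=%d{avgduration}\\n"
)

SAMPLE = {  # constructed values standing in for one firewall session; not real traffic
    "mon": "Mar", "dd": 5, "hh": 9, "mm": 4, "ss": 7, "action": "Allow",
    "rulelabel": "Default Firewall Rule", "login": "alice@example.com", "csip": "10.1.2.3",
    "csport": 51234, "cdip": "198.51.100.20", "cdport": 443, "ssip": "10.1.2.3", "ssport": 51234,
    "sdip": "198.51.100.20", "sdport": 443, "tsip": "203.0.113.5", "tsport": 40000,
    "ipproto": "TCP", "ttype": "GRE", "dnat": "No", "stateful": "Yes", "location": "HQ",
    "inbytes": 1500, "outbytes": 900, "dept": "Sales", "nwsvc": "HTTPS", "nwapp": "Web Browsing",
    "aggregate": "No", "threatcat": "Malware", "threatname": "Test-Sample", "durationms": 120,
    "numsessions": 1, "ipcat": "Business", "destcountry": "US", "avgduration": 120,
}


def render(fmt, values):
    """Substitute placeholders the way NSS does when it streams the feed."""
    def sub(m):
        spec, field = m.group("spec"), m.group("field")
        val = values.get(field, "")
        if spec.endswith("s"):
            return str(val)
        pad = int(spec[:-1].rstrip("l") or 0)   # "02d" -> zero-pad to width 2; "d"/"ld" -> none
        return str(int(val or 0)).zfill(pad)
    return PLACEHOLDER.sub(sub, fmt).replace("\\n", "\n")


def parse_cef(line):
    """Split a syslog line carrying CEF into (syslog prefix, header dict, extension dict)."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    fields = line[start:].rstrip("\n").split("|", 7)
    if len(fields) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields before the extension")
    names = ("version", "vendor", "product", "dev_version", "signature", "name", "severity")
    header = dict(zip(names, fields[:7]))
    extension = {}
    # A new key starts only at an unescaped space followed by key=, so values may contain spaces.
    for token in re.split(r"(?<!\\) (?=[A-Za-z][A-Za-z0-9_]*=)", fields[7].strip()):
        key, _, value = token.partition("=")
        extension[key] = value.replace("\\=", "=")   # a repeated key overwrites the earlier value
    return line[:start].rstrip(), header, extension


def resolve_labels(extension):
    """Map csNLabel/cnNLabel/flexStringNLabel names onto their values, as a SIEM surfaces them."""
    named = {}
    for key, label in extension.items():
        if key.endswith("Label") and key[:-5] in extension:
            named[label] = extension[key[:-5]]
    return named


def lint_format(fmt):
    """Return (key, problem) findings for custom-field mistakes in a feed output format."""
    pairs = PAIR.findall(fmt)
    counts = Counter(key for key, _ in pairs)
    values = dict(pairs)                         # last assignment wins, as in most consumers
    present = {key.lower() for key in counts}
    findings = []
    for key, n in counts.items():
        if n > 1:
            findings.append((key, f"assigned {n} times; only the last value survives"))
        m = CUSTOM_KEY.match(key)
        if not m:
            continue
        base, label = m.group(1), m.group(2)
        if label and label != "Label":
            findings.append((key, f"CEF keys are case-sensitive; use {base}Label"))
        if label and PLACEHOLDER.search(values[key]):
            findings.append((key, "label holds a placeholder; label and value look swapped"))
        partner = base if label else base + "Label"
        if partner.lower() not in present:
            findings.append((key, f"no matching {partner}"))
    return findings


def demo():
    """Render one line, parse it back and return what a label-resolving consumer sees."""
    _, header, ext = parse_cef(render(FIREWALL_FORMAT, SAMPLE))
    return header, ext, resolve_labels(ext), lint_format(FIREWALL_FORMAT)


if __name__ == "__main__":
    header, ext, named, findings = demo()
    print(render(FIREWALL_FORMAT, SAMPLE), end="")
    print("name:", header["name"], "| reason:", ext["reason"], "| named:", named)
    for key, problem in findings + lint_format("cs6Label=%s{bamd5} cs6=md5hash"):
        print(f"lint {key}: {problem}")
```

lint_format() runs on the template, not on rendered lines, so you can check a format before you save the feed; parse_cef() and resolve_labels() are for lines captured on the appliance side if Sophos shows fewer fields than you expect.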