A
- ACL
- Access Control List. An ordered list of permit/deny rules on a router or firewall interface, evaluated top-down. The first match wins — order matters. Classic Cisco syntax: `access-list 101 permit tcp any host 10.0.0.5 eq 443`.
- App-ID
- Palo Alto's signature engine that identifies applications regardless of port, protocol or encryption — so a security rule says "allow Office 365" not "allow TCP/443". Decoders, decryption, app-signatures and heuristics work together inside the SP3 single-pass architecture. See also: SP3, SSL Inspection, Panorama
- App Connector
- Lightweight outbound-only broker inside the customer's data centre or VPC that lets ZPA reach private apps without inbound firewall rules. App Connectors dial out (TLS:443) to the nearest ZPA Public Service Edge — the user is never on the same network as the app. See also: ZPA, App Segment, PRA
- App Segment
- The smallest unit of access in ZPA — an FQDN, IP, or wildcard plus port/protocol, bundled with a Segment Group and Server Group. "Allow finance group → app-segment FIN-SAP" is a typical policy. Segments inherit double-encrypted micro-tunnels via App Connectors. See also: ZPA, App Connector, Z-Tunnel
- ATP
- Advanced Threat Protection. Zscaler's signature + heuristic engine that blocks C2 callbacks, fraud, botnets, browser exploits and cryptomining in real time on the ZIA proxy. Configured per URL Category or globally; logs land in Nanolog. See also: ZIA, Nanolog, IPS
- Audit Log
- Tamper-evident record of who-did-what-when inside an admin console — policy edits, user logins, exports. Separate from traffic/web logs. In Zscaler, the Audit Log is queryable for 6 months and exportable via NSS/LSS. See also: NSS, LSS
- Authentication Frequency
- How often a user is forced to re-authenticate to the proxy/broker. In ZIA it controls Surrogate IP / SAML refresh; in ZPA it tunes ZCC reauth. Tighter = better security, looser = better UX. Common: 8h for ZIA, 7-30d for ZPA depending on risk. See also: Surrogate IP, ZCC, SAML
B
- BAF (Browser Access)
- Zscaler's clientless ZPA mode — users reach internal web apps through a browser-rendered URL like `app.customer.b.zscaler.com`, no ZCC required. Ideal for contractors and BYOD. App Connector still does the broker work; TLS is reterminated at the PSE. See also: ZPA, PRA, App Connector
- BGP
- Border Gateway Protocol — the routing protocol that runs the public Internet, also used inside large enterprises (iBGP). Path-vector, TCP/179, attributes like AS-PATH and LOCAL_PREF decide best path. Zscaler peers BGP with customers over GRE/IPSec for branch deployments. See also: GRE, IPSec
- Branch Connector
- Zscaler's branch appliance / VM that forwards server-initiated and IoT traffic from a branch to ZIA/ZPA without needing ZCC on each device. Pair-deployed for HA, no inbound ports required. See also: ZIA, ZPA, Cloud Connector
- BSOD
- Blue Screen of Death — Windows kernel panic. Service-desk shorthand: ask for the STOP code (e.g. `DRIVER_IRQL_NOT_LESS_OR_EQUAL`) and the dump file at `C:\Windows\Minidump\`. ZCC has historically been implicated in NDIS driver BSODs; check the version against Zscaler's known-issues list.
C
- CASB
- Cloud Access Security Broker — the security layer between users and SaaS apps that enforces DLP, shadow-IT visibility, and posture. Zscaler offers Inline CASB (in the proxy path) and Out-of-Band CASB (API-connected to M365, Google Workspace, Salesforce). See also: DLP, OOB CASB, SSE
- CBI (Cloud Browser Isolation)
- Renders risky web pages in a remote disposable container and streams pixels to the user — clicks, downloads, copy/paste can all be governed. Used by ZIA for unknown-risk URLs and by ZPA-BAF for clientless private-app access on unmanaged devices. See also: BAF, URL Filtering
- CDL (Cortex Data Lake)
- Palo Alto's cloud log store. Firewalls, Prisma Access and Cortex XDR all forward logs to CDL; queries from Strata Logging Service, XDR, and XSOAR all read from it. Retention is licence-driven (typically 30/90/365 days). See also: Prisma Access, Panorama
- CDN
- Content Delivery Network — distributed cache (Cloudflare, Akamai, Fastly) that serves static + dynamic content from a PoP near the user. CDNs share the IP-anycast playbook with Zscaler PSEs and can complicate SSL inspection and geolocation. See also: GeoDNS, PSE
- CGNAT
- Carrier-Grade NAT. ISP-side NAT that shares one public IP across many subscribers (100.64.0.0/10). Breaks Surrogate IP, geolocation, and IP-based allow-lists — common cause of ZIA "wrong user" issues on mobile / home networks. See also: NAT, Surrogate IP
- CIDR
- Classless Inter-Domain Routing — the modern way to write IP ranges: `10.0.0.0/24` means 256 addresses. Replaces the old Class A/B/C boundaries. Mastery: know `/30` = 4 IPs (2 usable), `/24` = 256, `/16` = 65k.
- Cloud App Control
- ZIA policy module that gives per-SaaS-category control — e.g. allow LinkedIn but block uploads, allow ChatGPT but block file attachments, allow Dropbox-corporate but block Dropbox-personal. Sits on top of URL Filtering with deeper App-ID-style inspection. See also: URL Filtering, CASB
- Cloud Connector
- Zscaler appliance/VM deployed inside AWS/Azure/GCP that forwards workload-to-internet and workload-to-private-app traffic into ZIA/ZPA. Replaces the "punch a NAT gateway out to the internet" pattern with a Zero Trust path. See also: ZIA, Branch Connector
- Cloud Firewall
- The L3/L4 (and limited L7) firewall service inside ZIA — handles non-web ports (SSH, SMTP, custom TCP/UDP) that the web proxy doesn't terminate. Has its own rule base, NAT rules, and DNS Control sub-module. See also: ZIA, DNS Control
- CSR
- Certificate Signing Request — a Base64 PKCS#10 blob containing a public key + identity (CN, SANs, O, OU). Generated by the server, signed by a CA, returned as a certificate. `openssl req -new -newkey rsa:2048 -nodes -keyout x.key -out x.csr`. See also: SSL Trust Store, SSL Inspection
D
- DEI bit
- Drop Eligible Indicator — the single bit in an 802.1Q VLAN tag (formerly called CFI) that marks a frame as preferred-to-drop under congestion. Combined with PCP (priority) it gives QoS hints on trunks. See also: VLAN, TPID, Trunk
- DHCP
- Dynamic Host Configuration Protocol — DORA exchange (Discover, Offer, Request, Ack) leases IP + gateway + DNS to clients. UDP/67 server, UDP/68 client. Option 82 is the relay-agent insertion used by ISPs and enterprise security tools to map MAC → port.
- DLP
- Data Loss Prevention. Inspects outbound content (HTTPS bodies, emails, SaaS uploads) for sensitive data — credit cards, SSN, PII, source code. Modes: exact-data-match (EDM), indexed-document-match (IDM), pattern (regex/dictionary), OCR for images. Block, alert, or quarantine. See also: EDM, IDM, OCR, CASB, Inline DLP
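Worked example added by the editor (not part of the original glossary) for the pattern mode of DLP described in the entry above: a Python check that finds card-number candidates by regex and then keeps only those that pass the Luhn checksum, which is what separates a real PAN from an order number of the same length. The regex, the sample body and the block threshold are constructed for this example; the two card numbers are the standard Visa/Mastercard test numbers, not real accounts.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (constructed pattern for this example).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum every real card number satisfies; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Regex candidates filtered by Luhn: the pattern-mode check the DLP entry describes."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """What the alert should carry: never log the full number you just caught."""
    return "*" * (len(pan) - 4) + pan[-4:]


def dlp_verdict(text: str, threshold: int = 1) -> dict:
    """Constructed policy: block when at least `threshold` valid PANs are present."""
    hits = find_card_numbers(text)
    action = "block" if len(hits) >= threshold else "allow"
    return {"action": action, "matches": [mask(h) for h in hits]}


# Constructed outbound body: a Visa test number, a Mastercard test number,
# a 16-digit reference that looks like a PAN but fails Luhn, and a phone number.
SAMPLE_BODY = (
    "Please charge 4111 1111 1111 1111 and 5555-5555-5555-4444 for order "
    "ref 1234 5678 9012 3456; call 0123456789 with questions."
)

if __name__ == "__main__":
    print(dlp_verdict(SAMPLE_BODY))
```

The reference "1234 5678 9012 3456" is exactly the false positive a bare regex would raise; the checksum drops it while both test card numbers survive, which is why production DLP engines validate pattern matches before alerting.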
- DMZ
- Demilitarised Zone. A semi-trusted network segment between Internet and internal LAN where public-facing servers live (web, SMTP, DNS). Zero Trust models replace the DMZ with ZPA brokering — apps stay private, no inbound exposure. See also: Zero Trust, ZPA
- DNS Control
- ZIA's DNS-layer policy: block malicious or category-based domains, force DoH/DoT to Zscaler's resolver, prevent DNS tunnelling, log all queries. Sits inside the Cloud Firewall module but inspected even when web traffic isn't proxied. See also: Cloud Firewall, ZIA
- DTLS
- Datagram TLS — TLS adapted for UDP. ZCC's Z-Tunnel 2.0 uses DTLS for the data plane (low-latency, no head-of-line blocking) with TLS as the fallback. Same crypto guarantees as TLS, no stream reliability. See also: Z-Tunnel, ZCC, QUIC
- DTP
- Dynamic Trunking Protocol — Cisco-proprietary that auto-negotiates an access/trunk link. `switchport mode dynamic auto`/`desirable` are the dangerous defaults — an attacker plugged into an access port can negotiate a trunk and see every VLAN. Always disable: `switchport mode access` + `switchport nonegotiate`. See also: Native VLAN, VLAN Hopping, Trunk
E
- EDM
- Exact Data Match — DLP technique where the customer uploads a hashed database of sensitive records (e.g. real customer SSNs) and the DLP engine flags only exact matches, not pattern matches. High precision, near-zero false positives. See also: DLP, IDM
- EICAR
- The standard 68-byte test "virus" string every AV product must detect: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`. Used to verify malware scanning is actually live without using real malware. See also: ATP, WildFire
- ELF (ELF magic bytes)
- Executable and Linkable Format — the Linux/Unix binary format. Magic bytes `7F 45 4C 46` (the first 4 bytes spell "\x7FELF"). Zscaler File Type Control identifies ELFs by magic bytes, not just extension, so a renamed `.txt` still gets flagged. See also: Magic Bytes, File Type Control
- Endpoint
- Any user-controlled device — laptop, phone, tablet, kiosk. In Zero Trust, the endpoint is never inherently trusted: posture is checked (HIP / Device Posture), identity verified (SSO + MFA), and the connection is brokered (ZCC / App Connector). See also: HIP, ZCC, Zero Trust
- ESP
- Encapsulating Security Payload — the IPSec protocol that actually encrypts + authenticates payloads (IP proto 50). Paired with IKE which negotiates the SA. ESP can run in transport (host-to-host) or tunnel (gateway-to-gateway) mode. See also: IPSec, IKEv2
- EXE (PE magic bytes)
- Portable Executable — Windows binary format. Magic bytes `4D 5A` ("MZ" — the initials of Mark Zbikowski, a Microsoft engineer from the DOS era). File Type Control blocks even when extension is changed to `.txt` or `.jpg`. See also: Magic Bytes, File Type Control
F
- Federation Metadata URL
- The XML endpoint published by an IdP that contains SAML signing certs, SSO/SLO URLs, and entity IDs — Zscaler's SAML configuration imports it instead of pasting fields manually. Azure AD example: `https://login.microsoftonline.com/<tenant>/federationmetadata/2007-06/federationmetadata.xml`. See also: SAML, IdP, SSO
- File Type Control
- ZIA module that identifies files by magic bytes + true file type (not extension), then allows/blocks/quarantines per-direction per-user-group. Common policies: block `.exe` download from uncategorised sites, block `.zip` upload to webmail, scan all `.pdf` via Sandbox. See also: Magic Bytes, EXE, ELF
G
- Gateway
- The first L3 hop a host sends to when the destination isn't on its local subnet — usually the LAN router or firewall. Configured statically or via DHCP option 3. In Zscaler-forwarded environments, the gateway is often a GRE/IPSec termination point pointed at a PSE. See also: GRE, PSE
- GeoDNS
- DNS resolution that returns different answers based on the resolver's geographic location — what gets you to the nearest Zscaler PSE, CDN edge, or game server. Built on anycast + EDNS Client Subnet hints. See also: PSE, CDN
- Global Counter
- Palo Alto debug counters exposed via `show counter global filter packet-filter yes` — invaluable for "why is this packet getting dropped". Names like `flow_policy_deny`, `flow_no_session`, `tcp_drop_out_of_wnd` tell you exactly which stage dropped the packet.
H
- HA1 / HA2 / HA3
- Palo Alto High-Availability links. HA1 = control-plane heartbeat + config sync (TCP/28769). HA2 = data-plane session sync (UDP/29281). HA3 = packet forwarding between active/active peers. Always use a dedicated cable + backup HA1.
- HIP
- Host Information Profile. Palo Alto / Prisma posture-check object — encrypts disk? AV updated? OS version? Patches applied? Evaluated against a HIP Profile referenced in security policy; failing endpoints get re-routed or blocked. See also: Prisma Access, Endpoint
- HSTS Preload
- HTTP Strict Transport Security — server tells the browser "only ever talk to me over HTTPS". Preload means the domain is baked into Chrome/Firefox/Safari source so even the first request is HTTPS. Once preloaded, it is hard to roll back — gotcha for staging domains.
- HTTP/3
- The third major HTTP version, runs over QUIC (UDP/443) instead of TCP. Faster handshake, no head-of-line blocking, mandatory TLS 1.3. SSL Inspection products that only handle TCP/443 see it as opaque UDP — Zscaler intercepts QUIC by blocking UDP/443 and forcing fallback to HTTP/2. See also: QUIC, SSL Inspection
I
- IAS (now NPS)
- Internet Authentication Service — the old Microsoft RADIUS server, renamed Network Policy Server (NPS) from Server 2008 onward. Still doing AAA for VPN concentrators, 802.1X switches, and wireless APs in many enterprises. See also: NPS, LDAP
- IdP
- Identity Provider — the system that authenticates users and issues SAML/OIDC assertions (Azure AD / Entra, Okta, Ping, Google). Zscaler is the Service Provider (SP) that trusts the IdP's signed assertion to log a user in. See also: SAML, SSO, SCIM
- IDM
- Indexed Document Match — DLP technique where the customer fingerprints whole documents (NDAs, design specs, M&A files), and the engine flags partial matches when fragments of those documents are exfiltrated. See also: DLP, EDM
- IKEv2
- Internet Key Exchange v2 (RFC 7296). The control protocol that negotiates IPSec SAs — phase 1 sets up the IKE_SA, phase 2 sets up the CHILD_SA for actual traffic. UDP/500 + UDP/4500 (NAT-T). Faster reconnect than IKEv1, MOBIKE supports IP changes. See also: IPSec, ESP
- Inline DLP
- DLP that runs in the live traffic path — every HTTPS upload, every SaaS POST is inspected before it leaves. ZIA's Inline DLP works on decrypted SSL streams; latency-sensitive but catches data before it lands. Contrast with API/OOB CASB which scans after upload. See also: DLP, SSL Inspection, OOB CASB
- IOC
- Indicator of Compromise — a hash, IP, domain, URL, mutex, or registry key associated with a known attack. Threat-intel feeds push IOCs to firewalls, SIEMs and EDRs for blocking and alerting. STIX/TAXII is the standard transport. See also: IPS, ATP
- IPS
- Intrusion Prevention System — signature + anomaly engine that blocks exploits in real time (SQLi, RCE, buffer-overflow patterns). Lives inside ZIA's ATP module, Palo Alto's Threat Prevention, Suricata/Snort etc. Tuned via severity + confidence to avoid false positives. See also: ATP, IOC
J
K
- KDC
- Key Distribution Center — the Kerberos trusted third party that issues TGTs and service tickets. In a Windows AD domain, every Domain Controller IS a KDC. UDP/88 + TCP/88. Clock-skew > 5 min between client and KDC = silent auth failure. See also: Kerberos, LDAP
- Kerberos
- Ticket-based authentication protocol (MIT, 1980s) — three-headed dog because there are three parties: client, server, KDC. Used by Active Directory for domain logon, SMB, MSSQL etc. Common gotchas: SPN duplicates, time skew, encryption-type mismatch. See also: KDC, LDAP
- Kryterion (Webassessor)
- Online proctoring + exam delivery platform used by Palo Alto Networks (PCNSE / PCNSA), Cisco DevNet, and many vendor certs. Sentinel client locks down the machine; webcam + screen recording is mandatory. Pre-check at kryteriononline.com saves a lot of stress on exam day. See also: PCNSE
L
M
- MAC Address
- Media Access Control address — 48-bit L2 hardware identifier (e.g. `00:50:56:ab:cd:ef`). First 24 bits = OUI (vendor), last 24 bits = NIC. Spoofable in software, so never used alone for authentication. ZCC fingerprints multiple identifiers including MAC for device posture.
- Magic Bytes
- The first few bytes of a file that identify its true type, regardless of extension. PDF = `25 50 44 46` ("%PDF"), PNG = `89 50 4E 47`, ZIP = `50 4B 03 04` ("PK"). Zscaler File Type Control inspects magic bytes to defeat extension-rename evasion. See also: File Type Control, EXE, ELF
- MITM
- Man-in-the-Middle. Attacker (or proxy) sits between two parties, decrypts and re-encrypts traffic. ZIA's SSL Inspection is "authorised MITM" — a corporate CA installed on endpoints lets ZIA see HTTPS in clear text. Without endpoint cert install you get cert warnings. See also: SSL Inspection, SSL Trust Store
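Worked example added by the editor (not part of the original glossary, nor Zscaler's own logic) tying together the Magic Bytes, ELF, EXE and File Type Control entries: a Python classifier that reads the leading bytes, ignores the filename when deciding the true type, and then compares that type with the extension the user chose. The signature table uses the five signatures quoted in those entries; the expected-extension map, the sample uploads and the block/quarantine/allow policy are assumptions constructed for illustration.

```python
import os

# Signature table: the leading bytes quoted in the glossary entries. A product
# table is far longer; this one is constructed for the example.
MAGIC_SIGNATURES = {
    "pe": b"MZ",           # 4D 5A
    "elf": b"\x7fELF",     # 7F 45 4C 46
    "pdf": b"%PDF",        # 25 50 44 46
    "png": b"\x89PNG",     # 89 50 4E 47
    "zip": b"PK\x03\x04",  # 50 4B 03 04
}

# Extensions a policy would consider honest for each true type (assumption for this example;
# Office documents and JARs are ZIP containers, which is why they sit under "zip").
EXPECTED_EXTENSIONS = {
    "pe": {".exe", ".dll", ".sys"},
    "elf": {".elf", ".so", ".bin", ""},
    "pdf": {".pdf"},
    "png": {".png"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
}


def true_file_type(data: bytes) -> str:
    """Type implied by the leading bytes; the filename plays no part."""
    for name, magic in MAGIC_SIGNATURES.items():
        if data[:len(magic)] == magic:
            return name
    return "unknown"


def classify(filename: str, data: bytes) -> dict:
    """Compare the extension the user chose with what the bytes say."""
    ext = os.path.splitext(filename)[1].lower()
    ftype = true_file_type(data)
    mismatch = ftype != "unknown" and ext not in EXPECTED_EXTENSIONS[ftype]
    return {"name": filename, "type": ftype, "ext": ext, "mismatch": mismatch}


def policy_decision(filename: str, data: bytes, blocked_types=("pe", "elf")) -> dict:
    """Constructed policy: executables are blocked whatever they are called;
    anything else whose extension lies about its type is quarantined for review."""
    info = classify(filename, data)
    if info["type"] in blocked_types:
        info["action"] = "block"
    elif info["mismatch"]:
        info["action"] = "quarantine"
    else:
        info["action"] = "allow"
    return info


# Constructed sample uploads: only the header bytes matter for this check.
SAMPLES = {
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00",   # PE header renamed to .txt
    "tool.jpg": b"\x7fELF\x02\x01\x01\x00",      # ELF header renamed to .jpg
    "photo.jpg": b"\x89PNG\r\n\x1a\n",           # PNG carrying a .jpg extension
    "report.pdf": b"%PDF-1.7\n",                 # honest PDF
    "readme.txt": b"hello world\n",              # no signature: unknown, allowed
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        d = policy_decision(name, data)
        print(f"{name:12} type={d['type']:8} mismatch={str(d['mismatch']):5} -> {d['action']}")
```

The two renamed executables are blocked on bytes alone, which is the point of the ELF and EXE entries; the PNG with a `.jpg` extension is harmless but flagged because the mismatch itself is a signal worth a look.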
- MSS
- Maximum Segment Size — the largest TCP payload (not packet) one host will accept, negotiated in the SYN's MSS option. Typically MTU − 40 (IPv4 + TCP headers). Wrong MSS over a GRE/IPSec tunnel = silent black-hole; use MSS clamping (`1380` for 1400-MTU tunnels). See also: MTU, GRE
- MTU
- Maximum Transmission Unit — the largest L2 frame an interface will send (Ethernet default 1500). Drops below default when tunnels stack: GRE = 1476, IPSec = 1438-1400, GRE+IPSec = 1376. PMTUD ICMP blackhole is the most common "works for small files, hangs on big ones" symptom. See also: MSS, GRE, IPSec
N
- NAT
- Network Address Translation. Maps private IPs (RFC 1918) to public IPs as packets cross a router. Variants: SNAT (source), DNAT (destination), PAT (port-overload — the everyday "NAT"). Breaks end-to-end visibility — Zscaler uses XFF / Surrogate IP to recover the real user. See also: CGNAT, XFF, Surrogate IP
- Native VLAN
- The VLAN on an 802.1Q trunk whose frames are sent untagged. Mismatched native VLANs between switches cause silent cross-VLAN bleed; matching native VLAN on attacker port enables VLAN hopping. Best practice: use an unused dummy VLAN and tag everything. See also: VLAN, VLAN Hopping, Trunk
- Nanolog
- Zscaler's columnar, highly compressed log format and the cluster that stores it (Nanolog Cluster). Holds full transaction logs for 6 months online (extendable to 7 years with NSS-to-cloud). Compression ratio ~50:1. See also: NSS, Audit Log
O
- OAuth
- Open Authorization — delegated-access protocol (currently OAuth 2.0/2.1). Grants third-party apps scoped access to user resources via access tokens, without sharing the password. OIDC is OAuth 2.0 + identity layer (ID token). Foundation of modern SSO. See also: JWT, SSO, SAML
- OCR
- Optical Character Recognition. Extracts text from images/scanned PDFs so DLP can match policy on them — defeats the "screenshot the CC number" exfil trick. Adds latency, so usually scoped to specific user groups or risky destinations. See also: DLP, Inline DLP
- OOB (Out-of-Band) CASB
- API-connected CASB — instead of sitting in traffic, it connects to SaaS tenant APIs (M365, Google, Salesforce, ServiceNow) to scan data at rest, fix mis-configurations, and find shadow data. Complements Inline DLP for sanctioned-SaaS coverage. See also: CASB, Inline DLP, DLP
P
- PAC file
- Proxy Auto-Config — a JavaScript file (`FindProxyForURL(url, host)`) the browser/OS evaluates per request to decide DIRECT vs PROXY. ZIA's default PAC at `pac.<cloud>.net` picks the nearest PSE, bypasses internal hosts, and sends the rest through Zscaler. See also: ZIA, Forwarding Profile, PSE
- Panorama
- Palo Alto's central management for firewalls, log collection and reporting. Pushes Device Groups + Templates to managed firewalls, aggregates logs into a hierarchy, can run as VM or M-series appliance. Prisma Access management lives next to Panorama. See also: Prisma Access, CDL
- PCAP
- Packet Capture — the file format (libpcap / pcapng) Wireshark, tcpdump and tshark read/write. Truth-source for any network problem: if it isn't in the PCAP it didn't happen. Capture at both ends to prove drop-direction.
- PCNSE
- Palo Alto Networks Certified Network Security Engineer — the L3 engineer cert. 75 questions, 80 min, proctored via Kryterion / Pearson VUE. Covers App-ID, Decryption, GlobalProtect, HA, Panorama, troubleshooting. Renewed every 2 years. See also: PCSAE, App-ID, Kryterion
- PCSAE
- Palo Alto Networks Certified Security Automation Engineer — Cortex XSOAR (formerly Demisto) automation cert. Focuses on playbooks, integrations, incident lifecycle, threat-intel management. See also: PCNSE
- Pinned App
- ZCC feature that ensures specific apps' traffic always uses the Zscaler tunnel even if the user toggles ZCC off — common for security-critical SaaS like banking or admin consoles. Configured under ZCC App Profile → Pinned Apps list. See also: ZCC, Z-Tunnel
- PRA (Privileged Remote Access)
- ZPA module that gives clientless, browser-based RDP/SSH/VNC to internal servers — full session recording, copy/paste/transfer controls, MFA gate, no jump-host needed. Replaces traditional bastion + Citrix-style PAM tools. See also: ZPA, BAF, RDP
Q
R
- RDP
- Remote Desktop Protocol — Microsoft's graphical remote-access protocol on TCP/3389 (also UDP/3389 for UDP transport). Heavily targeted by ransomware; should never face the Internet. PRA brokers clientless RDP without exposing the port. See also: PRA, SRTP
- Risk Score
- Numeric/letter rating Zscaler assigns to a user, device, app, or destination based on behaviour, posture and threat-intel. Feeds into policy — e.g. risky users get extra MFA, risky devices get isolated via CBI. See also: CBI, ZDX
- RPC
- Remote Procedure Call — call a function on another machine as if local. Microsoft RPC uses TCP/135 + dynamic high ports (49152-65535) — the bane of strict firewall admins. gRPC is the modern HTTP/2-based variant.
S
- SAML
- Security Assertion Markup Language 2.0 — XML-based SSO protocol. Browser POSTs a signed assertion from IdP to SP. Zscaler is the SP. Common debugging tool: SAML-tracer browser extension. ACS URL + Entity ID are the two values that go on every config screen. See also: IdP, SSO, Federation Metadata URL
- SASE
- Secure Access Service Edge — Gartner term (2019) for SSE + SD-WAN delivered as a single cloud service. Zscaler is the SSE half; many customers pair it with SD-WAN (VeloCloud, Versa, Meraki) for the WAN half. See also: SSE, SD-WAN
- SCIM
- System for Cross-domain Identity Management — the API standard for user/group provisioning from IdP to SaaS. Zscaler's SCIM endpoint pulls users + groups + attributes from Azure AD / Okta automatically, no nightly CSV upload. See also: IdP, LDAP
- SD-WAN
- Software-Defined WAN — replaces MPLS-only branches with overlays of multiple transports (broadband + LTE + MPLS). Adds dynamic path selection, app-aware routing, encrypted tunnels. Common pairings: VeloCloud, Versa, Silver Peak, Meraki MX, Fortinet Secure SD-WAN. See also: SASE, GRE
- SIPA
- Source IP Anchoring — ZPA feature that egresses a user's traffic from a specific source IP (e.g. customer's own public IP via Cloud Connector / Branch Connector). Solves SaaS apps that whitelist by IP even when the user is roaming. See also: ZPA, Cloud Connector
- SOC
- Security Operations Center — the team + tooling that monitors, detects and responds to incidents 24×7. L1 triages alerts, L2 investigates, L3 hunts + tunes. Zscaler logs flow into the SOC's SIEM via NSS/LSS. See also: NSS, LSS, IOC
- SP3 (Single-Pass Parallel Processing)
- Palo Alto's architecture: traffic is parsed once, then all engines (App-ID, User-ID, Content-ID, Decryption, Threat) inspect it in parallel rather than sequentially. The reason their throughput doesn't collapse when you enable more features. See also: App-ID, Panorama
- SRTP
- Secure Real-time Transport Protocol — encrypts + authenticates RTP voice/video streams. Used by Teams, Zoom, WebRTC. Random UDP ports — security proxies generally bypass SRTP rather than decrypt it.
- SSE
- Security Service Edge — Gartner term for the security half of SASE: SWG + CASB + ZTNA + FWaaS. Zscaler, Netskope, Palo Alto Prisma and Cisco Umbrella are the headline SSE vendors. See also: SASE, ZIA, ZPA
- SSL Inspection
- Decrypting HTTPS in the proxy path so URL/DLP/Malware engines can see plaintext, then re-encrypting outbound. Requires the corporate intermediate CA to be installed on every endpoint. Without it, all you can do is SNI-block or host-header-block. See also: MITM, SSL Trust Store, Inline DLP
- SSL Trust Store
- The set of root + intermediate CA certificates an OS/browser trusts. Windows = Cert Store, macOS = Keychain, Linux = `/etc/ssl/certs`, Firefox = its own NSS store. SSL Inspection requires the Zscaler intermediate CA in every trust store on every managed endpoint. See also: SSL Inspection, CSR
- SSO
- Single Sign-On — one login at the IdP grants access to many apps for the rest of the session. Implemented via SAML, OIDC, Kerberos or WS-Federation. Reduces password fatigue and the credential-stuffing attack surface. See also: SAML, OAuth, IdP
- STP
- Spanning-Tree Protocol (802.1D / 802.1w / 802.1s) — prevents L2 loops by electing a root bridge and blocking redundant ports. Classic 802.1D converges in 30-50s, RSTP in 1-2s. BPDU Guard + Root Guard are the safety belts on access ports. See also: RSTP, VLAN
- Sub-Cloud
- A geographic / regulatory restriction inside a Zscaler cloud — forces a user's traffic to PSEs only in certain countries (e.g. EU-only for GDPR). Configured at policy level so a Frankfurt user never hits a Mumbai PSE even if it is geographically closer for a roamer. See also: ZIA, PSE
- Super-Category
- Zscaler's top-level URL Filtering grouping (e.g. News & Media) that bundles dozens of granular Categories (Newspapers, TV Stations, Magazines). Useful for broad rules; tune at Category level for precision. See also: URL Filtering, Cloud App Control
- SVI
- Switched Virtual Interface — a logical L3 interface on a multilayer switch tied to a VLAN (`interface Vlan10`). Acts as the default gateway for hosts in that VLAN. Needs `no shutdown` + an IP + a member access port to come up. See also: VLAN, Gateway
- Surrogate IP
- ZIA feature that maps a source IP to a SAML-authenticated user for a configurable window — so non-browser apps (curl, native installers) on the same IP get policy applied as that user. Broken on CGNAT / shared-Wi-Fi by design. See also: ZIA, CGNAT, Authentication Frequency
T
- TND (Trusted Network Detection)
- ZCC mechanism that decides "am I on a trusted corporate LAN?" using DNS suffix, DNS server, hostname resolution, or HTTPS reachability of an internal URL. Matched against a Forwarding Profile that swaps PAC / Z-Tunnel / direct mode automatically. See also: ZCC, Forwarding Profile
- TPID
- Tag Protocol Identifier — the 2-byte EtherType that signals an 802.1Q VLAN tag (`0x8100`) or an 802.1ad outer S-tag (`0x88a8`). Mis-matched TPIDs between switch ports = silent untagged dump. See also: VLAN, Q-in-Q, DEI bit
- Trunk
- A switch port that carries multiple VLANs, each frame tagged with 802.1Q (except the native VLAN, which is untagged by default). Inter-switch and switch-to-router uplinks are trunks; user ports should NEVER be. See also: VLAN, Native VLAN, ISL
U
- URL Filtering
- Per-URL-category policy: block adult, allow social-media-only-during-lunch, coach on gambling. ZIA categorises every URL via its in-house classifier + crowd-sourced feedback; admins can override and create custom categories. See also: Cloud App Control, Super-Category, CBI
- User-Agent
- The HTTP header where the client identifies itself (browser, OS, version). Easily spoofed. Used by Zscaler Cloud App Control for app-fingerprinting and by URL Filtering to allow/deny per browser. Coming under deprecation pressure from Chrome's User-Agent Client Hints.
V
- VLAN
- Virtual LAN — a logical L2 broadcast domain identified by a 12-bit VLAN ID (1-4094) in the 802.1Q tag. Lets one physical switch carry many isolated segments. Inter-VLAN routing needs an SVI or router-on-a-stick. See also: SVI, Trunk, Native VLAN
- VLAN Hopping
- Attack that lets a host on one VLAN reach another. Two flavours: switch-spoofing (attacker negotiates a trunk via DTP) and double-tagging (inner tag survives native-VLAN strip on first switch, bleeds into target VLAN). Mitigate: disable DTP, change native VLAN, prune VLANs on trunks. See also: DTP, Native VLAN, VLAN
- VTP
- VLAN Trunking Protocol — Cisco-proprietary protocol that propagates VLAN database changes across a domain. Modes: server, client, transparent, off. A server with a higher revision number entering the network has wiped many production VLAN databases — best practice: VTP transparent or off. See also: VLAN, Trunk
- Voice VLAN
- A switch port can simultaneously be in an access VLAN (PC) and a Voice VLAN (IP phone). The phone learns its tag via CDP/LLDP-MED, sends voice tagged, passes the PC's untagged frames through. Saves a port per desk. See also: VLAN, Trunk
- VPN
- Virtual Private Network — encrypted tunnel that puts a remote device "on the LAN". Site-to-site VPNs join networks (IPSec/GRE); remote-access VPNs put users on the LAN (AnyConnect, GlobalProtect, FortiClient). Zero Trust (ZPA) replaces remote-access VPNs with per-app brokering. See also: IPSec, ZPA, Zero Trust
W
- WDS (was RIS)
- Windows Deployment Services — Microsoft's PXE-based OS imaging server, formerly RIS (Remote Installation Services). Boots clients via DHCP option 66/67, serves a boot image, then the install image. Lives in nearly every enterprise's imaging workflow.
X
- XFF (X-Forwarded-For)
- HTTP header (`X-Forwarded-For: 10.1.2.3, 198.51.100.5`) where each proxy in the chain appends the client IP it saw. Zscaler PSE adds XFF when forwarding upstream, so downstream apps can still see the real user. Trust XFF only from your own proxies, never from the Internet. See also: NAT, PSE, Surrogate IP
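Worked example added by the editor (not part of the original glossary) for the XFF entry above, showing what "trust XFF only from your own proxies" looks like in code: the application starts from the TCP peer address, which nobody upstream can forge, and walks the header right-to-left, skipping hops that belong to its own proxies. The first hop that is not ours is the client. The trusted ranges are constructed placeholders; a real deployment would load the published egress ranges of its proxy service there.

```python
import ipaddress

# Address ranges of our own proxies / proxy-service egress. Constructed for this
# example (RFC 5737 documentation ranges), not real PSE addresses.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def is_trusted_proxy(ip: str) -> bool:
    """True only for addresses inside our own proxy ranges; garbage is never trusted."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def real_client_ip(remote_addr: str, xff_header: str = "") -> str:
    """
    remote_addr is the TCP peer the application actually saw and the only value that
    could not have been written by the client. Walk the XFF chain from the right
    (the hop our nearest proxy appended) leftwards, skipping our own proxies; the
    first address that is not ours is the client.
    """
    if not is_trusted_proxy(remote_addr):
        # Direct connection from the Internet: anything in XFF was supplied by the client.
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return hop
    # Header empty or every hop is one of ours: fall back to the peer address.
    return remote_addr


# Constructed scenarios: (peer address the app saw, XFF header as received).
SCENARIOS = {
    "client via two of our proxies":   ("203.0.113.7", "10.1.2.3, 198.51.100.5"),
    "direct hit with a forged header": ("192.0.2.99", "10.1.2.3"),
    "forged value, then real append":  ("198.51.100.5", "10.1.2.3, 192.0.2.99"),
    "our proxy, no header at all":     ("198.51.100.5", ""),
}

if __name__ == "__main__":
    for label, (peer, xff) in SCENARIOS.items():
        print(f"{label:34} -> {real_client_ip(peer, xff)}")
```

The third scenario is the one that matters for allow-lists and rate limits: the client sent a header claiming to be 10.1.2.3, our proxy appended the address it really saw, and the right-to-left walk returns the real one. Taking the leftmost value, which is what naive parsers do, would hand the client whatever identity it chose to write.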
Z
- Z-App (ZCC)
- Older name for the Zscaler Client Connector — the endpoint agent that forwards ZIA + ZPA + ZDX traffic into the Zero Trust Exchange. Renamed ZCC around 2020. See also: ZCC
- Z-Tunnel 1.0 vs 2.0
- Z-Tunnel 1.0 = HTTP CONNECT tunnel — web traffic (80/443) only, can't carry non-web ports. Z-Tunnel 2.0 = full DTLS/TLS overlay — all ports, all protocols, packet-filter forwarding. 2.0 is the modern default; use 1.0 only for legacy MDMs that can't push a system extension. See also: ZCC, DTLS, Pinned App
- ZCC (Zscaler Client Connector)
- The Zscaler endpoint agent for Win/macOS/Linux/iOS/Android/ChromeOS. Handles SAML login, posture, traffic forwarding (Z-Tunnel 1.0/2.0), and policy fetch. Auto-updated via ZCC Portal; profiles (App / Forwarding / Trusted Network) drive its behaviour. See also: Z-Tunnel, TND, Forwarding Profile, Pinned App
- ZCCP
- Zscaler Certified Cybersecurity Professional — the certification family that covers ZIA Admin, ZIA Engineer, ZPA Admin, ZPA Engineer, ZDX Admin. Replaced the older ZCCA naming. Each track has a labs-heavy exam delivered via Kryterion. See also: ZDTA, Kryterion
- ZDTA
- Zscaler Digital Transformation Architect — the top-tier vendor cert (think "PCNSE of Zscaler"). End-to-end design + troubleshooting across ZIA, ZPA, ZDX. Two parts: written exam + hands-on lab. See also: ZCCP
- ZDX
- Zscaler Digital Experience — passive + synthetic monitoring of user → app paths from the ZCC agent. Measures DNS, TCP, TLS, page-load, app-score, ISP hops, device health. Catches "Zoom is slow" before the helpdesk ticket lands. See also: ZIA, ZPA, ZCC
- ZEN (deprecated → Service Edge)
- Zscaler Enforcement Node — the old name for what is now Public Service Edge / Private Service Edge / Virtual Service Edge. You'll still see "ZEN" in legacy docs, old config screens, and very-old certifications. Same thing, just renamed. See also: PSE
- ZIA
- Zscaler Internet Access — the cloud SWG: URL Filtering, SSL Inspection, AV/ATP, IPS, Cloud Firewall, DNS Control, DLP, CASB-inline, Sandbox, Browser Isolation, Bandwidth Control. The "ZIA half" of the Zero Trust Exchange. See also: ZPA, ZDX, PSE, Sub-Cloud
- ZIdentity
- Zscaler's identity layer — central place to register IdPs, define user groups, and feed identity context into ZIA/ZPA/ZDX policy without configuring SAML separately in each product. See also: IdP, SAML, SCIM
- ZPA
- Zscaler Private Access — cloud-delivered ZTNA. Replaces VPN: App Connectors dial out to the nearest PSE, users (or BAF browsers) connect to the PSE, the PSE brokers a double-encrypted micro-tunnel to the app. No inbound firewall holes. See also: App Connector, App Segment, BAF, PRA
- Zero Trust
- Security model where no entity (user, device, network segment) is trusted by default — every access is authenticated, authorised and continuously validated against context (identity, posture, risk score, destination). NIST 800-207 is the canonical spec. Zscaler is one implementation; BeyondCorp, Cloudflare Access, Tailscale are others. See also: ZPA, ZIA, SASE, HIP