Zscaler Internet Access (ZIA) MCP Server
Create a powerful Model Context Protocol (MCP) server for Zscaler Internet Access in minutes with our AI Gateway. This guide walks you through setting up seamless cloud security integration with web gateway capabilities and instant API authentication.
About Zscaler Internet Access API
Zscaler Internet Access (ZIA) is a cloud-native security service edge (SSE) platform that provides secure internet and web gateway services. The API enables comprehensive management of security policies, user access, threat protection, and data protection capabilities.
Key Capabilities
- Web Security: URL filtering, malware protection, sandboxing
- Data Protection: DLP, CASB, file type control
- User Management: Authentication, user policies, locations
- SSL Inspection: Decrypt and inspect encrypted traffic
- Bandwidth Control: Application control, QoS policies
- Threat Intelligence: Real-time threat feeds, IoC management
- Cloud App Control: SaaS application visibility and control
- Reporting: Analytics, logs, and compliance reports
API Features
- RESTful API: JSON over HTTPS
- API Key Authentication: Secure access
- Rate Limiting: Fair usage policies
- Bulk Operations: Mass policy updates
- Activation: Policy deployment control
- Audit Trail: Change tracking
- Sandbox Integration: Advanced threat analysis
- Real-time Updates: Immediate policy enforcement
What You Can Do with Zscaler ZIA MCP Server
The MCP server turns the Zscaler ZIA API into a natural-language interface, enabling AI agents to:
Security Policy Management
- URL Filtering
  - "Block access to gambling sites"
  - "Allow YouTube for marketing team"
  - "Create custom URL category"
  - "Update blocked URL list"
- Malware Protection
  - "Enable advanced threat protection"
  - "Configure sandbox settings"
  - "Set file type policies"
  - "Update AV scanning rules"
- SSL Inspection
  - "Enable SSL inspection for users"
  - "Exclude banking sites from inspection"
  - "Configure certificate policies"
  - "Manage SSL bypass list"
User & Authentication
- User Management
  - "Add new user to system"
  - "Assign user to department"
  - "Update user policies"
  - "Bulk import users"
- Authentication
  - "Configure SAML integration"
  - "Set up LDAP sync"
  - "Enable MFA requirements"
  - "Manage auth exemptions"
- Location Management
  - "Add branch office location"
  - "Configure location policies"
  - "Set bandwidth limits"
  - "Manage IP addresses"
Data Protection
- DLP Policies
  - "Create credit card DLP rule"
  - "Block file uploads to personal storage"
  - "Configure PII detection"
  - "Set DLP notifications"
- Cloud App Control
  - "Block unsanctioned cloud apps"
  - "Allow Office 365 access"
  - "Monitor Shadow IT"
  - "Control app features"
- File Type Control
  - "Block executable downloads"
  - "Scan PDF files"
  - "Allow specific file types"
  - "Configure quarantine"
Network Security
- Firewall Policies
  - "Create outbound firewall rule"
  - "Block specific ports"
  - "Allow application traffic"
  - "Configure NAT policies"
- Bandwidth Management
  - "Set bandwidth limits"
  - "Prioritize business apps"
  - "Throttle streaming"
  - "Configure QoS"
- DNS Security
  - "Block malicious domains"
  - "Configure DNS filtering"
  - "Set sinkhole addresses"
  - "Monitor DNS queries"
Monitoring & Analytics
- Security Analytics
  - "Show blocked threats today"
  - "List top blocked categories"
  - "Track malware detections"
  - "Monitor policy violations"
- User Activity
  - "Show user web activity"
  - "Track bandwidth usage"
  - "Monitor risky users"
  - "Generate user reports"
- Threat Intelligence
  - "View threat dashboard"
  - "Track zero-day threats"
  - "Monitor C&C traffic"
  - "Export IoC data"
Administration
- Policy Activation
  - "Activate pending changes"
  - "Schedule activation"
  - "Review changes"
  - "Rollback policies"
- Admin Management
  - "Create admin account"
  - "Set role permissions"
  - "Configure audit settings"
  - "Manage API keys"
- System Configuration
  - "Configure cloud locations"
  - "Set global policies"
  - "Manage licenses"
  - "Configure integrations"
Prerequisites
- Access to Cequence AI Gateway
- Zscaler ZIA tenant
- Admin credentials
- API key generation permissions
Step 1: Configure Zscaler ZIA API Access
1.1 Generate API Key
- Log in to Zscaler ZIA Admin Portal
- Navigate to Administration > API Key Management
- Click Add API Key
- Configure:
  - Key Name: "AI Gateway Integration"
  - Admin Account: Select admin user
  - Key Expiration: Set appropriately
1.2 Configure Base URL
Your ZIA cloud name determines the base URL:
- Beta: https://<cloudname>.api.zscalerbeta.net
- Production: https://<cloudname>.api.zscaler.net
1.3 Note Credentials
Save:
- Cloud Name
- API Key
- Admin Username
- Admin Password
1.4 Configure IP Allowlist (Optional)
- Go to Administration > Admin Portal Settings
- Add AI Gateway IP addresses
- Enable API access restrictions
Steps 2-4: Standard Setup
Follow the standard steps to access the AI Gateway, find the Zscaler ZIA API, and create the MCP server.
Step 5: Configure API Endpoints
- Base URL: https://<cloudname>.api.zscaler.net/api/v1
- Cloud Name: Your ZIA instance name
- API Version: v1
- Click Next
Step 6: MCP Server Configuration
- Name: "Zscaler ZIA"
- Description: "Cloud security web gateway"
- Session Timeout: 30 minutes
- Click Next
Step 7: Configure Authentication
- Authentication Type: API Key + Basic Auth
- API Key: From API Key Management
- Username: Admin username
- Password: Admin password
- Session Management: Enable cookie handling
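What the gateway does behind "API Key + Basic Auth" with cookie handling, shown as an added example that is not part of this page or of Cequence's code: the login flow documented for the ZIA legacy API, in which the API key is obfuscated with the request timestamp, posted to /api/v1/authenticatedSession together with the admin username and password, and the returned JSESSIONID cookie is replayed on every later call. The cloud name, API key, credentials and Set-Cookie header below are constructed.

```javascript
// Added example (not Cequence's or Zscaler's code); endpoint and obfuscation
// follow Zscaler's public ZIA API documentation. All values are constructed.
const SAMPLE = {
  cloudName: 'zscalerthree',          // constructed cloud name
  apiKey: 'AbCdEfGhIjKl',             // constructed 12-character API key
  username: 'admin@company.com',
  password: 'your-password',
  nowMs: 1700000000123,               // fixed timestamp so the output is repeatable
  setCookie: 'JSESSIONID=DEADBEEF1234; Path=/; Secure; HttpOnly', // constructed reply header
};

// ZIA never receives the raw API key. The last six digits of the millisecond
// timestamp, and half of that number, select characters out of the key.
function obfuscateApiKey(apiKey, nowMs) {
  const n = String(nowMs).slice(-6);
  const r = String(Number(n) >> 1).padStart(6, '0');
  let key = '';
  for (const d of n) key += apiKey[Number(d)];
  for (const d of r) key += apiKey[Number(d) + 2];
  return key;
}

// Login request: obfuscated key, the timestamp it was derived from, and the
// admin credentials (the "API Key + Basic Auth" pairing from Step 7).
function buildLoginRequest({ cloudName, apiKey, username, password, nowMs }) {
  return {
    method: 'POST',
    url: `https://${cloudName}.api.zscaler.net/api/v1/authenticatedSession`,
    headers: { 'Content-Type': 'application/json', 'Cache-Control': 'no-cache' },
    body: JSON.stringify({ apiKey: obfuscateApiKey(apiKey, nowMs), username, password, timestamp: nowMs }),
  };
}

// The session lives in a JSESSIONID cookie; "Enable cookie handling" means
// replaying it, since a call without it is simply unauthenticated.
function sessionCookieFrom(setCookieHeader) {
  const m = /JSESSIONID=([^;]+)/.exec(setCookieHeader || '');
  return m ? `JSESSIONID=${m[1]}` : null;
}
function buildApiRequest(cloudName, cookie, method, path) {
  if (!cookie) throw new Error('no ZIA session cookie; authenticate first');
  return { method, url: `https://${cloudName}.api.zscaler.net/api/v1${path}`, headers: { Cookie: cookie } };
}

// Whole flow on constructed data: login, cookie capture, one authenticated
// call (GET /status), and the DELETE that ends the session.
function demo(s = SAMPLE) {
  const login = buildLoginRequest(s);
  const cookie = sessionCookieFrom(s.setCookie);
  const status = buildApiRequest(s.cloudName, cookie, 'GET', '/status');
  const logout = buildApiRequest(s.cloudName, cookie, 'DELETE', '/authenticatedSession');
  return { login, cookie, status, logout };
}
```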
Available Zscaler ZIA API Operations
Security Policy APIs
- URL Filtering
  - URL categories
  - Custom categories
  - URL lookup
  - Allow/block lists
- Security Policies
  - Malware policies
  - Advanced threat
  - File policies
  - SSL policies
User Management APIs
- Users
  - Create/update users
  - User groups
  - Departments
  - VIP users
- Authentication
  - SAML config
  - Auth exemptions
  - Identity providers
Data Protection APIs
- DLP
  - DLP dictionaries
  - DLP rules
  - Incident management
  - EDM configuration
- Cloud Apps
  - Application control
  - Sanctioned apps
  - Cloud app rules
Network APIs
- Locations
  - Location management
  - Location groups
  - VPN credentials
  - GRE tunnels
- Firewall
  - Filtering rules
  - NAT rules
  - Application control
Admin APIs
- Configuration
- Activation
- Admin accounts
- Audit logs
- API sessions
Steps 8-10: Complete Setup
Configure security settings, choose deployment options, and deploy your server.
Using Your Zscaler ZIA MCP Server
With Claude Desktop
```json
{
  "servers": {
    "zscaler-zia": {
      "url": "your-mcp-server-url",
      "auth": {
        "type": "custom",
        "api_key": "your-api-key",
        "username": "admin@company.com",
        "password": "your-password",
        "cloud_name": "your-cloud"
      }
    }
  }
}
```
Natural Language Commands
- "Block all social media sites for contractors"
- "Enable SSL inspection for all users except executives"
- "Show me today's threat detection summary"
- "Create DLP rule to prevent SSN uploads"
- "Add new branch office location with split tunneling"
API Integration Example
```javascript
// MCPClient and its zscaler.* helpers come from the AI Gateway MCP client;
// the page does not give the import path, so a placeholder is used here.
import { MCPClient } from '<mcp-client-package>';
import { readFile } from 'node:fs/promises';

// Initialize MCP client. In a real deployment load the API key and admin
// password from an environment variable or secret store, not from source.
const mcpClient = new MCPClient({
  serverUrl: 'your-mcp-server-url',
  auth: {
    type: 'custom',
    apiKey: 'your-api-key',
    username: 'admin@company.com',
    password: 'your-password',
    cloudName: 'your-cloud'
  }
});

// Authenticate and get session
const session = await mcpClient.zscaler.authenticate();
console.log(`Session established, expires in ${session.expiresIn} seconds`);

// Create URL filtering rule
const urlRule = await mcpClient.zscaler.createURLFilteringRule({
  name: 'Block Malicious Sites',
  order: 1,
  protocols: ['HTTP', 'HTTPS'],
  urlCategories: [
    'MALWARE_SITES',
    'PHISHING',
    'BOTNETS',
    'SPAM_URLS'
  ],
  action: 'BLOCK',
  state: 'ENABLED',
  description: 'Block known malicious websites',
  locations: ['ALL'],
  groups: ['ALL'],
  departments: ['ALL'],
  users: ['ALL']
});

// Create custom URL category
const customCategory = await mcpClient.zscaler.createCustomURLCategory({
  name: 'Approved Cloud Storage',
  description: 'Company-approved cloud storage services',
  urls: [
    'box.com',
    'dropbox.com/business',
    'drive.google.com',
    'onedrive.live.com'
  ],
  dbCategorizedUrls: [],
  customCategory: true,
  type: 'URL_CATEGORY'
});

// Configure DLP rule
const dlpRule = await mcpClient.zscaler.createDLPRule({
  name: 'Protect Financial Data',
  order: 1,
  protocols: ['HTTP', 'HTTPS', 'FTP'],
  fileTypes: ['ALL'],
  dlpDictionaries: [
    { id: 1, name: 'Credit Cards' },
    { id: 2, name: 'US Social Security Numbers' },
    { id: 5, name: 'Financial Statements' }
  ],
  minSize: 0,
  action: 'BLOCK',
  state: 'ENABLED',
  description: 'Block uploads of financial data',
  locations: ['ALL'],
  locationGroups: ['ALL'],
  groups: ['ALL'],
  departments: ['ALL'],
  users: ['ALL'],
  urlCategories: ['WEBMAIL', 'PERSONAL_STORAGE'],
  excludedUrlCategories: ['APPROVED_CLOUD_STORAGE'],
  notificationTemplate: {
    id: 1,
    name: 'DLP Violation Notice'
  }
});

// Add user with specific policies
const user = await mcpClient.zscaler.createUser({
  name: 'john.doe@company.com',
  email: 'john.doe@company.com',
  groups: [
    { id: 123, name: 'Sales Team' }
  ],
  department: {
    id: 456,
    name: 'Sales'
  },
  comments: 'New sales team member',
  tempAuthEmail: 'john.doe@company.com',
  adminUser: false,
  type: 'USER'
});

// Configure location with policies
const location = await mcpClient.zscaler.addLocation({
  name: 'Boston Branch Office',
  description: 'Boston office location',
  country: 'US',
  state: 'MA',
  city: 'Boston',
  vpnCredentials: [
    {
      type: 'UFQDN',
      fqdn: 'boston.company.com',
      preSharedKey: 'secure-psk-key' // placeholder: generate a strong PSK and keep it out of source
    }
  ],
  ipAddresses: ['203.0.113.0/24'],
  ports: '80,443,8080-8090',
  vpnEnabled: true,
  sslScanEnabled: true,
  zappSSLScanEnabled: true,
  bandwidthControl: {
    uploadBandwidth: 100, // Mbps
    downloadBandwidth: 500 // Mbps
  }
});

// Create application control rule
const appControlRule = await mcpClient.zscaler.createAppControlRule({
  name: 'Control Streaming Applications',
  order: 2,
  applications: [
    'YOUTUBE',
    'NETFLIX',
    'SPOTIFY',
    'TWITCH'
  ],
  action: 'CAUTION',
  state: 'ENABLED',
  description: 'Warn users about streaming during business hours',
  timeWindows: [
    {
      name: 'Business Hours',
      startTime: '09:00',
      endTime: '17:00',
      days: ['MON', 'TUE', 'WED', 'THU', 'FRI']
    }
  ],
  locations: ['ALL'],
  groups: ['ALL'],
  departments: ['ALL'],
  excludedDepartments: [
    { id: 789, name: 'Marketing' }
  ]
});

// Configure SSL inspection
const sslInspectionRule = await mcpClient.zscaler.createSSLInspectionRule({
  name: 'SSL Inspection Policy',
  order: 1,
  protocols: ['HTTPS'],
  state: 'ENABLED',
  description: 'Inspect SSL traffic except for sensitive sites',
  locations: ['ALL'],
  groups: ['ALL'],
  departments: ['ALL'],
  users: ['ALL'],
  urlCategories: ['ALL'],
  excludedUrlCategories: [
    'BANKING',
    'HEALTH',
    'GOVERNMENT'
  ],
  excludedDomains: [
    '*.mybank.com',
    '*.healthcare-provider.com'
  ]
});

// Create firewall filtering rule
const firewallRule = await mcpClient.zscaler.createFirewallRule({
  name: 'Block Unauthorized Ports',
  order: 1,
  state: 'ENABLED',
  action: 'BLOCK',
  description: 'Block non-standard ports',
  sourceIpGroups: ['ALL'],
  destIpGroups: ['ANY'],
  destPorts: [
    { start: 1, end: 79 },
    { start: 81, end: 442 },
    { start: 444, end: 65535 }
  ],
  protocols: ['TCP', 'UDP'],
  locations: ['ALL'],
  groups: ['ALL'],
  departments: ['ALL']
});

// Configure bandwidth control
const bandwidthRule = await mcpClient.zscaler.createBandwidthRule({
  name: 'Limit Streaming Bandwidth',
  order: 1,
  bandwidthControl: {
    uploadLimit: 10, // Mbps
    downloadLimit: 50 // Mbps
  },
  applications: ['YOUTUBE', 'NETFLIX', 'STREAMING'],
  urlCategories: ['STREAMING_MEDIA'],
  locations: ['ALL'],
  groups: ['ALL'],
  departments: ['ALL'],
  excludedGroups: [
    { id: 999, name: 'Executives' }
  ]
});

// Get security dashboard data
const dashboard = await mcpClient.zscaler.getSecurityDashboard({
  from: new Date(Date.now() - 24 * 60 * 60 * 1000), // Last 24 hours
  to: new Date()
});
console.log('\nSecurity Summary:');
console.log(`Blocked Threats: ${dashboard.blockedThreats}`);
console.log(`Malware Detected: ${dashboard.malwareCount}`);
console.log(`Phishing Attempts: ${dashboard.phishingCount}`);
console.log(`DLP Violations: ${dashboard.dlpViolations}`);
console.log(`Policy Violations: ${dashboard.policyViolations}`);

// Monitor user activity
const userActivity = await mcpClient.zscaler.getUserActivity({
  user: 'john.doe@company.com',
  from: new Date(Date.now() - 7 * 24 * 60 * 60 * 1000),
  to: new Date(),
  type: 'BLOCKED_TRANSACTIONS'
});
console.log(`\nUser Activity for ${userActivity.user}:`);
userActivity.activities.forEach(activity => {
  console.log(`- ${activity.timestamp}: ${activity.action} - ${activity.url}`);
});

// Sandbox file analysis: read the sample to submit (path is illustrative)
const fileBuffer = await readFile('./suspicious-document.exe');
const sandboxSubmission = await mcpClient.zscaler.submitToSandbox({
  file: fileBuffer,
  fileName: 'suspicious-document.exe',
  forceAnalysis: true
});

// Fetch the sandbox report for the submitted hash
const sandboxReport = await mcpClient.zscaler.getSandboxReport({
  md5Hash: sandboxSubmission.md5Hash,
  details: 'full'
});
if (sandboxReport.verdict === 'MALICIOUS') {
  // Add to block list
  await mcpClient.zscaler.addToBlocklist({
    md5Hash: sandboxReport.md5Hash,
    sha256Hash: sandboxReport.sha256Hash,
    fileName: sandboxReport.fileName,
    malwareType: sandboxReport.malwareType,
    action: 'BLOCK'
  });
}

// Activate configuration changes (nothing above takes effect until activation)
const activation = await mcpClient.zscaler.activateChanges({
  comments: 'Deploy security policy updates'
});
console.log(`\nActivation Status: ${activation.status}`);
console.log(`Estimated Time: ${activation.estimatedTime} seconds`);

// Wait for activation to complete
await mcpClient.zscaler.waitForActivation({
  activationId: activation.id,
  timeout: 300000 // 5 minutes
});

// Generate compliance report
const complianceReport = await mcpClient.zscaler.generateReport({
  type: 'COMPLIANCE',
  reportName: 'Monthly Security Compliance',
  filters: {
    startTime: new Date('2025-01-01'),
    endTime: new Date('2025-01-31'),
    locations: ['ALL'],
    departments: ['ALL']
  },
  sections: [
    'SECURITY_POLICY_COMPLIANCE',
    'DLP_VIOLATIONS',
    'SSL_INSPECTION_COVERAGE',
    'USER_RISK_SCORE'
  ],
  format: 'PDF',
  emailRecipients: ['security@company.com']
});

// Export logs for SIEM
const logs = await mcpClient.zscaler.exportLogs({
  type: 'WEB',
  from: new Date(Date.now() - 60 * 60 * 1000), // Last hour
  to: new Date(),
  format: 'JSON',
  fields: [
    'timestamp',
    'user',
    'srcip',
    'dstip',
    'url',
    'action',
    'threatname',
    'dlpdictionary'
  ]
});

// Threat intelligence feed
const threatFeed = await mcpClient.zscaler.getThreatIntelligence({
  type: 'RECENT_THREATS',
  limit: 100,
  categories: ['MALWARE', 'PHISHING', 'BOTNET']
});
threatFeed.threats.forEach(threat => {
  console.log(`Threat: ${threat.name}`);
  console.log(`Type: ${threat.type}`);
  console.log(`First Seen: ${threat.firstSeen}`);
  console.log(`IoCs: ${threat.indicators.join(', ')}`);
});
```
Common Use Cases
Web Security
- URL filtering and categorization
- Malware and threat protection
- Phishing prevention
- SSL/TLS inspection
Data Protection
- DLP policy enforcement
- Cloud app security
- File type control
- Sensitive data monitoring
Access Control
- User-based policies
- Location-based rules
- Time-based restrictions
- Department policies
Compliance
- Regulatory compliance
- Audit logging
- Policy reporting
- Incident management
Best Practices
- Policy Design:
  - Start with broad policies
  - Use order for precedence
  - Test before activation
  - Document policy intent
- Performance:
  - Minimize SSL bypass
  - Use location policies
  - Optimize rule order
  - Monitor activation time
- Security:
  - Regular policy reviews
  - Monitor admin actions
  - Use least privilege
  - Enable MFA
Troubleshooting
Common Issues
- Authentication Errors
  - Verify API key validity
  - Check admin credentials
  - Confirm cloud name
  - Review IP restrictions
- Policy Conflicts
  - Check rule order
  - Review overlapping rules
  - Verify group membership
  - Test with policy simulator
- Activation Issues
  - Monitor activation queue
  - Check for errors
  - Verify all locations
  - Review change summary
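The "Use order for precedence" best practice and the "Check rule order" / "Review overlapping rules" troubleshooting steps both come down to the same mechanics, shown here as an added example that is not Cequence's or Zscaler's code: the first enabled rule in ascending order whose scope matches decides the action, so a later rule whose categories and groups are fully covered by an earlier one can never fire. The rule objects mirror the URL filtering fields used on this page; the rule set and the default action applied when nothing matches are constructed assumptions.

```javascript
// Added example (not Cequence's or Zscaler's code): ordered-rule evaluation and
// shadowed-rule detection. Rule set and default action below are constructed.
const RULES = [
  { name: 'Block Malicious Sites', order: 1, state: 'ENABLED', action: 'BLOCK',
    urlCategories: ['MALWARE_SITES', 'PHISHING'], groups: ['ALL'] },
  { name: 'Allow YouTube for Marketing', order: 2, state: 'ENABLED', action: 'ALLOW',
    urlCategories: ['STREAMING_MEDIA'], groups: ['Marketing'] },
  { name: 'Block Streaming', order: 3, state: 'ENABLED', action: 'BLOCK',
    urlCategories: ['STREAMING_MEDIA'], groups: ['ALL'] },
  { name: 'Allow Streaming for Sales', order: 4, state: 'ENABLED', action: 'ALLOW',
    urlCategories: ['STREAMING_MEDIA'], groups: ['Sales'] },  // never reached: order 3 wins
  { name: 'Old Gambling Block', order: 5, state: 'DISABLED', action: 'BLOCK',
    urlCategories: ['GAMBLING'], groups: ['ALL'] },           // disabled rules are skipped
];

// Enabled rules, lowest order first: the precedence in which they are consulted.
const activeInOrder = rules =>
  rules.filter(r => r.state === 'ENABLED').sort((a, b) => a.order - b.order);

// A scope of ['ALL'] matches everything; otherwise the value must be listed.
const inScope = (scope, value) => scope.includes('ALL') || scope.includes(value);

// The first enabled rule whose category and group scope both match decides the
// action. When no rule matches, an implicit default (assumed ALLOW here) applies.
function evaluate(rules, { category, group }) {
  const hit = activeInOrder(rules).find(
    r => inScope(r.urlCategories, category) && inScope(r.groups, group));
  return hit ? { action: hit.action, rule: hit.name } : { action: 'ALLOW', rule: null };
}

// `earlier` fully covers `later` when every category and every group that `later`
// could match is already matched by `earlier`, so `later` can never be decisive.
function covers(earlier, later) {
  const all = (scope, sub) => scope.includes('ALL') || sub.every(v => scope.includes(v));
  return all(earlier.urlCategories, later.urlCategories) && all(earlier.groups, later.groups);
}

// Names of enabled rules shadowed by a higher-precedence rule: the candidates to
// look at first when a rule "does not work" after activation.
function shadowedRules(rules) {
  const ordered = activeInOrder(rules);
  return ordered
    .filter((r, i) => ordered.slice(0, i).some(e => covers(e, r)))
    .map(r => r.name);
}
```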
Getting Help
- Documentation: AI Gateway Docs
- Support: support@cequence.ai
- Zscaler Help: help.zscaler.com