Understood regarding the firewall. Is IPsec an option? Zscaler supports the use of IPsec tunnels, with the caveat that the bandwidth maximums are not the same as with GRE, and failover is different. However, unlike GRE, you don’t need to come from a fixed IP with an IPsec tunnel.
You can force people to sign into the Z App using the “STRICT ENFORCEMENT” flag when it is installed: https://help.zscaler.com/z-app/customizing-zscaler-app-install-options-msi#se. You can also use Kerberos and IWA: https://help.zscaler.com/zia/about-kerberos-authentication.
The traffic flowing through the Z App may not show the URLs the users are requesting, but the Zscaler portal will! As we move forward with the Z App, it is planned that eventually there will be a full tunnel option. (The current version forwards web traffic.) To that end, netflow tools may not see more of the traffic – this will still be available within Zscaler. We also announced an exciting product, Zscaler Digital Experience (ZDX), at Zenith Live recently that may give you additional exciting options when it comes to visibility in the future!
If you’re looking to cross-correlate information with your netflow tools and have a SIEM and Nanologging with Zscaler, there is also the option to stream Nanologs to the SIEM.