[VIDEO] Session Logging

One of the unique attributes of Zscaler Cloud Connector, given that the services it connects to (ZIA and ZPA) are cloud-based, is its ability to provide logging of cloud workload traffic from within the cloud itself. By now, if you’re familiar with ZIA or ZPA, you know that much of the organization’s traffic is logged from a security standpoint as it passes through the Zero Trust Exchange. Put simply, the Cloud Connector appliance and portal provide another perspective on this traffic by offering visibility into cloud workload traffic as it leaves the cloud. This obviously has merit in troubleshooting, but it also provides value in that even cloud-native traffic that bypasses the Zero Trust Exchange can be logged. For many organizations, having this additional data point is invaluable when reviewing network traffic heuristics.

In this video, we’ll explore:
[0:00 to 1:13] What is Cloud Connector logging? And how does it differ from normal logging?
[1:13 to 1:14] What types of logs are available and how are they accessed?
[1:14 to 4:06] Demonstration of log collection
[4:06 to 4:41] What are the key takeaways?

Transcript

Hello, my name is Aaron and I’m one of the Principal Technical Product Specialists for Zscaler Cloud Workload Protection.

In this video, we’ll discuss how to leverage the logging functionality of the Zscaler Cloud Connector portal.

One of the unique attributes of Zscaler Cloud Connector, given that the services it connects to (ZIA and ZPA) are cloud-based, is its ability to provide logging of cloud workload traffic from within the cloud itself. By now, if you’re familiar with ZIA or ZPA, you know that much of the organization’s traffic is logged from a security standpoint as it passes through the Zero Trust Exchange. Put simply, the Cloud Connector portal provides another perspective on this traffic by offering visibility into cloud workload traffic as it leaves the cloud. This obviously has merit in troubleshooting, but it also provides value in that even cloud-native traffic that bypasses the Zero Trust Exchange can be logged. For many organizations, having this additional data point is invaluable when reviewing network traffic heuristics.

Furthermore, this logging also adds an additional layer of visibility over traditional connectivity options like IPsec and GRE.

Be sure to check out the video on Nanolog Streaming Service integration with Cloud Connector as well. NSS gives us the ability to export the Cloud Connector logs to a SIEM or other event manager for further external processing.

You can access logging information from the Cloud Connector portal Analytics tab.

The tab is broken into three sections: Session Insights, DNS Insights, and Tunnel Insights.

Session Insights, as the name would suggest, provides logging on data path sessions that cross over the Cloud Connector appliances: such as the source and destination of traffic, originating VPC or VNet, protocol, port, and what the disposition of the traffic was.

DNS Insights provides visibility into DNS traffic that crosses the appliance. This is particularly useful in ZPA use-cases where the appliance is proxying traffic using synthetic IP addresses, but it also provides a bit of visibility into the domains being queried by cloud workloads that are outside the organization. You’ll find information on the DNS request itself, the resolved IP, and the disposition of the traffic.

Tunnel Insights provides a glimpse into the data tunnels that are created from the appliance towards the Zero Trust Exchange. Here, you can view the source VPC or VNet the Cloud Connector sits within, its public IP as well as the Zscaler IP address used to terminate the far end of the data tunnel.

All of these log outputs can be filtered as well, allowing administrators to zero in on specific hosts, timeframes, appliances, or a range of other criteria. Here, we will narrow down our Session Insights log to the previous 60 minutes and focus in on one of our cloud workloads at 10.2.1.81. Note the other criteria available for matching as well. Depending on your output, you may also choose to re-sort by any of the columns to bring more relevant data to the top.

Let’s generate a bit of traffic from one of our test hosts and follow it through the network. Logging in to our host at 10.2.1.81, let’s open a web browser and navigate to a few websites. First and foremost, some general connectivity checks to ip.zscaler.com and perhaps some random websites like Disney and ESPN. Of course, a staple in any engineering toolbag, let’s check our IP address with ipinfo.io. And maybe again through ipaddress.my. Interestingly, did you note how the IP address was different? One showed as an AWS address, the other showed as a ZIA address. Let’s check the logs to see what happened.

From the Session Insights tab, let’s narrow our logs down to our 10.2.1.81 host again. Here, we see our traffic to ESPN, Disney, ip.zscaler.com and ipinfo.io. Note how all of these use ZIA as the Forwarding Method. Our request to ipaddress.my, however, went Direct. This is because of a Forwarding Rule we have configured for that specific website. You can learn more about Traffic Forwarding rules in the Forwarding Policy video.

Moving into the ZIA dashboard, from the Web Insights log, we can review this same traffic as it was seen entering the Zero Trust Exchange.

– Cloud Connector appliances log control and data traffic within the Cloud Connector portal

– These logs provide a separate vantage point for engineers seeking to review network traffic as it passes out of the cloud

– Logs are split into three categories: Session, DNS, and Tunnel Insights. Each of these logs provides unique statistics on the traffic that passes through the Cloud Connector as well as the traffic originated by the Cloud Connector

– You can use Nanolog Streaming Service (NSS) to export these logs to an external event collector for further processing
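A small audit over constructed session records, as an added example (not Zscaler's or the video's code): it mirrors the Session Insights fields named above (source, destination, VPC/VNet, protocol, port, disposition, forwarding method) as JSON lines such as an NSS feed into a SIEM might carry, with the record layout being an assumption. It flags sessions that went Direct to a destination with no known Forwarding Rule, optionally narrowed to one source host like the portal filter on 10.2.1.81, and summarises forwarding methods per source.

```python
# Added example, not Zscaler code. The record layout is an assumption that mirrors
# the Session Insights columns named in the video, carried as JSON lines.
import json
from collections import Counter

# Constructed sample records (not real log output).
SAMPLE_LOG = """\
{"src": "10.2.1.81", "dst": "ip.zscaler.com", "vpc": "vpc-workload-a", "proto": "TCP", "dport": 443, "action": "allowed", "fwd": "ZIA"}
{"src": "10.2.1.81", "dst": "ipinfo.io", "vpc": "vpc-workload-a", "proto": "TCP", "dport": 443, "action": "allowed", "fwd": "ZIA"}
{"src": "10.2.1.81", "dst": "ipaddress.my", "vpc": "vpc-workload-a", "proto": "TCP", "dport": 443, "action": "allowed", "fwd": "Direct"}
{"src": "10.2.1.81", "dst": "203.0.113.10", "vpc": "vpc-workload-a", "proto": "TCP", "dport": 22, "action": "allowed", "fwd": "Direct"}
{"src": "10.2.2.15", "dst": "internal-app", "vpc": "vpc-workload-b", "proto": "TCP", "dport": 8443, "action": "allowed", "fwd": "ZPA"}
{"src": "10.2.2.15", "dst": "198.51.100.7", "vpc": "vpc-workload-b", "proto": "UDP", "dport": 53, "action": "blocked", "fwd": "Direct"}
"""

# Destinations deliberately sent Direct by a Forwarding Rule (assumed allow-list;
# the video mentions one such rule for ipaddress.my).
EXPECTED_DIRECT = {"ipaddress.my"}

def parse_sessions(text):
    """Parse JSON-lines session records, skipping blank or malformed lines."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            sessions.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a feed may carry partial lines; do not abort the audit
    return sessions

def unexpected_bypasses(sessions, expected=EXPECTED_DIRECT, src=None):
    """Sessions that went Direct (bypassing the Zero Trust Exchange) to a
    destination with no known Forwarding Rule; optionally one source host."""
    return [s for s in sessions
            if s.get("fwd") == "Direct"
            and s.get("dst") not in expected
            and (src is None or s.get("src") == src)]

def forwarding_summary(sessions):
    """Count sessions per (source, forwarding method) for a quick review."""
    return Counter((s["src"], s["fwd"]) for s in sessions)

if __name__ == "__main__":
    recs = parse_sessions(SAMPLE_LOG)
    for s in unexpected_bypasses(recs):
        print(f"bypass: {s['src']} -> {s['dst']}:{s['dport']}/{s['proto']} ({s['action']})")
    print(forwarding_summary(recs))
```

Any destination reported here is either a Forwarding Rule the allow-list has not caught up with or traffic leaving the cloud unseen by the Zero Trust Exchange; the second is what the ZIA Web Insights log alone would never show.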
