Would the ZPA support DLP for the internal applications and WAF granular control on the rules/signatures?


After reading About the ZPA Cloud Architecture | Zscaler, I think that the Zscaler App Connector acts as an SSL client to the real application, and this is why the Zscaler services are actually able to see the decrypted traffic, if I am not wrong. Maybe in this way the Zscaler service supports the new WAF-like inspection feature "Web Application Security" (Zscaler Private Access Inspection | Web Application Security - YouTube), so if the ZPA sees the decrypted application traffic, it should be able to do DLP?

Also, for the new Web Application Firewall feature, that is "Web Application Security", can you write custom signatures/rules, or be able to turn off a rule/signature that triggers a false positive just for the affected user-agent, source IP address, URL, or hostname? Basically I am asking what granular control you have on the rules/signatures (just enable, disable, or something more)?

Maybe the DLP is on the Zscaler road map.

After playing with ZPA, it seems that it still does not have DLP, and the only option seems to be to send the traffic to ZIA for DLP, and it seems that Zscaler can help with that:

The solution seems to use a forwarding policy on the ZIA to send the traffic to the ZPA. As the traffic goes first through the ZIA, the malware scanning and sandboxing, DLP, and IPS signatures for non-web traffic can be used on the traffic, and then the traffic goes to the ZPA: