ZIA features vs on-premise solutions

Hi all!

Wanna check: are there any portals or resources that Zscaler has for comparing Zscaler features to other traditional on-premise solutions? E.g. a firewall can be replaced by FWaaS, DLP with Zscaler DLP, etc.

Thank You!

There could be, but better ask Zscaler to do some workshops and meetings for you for free as a potential customer.

  1. ZPA.

ZPA replaces the Remote access VPN and this is nice:

Also, you can now have malware and DLP scanning by first sending the traffic to ZIA and then to ZPA:

  1. ZIA

For on-prem proxy/firewall vs ZIA, from my view, as everyone became remote you better not send the traffic first to your on-prem systems and then to the Internet, but directly to the Internet through Zscaler. It will autoscale and do SSL decryption, as on-prem firewalls seem to not be able to handle that part as well and they can’t autoscale. So here are two pointers: if SSL decryption is needed and the workforce is mostly remote, then Zscaler is really good. Also, most firewalls tend to downgrade to the lowest possible SSL cipher as they are not designed for SSL decryption in large volumes, and you can see this in a traffic capture of the SSL. You can always add an SSL broker like F5 SSL Orchestrator, but it is expensive. For on-prem, Zscaler is still good, as with IPsec or GRE tunnels the traffic will go to the nearest Zscaler data center, but with remote workers Zscaler takes the gold medal. Also, even without ZPA, Zscaler ZIA works with most VPN agents as traffic can be split-tunneled, so the corporate traffic will go through the VPN but the Internet traffic will go to Zscaler ZIA (Best Practices for Zscaler Client Connector and VPN Client Interoperability | Zscaler).

Zscaler is also better than the other cloud proxy vendors that were on-prem vendors before that, as Zscaler is designed for the cloud rather than first being an on-prem solution and then going to the cloud.

You can also ask for the Gartner report to be shared with you from Zscaler’s side that compares Zscaler to the other cloud or on-prem proxy vendors.

  1. DLP

Zscaler is cloud-based DLP, so it scans web traffic (HTTP/HTTPS), but agent DLPs tend to catch more stuff, such as data at rest, though from my experience they cause system issues like high CPU and slowness, and for developers they really slow the code compilation. So it is a little bit of a tradeoff between agent-based DLP and cloud/firewall-based DLP, but as for Zscaler DLP vs other cloud or firewall DLP, Zscaler is really good as they have a lot of options like exact data match, indexed data match, etc. (DLP Indexed Document Match), and Zscaler even has integration with Microsoft Information Protection to use their labels in the DLP, as Microsoft and Zscaler have a good partnership (Defining Microsoft Information Protection Labels for Custom DLP Dictionaries | Zscaler).

  1. Zscaler Cloud Firewall vs other cloud firewall or on-prem firewalls:

The Zscaler firewall is really easy to use and it autoscales when there is more traffic, compared to the on-prem firewalls, but they still need to add the option of creating custom signatures for applications or IPS signatures for the customers. So if you want an easy firewall it is great, but for more complex stuff check with Zscaler about the things I mentioned and when they will be added, as it could be soon. Also, Zscaler has SD-WAN partners for the office-to-Zscaler traffic:

  1. CASB, Web Isolation and sandboxing

You did not ask for this, but Zscaler has advanced options like native Isolation and in-line CASB; it is really important that the cloud app traffic is not sent to another solution that will cause bad performance for cloud apps like Salesforce, Slack, etc. Also, Zscaler uses native sandboxing for content analysis, and an on-prem proxy needs to send this to a cloud or have another expensive on-prem system for this.


I forgot to add that the Zscaler Firewall has the so needed DNS security and control:

Thank you for the information!


Another good thing to know is that customers may use the public Edges for ZPA and ZIA, but then if there is a lot of traffic from other customers, it can cause issues. Zscaler offers Private and Virtual Edges that are dedicated to the customer, and it is good to have this option, as most ZTNA solutions are either dedicated or shared between customers but Zscaler has the two options depending on the customer's budget. The Zscaler Virtual Edge is hosted by Zscaler but it is dedicated, and Private Edges are installed in the customer environment like on-prem solutions: