ZPA Block access to untrusted networks (e.g. home office)

Hello All,

We are currently evaluating Zscaler Private Access.
Our current company policy states that access from a corporate machine to resources in an untrusted/home office network should be blocked. We are enforcing this via AnyConnect currently.
How can we enforce this behavior via ZPA? Currently I can access my FritzBox in my home office when using ZIA+ZPA only.
For sure, IP ranges cannot be statically defined, because every home office or hotel network might have a different one.

Many thanks!

Philip

Hi @D4rkie, not sure if you can achieve this with Zscaler, since Zscaler is not a full-tunnel VPN solution, so it can’t redirect all traffic towards ZPA. Hence local network traffic can’t be controlled by ZPA.

Hi @rawat.pardeep, thanks for the reply! I would really wonder if it is not possible since ZPA claims to be a ZTNA solution where every access is controlled by Zscaler Policy enforcement nodes. In this case, such access is not secure in any way so it violates ZT principles.

Let's see if anyone has any idea about it.

You could add all the RFC1918 addresses to a ZPA app segment so ZPA intercepts them.
Not sure if that would work as you would still need access to your default gateway and DNS on those addresses.

Hello @GordonWright,
I added 192.168.0.0/16 and 172.16.0.0/12 to my ZPA app segment and it seems to work.
Will continue verifying the topic.

Zero-Trust is more about the corporate network having Zero-Trust, not the machine having Zero-Trust itself. The reason AnyConnect did what you are wanting is because you didn’t use a Split-Tunnel configuration, which forced all traffic down the VPN tunnel. With ZPA, this is not the case. With Zero-Trust, you don’t blindly send all traffic, you selectively send traffic, which means any non-selected traffic will still go somewhere. ZPA isn’t meant to be a firewall solution. You could definitely add the RFC1918 subnets into an App Segment, but then you no longer have Zero-Trust and have a VPN solution that is wide open and allows for all kinds of lateral movement.
What you want is the client-side firewall to manage connectivity when not on a corporate network, which can be done via the various profiles in the Windows Firewall, but honestly you will probably want something more powerful than the basic Windows Firewall.
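As an added illustration of the client-side firewall approach described in this reply (example script, not from the thread or from Zscaler), the following PowerShell uses the built-in NetSecurity cmdlets to block outbound traffic to the RFC1918 ranges only while the endpoint is on the Private or Public profile, leaving the Domain profile (corporate network) untouched. The rule group name is a hypothetical placeholder; DNS and DHCP are carved out so the machine can still obtain a lease and resolve names through the home router.

```powershell
# Added example (not from the thread or from Zscaler): isolate a corporate Windows
# endpoint from RFC1918 ranges while it sits on an untrusted network. Relies on
# Windows' own network-location detection: rules are scoped to Private and Public,
# so nothing changes while the machine is on the Domain profile. Run elevated.
$GroupName = 'Corp - Untrusted network isolation'   # hypothetical rule group name
$Rfc1918   = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
$Profiles  = @('Private', 'Public')

# Remove earlier copies of these rules so the script is idempotent.
Get-NetFirewallRule -Group $GroupName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Block all outbound TCP to private ranges (router admin UI, NAS, printers, other hosts).
New-NetFirewallRule -DisplayName 'Block RFC1918 outbound (TCP)' -Group $GroupName `
    -Direction Outbound -Action Block -Protocol TCP -RemoteAddress $Rfc1918 `
    -Profile $Profiles -Enabled True | Out-Null

# Block outbound UDP to the same ranges, except DNS (53) and DHCP (67/68).
# Windows evaluates block rules before allow rules, so the exceptions have to be
# carved out of the block rule's port list rather than added as separate allow rules.
New-NetFirewallRule -DisplayName 'Block RFC1918 outbound (UDP, except DNS/DHCP)' -Group $GroupName `
    -Direction Outbound -Action Block -Protocol UDP -RemoteAddress $Rfc1918 `
    -RemotePort @('1-52', '54-66', '69-65535') -Profile $Profiles -Enabled True | Out-Null

# Block ICMPv4 too, so neighbouring hosts cannot be pinged or discovered that way.
New-NetFirewallRule -DisplayName 'Block RFC1918 outbound (ICMPv4)' -Group $GroupName `
    -Direction Outbound -Action Block -Protocol ICMPv4 -RemoteAddress $Rfc1918 `
    -Profile $Profiles -Enabled True | Out-Null

# Show what is now in place, including the profile scoping, for verification.
Get-NetFirewallRule -Group $GroupName |
    Select-Object DisplayName, Profile, Action, Enabled |
    Format-Table -AutoSize
```

ZPA/ZCC traffic itself goes to public Zscaler addresses and is not affected by these rules; if the home network uses an unusual range outside RFC1918, extend the address list accordingly.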

Do one thing,

Create an application segment with your local home office subnet and set it to bypass always. ZCC will not forward those subnets/IPs to ZPA, and they will break out locally.

The issue with that is sometimes the home office subnet will overlap the main office subnet. Additionally, one cannot anticipate every home subnet that manufacturers use. I have seen everything from 192.168.0.0/24 to 10.0.0.0/8 and even 192.168.100.0/24.
Not that one can’t do this, you just have to be careful and expect that things can go goofy and not work 100% all the time in every home environment.

Not everybody will have a home network.
We could allocate and reserve a specific subnet for home networks and request users to keep their home network on that subnet.

Also,
we can educate the user to disable ZPA while not in use or when they want to access home networks.

This is a potential ask for ER. You can connect with your account team for ER.