Has Zscaler changed the reporting for displaying “User Meta Data” within the ZPA log? This was the only way to see if a ZPA session was passing or failing a certain Posture Check. Now, the meta data won’t display for at least 24 hours. This change is crazy.
We are working on a long-term fix to address the logging anomaly. I have described a sample scenario below to highlight when this issue could be seen.
Setup and sequence of events:
Access Policy1: Allow App_Seg1 for everyone if machine has Client_Cert (Posture Check)
Access Policy2: Block App_Seg1 for everyone
01Oct2021 10 AM GMT: Client machine does not have client cert
01Oct2021 11 AM GMT: Client tries to access App_Seg1 and is BLOCKED as machine fails posture check (no client cert) >> Transaction1 shows correct info about device posture (Posture Failed)
01Oct2021 5 PM GMT: Client cert is pushed to the machine from GPO/SCCM
01Oct2021 5:05 PM GMT: Transaction1 will be overwritten to show device posture passed
01Oct2021 6 PM GMT: Client tries to access App_Seg1 and is ALLOWED as machine passes posture check (client cert present) >> Transaction2 shows correct info about device posture (Posture Passed)