Can Zscaler replace a WAF or DMZ tier 1 firewall for public internet access to a company public web server?
No, Zscaler is not a replacement for a WAF.
Zscaler is predominantly for outbound communication and internal application access through a secure channel.
If you want to expose your application on the internet, in this case Zscaler solutions cannot be the replacement for a WAF or firewalls.
ZPA does have some WAF-type functionality such as AppProtection signatures for things like OWASP Top 10, etc. However, as Ramesh says, we are not really a WAF replacement in general. A WAF is typically used in front of applications that require access from the Internet. ZPA is used to either take applications dark from the Internet and access them, or to access those apps already dark behind firewalls.
There may be use cases, for web-based apps in particular, where you could grant access to partners, contractors, or other users that have accounts in an IdP, and you could take them dark on the internet and let them be accessed via ZPA.
I would like to see this added as well. While ZPA has some protections, it requires authentication. We would like to use this feature to protect some web servers without requiring authentication. We use Cloudflare tunnels for this so the web server is not directly discoverable using port scans. It would be great to consolidate it all with Zscaler. The other issue with ZPA web access is the lack of a built-in Zscaler CA, so you have to rotate certificates every year, which is not as straightforward as one would hope.