All scripts
sase
Expert
3–10 min
Zscaler ZIA/ZPA Policy Auditor
ZIA firewall + URL rules: shadow detection, ANY/ANY overpermissive, disabled rules, ZPA app segments without policy, posture bypass, DLP pattern overlap and HTML report.
Zscaler ZIA
Zscaler ZPA
You're viewing a preview
The full script, parameters, and execution console are available with a free account.
Already have access? Sign in →
Capabilities
- ZIA OAuth API
- Firewall+URL rule audit
- Shadow rule detection
- ANY/ANY overpermissive flag
- ZPA app segments without policy
- Posture bypass check
- DLP overlap
Required inputs
Parameters the script accepts. Defaults shown; some are vendor- or context-gated.
| Parameter | Type | Default | Notes |
|---|---|---|---|
Flag disabled rules flag_disabled | bool | true | — |
Flag any/any rules flag_any | bool | true | — |
Audit ZPA segments check_zpa | bool | true | — |
Sample inventory schema
Authoritative shape of the device/policy data this script consumes.
No bundled inventory sample. The script accepts standard device lists (CSV/YAML) with hostname, mgmt IP, vendor, and credentials.
Expected output
Reference terminal output the script should produce — used as a stylistic and structural target.
terminal
[2026-06-12] INFO Zscaler ZIA: pulling firewall + URL filtering rules... RULE TYPE ISSUE STATUS Allow-All-Web url any/any allow OVERPERMISSIVE ← Block-Malware url - OK Legacy-FTP fw disabled 287d STALE ← ZPA: 3 app segments with no access policy ← Summary: 1 overpermissive · 1 stale · 3 ZPA gaps