📌 Purpose
This article guides using ZIA Analytics for effective troubleshooting of common Zscaler Internet Access (ZIA) issues. It focuses on leveraging ZIA’s built-in diagnostics, such as Web Insights, SSL Inspection Logs, Firewall Logs, and HTTP header traces.
🧰 Prerequisites
-
Admin access to the ZIA Admin Portal
-
Familiarity with Client Connector, PAC files, and Service Edges
-
Access to Zscaler Trust Portal: https://trust.zscaler.com
-
Test URL: https://ip.zscaler.com
🔎 Step-by-Step Troubleshooting Using ZIA Analytics
1. ✅ Confirm ZIA Service Status
-
Ask the end user to visit https://ip.zscaler.com.
-
Check that:
-
Service Status is ON in ZCC
-
Correct Data Center (ZEN) is used
-
Client details and authentication are shown
-
If no ZIA service is shown, verify:
-
Traffic is forwarded via PAC, GRE/IPSec, or ZCC
-
No local network or DNS issues.
2. 📊 Use Web Insights to Identify Policy and Access Issues
Go to:
ZIA Admin Portal → Analytics → Web Insights
-
Filter by user, timestamp, and destination
-
Look for:
-
Blocked requests
-
SSL errors
-
Inspection errors
-
-
Common error reasons: "Blocked due to SSL decryption failure", "URL Category block", "Unencryptable traffic"
Fix: Create SSL bypass rules or review Access/URL filtering policies.
3. 🔐 Use SSL Inspection
Check:
Policy → SSL Inspection
-
Ensure rules cover authentication and critical business apps
-
Look for unintended “Do Not Inspect” entries
-
Use HTTP Header capture from browser dev tools (Ctrl+Shift+I → Network tab) to verify inspection results.
4. 🌐 Use Firewall Insights for Connectivity Blocks
Go to:
Analytics → Firewall Insights
Use this to:
-
Check outbound port blocks
-
Identify IPS/Geo-IP rules blocking traffic
-
Investigate dropped or denied connections
🔁 Common Scenarios and Analytics Application
| Issue | Tool | Diagnosis Tips |
|---|---|---|
| No Internet Access | ip.zscaler.com, DNS tools, Analyzer | Validate PAC/GRE/IPSec; Check DNS & client routing |
| Website Load Failures | Web Insights, Header Traces | Check for inspection blocks, missing segments |
| Slow Access | MTR, Webload, Packet Capture | Confirm latency at hops or retransmissions |
| Authentication Errors | Web Insights, SAML logs | Check IdP certs, SAML config, user provisioning |
📚 Additional Resources
✅ Summary
Using ZIA Analytics tools effectively speeds up issue resolution by pinpointing exact failure points in traffic flow, authentication, or policy enforcement.