Zscaler ZIA Disaster Recovery
Disaster Recovery with Zscaler: Understanding the Process
Overview of Zscaler Disaster Recovery (DR)
- The discussion begins with an introduction to Zscaler's disaster recovery scenarios, including blackouts and catastrophic failures.
- It is emphasized that when the entire Zscaler cloud is down, the default behavior of the Zscaler Client Connector (ZCC) is to send traffic directly to the internet without protection.
Triggering Disaster Recovery
- To trigger DR, DNS text records are utilized. A preconfigured DNS hostname in the ZCC app profile allows for this process.
- In a disaster scenario, admins can log into their DNS provider to update the DNS text record, which then instructs the ZCC on how to handle traffic.
Configuration Steps for DR
- Key steps include creating a predefined action list for DR events, setting up a DNS text record with specific parameters, configuring app profiles, and establishing standard operating procedures (SOP).
- Testing can be conducted either through simulations or during actual disaster events.
Practical Demonstration of Configuring DR
- A practical demonstration shows how to create a DNS text record (
dr.zia.domain.com) and set its parameters such as version and trigger status.
- Verification of the DNS text record confirms it is correctly configured before proceeding with app profile adjustments.
App Profile Configuration
- The configuration involves enabling disaster recovery options within app profiles and selecting forwarding actions like direct internet access or blocking all internet access.
- Options also include allowing only pre-selected sites by either Zscaler or customer-defined pack URLs.
Finalizing and Testing DR Activation
- After updating settings in the admin portal, best practices suggest setting TTL values low (recommended 30 seconds).
- Once changes are made, clients will wait for a periodic check (200 seconds), but updates can be forced manually if needed.
Conclusion of Demonstration
- The session concludes with confirmation that DR has been successfully triggered and that users now have direct internet access under safe mode conditions.