Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • User Guide

    2024.10.0
    2024.10.0
    2024.9.0
    2024.7.0

    Zscaler events

    Zscaler events

    Zscaler logs are mapped to the following FortiNDR Cloud event types. Events from Zscaler can be identified by source="Zscaler".

    DNS

    Field Comments
    answers Zscaler provides a single answer.
    qtype This is derived from qtype_name, so it may be missing for unexpected values.
    rcode This is derived from rcode_name, so it may be missing for unexpected values.
    rcode_name Zscaler also uses this as an error field, so it may contain unexpected values that are passed through.
    src.ip

    Flow

    Field Comments
    dst.ip
    dst.ip_bytes
    dst.port
    duration
    proto The values are mostly passed through from Zscaler. Some values will match and others will not.
    service The values are mostly passed through from Zscaler. Some values will match and others will not.
    src.ip
    src.ip_bytes
    src.port
    total_ip_bytes
    upload_percent

    HTTP

    Field Comments
    headers.content_type Zscaler may be translating some values into human-readable forms (for example, Flash).
    method Zscaler provides a value of CONNECT for HTTPS.
    referrer Zscaler does not provide the scheme (for example., http://).
    request_len
    response_len
    src.ip
    status_code
    uri
    user_agent

    SSL

    Every HTTPS request will have both an HTTP and SSL event. SSL events are only available for HTTPS. Also, Zscaler documentation suggests that it can be configured to intercept SSL. In that case, the cipher and version field represents the server, which may be different from the values for the client.

    Field Comments
    cipher Zscaler values are passed through without conversion.
    dst.ip
    src.ip
    server_name
    server_name_indication
    version Zscaler values are converted, but unexpected values will be passed through.
    Previous
    Next

    Zscaler events

    Zscaler events

    Zscaler logs are mapped to the following FortiNDR Cloud event types. Events from Zscaler can be identified by source="Zscaler".

    DNS

    Field Comments
    answers Zscaler provides a single answer.
    qtype This is derived from qtype_name, so it may be missing for unexpected values.
    rcode This is derived from rcode_name, so it may be missing for unexpected values.
    rcode_name Zscaler also uses this as an error field, so it may contain unexpected values that are passed through.
    src.ip

    Flow

    Field Comments
    dst.ip
    dst.ip_bytes
    dst.port
    duration
    proto The values are mostly passed through from Zscaler. Some values will match and others will not.
    service The values are mostly passed through from Zscaler. Some values will match and others will not.
    src.ip
    src.ip_bytes
    src.port
    total_ip_bytes
    upload_percent

    HTTP

    Field Comments
    headers.content_type Zscaler may be translating some values into human-readable forms (for example, Flash).
    method Zscaler provides a value of CONNECT for HTTPS.
    referrer Zscaler does not provide the scheme (for example., http://).
    request_len
    response_len
    src.ip
    status_code
    uri
    user_agent

    SSL

    Every HTTPS request will have both an HTTP and SSL event. SSL events are only available for HTTPS. Also, Zscaler documentation suggests that it can be configured to intercept SSL. In that case, the cipher and version field represents the server, which may be different from the values for the client.

    Field Comments
    cipher Zscaler values are passed through without conversion.
    dst.ip
    src.ip
    server_name
    server_name_indication
    version Zscaler values are converted, but unexpected values will be passed through.
    Previous
    Next