Kingran, EXACTLY Zscaler uses proxies and Palo routers.
The lie is that Microsoft advises to turn Zscaler off when using 365. This derived from a more than 2 year old blog that does not mention Zscaler and only says “most” proxies. And yet Palo inferred this also means Zscaler, which it does not. That is a lie or an intentional misdirection.
I with the help of many others have dug into this issue deeply. Palo has not had an investor’s conference in 2 years. Why now?
We grew our next-generation security business, Prisma and Cortex, by 89% this past year, which compares well with the 3 – somebody calls them 3 horsemen or horse people or horse companies of security or the darlings. We’re just envious of their valuations, so we feel compelled to compare ourselves with them.
When Office 365 applications are used within a web browser
Basically to use ZS you have to forgo native apps and use them within Web-browser, which organizations don’t like. To break-it in simple english, you will not be using desktop Outlook or skype, instead have to use browser based outlook and skype. I think that’s a limitation.
Basically, to overcome what ZS has done is took the entire IP range for O365 and wrote an exception. Great, it works for O365. Now, is it truly scalable? Meaning, can you do this for all sorts of application? I don’t know.
I don’t think MS will say don’t use ZS, but still insists you cannot use proxies and proxies cannot overwrite IP, or header, etc. Now, ZS basically created an exception for O365.
But yeah it’s a lie. So what else is Palo trying to sell us in this manner?
I think PANW pointing that ZS architecture is based on “proxies” and proxies break O365. Now, you (Tinker is) are saying ZS basically written an exception for O365, or in other words, ZS is basically going to skip inspecting the SSL traffic bound to O365, remember the advantage of proxies, it allows ZS to inspect SSL packets, now ZS is going to forgo that for O365…
You are saying that is misrepresenting by PANW, but PANW is trying to make a nuanced point of that basically ZS firewall’s selling point is unlike on-premise firewall, we can inspect SSL traffic, is broken for O365, or for any applications which doesn’t want “proxies” to mess with its traffic.
You call PANW is misrepresenting, I think PANW is making a very nuanced point here. I will leave it here…
Kingran, aren’t most cloud based apps web browser based? It seems o365 is one of the few exceptions. And if there are more that’s only a way for zs to differentiate themselves from other proxy based security companies.
Well… browser is by default the front-end for most modern applications and HTTP is the standard protocol… now, there are applications where you may not use either… to give a dump example, say I might host a FTP server… and I may not have to provide a browser or HTTP based access to it, but it may be very important from my enterprise point of view and I have to protect it… and my access policies are written such that, any tampering the URL or packet, which is what the proxy based firewall does, may compromise my access policies…
I know this is not a neat example… something I could think of on the fly…
The point is there are many applications that may not like the payload to be re-written… but the industry is moving away from that for scalability to SSL offloading…
This is the point I was making y’day. IF ZS’s claim is they are superior than on-premise firewall because they can inspect SSL, etc. When it comes to O365 ZS is not doing any inspection. If my security software is not inspecting my data, why even use that firewall?
If I am the customer, Why would I buy a firewall product, which is not going to do any inspection? I think that question could become pretty significant for ZS to answer. At the least, Palo has raised a serious doubt in the minds of buyers or done a successful “FUD” as many love to call here.
For many customers, they are going to be okay with O365 traffic not getting inspected, but for really large enterprises, it creates a situation there could be other applications (read as applications that are hosted @ cloud providers, where the IP’s could be significantly changing due to dynamic scaling, or due to using cloud provider resource such as load balancer’s instead of fixed IP’s) which will also be impacted.
I think so far ZS has not answered the issue convincingly.
about the Costanza rule…if you are longer term long then you should sell a little bit so it will go up for the rest of your ZS holding, and you are going to make a killing. Just sell a tiny tiny bit to trigger the rise. The smallest % sold, the less remorse you will have that you didn’t make the money on that part.
I think we are making much too much about what a competitor said. we should be more focused on how ZS can and will capture its market with the position it has right now.
It’s funny how silent the board is about CRWD, ZM and SMAR that have just reported. These stocks are down big. Reports not good enough? decelerating growth? yeah right from triple digits growth it has fallen to only double! How silent it is in general when the highest flying SaaS stocks are dropping when the market is rising. Not sure if there is an appetite to buy more after such bruising on the concentrated portfolios we are talking about here.
Make no mistake about it. I think the businesses we are talking about here are just fine and doing well. But the market has decided to cut their valuation somewhat. In the shorter term a good portion of the returns in those high-flying SaaS have been their stretched valuation, and that could be taken away at any time and in a snap of the fingers. Is the party over for now?
One small example, at my current company. Small to midsize financial firm, 350 employees, @10 actual IT engineers and security admins support, 3 offices but 90% EEs concentrated in HO.
We had up until beginning of this year that classic network hardware and software to support. Routers, switches, ports to onpremise VMWare and dedicated servers, data protection SW, URL restriction management, threat detection, patching constantly.
All of that hardware, software and patching support gone. Replaced by ZS. All internet traffic is routed through ZS. Which is what our business wants - the last thing our business managers want to hear is how much money we need in staff and green $ to spend on managing routers & switches etc.
Find below the paper from ZS on O365 deployment. Here is the statement from ZS " In compliance with Microsoft, Zscaler does not inspect Office 365 traffic"…I think so far ZS has not answered the issue convincingly.
That is a requirement for ALL security products, not just ZScaler.
“Deep packet inspection specifically SSL inspection - Skype for Business uses pseudo TLS which is used in media setup. This is not supported by most inspection devices such as proxies and firewalls, including host based security software; which is why we ask customers not to inspect Office 365 traffic.”
But it is the best solution for 365. Palo is literally trash talking Zscaler.
Zscaler uses proxies
Zscaler says they are not inspecting O365 traffic
The reason they are not inspecting O365 traffic is to comply with Microsoft, in other words, if they inspect the data then it will break the connection and will not work. In simpler words, if you want O365 to work, then you have to bypass ZS firewall and not inspect the traffic.
Which of this you disagree, or consider as lie or “trash talking”? Why avoiding inspecting the O365 traffic is the best solution? If that is the best solution every product can offer the best solution, all they have to do is “NOTHING”, why would a customer pay to ZS to do “NOTHING”?