ZS update

Kingran, EXACTLY Zscaler uses proxies and Palo routers.

The lie is that Microsoft advises to turn Zscaler off when using 365. This derived from a more than 2 year old blog that does not mention Zscaler and only says “most” proxies. And yet Palo inferred this also means Zscaler, which it does not. That is a lie or an intentional misdirection.

This is the closest I can find to turn off Zscaler https://help.zscaler.com/zia/saml-scim-configuration-guide-a… and that is not turning off Zscaler.

Find substantiation for Palo’s comment that Microsoft advises turning off Zscaler when using 365. If you can find substantiation for this you will be doing all of us a great service.

All Microsoft advises, in a 2 year old blog is proxies should generally not be used w 365. Does not say that this means their featured and utterly integrated security partner Zscaler.

I will very much appreciate someone proving Palo correct.

Btw I remember getting blow back when I said Symantec’s troubles were
Zscaler focused as well. But you know, nothing to learn here.

Find something that shows Palo was not lying. I cannot find everything and if I missed it I really will appreciate being set straight. We all will appreciate this as that is what this forum is for.

Thank you.



Oh here we go, exact language Palo used today:


And it does not say turn Zscaler off.

Let me know if this substantiates Palo’s comment that Microsoft recommends turning off Zscaler as it breaks 365.

Hint: it doesn’t. But this is what Palo wanted us to believe by their statement. Why does Palo need to put out such a “misdirection” trash talking

What else that Palo is stating is misdirection or untruthful?



I with the help of many others have dug into this issue deeply. Palo has not had an investor’s conference in 2 years. Why now?

We grew our next-generation security business, Prisma and Cortex, by 89% this past year, which compares well with the 3 – somebody calls them 3 horsemen or horse people or horse companies of security or the darlings. We’re just envious of their valuations, so we feel compelled to compare ourselves with them.

There you go… :slight_smile:

1 Like


Wrong link. Did not clear my cache. This is the correct link.

No, Microsoft is not advising to turn off Zscaler to run 365 because it breaks it.



Last comment on it. Palo’s
statement is an absolute lie. The recommendation only goes to bow to properly set up Zscaler with 365 if you are not using 365 through your browser.

One has to further wonder why Palo was intentionally this misleading? Why? If their product is superior why not stick w integrity?

All’s fair in business I guess.

But yeah it’s a lie. So what else is Palo trying to sell us in this manner?




When Office 365 applications are used within a web browser
Basically to use ZS you have to forgo native apps and use them within Web-browser, which organizations don’t like. To break-it in simple english, you will not be using desktop Outlook or skype, instead have to use browser based outlook and skype. I think that’s a limitation.

Moving on…

Basically, to overcome what ZS has done is took the entire IP range for O365 and wrote an exception. Great, it works for O365. Now, is it truly scalable? Meaning, can you do this for all sorts of application? I don’t know.

I don’t think MS will say don’t use ZS, but still insists you cannot use proxies and proxies cannot overwrite IP, or header, etc. Now, ZS basically created an exception for O365.

1 Like

But yeah it’s a lie. So what else is Palo trying to sell us in this manner?

I think PANW pointing that ZS architecture is based on “proxies” and proxies break O365. Now, you (Tinker is) are saying ZS basically written an exception for O365, or in other words, ZS is basically going to skip inspecting the SSL traffic bound to O365, remember the advantage of proxies, it allows ZS to inspect SSL packets, now ZS is going to forgo that for O365…

You are saying that is misrepresenting by PANW, but PANW is trying to make a nuanced point of that basically ZS firewall’s selling point is unlike on-premise firewall, we can inspect SSL traffic, is broken for O365, or for any applications which doesn’t want “proxies” to mess with its traffic.

You call PANW is misrepresenting, I think PANW is making a very nuanced point here. I will leave it here…


If I sell my ZS now, it will go up. But if I hold or buy more, it will go down! That’s the George Costanza rule. Better to laugh a bit and not worry too much.


Kingran, aren’t most cloud based apps web browser based? It seems o365 is one of the few exceptions. And if there are more that’s only a way for zs to differentiate themselves from other proxy based security companies.


aren’t most cloud based apps web browser based?

Well… browser is by default the front-end for most modern applications and HTTP is the standard protocol… now, there are applications where you may not use either… to give a dump example, say I might host a FTP server… and I may not have to provide a browser or HTTP based access to it, but it may be very important from my enterprise point of view and I have to protect it… and my access policies are written such that, any tampering the URL or packet, which is what the proxy based firewall does, may compromise my access policies…

I know this is not a neat example… something I could think of on the fly…

The point is there are many applications that may not like the payload to be re-written… but the industry is moving away from that for scalability to SSL offloading…

Well… browser is by default the front-end for most modern applications and HTTP is the standard protocol…

Outlook Anywhere runs on 443/HTTPS so I don’t understand why ZS wouldnt support that. Are we sure thats accurate? Outlook has been able to support this for about a decade now.



They do support that. As I said whopper from Palo. Read the link I posted a few posts ago about the one click set up option.

Zscaler is not a perfect solution. But it is the best solution for 365. Palo is literally trash talking Zscaler.



Palo’s statement is an absolute lie. …But yeah it’s a lie. So what else is Palo trying to sell us in this manner?


Find below the paper from ZS on O365 deployment. Here is the statement from ZS " In compliance with Microsoft, Zscaler does not inspect Office 365 traffic"


This is the point I was making y’day. IF ZS’s claim is they are superior than on-premise firewall because they can inspect SSL, etc. When it comes to O365 ZS is not doing any inspection. If my security software is not inspecting my data, why even use that firewall?

If I am the customer, Why would I buy a firewall product, which is not going to do any inspection? I think that question could become pretty significant for ZS to answer. At the least, Palo has raised a serious doubt in the minds of buyers or done a successful “FUD” as many love to call here.

For many customers, they are going to be okay with O365 traffic not getting inspected, but for really large enterprises, it creates a situation there could be other applications (read as applications that are hosted @ cloud providers, where the IP’s could be significantly changing due to dynamic scaling, or due to using cloud provider resource such as load balancer’s instead of fixed IP’s) which will also be impacted.

I think so far ZS has not answered the issue convincingly.


about the Costanza rule…if you are longer term long then you should sell a little bit so it will go up for the rest of your ZS holding, and you are going to make a killing. Just sell a tiny tiny bit to trigger the rise. The smallest % sold, the less remorse you will have that you didn’t make the money on that part.

I think we are making much too much about what a competitor said. we should be more focused on how ZS can and will capture its market with the position it has right now.

It’s funny how silent the board is about CRWD, ZM and SMAR that have just reported. These stocks are down big. Reports not good enough? decelerating growth? yeah right from triple digits growth it has fallen to only double! How silent it is in general when the highest flying SaaS stocks are dropping when the market is rising. Not sure if there is an appetite to buy more after such bruising on the concentrated portfolios we are talking about here.

Make no mistake about it. I think the businesses we are talking about here are just fine and doing well. But the market has decided to cut their valuation somewhat. In the shorter term a good portion of the returns in those high-flying SaaS have been their stretched valuation, and that could be taken away at any time and in a snap of the fingers. Is the party over for now?



One small example, at my current company. Small to midsize financial firm, 350 employees, @10 actual IT engineers and security admins support, 3 offices but 90% EEs concentrated in HO.

We had up until beginning of this year that classic network hardware and software to support. Routers, switches, ports to onpremise VMWare and dedicated servers, data protection SW, URL restriction management, threat detection, patching constantly.

All of that hardware, software and patching support gone. Replaced by ZS. All internet traffic is routed through ZS. Which is what our business wants - the last thing our business managers want to hear is how much money we need in staff and green $ to spend on managing routers & switches etc.


All of that hardware, software and patching support gone. Replaced by ZS

So just to be clear, your company switched to ZS and got rid of all the routers, switches?

Find below the paper from ZS on O365 deployment. Here is the statement from ZS " In compliance with Microsoft, Zscaler does not inspect Office 365 traffic"…I think so far ZS has not answered the issue convincingly.


That is a requirement for ALL security products, not just ZScaler.

“Deep packet inspection specifically SSL inspection - Skype for Business uses pseudo TLS which is used in media setup. This is not supported by most inspection devices such as proxies and firewalls, including host based security software; which is why we ask customers not to inspect Office 365 traffic.”


But it is the best solution for 365. Palo is literally trash talking Zscaler.


  1. Zscaler uses proxies
  2. Zscaler says they are not inspecting O365 traffic
  3. The reason they are not inspecting O365 traffic is to comply with Microsoft, in other words, if they inspect the data then it will break the connection and will not work. In simpler words, if you want O365 to work, then you have to bypass ZS firewall and not inspect the traffic.

Which of this you disagree, or consider as lie or “trash talking”? Why avoiding inspecting the O365 traffic is the best solution? If that is the best solution every product can offer the best solution, all they have to do is “NOTHING”, why would a customer pay to ZS to do “NOTHING”?

What am I missing?

What am I missing?

You’re missing that ZScaler does not inspect O365 traffic not as a weakness of ZScaler, but due to Microsoft’s request that NOBODY inspect O365 traffic.


NOBODY inspect O365 traffic.

I am not sure about “NOBODY”, I understand ZS cannot. There are NW/ security products that do work with O365. I am purposefully avoiding PANW here, so that we can focus on the issue with ZS and O365.

See blog post, that discusses this bit more in details.