Skip to main content

URLs Export to Excel

Export comprehensive URL data from your entire Zscaler ZIA configuration to Excel with advanced analysis, categorization insights, and security risk detection.

Video Tutorial

Overview

The URL Export feature consolidates all URLs from across your Zscaler environment into a single, analyzable Excel report. Unlike manual exports that only capture custom URL categories, ZHERO's export includes URLs from:

  • Custom URL categories
  • Firewall rules (direct URL usage)
  • Advanced settings
  • PAC files
  • App Profiles
  • SSL inspection exceptions
  • And more

Requirement: One API Configuration

Required Setup

The URL Export feature requires One API access for URL lookup functionality. This is a one-time configuration.

See the One API Setup Guide for detailed instructions.

Once configured, ZHERO maintains this information in the background for instant URL lookups.

Using URL Export

Accessing the Feature

  1. Log into Zscaler ZIA Admin Portal
  2. ZHERO automatically enhances the interface
  3. Look for the "Export" button (added by ZHERO)
  4. Click "URLs to XLSX"
URL Export Button Location

Generation Process

After selecting columns:

  1. ZHERO retrieves URL data from ZIA
  2. For URLs not yet analyzed, performs One API lookups
  3. Progress indicator shows status
  4. Export typically takes 1-5 minutes (depending on config size)
  5. Excel file downloads automatically

File naming: zhero-url-export-[tenant]-[date].xlsx

Understanding the Excel Report

Key Columns Explained

URL

The configured URL or FQDN exactly as it appears in Zscaler.

Examples:

  • example.com (exact match)
  • *.example.com (wildcard)
  • .example.com (leading dot wildcard)

Is Wildcard

Boolean indicator if URL contains wildcard characters.

Wildcard patterns detected:

  • Starts with ..cdn.com
  • Contains **.example.com

Why it matters: Wildcards multiply security surface area exponentially.

Policy Impact

Number of policies where this URL is referenced.

Format: 11 or 11+ (if disabled policies also reference it, or advanced settings)

Includes:

  • Active policies (primary number)
  • Disabled policies (indicated by +)
  • All policy types (firewall, URL filtering, forwarding, etc.)

Use case: Identify high-impact URLs that affect many policies.

Custom Categories

Lists custom URL categories containing this URL.

Values:

  • SSL-Exclusions, Allow-Partners (comma-separated list)
  • (none) (URL used in settings but not in categories)

Use case: Understand URL organization and find consolidation opportunities.

Zscaler Categories

Standard Zscaler categories for this URL (via One API lookup).

Examples:

  • Social Networking, Entertainment
  • CDN, Content Server
  • (not categorized) (URL not in Zscaler database)

Use case: Identify redundant blocks, understand URL nature.

Filtering Tip

Use "Contains" filter (not exact match) when filtering categories. URLs often belong to multiple categories, and "contains" ensures you find all matches.

Cloud Application

Cloud application name if URL is recognized as SaaS/cloud service.

Examples:

  • Salesforce
  • Microsoft 365
  • Zoom
  • (blank) (not a recognized cloud app)

Use case: Instead of excluding individual URLs, consider excluding the entire cloud app for cleaner SSL exception policies.

Related URLs - Generic

Shows more generic wildcards that might already cover this specific URL.

Example:

URL: specific.example.com
Related Generic: *.example.com, .example.com

Use case: Identify redundant specific entries covered by existing wildcards.

Related URLs - Specific

Shows more specific URLs covered by this wildcard.

Example:

URL: *.itunes.apple.com
Related Specific: play.itunes.apple.com, bag.itunes.apple.com

Use case: Understand scope of wildcard impact, validate if all specific URLs are intentional.

Premium Columns

Premium Feature

These columns are available in ZHERO Premium.

Firewall Rules

Lists firewall rules where this URL is directly referenced (not in categories).

Format: Rule-Name-1, Rule-Name-2

Use case: Understand URL usage beyond categories, find consolidation opportunities.

PAC Files

Shows which PAC files reference this URL.

Format: PAC-File-Name (line 45)

Use case: Verify PAC file accuracy, identify outdated entries.

App Profiles

Lists App Profiles using this URL as VPN gateway or similar.

Use case: Track critical infrastructure URLs, ensure proper documentation.

Advanced Settings

Other advanced ZIA settings where URL is configured.

Use case: Complete visibility into URL usage across all ZIA components.

Common Use Cases

Use Case: Find Redundant Blocks

Goal: Identify URLs in block categories that are already blocked elsewhere.

Steps:

  1. Filter Custom Categories for your block category (e.g., "Block-Legacy")
  2. Use "Contains" filter on Zscaler Categories for already-blocked categories:
    • pornography
    • miscellaneous or unknown
    • gambling
  3. Count results - these are redundant blocks
  4. Verify your URL filtering policies already block these categories
  5. Safe to remove from custom block category

Real example: One tenant had 1,422 redundant blocks (out of 2,000 URLs in block category).

Use Case: Detect Critical CDN Wildcards in SSL Exceptions

Goal: Find dangerous wildcard CDN URLs in SSL exclusion categories.

Security Critical

This use case identifies serious security vulnerabilities that create blind spots in SSL inspection.

Steps:

  1. Filter Custom Categories for SSL exclusion categories:
    • SSL-Exclusions
    • SSL-Bypass
    • No-Inspection
  2. Filter Is Wildcard for TRUE
  3. Use "Contains" filter on Zscaler Categories for CDN
  4. Review results - these are critical security holes

Why this matters:

  • CDNs allow anyone to publish content for minimal cost
  • Includes potential malware distribution
  • Wildcard CDN in SSL exception = complete bypass for all content on that CDN
  • Example: *.akamaized.net can serve millions of different domains

Real example: Found *.akamaized.net in SSL exceptions handling 2TB/month traffic.

Remediation:

  1. Identify specific FQDNs needed (e.g., specific-app.akamaized.net)
  2. Replace wildcard with specific FQDNs
  3. Test thoroughly
  4. Document reason for each exception
Premium Feature

ZHERO Premium automatically highlights these critical findings with smart analysis directly in your ZIA interface.

Use Case: Consolidate Using Cloud Applications

Goal: Replace individual URL exceptions with cloud app exceptions.

Steps:

  1. Filter Cloud Application column to exclude blanks
  2. Review which URLs are recognized cloud apps
  3. For SSL exceptions, consider using "Exclude Cloud App" instead of individual URLs
  4. Results in cleaner, more maintainable policy

Example:

Instead of excluding:

  • salesforce.com
  • force.com
  • salesforceliveagent.com
  • salesforce-sites.com

Use: Cloud App exclusion for "Salesforce" (covers all variations automatically)

Use Case: Optimize Wildcard Usage

Goal: Use Related URLs columns to optimize wildcard vs specific URL usage.

Scenario A: Remove redundant specific URLs

  1. URL: specific.example.com
  2. Related Generic shows: *.example.com already configured
  3. Result: Specific URL is redundant, remove it

Scenario B: Validate wildcard scope

  1. URL: *.itunes.apple.com
  2. Related Specific shows: 23 specific URLs
  3. Review: Are all 23 intentional?
  4. Result: May need to narrow wildcard scope

Tips & Best Practices

Efficient Filtering

Use "Contains" for Categories

  • ❌ Don't: Select individual categories from dropdown
  • ✅ Do: Use "Contains" text filter
  • Why: URLs belong to multiple categories; "contains" finds all matches

Combine Multiple Filters

  • Filter by wildcard AND category AND policy impact simultaneously
  • Example: Is Wildcard = TRUE + Custom Categories contains "SSL" + Zscaler Categories contains "CDN"
  • URL Inventory: Understand where ZHERO discovers URLs across your entire ZIA configuration (categories, firewall rules, PAC files, advanced settings, and more)
  • URL Manipulation: Implement changes identified in your Excel analysis with efficient bulk operations, filtering, and category management
  • URL Analysis & Management Guide: Complete workflow combining inventory, export, analysis, and optimization for systematic URL management
  • ONEAPI Setup: Configure ONEAPI credentials for automatic URL categorization (required for this feature)

Next Steps

  1. Configure ONEAPI for automatic URL lookup and categorization
  2. Generate your first URL export to understand current configuration
  3. Identify optimization opportunities using the common use cases above
  4. Use URL Manipulation to implement improvements
  5. Establish regular export and review cycles for continuous optimization