URL Inventory in ZHERO

Understand how ZHERO provides comprehensive URL visibility by tracking every location where URLs appear throughout your Zscaler ZIA configuration.

Overview

Unlike the standard Zscaler interface that isolates URL visibility within specific configuration sections, ZHERO maintains a comprehensive inventory of every URL reference across your entire ZIA tenant. This cross-configuration visibility reveals hidden relationships and ensures you understand the full impact of any URL-related change.

Why URL Inventory Matters

When you need to modify or remove a URL, understanding where it's used is critical:

  • Impact Analysis: Know which policies and settings will be affected
  • Hidden Dependencies: Discover URLs referenced in lesser-known advanced settings
  • Configuration Audit: Verify URLs aren't orphaned or duplicated across settings
  • Troubleshooting: Quickly identify why a URL is being processed unexpectedly
  • Compliance: Document complete URL usage for audit trails

Without ZHERO's inventory, discovering all URL references would require manually exploring dozens of configuration pages—and you'd likely miss hidden references.

Where ZHERO Finds URLs

ZHERO automatically discovers and tracks URLs from every ZIA configuration element:

1. Custom URL Categories

Location: Administration → URL Categories

The most obvious location where administrators manage URL lists. ZHERO enhances this standard view with:

  • Policy impact indicators
  • Automatic URL Lookup via ONEAPI
  • Related URL detection (wildcard/specific relationships)
  • Cross-reference to other configuration areas using the same URLs

Common usage: Block lists, allow lists, SSL inspection exceptions

2. Firewall Rules

Location: Policy → Firewall Control → Any Rule → Destination IP → IP Address or Wildcard FQDN

Firewall rules can reference URLs directly as destination addresses without using URL categories. These are particularly difficult to track in the standard interface.

Why it matters: Direct URL usage in firewall rules bypasses URL categories, creating hidden policy layers that aren't visible when viewing category usage alone.

Example: A firewall rule blocking access to malicious-site.com by FQDN won't show up when viewing the URL in category context.

3. Advanced Settings - Authorization Bypasses

Location: Administration → Advanced Settings → Authentication Exemptions → Exempted URLs

Some advanced settings can reference URLs for authorization bypass scenarios.

Why it matters: These settings are buried deep in configuration and easily overlooked during URL audits.

4. Advanced Settings - FTP Configuration

Location: Policy → Firewall → FTP Controls → Allowed URLs

FTP-related firewall settings can include URL references.

Why it matters: Legacy protocol settings are rarely reviewed but can still reference URLs that impact security.

5. Destination IP Groups

Location: Administration → IP & FQDN Groups → Destination IPv4 Groups

While primarily for IP addresses, destination groups can also contain FQDNs. These FQDN entries are URLs that ZHERO tracks.

Why it matters: URLs hidden inside IP groups are usually forgotten or overlooked. ZHERO makes this transparent.

Example: An IP group named "Critical Servers" might contain backup.company.com alongside IP addresses.

6. App Profiles

Location: Mobile Portal → App Profiles → Any App Profile → App and IP Bypass → VPN gateway bypass

App Profiles can reference URLs in VPN Gateway Bypass settings.

Why it matters: These FQDNs bypass ZIA completely, so knowing and maintaining them is fundamental.

7. PAC Files

Location: Administration → Hosted PAC Files

Proxy Auto-Configuration (PAC) files contain JavaScript that can reference numerous URLs for:

  • Direct connection exceptions
  • Proxy selection logic
  • Domain matching rules

Why it matters: PAC files can contain dozens or hundreds of URL references. ZHERO parses PAC file content and tracks individual URL mentions with line numbers.

Example: if (shExpMatch(host, "*.microsoft.com")) → ZHERO tracks *.microsoft.com with reference to the PAC file and line number.
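
The following is an added example, not ZHERO's own code: a minimal sketch of extracting host patterns from PAC content together with their line numbers. The sample PAC text, the function names and the record fields are assumptions made for illustration. Commented-out rules are skipped so they are not reported as live references.

```javascript
// Constructed sample PAC file (not from a real tenant).
const SAMPLE_PAC = [
  'function FindProxyForURL(url, host) {',
  '  // retired: dnsDomainIs(host, ".old.example.net")',
  '  if (shExpMatch(host, "*.microsoft.com")) return "DIRECT";',
  '  if (dnsDomainIs(host, ".corp.example.com") ||',
  '      localHostOrDomainIs(host, "backup.company.com")) return "DIRECT";',
  '  if (shExpMatch(url, "https://portal.example.org/*")) return "DIRECT";',
  '  return "PROXY proxy.example.com:8080";',
  '}',
].join('\n');

// Standard PAC helpers whose second argument is a host or URL pattern.
const MATCHERS =
  /\b(shExpMatch|dnsDomainIs|localHostOrDomainIs)\s*\(\s*(?:host|url)\s*,\s*(["'])(.*?)\2/g;

// Drop a trailing // comment, ignoring "//" inside string literals
// (block comments are not handled in this sketch).
function stripLineComment(line) {
  let quote = null;
  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (quote) {
      if (c === '\\') i++; // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'") {
      quote = c;
    } else if (c === '/' && line[i + 1] === '/') {
      return line.slice(0, i);
    }
  }
  return line;
}

// Reduce a URL pattern to its host part; bare host patterns pass through.
function hostOf(pattern) {
  return pattern.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split(/[\/:]/)[0].toLowerCase();
}

// Return one record per pattern found, with its 1-based line number.
function extractPacReferences(pacText, file) {
  const refs = [];
  pacText.split(/\r?\n/).forEach((raw, idx) => {
    for (const m of stripLineComment(raw).matchAll(MATCHERS)) {
      refs.push({ file, line: idx + 1, fn: m[1], pattern: m[3], host: hostOf(m[3]) });
    }
  });
  return refs;
}
```

Calling `extractPacReferences(SAMPLE_PAC, 'default.pac')` yields four records, one each for lines 3 to 6 of the sample.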

8. Malware Scan Exceptions

Location: Policy → Malware Protection → Security Exceptions → Do Not Scan Content from these URLs

Malware scan exceptions can reference URLs that are excluded from scanning.

Why it matters: These URLs are excluded from scanning, so knowing and maintaining them is fundamental.

How ZHERO Inventory Works

Automatic Discovery

ZHERO automatically:

  1. Scans Configuration: Retrieves all configuration elements via ZIA API
  2. Parses URL References: Identifies URLs, FQDNs, and wildcards across all settings
  3. Builds Relationship Map: Creates cross-references between URLs and configuration elements
  4. Updates in Real-Time: Reflects configuration changes as they occur

No manual setup required—inventory tracking happens automatically when ZHERO is installed.

Viewing URL References

When you examine any URL in ZHERO:

  1. Open the URL in a category or search for it (Cmd/Ctrl + K)
  2. Click the drill-down icon on the URL to view complete usage
  3. ZHERO displays all references organized by type:
    • Firewall rules
    • URL categories
    • App profiles
    • Advanced settings
    • PAC files
    • IP destination groups
    • And more

ZHERO automatically identifies relationships between:

  • Wildcard → Specific: *.example.com covers app.example.com, www.example.com
  • Specific → Wildcard: app.example.com is covered by *.example.com, .example.com

This bidirectional mapping helps identify:

  • Redundant specific URLs covered by wildcards
  • Scope of wildcard patterns
  • Potential conflicts between specific and wildcard rules
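
The following is an added example, not ZHERO's own code: a sketch of the bidirectional wildcard/specific mapping over a small constructed inventory. It goes one step further and flags specific entries that sit in the same configuration element as a wildcard covering them. The inventory entries, source labels and function names are assumptions, as is the rule that `*.d` and `.d` both cover subdomains of `d` but not `d` itself.

```javascript
// Constructed inventory: one entry per URL reference and where it was found.
const INVENTORY = [
  { url: '*.example.com', source: 'URL category: Allow List' },
  { url: 'app.example.com', source: 'URL category: Allow List' },
  { url: 'www.example.com', source: 'Firewall rule: Block Web' },
  { url: '.example.com', source: 'PAC file: default.pac' },
  { url: 'example.com', source: 'Malware scan exceptions' },
  { url: 'notexample.com', source: 'URL category: Allow List' },
  { url: 'backup.company.com', source: 'IP group: Critical Servers' },
];

// Assumption: "*.d" and ".d" both cover every subdomain of d, but not d itself.
function parseEntry(url) {
  const u = url.trim().toLowerCase();
  if (u.startsWith('*.')) return { wildcard: true, base: u.slice(2) };
  if (u.startsWith('.')) return { wildcard: true, base: u.slice(1) };
  return { wildcard: false, base: u };
}

// Match on a label boundary so "*.example.com" never covers "notexample.com".
function covers(patternUrl, candidateUrl) {
  const p = parseEntry(patternUrl);
  const c = parseEntry(candidateUrl);
  return p.wildcard && c.base.endsWith('.' + p.base);
}

// Map each URL to its sources and to both directions of the relationship.
function buildRelationships(inventory) {
  const rel = new Map();
  for (const e of inventory) {
    if (!rel.has(e.url)) rel.set(e.url, { sources: [], covers: [], coveredBy: [] });
    rel.get(e.url).sources.push(e.source);
  }
  const urls = [...rel.keys()];
  for (const a of urls) {
    for (const b of urls) {
      if (covers(a, b)) {
        rel.get(a).covers.push(b);
        rel.get(b).coveredBy.push(a);
      }
    }
  }
  return rel;
}

// Cleanup candidates: entries sharing a source with a wildcard that covers them.
function redundantEntries(inventory) {
  const rel = buildRelationships(inventory);
  return inventory.filter((e) =>
    rel.get(e.url).coveredBy.some((w) => rel.get(w).sources.includes(e.source)));
}
```

In the sample, `www.example.com` is covered by the wildcard but lives in a firewall rule, so it is reported as related rather than redundant.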

Integration with Other ZHERO Features

URL Export to Excel

The URL Export feature leverages ZHERO's inventory to provide comprehensive reporting:

  • Exports URLs from all discovered locations, not just categories
  • Shows policy impact counts reflecting complete usage across all settings
  • Includes firewall rule names, PAC file references, app profile usage
  • Provides complete audit trail of URL usage

URL Manipulation

URL Manipulation features use inventory data to:

  • Show policy impact badges reflecting all usage (not just categories)
  • Provide complete context
  • Enable informed operations with full visibility

Analysis Templates

ZHERO's automated analysis templates leverage inventory to:

  • Detect redundant URLs across multiple configuration sections
  • Identify security risks from URLs in multiple conflicting policies
  • Find optimization opportunities by understanding complete URL lifecycle
  • Alert on potential misconfigurations involving URL relationships

Technical Details

Inventory Update Frequency

ZHERO refreshes its URL inventory:

  • On Extension Load: Complete inventory scan when ZHERO starts
  • On Configuration Change: Incremental updates when you modify settings
  • On Manual Refresh: Force refresh via ZHERO settings

Performance Considerations

ZHERO's inventory system is designed for efficiency:

  • Inventory data cached locally in browser
  • Only changed configuration elements re-scanned
  • Background updates don't impact ZIA performance
  • Typical inventory build time: 10-40 seconds (depending on config size)

Accuracy and Completeness

ZHERO's inventory includes:

  • ✅ All URLs discoverable via ZIA API
  • ✅ FQDNs in firewall rules and IP groups
  • ✅ URLs in PAC file content (with line numbers)
  • ✅ URLs in advanced settings across all policy types
  • ✅ Wildcard and specific URL relationships

Next Steps

  1. Explore ZHERO's URL inventory by searching for specific URLs in your configuration
  2. Click drill-down icons to view complete reference lists
  3. Export URL inventory to Excel for comprehensive documentation
  4. Use inventory insights to identify cleanup opportunities
  5. Combine inventory visibility with manipulation features for efficient configuration optimization