Managing network security and security policies across on-premises or off-premises data centers, cloud applications, and other computing environments is complex and expensive.

Two top-tier security solutions come together to accelerate your digital transformation. Tufin’s integration with the zero-trust Zscaler Internet Access™ solution provides centralized visibility into Zscaler Secure Access Service Edge (SASE) policy rules, as well as security policies across your multi-vendor network devices and cloud resources.

Centralize visibility and control

Holistic visibility into Zscaler policies alongside the broader multi-vendor ecosystem of policies simplifies planning, troubleshooting and compliance reporting.

Key features include:

  • Rule Viewer — Instantly view Zscaler Cloud Firewall rules directly from the Tufin console. Users can identify overly permissive rules and view comprehensive data sets for each rule, including the last time a rule was modified.
  • Rule Change Tracker — Tufin monitors and highlights Zscaler Cloud Firewall rule changes in real time, including what was changed and when, for compliance, risk analysis and rapid troubleshooting.
  • Rule filter — Rules can be filtered by locations, apps, URL category, and users for faster resolution of security and connectivity issues.


Adopt Zscaler Internet Access™ while improving visibility and control over the rest of your network infrastructure.

  • Gain real-time visibility into all network and cloud architecture and associated security configurations.
  • Simplify the design and management of network and cloud segmentation.
  • Reduce access change times from days to minutes.
  • Gain real-time, app and service-level visibility into all cloud assets, services, and traffic (North/South and East/West).
  • Improve cloud application and data protection.
  • Automate the design and deployment of security policy.
  • Leverage security policy within CI/CD automation pipelines.


Drive visibility and collaboration across network and cloud teams.

A centralized security policy engine for both on-premises networks and cloud-native platforms ensures end-to-end security for enterprise apps, assets, and cloud workloads. Tufin delivers security policy visibility across AWS, Microsoft Azure and Google Cloud Platform.

Rule Viewer

Tufin’s Rule Viewer enables network administrators to gain an instant view of Zscaler Cloud Firewall rules directly from the Tufin console, for fast analysis. Users can view rule attributes — sources, destinations, users, applications. The Rule Viewer also provides rule metadata, such as when the rule was last modified, the certification status if rule certification is being enforced via Tufin, and whether the rule is overly permissive and should therefore be modified or removed.

Tufin console: Zscaler Cloud Firewall Rule Viewer

Rule Change Tracker

To ensure continuous compliance and enable faster troubleshooting, Tufin monitors and highlights Zscaler Cloud Firewall rule changes — what was changed, when, by whom, and whether there’s a comment or a reference associated with it. Tufin records every policy revision, maintaining a complete policy history as it evolves over time. Administrators can quickly retrieve and view the Zscaler policy as it existed at a previous point in time. A side-by-side comparison helps admins review changes to identify and fix misconfigurations. This can be invaluable when a change unexpectedly blocks access to a critical asset, enabling auditors to immediately view what has changed since the last audit.

Tufin Console: Revision History and Change Comparison

Rule filter

Admins can filter rules by locations, apps, URL category, and users, for faster resolution of security and connectivity issues.

Tufin Console: Rule Viewer

How it Works

Adding Zscaler Cloud Firewall to Tufin is fast and easy. Users simply go to SecureTrack+ ‘Monitoring’ and select ‘Zscaler Cloud Firewall’ as an additional environment to monitor. The Zscaler Cloud Firewall rules are then automatically retrieved by Tufin and added into Tufin SecureTrack+.

What is Security Service Edge (SSE)?

SSE is defined by Gartner as a convergence of cloud-based network security services delivered from a purpose-built cloud platform. It is considered a subset of the secure access service edge (SASE) framework. SSE architecture is dedicated entirely to delivering security services.

What is Zscaler Internet Access?

Zscaler Internet Access is a cloud-native security service edge (SSE) solution. It is a SaaS solution to simplify network security and operations for cloud- and mobile-first enterprises. It boasts a seamless user experience.

How does Zscaler ZIA work?

All users, apps, devices, and locations get always-on threat protection based on identity and context. It provides inline inspection of all internet traffic, including SSL decryption, with a suite of “AI-powered” cloud security services. Zscaler claims to stop ransomware, zero-day malware, and advanced attacks leveraging threat intelligence from 300 trillion daily signals.

What is Zscaler Private Access?

Zscaler applies the principles of least privilege to give users direct connection to private applications hidden from the Internet while eliminating unauthorized access and lateral movement. A cloud native service, ZPA can be deployed in hours to replace legacy VPNs and remote access tools with a holistic zero trust platform.

What is the Zscaler Cloud Firewall?

It is a zero-trust, next-generation firewall that enables speedy, secure network connections for all internet traffic, including SSL encrypted traffic. This next-gen firewall (NGFW) and cloud security platform offers unlimited scalability and provides ongoing, consistent protection for users across your corporate network, no matter their device or location.

Zscaler Cloud Firewall allows teams to:

  • Provide DNS security with local resolutions that maintain performance while protecting users from malicious sites and DNS tunneling
  • Proxy everything that appears to be HTTP/HTTPS, DNS, or FTP traffic with an advanced deep packet inspection engine
  • Inspect and identify advanced threats and hidden attacks, even on non-standard ports
  • Maintain security with a cloud intrusion prevention system (IPS) that runs 24/7
  • Gain cloud-delivered threat protection with presence on the global edge
  • Enact URL filtering and configure policy rules
  • Attain superior cloud security outcomes from Zscaler’s Zero-Trust Exchange, a cloud-native security service edge (SSE) platform
  • Ensure quality user experience with direct-to-cloud architecture that optimizes every user path
  • Obtain end-to-end visibility into app and endpoint performance
  • Configure firewall policies and define rules for firewall filtering, NAT control, DNS control, and IPS control policies

What is Zscaler Zero Trust Exchange?

It is Zscaler’s cloud native platform that connects workloads, devices, and users instead of putting them on the corporate network. The platform verifies the identity and profile of the user, their device (including IoT devices), or workload through third-party access management providers.

The Zero Trust Exchange helps teams to:

  • Minimize attack surface, find threats hiding in encrypted traffic with SSL inspection, and protect against threats like malware
  • Overcome the pitfalls of traditional firewalls, including high false positives and attacks over encrypted traffic
  • Implement zero-trust software-defined WAN (SD-WAN) that harnesses connectivity to secure communications across branches, data centers, cloud services, SaaS, and public clouds
  • Eliminate site-to-site VPNs and enable application and network access across branch offices over the internet

What is the Zscaler Cloud Sandbox?

Zscaler Cloud Sandbox is a malware prevention engine that delivers inline, latency-free traffic inspection across web and file transfer protocols, including SSL/TLS.

Get the visibility and control you need to secure your enterprise.

Only Tufin provides automation and a unified security policy, from on-prem to cloud, across NetSec and DevOps.