How to Add Custom Cloud Applications and Rules in Zscaler

Learn how to define custom cloud applications in Zscaler and create Cloud App Control rules to manage access, track usage, and enforce security policies.

Custom cloud applications give security teams granular control over access to business-specific or internal web apps that may not exist in Zscaler’s default application database. By defining your own cloud application entries, you can track usage and apply targeted security rules that allow, block, or isolate access, or enforce quotas.

In this guide, we will walk through the two essential tasks for managing non-standard applications:

  1. Adding a custom cloud application entry.
  2. Creating a Cloud App Control rule for that application.

Why Use a Custom Cloud Application?

Not every application used in a modern organization is recognized by default. Internal tools, newly launched startups, or apps hosted on specific custom URLs often fall outside predefined categories. Adding them as custom cloud applications allows you to:

  • Identify and manage apps not categorized by Zscaler.
  • Apply targeted access control rules specific to your organization's needs.
  • Track usage metrics including users, uploads, and download volumes.
  • Enforce quota-based access policies (time or bandwidth).

Note: Risk attributes are not automatically captured for custom applications, and SSL inspection must be enabled for the lookup to function correctly.


Prerequisites and Considerations

Before you begin, keep these points in mind:

  • Support Activation: Custom Applications must be enabled by Zscaler Support for your tenant.
  • Precedence: If Zscaler later introduces a predefined application with the same URL, the predefined entry takes precedence over your custom entry.
  • Visibility: You may receive notifications if categorization changes affect your custom app rules.

Step 1: Add a Custom Cloud Application

To create the application entry in the Zscaler administration portal:

  1. Navigate to Policies > Access Control > Internet & SaaS > SaaS Applications.
  2. Click Add Custom Cloud Application.
  3. Fill in the application details in the configuration window.

Configuration Fields

  • Cloud Application Name: A unique, descriptive name for the app (used in policy selection).
  • Application Category: Automatically set to Custom Applications (read-only).
  • Application Status: Choose between Sanctioned or Unsanctioned.
  • Risk Index: Assign a rating from 1 (lowest) to 5 (highest).
  • URLs: Enter the URLs or IP addresses associated with the app.
  • Tags & Description: Use these for internal organization and context.

  4. Click Save and Activate the changes.

Step 2: Create a Cloud App Control Rule

Once the application is defined, you need a policy to manage how users interact with it.

  1. Go to Policies > Access Control > Internet & SaaS > Policies.
  2. Select Custom Applications from the left-hand menu.
  3. Click Add Rule.

Step 3: Configure the Rule Details

Before defining specific criteria, fill in the basic rule information:

  • Rule Name: Enter a clear, meaningful name for the policy.
  • Admin Rank: Set the rank based on your administrative permissions (lower numbers indicate higher priority).
  • Rule Status: Enable the rule to enforce it immediately, or disable it to save the configuration without applying it.
  • Description: Add optional context for other administrators or future reference.
  • Rule Order: Rules are evaluated in ascending order; place this rule correctly in the sequence.
  • Rule Label: Optionally assign a label to categorize and organize your policy rules.

Step 4: Define Rule Criteria

The rule editor allows you to define exactly when the security policy should trigger. You can scope the rule based on:

  • Cloud Applications: Select your newly created custom app.
  • Identity: Scope by Users, Groups, or Departments.
  • Context: Filter by Location, Time, Device Type, or Device Trust Level.
  • Risk Profile: Match based on the User Risk Profile or Application Risk Index.

Important: If the rule applies to unauthenticated traffic, ensure 'Any' is selected for both Groups and Departments.


Step 5: Set Rule Expiration (Optional)

For temporary access requirements, such as vendor audits or short-term projects:

  1. Enable Rule Expiration.
  2. Define the Start and End dates/times.
  3. Set the appropriate Time Zone.

Step 6: Choose the Enforcement Action

Zscaler provides several actions to control the traffic:

  • Allow: Grants access. You can optionally set Daily Bandwidth or Time Quotas.
  • Caution: Displays a warning notification before allowing the user to proceed.
  • Block: Denies access entirely.
  • Isolate: Redirects the session through Cloud Browser Isolation (CBI) for maximum security.
  • Conditional: Requires step-up authentication before access is granted.

Step 7: Configure Notifications

If using Caution or Block actions, select a Browser Notification Template. This ensures users understand why their access is being managed and provides a path for remediation or support.


Best Practices for Zscaler Custom Apps

  • Consistency: Use a standardized naming convention for all custom applications.
  • Tagging: Use tags to simplify policy audits and reporting.
  • Testing: Start with a narrow scope (specific test users or locations) before a global rollout.
  • Rule Order: Remember that Zscaler evaluates rules in ascending order; ensure your most specific rules are at the top.
  • SSL Inspection: Verify that the URLs for your custom app are being SSL-inspected, or Zscaler won't be able to identify the application traffic.
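
The rule-order advice above can be checked on paper before a rollout. The following is an added example, not part of the original guide and not Zscaler tooling: it flags rules that can never match because an earlier, broader rule covers their whole scope. It assumes the first matching enabled rule decides the action; the Rule model, its field names, and the sample policy are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

ANY = frozenset({"Any"})  # models the portal's 'Any' selection

@dataclass(frozen=True)
class Rule:  # hypothetical model, not a Zscaler export or API format
    order: int            # Rule Order: lower numbers are evaluated first
    name: str
    action: str           # Allow, Caution, Block, Isolate or Conditional
    apps: frozenset
    groups: frozenset = ANY
    locations: frozenset = ANY
    enabled: bool = True

def _active(rules):
    return sorted((r for r in rules if r.enabled), key=lambda r: r.order)

def covers(outer, inner):
    """True when scope `outer` matches everything scope `inner` matches."""
    return outer == ANY or (inner != ANY and inner <= outer)

def find_shadowed(rules):
    """Return (shadowed, shadowing) rule-name pairs among enabled rules."""
    active, findings = _active(rules), []
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if all(covers(getattr(earlier, f), getattr(later, f))
                   for f in ("apps", "groups", "locations")):
                findings.append((later.name, earlier.name))
                break
    return findings

def decide(rules, app, group, location):
    """Assumed semantics: the first matching enabled rule sets the action."""
    for r in _active(rules):
        scopes = ((r.apps, app), (r.groups, group), (r.locations, location))
        if all(s == ANY or v in s for s, v in scopes):
            return r.name, r.action
    return None, "no-match"

# Constructed sample policy: the broad Block sits above the narrow Allow.
SAMPLE = [
    Rule(1, "Block-HRPortal-All", "Block", frozenset({"HR-Portal"})),
    Rule(2, "Allow-HRPortal-HR", "Allow", frozenset({"HR-Portal"}),
         groups=frozenset({"HR"})),
    Rule(3, "Isolate-Wiki-Contractors", "Isolate", frozenset({"Eng-Wiki"}),
         groups=frozenset({"Contractors"})),
]
```

Calling find_shadowed(SAMPLE) reports that the HR allow rule is unreachable behind the broader block; swapping the two rule orders clears the finding and lets the HR group through while everyone else stays blocked.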

Final Thoughts

Defining custom cloud applications is a powerful way to bring "Shadow IT" or internal-only tools under the umbrella of your corporate security policy. By following this workflow, you ensure that every application used in your environment—whether recognized by Zscaler or not—is subject to the same rigorous access controls and visibility.