- Don't narrate tool calls, JMESPath filters, search keys, or internal lookup logic. Just confirm what was created and which scoping was applied.
Audit ZIA SSL inspection rules to identify applications, URL categories, users, or groups subject to INSPECT, DO_NOT_INSPECT, or DO_NOT_DECRYPT actions.
Configure SSL/TLS inspection on firewalls and proxies to decrypt, inspect, re-encrypt HTTPS traffic, manage CA certificates, exemptions, and ensure privacy compliance for threat detection.
- If a zia_list_* lookup returns no match for an exact-name search, treat the resource as "does not exist." Do not retry with split keywords or unfiltered listings.
- If zia_create_* and zia_get_* are visible for a resource, the matching zia_list_* exists too.
- After a successful create, call zia_activate_configuration() and tell the admin the change is now live.

This skill creates one SSL Inspection rule per invocation. Anything outside that scope is a hard stop:
- Other ZIA rule types (use zia-create-firewall-filtering-rule for firewall, zia-create-url-filtering-rule for URL filtering).
- Schedules. There is no time_windows attribute on the API. If the admin needs time-of-day scoping, the policy decision belongs on a different rule type (see "When the admin asks for a schedule" below).

Stop and report plainly when:

- A named resource cannot be resolved with its zia_list_* tool; if the lookup is empty, say so and stop. Do not skip the field, do not invent IDs.
- The requested action is not one of BLOCK, DECRYPT, DO_NOT_DECRYPT. Anything else (INSPECT, DO_NOT_INSPECT, ALLOW, BYPASS, etc.) belongs to other rule types or is simply not a valid SSL Inspection action.
- The admin asks for time_windows. Stop and explain — see "When the admin asks for a schedule" below.

Never improvise around a missing dependency — hand off or stop.
| Action | Effect on matched SSL/TLS traffic | Common reasons to choose this |
|---|---|---|
| BLOCK | The SSL/TLS connection is blocked outright. | Block known-malicious destinations or traffic that should never be allowed regardless of payload. |
| DECRYPT | The connection is decrypted and inspected. Downstream URL Filtering, DLP, Sandbox, ATP, etc. policies see the full HTTP payload. | Default for general web browsing where security policy needs full content visibility. |
| DO_NOT_DECRYPT | The connection is not decrypted. It still flows, and SNI-based policies (URL category, IP, etc.) still apply, but the payload remains opaque. | Privacy-sensitive destinations (banking, healthcare), pinned or non-decryptable apps, regulatory carve-outs. |
The action payload is a dict with a type field plus optional sub-action settings:

```python
# Simple forms
{"type": "BLOCK"}
{"type": "DECRYPT"}

# Richer DO_NOT_DECRYPT with sub-actions
{
    "type": "DO_NOT_DECRYPT",
    "do_not_decrypt_sub_actions": {
        "bypass_other_policies": True,
        "block_ssl_traffic_with_no_sni_enabled": True,
        "min_tls_version": "SERVER_TLS_1_2"
    }
}
```
SSL Inspection rules have no time-of-day attribute. There is no time_windows field on this API. If the admin says "decrypt SSL only during business hours" or "do not decrypt this app after hours", offer one of these alternatives instead of trying to attach a Time Interval:

- Move the schedule to a rule type that supports time_windows (URL Filtering or Cloud Firewall Filtering) and keep the SSL Inspection rule unscheduled.
- Create one DECRYPT rule scoped to corporate users and one DO_NOT_DECRYPT rule scoped to a specific group used during off-hours, with the gating done by group/department membership rather than time.

If the admin insists on a time-of-day SSL Inspection rule, stop and explain the constraint. Do not silently drop the time field and create a 24/7 rule the admin didn't ask for.
Required:

- name
- action: one of BLOCK, DECRYPT, DO_NOT_DECRYPT

At least one matching criterion (otherwise the rule matches nothing useful):

- cloud_applications (e.g. ["ONEDRIVE", "GITHUB"]), url_categories, users, groups, locations, location_groups, source_ip_groups, dest_ip_groups, device_trust_levels, platforms, user_agent_types, labels, or zpa_app_segments

Optional:

- description, rank (1-7), order (defaults to bottom), enabled (defaults to True)
Shared rule targets — delegate to zia-look-up-rule-targets. For every user, group, department, location, location group, URL category, device, device group, workload group, or label the admin named, follow zia-look-up-rule-targets to get the IDs (or canonical UPPER_SNAKE strings, for url_categories — SSL Inspection takes the string form, not numeric IDs). Stop and report if any lookup is empty — never invent IDs, never substitute. (SSL Inspection does not support time_windows — see "When the admin asks for a schedule" below.)
SSL-specific fields — resolve here. The fields below are unique to SSL Inspection and not covered by zia-look-up-rule-targets. For each one the admin named, run one lookup using the knob below.
| Admin named | Resolution tool | Lookup knob | Returns |
|---|---|---|---|
| Cloud app friendly name (e.g. "OneDrive") | zia-look-up-cloud-app-name (skill) | (skill) | canonical names like ONEDRIVE |
| Source/Dest IP group name | zia_list_ip_source_groups / zia_list_ip_destination_groups | search="<exact>" | IP group ID |
| ZPA application segment | (resolve via the ZPA tools — zpa_list_application_segments(search=...)) | search="<exact>" | segment ID |
For cloud applications, the agent has a choice: pass canonical enum tokens (ONEDRIVE, SHAREPOINT_ONLINE) directly, or pass friendly names ("OneDrive", "share point online") and let the SSL inspection tool auto-resolve via the policy-engine catalog (resolve_cloud_apps=True is the default). Prefer canonical enums when the admin already knows them; otherwise let the auto-resolver do the work and surface the resolution audit back to the admin.
Confirm the admin's action choice (BLOCK / DECRYPT / DO_NOT_DECRYPT) and any sub-action settings (TLS minimum version, SNI handling, bypass behaviour) before issuing the create. The action payload is an explicit dict, not a string:
```python
action = {
    "type": "DO_NOT_DECRYPT",
    "do_not_decrypt_sub_actions": {
        "bypass_other_policies": True,
        "block_ssl_traffic_with_no_sni_enabled": True,
        "min_tls_version": "SERVER_TLS_1_2",
    },
}
```
Call:

```python
zia_create_ssl_inspection_rule(
    name=<name>,
    action=<action dict>,
    description=<optional>,
    enabled=True,
    rank=<1-7, optional>,
    order=<optional, defaults to bottom>,
    cloud_applications=[...],   # canonical enums or friendly names
    url_categories=[...],
    groups=[...],
    users=[...],
    locations=[...],
    location_groups=[...],
    source_ip_groups=[...],
    dest_ip_groups=[...],
    device_trust_levels=[...],
    platforms=[...],
    user_agent_types=[...],
    labels=[...],
    zpa_app_segments=[...],     # only for Source IP Anchoring
)
```
Note: the SSL Inspection tool does not accept a time_windows parameter — it is not part of this rule type.
Capture the returned id.
ZIA changes are staged until activation. After every successful create, run:

```python
zia_activate_configuration()
```
Tell the admin: "Rule created (ID <id>) and activated." If activation fails, surface the error — the rule exists but is not live.
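The following is an added example, not code from the Zscaler MCP server or from this skill's own tooling. It shows, as a hypothetical pre-flight helper, the hard stops described in the action-payload section and in the create/activate steps above: the action must be a dict with a valid type, do_not_decrypt_sub_actions only make sense with DO_NOT_DECRYPT, time_windows is rejected with a redirect, at least one matching criterion is required, and a failed activation is reported rather than hidden. The create and activate tools are injected as callables, and the stub client at the bottom is constructed so the flow runs offline; the assumption that the create tool returns a dict carrying an id is marked in the code.

```python
"""Pre-flight checks for a ZIA SSL Inspection rule, plus the create + activate flow.

Hypothetical helper (not part of the Zscaler MCP server). It enforces this
skill's hard stops before anything is sent to the API.
"""
from typing import Any, Callable, Optional

VALID_ACTIONS = {"BLOCK", "DECRYPT", "DO_NOT_DECRYPT"}
# Names admins often use that belong to other rule types or are not SSL Inspection actions.
NOT_SSL_ACTIONS = {"INSPECT", "DO_NOT_INSPECT", "ALLOW", "BYPASS"}
DND_SUB_ACTION_KEYS = {"bypass_other_policies", "block_ssl_traffic_with_no_sni_enabled", "min_tls_version"}
MATCH_FIELDS = ("cloud_applications", "url_categories", "groups", "users", "locations",
                "location_groups", "source_ip_groups", "dest_ip_groups", "device_trust_levels",
                "platforms", "user_agent_types", "labels", "zpa_app_segments")
OTHER_FIELDS = {"description", "rank", "order"}


class HardStop(Exception):
    """The request cannot be created; the message is what to report to the admin."""


def validate_action(action: Any) -> dict:
    """Check that the action payload is a dict of the shape this rule type accepts."""
    if isinstance(action, str):
        raise HardStop("action must be a dict such as {'type': 'DECRYPT'}, not a string")
    if not isinstance(action, dict) or "type" not in action:
        raise HardStop("action dict needs a 'type' key")
    kind = action["type"]
    if kind in NOT_SSL_ACTIONS:
        raise HardStop(f"{kind} is not an SSL Inspection action; it belongs to another rule type")
    if kind not in VALID_ACTIONS:
        raise HardStop(f"unknown action {kind!r}; use one of {sorted(VALID_ACTIONS)}")
    subs = action.get("do_not_decrypt_sub_actions")
    if subs is not None:
        if kind != "DO_NOT_DECRYPT":
            raise HardStop("do_not_decrypt_sub_actions only apply when type is DO_NOT_DECRYPT")
        unknown = set(subs) - DND_SUB_ACTION_KEYS
        if unknown:
            raise HardStop(f"unknown sub-action keys: {sorted(unknown)}")
        for flag in ("bypass_other_policies", "block_ssl_traffic_with_no_sni_enabled"):
            if flag in subs and not isinstance(subs[flag], bool):
                raise HardStop(f"{flag} must be a boolean")
    return action


def build_request(name: str, action: Any, **fields: Any) -> dict:
    """Assemble keyword arguments for zia_create_ssl_inspection_rule, or raise HardStop."""
    if "time_windows" in fields:
        raise HardStop("SSL Inspection has no time_windows; put the schedule on a URL Filtering "
                       "or Cloud Firewall Filtering rule instead")
    if not name:
        raise HardStop("rule name is required")
    enabled = fields.pop("enabled", True)
    unknown = set(fields) - set(MATCH_FIELDS) - OTHER_FIELDS
    if unknown:
        raise HardStop(f"unsupported parameters: {sorted(unknown)}")
    if not any(fields.get(f) for f in MATCH_FIELDS):
        raise HardStop("at least one matching criterion is required; otherwise the rule matches nothing useful")
    rank = fields.get("rank")
    if rank is not None and not 1 <= rank <= 7:
        raise HardStop("rank must be between 1 and 7")
    request = {"name": name, "action": validate_action(action), "enabled": enabled}
    request.update({k: v for k, v in fields.items() if v is not None})
    return request


def create_and_activate(create: Callable[..., dict], activate: Callable[[], Any], **rule: Any) -> str:
    """Create the rule, then activate; report plainly when activation fails."""
    request = build_request(**rule)
    # Assumption: the create tool returns a dict carrying the new rule's id.
    rule_id = create(**request)["id"]
    try:
        activate()
    except Exception as exc:
        return f"Rule created (ID {rule_id}) but not activated: {exc}"
    return f"Rule created (ID {rule_id}) and activated."


def hard_stop_reason(fn: Callable[..., Any], *args: Any, **kwargs: Any) -> Optional[str]:
    """Return the HardStop message a call would produce, or None if it succeeds."""
    try:
        fn(*args, **kwargs)
    except HardStop as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed stub client standing in for the MCP tools.
    created: list = []

    def stub_create(**params: Any) -> dict:
        created.append(params)
        return {"id": 1000 + len(created)}

    def stub_activate() -> dict:
        return {"status": "ACTIVE"}

    dnd = {"type": "DO_NOT_DECRYPT", "do_not_decrypt_sub_actions": {"min_tls_version": "SERVER_TLS_1_2"}}
    print(create_and_activate(stub_create, stub_activate, name="OneDrive no-decrypt",
                              action=dnd, cloud_applications=["ONEDRIVE"]))
    print(hard_stop_reason(build_request, "Bad rule", {"type": "INSPECT"}, users=[1]))
```

hard_stop_reason exists so that the agent (or a test) can surface the stop message as data rather than catching exceptions at every call site; in practice the message is what gets reported back to the admin verbatim.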
Confirm in plain language:

- The rule name and returned ID
- The action applied (BLOCK / DECRYPT / DO_NOT_DECRYPT)
- Any sub-actions set for DO_NOT_DECRYPT (TLS min version, SNI handling)
- Which scoping was applied (users, groups, cloud apps, URL categories, etc.)

Don't restate operand IDs or internal field names that the admin doesn't need to see.
Tools used:

- zia_list_ssl_inspection_rules(search=...) — only on explicit admin request for ordering / duplicate checks
- zia_create_ssl_inspection_rule(name, action, ...)
- zia_activate_configuration()

Related ID-resolution tools (one call per resource, exact name):

- zia_list_url_categories, zia_list_user_groups, zia_list_user_departments, zia_list_users, zia_list_locations, zia_list_ip_source_groups, zia_list_ip_destination_groups, zia_list_rule_labels

Related skills:

- zia-audit-ssl-inspection-bypass — read-only audit of existing SSL Inspection rules. Use when the admin asks "show me what's bypassing SSL inspection" rather than "create a new SSL Inspection rule".
- zia-look-up-cloud-app-name — used silently when friendly cloud-app names are passed in. Pre-resolves "OneDrive" → ONEDRIVE.

Different ZIA rule types — do not chain through this skill:

- zia-create-firewall-filtering-rule — Cloud Firewall is a separate resource type. If the admin wants schedule-based filtering, this is a likely destination for the schedule.
- zia-create-url-filtering-rule — URL Filtering is a separate resource type. Supports time_windows natively, so it's the right place when the admin wants time-of-day URL category enforcement.

Notes:

- No schedule support on this rule type. SSL Inspection has no time_windows attribute. If the admin asks for time-of-day enforcement, redirect the schedule to Cloud Firewall Filtering or URL Filtering rather than attempting to attach a Time Interval here.
- Don't pre-list rules before creating. Skip zia_list_ssl_inspection_rules unless the admin explicitly asks about ordering or wants to inspect existing rules — direct create + activate is the default flow.