I have been administrating Zscaler at our company for a while, and I find it a pretty good technology from a zero trust perspective and internet filtering capabilities (e.g., cloud browser isolation, etc.), not to mention its DLP capabilities and many other features (privileged remote access, etc.).
Has anyone worked with a tool that is similar to Zscaler or maybe better than it at doing what they do?
Just curious to see what this sub’s opinions are about it and their different experiences…
Cloudflare Warp is nice, it’s new though.
Zscaler itself is pretty good
I’ve used Zscaler and Prisma Access. While I never used Zscaler for full ZTNA level, we did use the browser, SSL inspection and DLP for 4 years. Overall we found it really lacking and it left us with troubles and limitations, particularly in the DLP space as well as the shared egress IP addresses.
Been using Prisma Access for about 3 years now (we are a Palo shop for firewalls) and it is really a seamless addition and it unifies the full SD-WAN, Always on VPN, and full stack security solution including Web/SSL/DLP.
The biggest selling point for us was dedicated egress IP addresses on Prisma Access vs Zscaler.
We are in the middle of an evaluation between Zscaler, Cato, and Netskope. Looked at Prisma, Cloudflare, and Cisco as well, but they fell off early in the process based on us looking at their tech and speaking with their salesman/Engineer.
We are looking for full SASE to replace awful Versa and Verizon supported SD-WAN. Those 3 are the top, but Cato has surprised us the most in terms of what they have to offer and how their product works. We still need to POC.
We went with Netskope but looked at Zscaler and others. If you’re going to do ZTNA and replace a VPN, do a lot of latency and bandwidth testing. We found some odd internet routing and the nature of SASE caused a noticeable SMB performance difference. I’ve tried the Microsoft SASE and its file transfer is much slower than my Netskope.
We did a POC with several vendors (Zscaler included) and ended up using Palo. There have been some integration pains, but overall it is meeting our objectives.
Zscaler caused so many problems at our org (mainly ZIA) we got rid of them as a whole. Netskope is OK, Tailscale was also a very simple solution that was good for ZTNA.
You aren’t asking what the problem is that you need to solve. Zscaler is a product. Working backwards from a product is saying you have a hammer and are asking what nails you need to hit.
Three primary capabilities you want out of a SASE are as follows:
- CASB/HTTPS inspection proxy: allowing for web filtering, DLP, malware protection, and analytics.
- ZTNA, as in a network overlay with fine grained access control based on identity and services, as opposed to location or IP ranges.
- Authenticated Proxies, for allowing remote access via a browser without additional software.
The first one gets provided by any security focused inspection proxy. Zscaler does a good job. So do most firewall vendors.
The second one (in my opinion) is actually kinda terrible to try to solve with SASE. Most places I’ve seen attempt it just end up with a VPN but worse, usually due to the complications involved with using a web proxy to solve a layer 3 problem. Worst case, you end up with a half implemented ZPA and a VPN because you never got it good enough to actually make a switch.
Modern VPNs introduce ACLs and/or peer to peer scaling that make the SASE value add non-existent for ZTNA. Tailscale, ZeroTier, etc. are very simple to implement and get the job done. Alternatively, SD-Access/SDLAN solutions integrated with a regular VPN will also do the job.
The third one is becoming a normal commodity, available with pretty much all identity providers. Entra ID, for example, offers an application proxy built into most M365 offerings.
Not a single person thus far has given good examples from a higher level perspective on why they switched. The only argument thus far has been you are in PA’s stack. The same argument is made from the Fortinet side.
Give examples of how you think PA Prisma is better than ZIA and ZPA and use case.
Isn’t Microsoft about to release one that will plug and play with its existing DLP, CASB, Defender suite? If I was an Azure customer I would go for that.
The shared IP with Zscaler is annoying and is a huge limitation. And it’s kinda slow.
In the SASE/ZPA space everyone and their brother is getting into the space, including Cloudflare and MS - both of those are interesting as they have global nodes and are supposedly much faster around the globe than Zscaler, but that only matters for certain orgs.
We just ditched Zscaler in favor of Palo Alto Prisma Access. Loving the change so far.
Alternatives: Netskope, SkyHigh, and Palo Alto Prisma. Those three plus Zscaler have the most similar offerings.
Depending on what you want to do and the size of your org, iBoss, island.io, and TwinGate may be worth looking at as well.
Have you utilised its full capabilities? Are you finding any issues? Moving is a nightmare for enterprise orgs.
Microsoft published Global Secure Access as a competitor. Not as mature, relatively effective. Biggest threat on the block.
Cloudflare, Netskope, etc. all have working and advanced solutions. Look up SASE providers on Google.
We looked at switching from Zscaler to Palo but there was no huge advantage for us (large multinational), and Palo’s extremely greedy licensing is a huge red flag. We also have a great relationship with Zscaler and they are reacting to feedback. It certainly has its shortcomings, but then again so seems every vendor. We also looked at the upcoming MS option but it’s so half-baked that it’s more dough than cookie. Worth keeping an eye on though.
Checked out Cato in 2019 but they didn’t have a control plane API at the time… Wtf?
Implemented Netskope at a previous employer and it was a disaster with latency and outages and generally did not have a great rollout. Not fond of the poor stability and lack of troubleshooting ability from Netskope after their team promised the world.
Netskope beat Zscaler in our recent showdown between the two. If I recall we were able to get a much better price with Netskope as well.
Island is good for me over ZS but requires a big change for the users.
Have you tried the Cisco Umbrella? I’m not a super fan of it but it works OK.
Prisma Access by PANW