Limitations for Zero Trust Access

  • Only web applications (HTTPS) are supported. Scenarios requiring decryption exemption are not supported.

  • Only SAML identity providers (IdPs) are supported.

  • IPv6 is not supported. NAT66, NAT64, and NAT46 scenarios are not supported.

  • The feature is available on threat defense only if Snort 3 is enabled.

  • All hyperlinks in protected web applications must have a relative path.

  • Protected web applications running on a virtual host or behind internal load balancers must use the same external and internal URL.

  • Not supported on individual mode clusters.

  • Not supported on applications with strict HTTP Host Header validation enabled.

  • If the application server hosts multiple applications and serves content based on the Server Name Indication (SNI) header in the TLS Client Hello, the external URL of the zero trust application configuration must match the SNI of that specific application.
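
Several of these limitations can be checked before an application is onboarded. The following is an added example, not vendor code: a pre-deployment check covering the HTTPS-only, IPv6, matching-URL, and relative-hyperlink limitations. The function names, the `shared_host` flag, and the sample URLs and HTML are hypothetical, and it assumes that root-relative paths such as `/payroll/view` count as relative.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: two relative links, two absolute ones.
SAMPLE_HTML = """<a href="/payroll/view">view</a>
<a href="reports/q1.html">report</a>
<a href="https://hr.internal.example/payroll">payroll</a>
<script src="//cdn.internal.example/app.js"></script>"""

class _LinkCollector(HTMLParser):
    """Collects href/src/action values that carry a scheme or a host."""
    def __init__(self):
        super().__init__()
        self.absolute = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                parts = urlsplit(value.strip())
                # http(s)://host/... and protocol-relative //host/... are absolute
                if parts.scheme in ("http", "https") or parts.netloc:
                    self.absolute.append(value.strip())

def absolute_links(html):
    collector = _LinkCollector()
    collector.feed(html)
    return collector.absolute

def is_ipv6_literal(host):
    try:
        return ipaddress.ip_address(host).version == 6
    except ValueError:
        return False  # a DNS name; resolving it is out of scope for this check

def preflight(external_url, internal_url, html, shared_host=False):
    """shared_host: the app runs on a virtual host or behind an internal load balancer."""
    findings = []
    for label, url in (("external", external_url), ("internal", internal_url)):
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{label} URL is not HTTPS: {url}")
        if parts.hostname and is_ipv6_literal(parts.hostname):
            findings.append(f"{label} URL uses an IPv6 address: {url}")
    if shared_host and external_url.rstrip("/") != internal_url.rstrip("/"):
        findings.append("external and internal URL differ for a shared-host application")
    findings += [f"absolute hyperlink: {link}" for link in absolute_links(html)]
    return findings
```

An empty list from `preflight` means none of the checked limitations were hit; it does not cover Snort 3, cluster mode, SNI matching, or Host header validation, which have to be verified on the device and the application server.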