This document provides step-by-step instructions to set up and run the standalone script that fetches Zscaler ZIA and ZPA configurations. The script exports configuration data from the Zscaler cloud (ZIA and ZPA) using REST APIs.
Script Name: fetch_zscaler_zia_zpa_config.py
The script fetches configuration data such as firewall rules, network objects, URL categories, and policies from Zscaler ZIA and ZPA, and stores them locally in the same directory where the script resides. It creates a new config folder, within which zpa and zia subfolders are created, and the files are stored inside these subfolders.
System Requirements:
- Python 3.10 or higher
- Network connectivity to reach Zscaler cloud
- Valid Zscaler ZIA and ZPA administrator credentials
Linux / macOS:
python3 -m venv venv
source venv/bin/activate

Windows:
python -m venv venv
venv\Scripts\activate

pip install -r requirements.txt

python --version
pip list | grep requests

ZIA:
- Cloud URL (e.g., https://admin.zscaler.net)
- Zscaler Admin Username
- Zscaler Admin Password
- Zscaler API Key

ZPA:
- Cloud URL (e.g., https://config.private.zscaler.com)
- Customer ID
- Client ID
- Client Secret
Important: Please ensure that the cloud URLs used are correct, otherwise even if the login credentials are correct, the login will not work.
Command Syntax:
python3 fetch_zscaler_zia_zpa_config.py [--ca-bundle <path>] [--no-verify-ssl]

Optional flags:

| Flag | Purpose |
|---|---|
| `--ca-bundle <path>` | Path to a PEM CA bundle. Use this if your corporate proxy performs TLS inspection and re-signs traffic to Zscaler. May also be set via the REQUESTS_CA_BUNDLE environment variable. |
| `--no-verify-ssl` | Insecure. Disables TLS certificate validation entirely. Use only as a last resort for debugging when --ca-bundle is not possible. |
By default, the script validates TLS certificates when connecting to Zscaler APIs. If you see SSLCertVerificationError, you are most likely behind a TLS-inspecting proxy — export your proxy's root CA to a PEM file and pass it with --ca-bundle.
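One way the two TLS flags and the REQUESTS_CA_BUNDLE variable can be resolved into the value passed to the `verify=` parameter of `requests`, shown as an added example and not the code of fetch_zscaler_zia_zpa_config.py. The function names, the flag-over-environment precedence, and the refusal to combine both flags are assumptions of this example.

```python
import argparse
import os
import sys
import warnings


def build_parser():
    # Same two flags as the command syntax above; the parsing is this example's own.
    parser = argparse.ArgumentParser()
    parser.add_argument("--ca-bundle", metavar="<path>")
    parser.add_argument("--no-verify-ssl", action="store_true")
    return parser


def resolve_verify(argv, environ=None):
    """Return True, False, or a CA bundle path for requests' verify= parameter."""
    environ = os.environ if environ is None else environ
    args = build_parser().parse_args(argv)

    # Assumed policy: an explicit trust anchor and "trust anything" cannot be combined.
    if args.no_verify_ssl and args.ca_bundle:
        raise ValueError("--ca-bundle and --no-verify-ssl are mutually exclusive")
    if args.no_verify_ssl:
        warnings.warn("TLS certificate validation is disabled", stacklevel=2)
        return False

    # Assumed precedence: the command-line flag wins over the environment variable.
    bundle = args.ca_bundle or environ.get("REQUESTS_CA_BUNDLE")
    if not bundle:
        return True  # default: validate against the normal trust store

    # Fail early with a clear message instead of an opaque TLS error later.
    try:
        with open(bundle, "r", encoding="ascii", errors="replace") as fh:
            pem = fh.read()
    except OSError as exc:
        raise ValueError(f"cannot read CA bundle {bundle!r}: {exc}") from exc
    if "-----BEGIN CERTIFICATE-----" not in pem:
        raise ValueError(f"{bundle!r} is not a PEM file (DER export?)")
    return bundle


if __name__ == "__main__":
    # The result is what a caller would pass as requests.get(url, verify=...).
    print(resolve_verify(sys.argv[1:]))
```

A proxy root CA exported in DER format fails the PEM check here; convert it to PEM before passing it with --ca-bundle.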
Note:
- The ZIA API that exports the policy config has a rate limit of 1 API call per hour. If the script runs successfully and you run it again within an hour, the API will not return the ZIA policy configs on that second run, so the new zip will not include the ZIA policy config files.
- There is no rate limit on ZPA policy and other objects fetch APIs.
All configuration files will be generated based on API response and saved in the zia and zpa directories.
- Do not hardcode credentials
- Use admin credentials carefully
- Keep a backup of downloaded configurations