zscaler-mcp-server

Official
by zscaler

Server Configuration

Describes the environment variables required to run the server.

| Name | Required | Description | Default |
|---|---|---|---|
| ZSCALER_CLOUD | No | Cloud override (e.g., beta, zscalertwo); omit for production | |
| ZSCALER_CLIENT_ID | Yes | OneAPI client ID from the ZIdentity console | |
| ZSCALER_CUSTOMER_ID | No | Zscaler customer/tenant ID (required for ZPA tools) | |
| ZSCALER_PRIVATE_KEY | No | PEM-encoded private key for JWT-based OneAPI auth, used in place of ZSCALER_CLIENT_SECRET | |
| ZSCALER_CLIENT_SECRET | No | OneAPI client secret | |
| ZSCALER_VANITY_DOMAIN | Yes | Your organization's vanity domain (e.g., acme) | |

Capabilities

Features and capabilities supported by this server

| Capability | Details |
|---|---|
| tools | {"listChanged": false} |
| prompts | {"listChanged": false} |
| resources | {"subscribe": false, "listChanged": false} |
| experimental | {} |

Tools

Functions exposed to the LLM to take actions

zscaler_check_connectivity

Check connectivity to the Zscaler API.

zscaler_get_available_services

Service-level overview of what is loaded in this session: which Zscaler services are callable, which are present but have zero callable tools because the OneAPI credentials are not entitled to them, and which were excluded by configuration. For tool-level discovery, prefer zscaler_list_toolsets. Treat the result as authoritative.

zscaler_list_toolsets

PRIMARY tool-discovery entry point. Call this FIRST for any user request that needs to find a Zscaler tool. Returns the toolsets this server organises tools into (one per resource family per service, e.g. 'zia_url_filtering', 'zpa_segment_groups'). Each row tells you whether the group is currently loaded, how many tools it contains, and whether it can be enabled in this session. Supports name / description / service substring filters so you can scope the result. Treat 'can_enable: false' as authoritative — the OneAPI credentials cannot access that product, do not retry.

zscaler_get_toolset_tools

Drill into a specific toolset to see its tools and whether each one can be called right now. Use after zscaler_list_toolsets has identified the relevant toolset. Each result row has 'available' and (when false) 'unavailable_reason'. Treat 'available: false' as authoritative and report the situation to the user instead of attempting to call the tool. Supports name / description substring filters to narrow the result.

zscaler_enable_toolset

Activate a toolset that was registered but not loaded at startup, so its tools become callable for the rest of the session. Refuses with status 'not_entitled' if the toolset belongs to a product the configured OneAPI credentials cannot access — in that case, report the result to the user and do not retry.

zpa_list_application_segments

List ZPA application segments with optional filtering (read-only). Supports JMESPath client-side filtering via the query parameter.

zpa_get_application_segment

Get a specific ZPA application segment by ID (read-only)

zpa_list_application_segments_ba

List ZPA Browser Access (BA) application segments — the BA-specific counterpart of zpa_list_application_segments. Use only when the admin asks about Browser Access. Supports JMESPath client-side filtering via the query parameter (read-only).

zpa_get_application_segment_ba

Get a specific ZPA Browser Access (BA) application segment by ID, including its common_apps_dto.apps_config block (read-only). Use only when the admin asks about Browser Access.

zpa_list_application_segments_pra

List ZPA Privileged Remote Access (PRA) application segments — the PRA-specific counterpart of zpa_list_application_segments for RDP/SSH targets brokered through the PRA portal. Use only when the admin asks about Privileged Remote Access (RDP/SSH). Supports JMESPath client-side filtering via the query parameter (read-only).

zpa_get_application_segment_pra

Get a specific ZPA Privileged Remote Access (PRA) application segment by ID, including its common_apps_dto.apps_config block of RDP/SSH targets (read-only). Use only when the admin asks about Privileged Remote Access.

zpa_list_app_connector_groups

List ZPA App Connector Groups (read-only). Returns every connector group in the tenant — id, name, location, country, enrollment cert, server-group memberships. Use this to discover existing connector groups before creating server groups (which require an app_connector_group_id) or before onboarding an application. Supports name search and JMESPath client-side filtering via the query parameter.

zpa_get_app_connector_group

Get a specific ZPA App Connector Group by ID (read-only). Returns the full record including the enrollmentCertId, server-group memberships, and connector membership.

zpa_list_app_connectors

List ZPA app connectors with status, version, and health information (read-only). Supports JMESPath client-side filtering via the query parameter.

zpa_get_app_connector

Get a specific ZPA app connector by ID with runtime status and control connection state (read-only)

zpa_list_server_groups

List ZPA server groups (read-only). Supports JMESPath client-side filtering via the query parameter.

zpa_get_server_group

Get a specific ZPA server group by ID (read-only)

zpa_list_segment_groups

List ZPA segment groups (read-only). Supports JMESPath client-side filtering via the query parameter.

zpa_get_segment_group

Get a specific ZPA segment group by ID (read-only)

zpa_list_application_servers

List ZPA application servers (read-only). Supports JMESPath client-side filtering via the query parameter.

zpa_get_application_server

Get a specific ZPA application server by ID (read-only)

zpa_list_service_edge_groups

List ZPA service edge groups (read-only). Supports JMESPath client-side filtering via the query parameter.

zpa_get_service_edge_group

Get a specific ZPA service edge group by ID (read-only)

zpa_list_service_edges

List individual ZPA Service Edges (the cloud-hosted broker instances themselves, distinct from their parent service edge groups). Returns runtime status, version, location, enrollment cert, and serviceEdgeGroupId. Use to inventory edges before bulk operations or to verify enrollment after a provisioning key was used. Supports JMESPath client-side filtering via the query parameter (read-only).

zpa_get_service_edge

Get a specific ZPA Service Edge by ID — full record including control-channel state, runtime status, version, location, enrollment certificate, and parent service edge group membership (read-only).

zpa_list_ba_certificates

List ZPA browser access certificates (read-only). Supports JMESPath client-side filtering via the query parameter.

zpa_get_ba_certificate

Get a specific ZPA browser access certificate by ID (read-only)

zpa_list_access_policy_rules

List ZPA access policy rules (read-only). Supports JMESPath client-side filtering via the query parameter.

zpa_get_access_policy_rule

Get a specific ZPA access policy rule by ID (read-only)

zpa_list_forwarding_policy_rules

List ZPA forwarding policy rules (read-only). Supports JMESPath client-side filtering via the query parameter.

zpa_get_forwarding_policy_rule

Get a specific ZPA forwarding policy rule by ID (read-only)

zpa_list_timeout_policy_rules

List ZPA timeout policy rules (read-only). Supports JMESPath client-side filtering via the query parameter.

zpa_get_timeout_policy_rule

Get a specific ZPA timeout policy rule by ID (read-only)

zpa_list_isolation_policy_rules

List ZPA isolation policy rules (read-only). Supports JMESPath client-side filtering via the query parameter.

zpa_get_isolation_policy_rule

Get a specific ZPA isolation policy rule by ID (read-only)

zpa_list_app_protection_rules

List ZPA app protection rules (read-only). Supports JMESPath client-side filtering via the query parameter.

zpa_get_app_protection_rule

Get a specific ZPA app protection rule by ID (read-only)

zpa_list_provisioning_keys

List ZPA provisioning keys (read-only). Supports JMESPath client-side filtering via the query parameter.

zpa_get_provisioning_key

Get a specific ZPA provisioning key by ID (read-only)

zpa_list_pra_portals

List ZPA PRA portals (read-only). Supports JMESPath client-side filtering via the query parameter.

zpa_get_pra_portal

Get a specific ZPA PRA portal by ID (read-only)

zpa_list_pra_credentials

List ZPA PRA credentials (read-only). Supports JMESPath client-side filtering via the query parameter.

zpa_get_pra_credential

Get a specific ZPA PRA credential by ID (read-only)

get_zpa_app_protection_profile

Manage ZPA App Protection Profiles (Inspection Profiles) (read-only)

get_zpa_enrollment_certificate

Manage ZPA Enrollment Certificates (read-only)

get_zpa_isolation_profile

Manage ZPA Cloud Browser Isolation (CBI) profiles (read-only)

get_zpa_posture_profile

Manage ZPA Posture Profiles (read-only)

get_zpa_saml_attribute

Manage ZPA SAML Attributes (read-only)

get_zpa_scim_attribute

Manage ZPA SCIM Attributes (read-only)

get_zpa_scim_group

Manage ZPA SCIM Groups (read-only)

get_zpa_app_segments_by_type

Manage ZPA application segments by type (read-only)

get_zpa_trusted_network

Manage ZPA Trusted Networks (read-only)

zpa_list_lss_configs

List ZPA Log Streaming Service (LSS) configurations — each record routes a log feed (User Activity, User Status, Audit, App Connector Status/Metrics, Browser Access, Web Inspection, etc.) from ZPA to a customer-side LSS Connector / SIEM. Read-only configuration; does not return log content. Supports JMESPath client-side filtering via the query parameter.

zpa_get_lss_config

Get a specific ZPA LSS configuration by ID, including source log type, log format template, destination host/port, TLS setting, associated App Connector Groups, policy-rule scope, and filter status codes (read-only).

zpa_list_lss_log_types

List the human-readable LSS source log types supported by ZPA (e.g. user_activity, user_status, audit_logs, app_connector_status, app_connector_metrics, browser_access, web_inspection, private_svc_edge_status). Use these values when authoring an LSS config or when verifying baseline log-feed coverage (read-only).

zpa_get_lss_log_format

Get the pre-configured LSS log format templates (csv / json / tsv) for a given source log type. Useful for confirming exactly which fields ZPA serializes into the SIEM stream (read-only).

zpa_list_lss_status_codes

List ZPA LSS session status codes used in LSS config filters. Returns code → metadata (including which log types each code applies to). Use when authoring a status-code filter or when interpreting a streamed event (read-only).

zpa_list_lss_client_types

List ZPA LSS client types for the current customer (e.g. web_browser, client_connector, machine_tunnel, zpa_lss). Returns the human-readable name → internal identifier mapping used in LSS policy-rule conditions (read-only).

zdx_list_devices

List ZDX devices with optional filtering (read-only). Supports JMESPath client-side filtering via the query parameter.

zdx_get_device

Get a specific ZDX device by ID (read-only)

zdx_list_departments

List ZDX departments (read-only). Supports JMESPath client-side filtering via the query parameter.

zdx_list_locations

List ZDX locations (read-only). Supports JMESPath client-side filtering via the query parameter.

zdx_get_application_metric

Get ZDX metrics for a specified application (read-only)

zdx_get_application

Get ZDX application details (read-only)

zdx_get_application_score_trend

Get ZDX application score trend (read-only)

zdx_list_application_users

List users for a ZDX application (read-only). Supports JMESPath client-side filtering via the query parameter.

zdx_get_application_user

Get a specific ZDX application user (read-only)

zdx_list_alerts

List ZDX alerts (read-only). Supports JMESPath client-side filtering via the query parameter.

zdx_get_alert

Get a specific ZDX alert by ID (read-only)

zdx_list_alert_affected_devices

List devices affected by a ZDX alert (read-only). Supports JMESPath client-side filtering via the query parameter.

zdx_list_applications

List ZDX applications (read-only). Supports JMESPath client-side filtering via the query parameter.

zdx_list_device_deep_traces

List ZDX deep traces for a device (read-only). Supports JMESPath client-side filtering via the query parameter.

zdx_get_device_deep_trace

Get a specific ZDX deep trace by ID (read-only)

zdx_list_deeptrace_top_processes

Get top processes from a ZDX deep trace session (read-only). Supports JMESPath client-side filtering via the query parameter.

zdx_get_deeptrace_webprobe_metrics

Get web probe metrics from a ZDX deep trace session (read-only)

zdx_get_deeptrace_cloudpath_metrics

Get cloud path metrics from a ZDX deep trace session (read-only)

zdx_get_deeptrace_cloudpath

Get cloud path topology from a ZDX deep trace session (read-only)

zdx_get_deeptrace_health_metrics

Get health metrics from a ZDX deep trace session (read-only)

zdx_get_deeptrace_events

Get events from a ZDX deep trace session (read-only)

zdx_get_analysis

Get status of a ZDX score analysis (read-only)

zdx_get_web_probes

Get web probes for an app on a device - returns web_probe_id needed for zdx_start_deeptrace (read-only)

zdx_list_cloudpath_probes

List cloud path probes for an app on a device - returns cloudpath_probe_id needed for zdx_start_deeptrace (read-only). Supports JMESPath client-side filtering via the query parameter.

zdx_list_historical_alerts

List ZDX historical alerts (read-only). Supports JMESPath client-side filtering via the query parameter.

zdx_list_software

List ZDX software inventory (read-only). Supports JMESPath client-side filtering via the query parameter.

zdx_get_software_details

Get details for specific ZDX software (read-only)

zins_get_web_traffic_by_location

Provides web traffic analytics grouped by location, including traffic volume, bandwidth usage, and office traffic comparisons.

zins_get_web_traffic_no_grouping

Provides total web traffic volume metrics without grouping, including aggregate bandwidth and overall web usage statistics.

zins_get_web_protocols

Provides web protocol distribution analytics (HTTP, HTTPS, SSL), including protocol usage and HTTPS adoption metrics.

zins_get_threat_super_categories

Provides threat super-category analytics including malware, phishing, spyware, and other threat types detected across the tenant.

zins_get_threat_class

Provides detailed threat classification analytics including virus, trojan, ransomware, and other malware type breakdowns.

zins_get_cyber_incidents

Provides cybersecurity incidents grouped by category, including security events, cyber attacks, and incident breakdowns.

zins_get_cyber_incidents_by_location

Provides cybersecurity incidents grouped by location, showing incident distribution across offices and sites.

zins_get_cyber_incidents_daily

Provides daily cybersecurity incident trends, showing incident patterns and security statistics over time.

zins_get_cyber_incidents_by_threat_and_app

Provides cybersecurity incidents correlated by threat type and application, showing which apps are targeted and threat-application relationships.

zins_get_firewall_by_action

Provides Zero Trust Firewall traffic analytics by action (allow/block), including blocked traffic volume and firewall policy effectiveness.

zins_get_firewall_by_location

Provides Zero Trust Firewall traffic analytics grouped by location, including firewall activity by office and branch.

zins_get_firewall_network_services

Provides firewall network service usage analytics, including port usage, protocol activity, and service breakdowns.

zins_get_casb_app_report

Provides CASB SaaS application usage analytics, including cloud app usage and cloud service adoption metrics.

zins_get_shadow_it_apps

Provides discovered shadow IT applications with risk scores, including unsanctioned and unauthorized application detection.

zins_get_shadow_it_summary

Provides shadow IT summary statistics, including total shadow apps, app categories, and risk distribution overview.

Prompts

Interactive templates invoked by user choice

No prompts

Resources

Contextual data attached and managed by the client

No resources

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/zscaler/zscaler-mcp-server'