Zscaler: How to replace SNMPv2c with SNMPv3
By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-30
| Vendor | Zscaler |
|---|---|
| Operating system | Zscaler Cloud (ZIA / ZPA / ZDX) |
| Category | Hardening & Safe Protocols |
| Skill level | Intermediate to advanced |
| DIY-able? | Yes with CLI access; some scenarios need Zscaler Support + RMA. |
What this guide covers
How to replace SNMPv2c with SNMPv3 on Zscaler devices (Zscaler Cloud (ZIA / ZPA / ZDX)).
Recommendation
Define an SNMP v3 user with SHA auth + AES privacy. Remove the v2c community string entirely.
CLI / commands
# Entered from: Admin Portal
Add tunnel: Resource → ZIA → Locations → Add Location with tunnel credentials
# Save / commit
Activate (Admin Portal upper-right)
Verify
- Test from a non-admin workstation.
- Confirm fallback works if AAA or external service is down.
- Document the change in your CMDB / change-control.
Frequently asked questions
Will this work on my specific Zscaler Cloud (ZIA / ZPA / ZDX) version?
The procedure reflects current Zscaler Cloud (ZIA / ZPA / ZDX) behaviour. Older releases may need minor syntax adjustments, use the CLI help (? or tab-completion) to verify.
Should I open a Zscaler Support case immediately?
Open one if you suspect hardware failure or the symptom persists after a maintenance-window reload. Make sure your support entitlement is active first.
Where can I find the Zscaler official documentation?
https://help.zscaler.com. search the product family + feature name.
Is this procedure safe in production?
Test in a lab or maintenance window first. Capture pre-change state so you can roll back.
Related guides
Related fixes
Related guides worth a look while you sort this one out:
- Zscaler: How to replace Telnet with SSH
- Zscaler: How to configure logging to a central SIEM
- Zscaler: How to disable unused services and protocols
- Zscaler: How to enable control-plane policing / rate-limiting
- Zscaler: How to enable HTTPS-only management
- Zscaler: How to enable management ACL to lock down access
References
- Zscaler support portal: https://help.zscaler.com
- Zscaler knowledge base: https://help.zscaler.com
- Zscaler security advisories: https://trust.zscaler.com
- Open a case: https://help.zscaler.com/submit-ticket
Reference material, not professional advice. Validate against your specific Zscaler Cloud (ZIA / ZPA / ZDX) version and test in a non-production environment before applying.
Common patterns we see
When this symptom shows up on a Zscaler: device, three patterns repeat:
1. Recent firmware update changed behavior, the symptom started within a week of an OTA push. Rollback or wait for the hotfix. 2. Environmental trigger: temperature, humidity, line voltage, network changes. Look at what changed in the environment. 3. Cumulative wear, components like batteries, gaskets, fans degrade over time. Replace the consumable rather than chasing a software fix.
Knowing which pattern applies saves time on the wrong fix.
Safety + preconditions
Before any work on a Zscaler: device:
- Unplug from mains for any internal-access procedure.
- Discharge stored energy (capacitors in PSUs, residual battery charge) per manufacturer guidance.
- Use ESD-safe handling for boards and modules. no carpet, no wool sleeves.
- Avoid moisture; never apply liquids near vents or connectors.
- If you smell smoke, see scorch marks, or feel uneven heat, stop and escalate.
Quick verification
Before you walk away from a Zscaler: device fix, run through:
1. Reproduce the original trigger, does the issue reappear? 2. Check the device's status / health screen for any new alerts. 3. Confirm paired devices (app, hub, controller) reconnected. 4. Save / commit any configuration changes per the device's normal workflow. 5. Note the change in your maintenance log with date + firmware version.
When to call Zscaler: support instead
Escalate if:
- The same symptom returns within 24 hours of a clean fix.
- You see physical damage (burn marks, swollen battery, cracked PCB).
- The device is in warranty and a hardware replacement is the cheaper outcome.
- Repair requires specialised tools you don't own (alignment jigs, calibration software).
- Following the official path keeps the warranty intact, which matters more than the time spent.
More frequently asked questions
Does this affect other devices on my network?
Generally no. The procedure is local to this device. Network-side changes (firmware updates that affect TLS, SMB, or routing) are flagged explicitly in the steps.
What if the fix returns after a reboot?
Persistent fault returns mean either: a hardware fault (escalate), a configuration that's being overwritten by a sync source (check cloud profiles), or a regression in a recent firmware update (rollback).
How long does this fix usually take?
Most users complete the steps in 20-45 minutes the first time, and 5-10 minutes on subsequent runs once the menu paths are familiar.
Will this void my warranty?
Applying official firmware updates and following the user manual will not affect warranty. Opening sealed components, jumping safety circuits, or using third-party parts can void warranty in most jurisdictions.
Is it safe to apply during business hours?
If the device is in production use, apply during a scheduled maintenance window. Most procedures need 2-15 minutes of downtime. Capture pre-change state so you can roll back if needed.