General — COSGrid Z3 SASE

Q1.  What is COSGrid Z3 SASE and how does it work?

COSGrid Z3 SASE (Secure Access Service Edge) is a cloud-native security platform that brings together Zero Trust Network Access (ZTNA), Secure Web Access (SWA), Agentless ZTNA, Network Access Control (NAC), DNS Security, and WAAP into a unified solution.

It is designed for modern distributed workforces — enabling secure access to applications, resources, and the internet from any device, any location, without relying on traditional VPN or perimeter-based security models.

Q2.  What products are included in the COSGrid Z3 SASE platform?

The Z3 SASE platform includes the following products:

•  MicroZAccess (ZTNA) — agent-based Zero Trust Network Access for secure application and network connectivity

•  SwiftZAccess — agentless ZTNA for browser-based access without installing an endpoint agent

•  SWA (Secure Web Access) — web filtering and threat protection for internet-bound traffic

•  ZT-NAC — Zero Trust Network Access Control for device authentication and network segmentation

•  DNS Security — DNS-layer protection against malicious domains and data exfiltration

•  QShield (WAAP) — Web Application and API Protection including WAF, bot detection, and DDoS mitigation

Q3.  How do I get started with COSGrid Z3 SASE? (step-by-step setup guide)

Follow these steps to get started:

1.  Account Onboarding — create your organisation account and set up admin credentials

2.  Identity Setup — configure your Identity Provider (IdP), enable MFA, and set password policies

3.  User Provisioning — invite users manually or use Just-In-Time (JIT) bulk provisioning via your IdP

4.  Deploy Products — install the Z3 Endpoint Agent on managed devices for MicroZAccess, or configure agentless access via SwiftZAccess

5.  Configure Policies — set up access policies, security groups, and web filter rules

6.  Monitor — track activity through event logs, security logs, and the dashboard

Refer to the Quick Start guide on pocdocs.cosgrid.com for a step-by-step walkthrough.


Q4.  Does COSGrid Z3 SASE support Multi-Factor Authentication (MFA)?

Yes. COSGrid Z3 SASE supports MFA for all user logins. MFA can be configured under Managing Z3 SASE → Identity Access Management → MFA in the admin portal.

Supported MFA methods include authenticator apps and SMS-based OTP. Administrators can enforce MFA organisation-wide or apply it to specific user groups through access control policies.

Q5.  Which Identity Providers (IdP) does COSGrid Z3 SASE support?

COSGrid Z3 SASE integrates with major Identity Providers including Okta, Azure Active Directory, Google Workspace, and SAML 2.0-compatible providers.

IdP configuration is done under Managing Z3 SASE → Identity Access Management → Identity Providers (IdP). Once configured, users can log in with their existing corporate credentials via Single Sign-On (SSO).

Q6.  What third-party integrations does COSGrid Z3 SASE support?

COSGrid Z3 SASE supports integrations across three categories:

•  Ticketing Integrations — connect with ITSM tools for automated incident creation

•  Log Server Integrations — forward security and event logs to SIEM platforms such as Splunk, Elastic, or syslog servers

•  IdP Integrations — Okta, Azure AD, Google, SAML 2.0

See Managing Z3 SASE → 3rd Party Integrations for the full list of supported integrations.

Q7.  Where can I view security logs and activity reports in COSGrid Z3 SASE?

All logs and reports are accessible from the Z3 SASE admin dashboard under Logs and Reporting:

•  Event Logs — track user login activity, policy changes, and system events

•  Security Logs — view threat detections, blocked requests, DNS queries, and web filter hits

Logs can be exported or forwarded in real time to a connected log server or SIEM.

Q8.  How does Just-In-Time (JIT) user provisioning work in COSGrid Z3 SASE?

JIT provisioning automatically creates user accounts in COSGrid Z3 SASE the first time a user authenticates via your configured Identity Provider. There is no need to manually add users in advance.

This is configured under Managing Z3 SASE → Account Onboarding → Bulk User Creation using JIT Provisioning. JIT works with any SAML 2.0-compatible IdP.

MicroZAccess — Agent-Based ZTNA

Q1.  What is MicroZAccess and how does agent-based ZTNA work?

MicroZAccess is COSGrid's agent-based Zero Trust Network Access (ZTNA) product. It replaces traditional VPN with application-level access control based on user identity, device posture, and policy — without exposing the network.

Users install the Z3 Endpoint Agent on their device. Access to applications and resources is granted only after authentication and policy validation.

Q2.  What operating systems does the COSGrid Z3 Endpoint Agent support?

The Z3 Endpoint Agent is available for:

•  Windows (installer-based)

•  macOS

•  Linux

Installation guides for each platform are available under MicroZAccess → COSGrid Z3 Endpoint Agent in the documentation.

Q3.  What is the Z3 Connector and when do I need to deploy it?

The Z3 Connector is a lightweight service deployed on your on-premises or cloud infrastructure. It acts as a secure bridge between the COSGrid Z3 SASE cloud and your internal applications or servers.

You need the Z3 Connector when your resources are not directly accessible from the internet — such as internal VMs, private databases, or on-prem application servers.

The Z3 Connector can be deployed on Linux, Windows Server, or Docker.

Q4.  What is the difference between Classic ZTNA and Dev App Profile in MicroZAccess?

Classic ZTNA Profile — used for network-level access. Suitable for accessing servers, VMs, databases, and internal services via protocols such as SSH, RDP, or HTTP.

Dev App Profile — used for application-level access with more granular controls. Suitable for developer access to specific internal applications with per-app policy enforcement.

Both profiles are configured under MicroZAccess → Managing MicroZAccess → ZTNA Profiles.

Q5.  What is Device Posture Check (DPC) and why is it important for Zero Trust?

Device Posture Check (DPC) validates the security state of an endpoint before allowing access. It checks conditions such as whether the device has antivirus enabled, OS patches are up to date, disk encryption is active, or whether the device is domain-joined.

DPC ensures that even authenticated users cannot access resources from compromised or non-compliant devices. It is configured under MicroZAccess → Managing MicroZAccess → Device Posture Check.

Q6.  How do I configure Zero Trust access policies in MicroZAccess?

Access policies define which users or groups can access which resources under what conditions. To create an access policy:

1.  Go to MicroZAccess → Managing MicroZAccess → Access Policy

2.  Select the user or security group

3.  Choose the target resource or application

4.  Define conditions such as time of day, device posture, or location

5.  Save and apply the policy

Policies are enforced in real time for all connected users.

Q7.  What is the Overlay Server in MicroZAccess and what does it do?

The Overlay Server manages the virtual network overlay used by MicroZAccess to route traffic between endpoint agents and Z3 Connectors securely. It is responsible for maintaining the encrypted tunnels that carry application traffic.

Overlay server configuration is available under MicroZAccess → Managing MicroZAccess → Overlay Server.

Q8.  How do I onboard an application using the Dev App Profile in MicroZAccess?

To onboard an application under the Dev App Profile:

1.  Navigate to MicroZAccess → Managing MicroZAccess → App Onboarding for Dev App Profile

2.  Enter the application name, internal URL or IP, and port

3.  Assign the application to the appropriate Dev App Profile

4.  Set access policies for which users or groups can reach the application

5.  Save and publish the configuration

SwiftZAccess — Agentless ZTNA

Q1.  What is SwiftZAccess and how does agentless ZTNA work?

SwiftZAccess is COSGrid's agentless Zero Trust Network Access solution. It provides secure browser-based access to internal applications without requiring any endpoint agent installation.

SwiftZAccess is ideal for BYOD scenarios, contractors, or any situation where installing an agent on the device is not feasible.

Q2.  How does browser-based agentless access work in SwiftZAccess?

SwiftZAccess uses a reverse proxy approach. When a user accesses a published application URL, the request passes through the SwiftZAccess cloud gateway, which authenticates the user, validates the access policy, and proxies the connection to the internal application — all via the browser with no agent required.

Q3.  What access control policies does SwiftZAccess support?

SwiftZAccess supports several access control dimensions:

•  OS-based access — restrict access based on the operating system of the user's device

•  Timestamp-based access — allow access only during specific time windows

•  Android / iOS based access — enable or restrict mobile device access

•  WFH-based access — apply different policies for users working from home vs corporate network

Q4.  Can I manage multiple internal domains in SwiftZAccess?

Yes. SwiftZAccess supports onboarding multiple internal domains. Each domain can have its own access policy, user group assignment, and policy management rules.

Domain management is done under SwiftZAccess → Configuration → Agentless Domain and Policy Management.

SWA — Secure Web Access

Q1.  What is SWA (Secure Web Access) and what does it protect against?

SWA is COSGrid's Secure Web Gateway product. It inspects and filters internet-bound web traffic from user devices, enforcing organisation-defined policies to block malicious sites, restrict category-based content, and protect against web-borne threats.

Q2.  How do I create and configure a Web Filter policy in COSGrid SWA?

Web Filter policies define which URLs, domains, or web categories are allowed, blocked, or bypassed for users and groups. Policies are evaluated in priority order.

To create a Web Filter policy, go to SWA → Configuration → Web Filter Policy Creation. You can define rules based on:

•  URL or domain (whitelist / blacklist / custom list)

•  Web category (social media, gambling, streaming, etc.)

•  User or group

•  Time of day

Q3.  How do I whitelist or blacklist a URL in COSGrid SWA?

Whitelist (Allow): Add the URL or domain under SWA → Usecases → Whitelisting. The domain will be permitted regardless of its category classification.

Blacklist (Block): Add the URL or domain under SWA → Usecases → Blacklisting. All requests to the domain will be blocked and the user will see a block page.

Custom URL lists can be maintained under SWA → Configuration → WF for Custom URLs.

Q4.  What are SWA Bypass Rules and when should I use them?

Bypass Rules exclude specific traffic from web filter inspection. This is useful for trusted enterprise applications, software update services, or traffic that must not be decrypted for legal or compliance reasons.

Bypass rules are configured under SWA → Usecases → Bypass Rules. Use bypass rules carefully — bypassed traffic is not inspected for threats.

ZT-NAC — Zero Trust Network Access Control

Q1.  What is ZT-NAC (Zero Trust Network Access Control)?

ZT-NAC (Zero Trust Network Access Control) controls which devices are allowed to join your network and what they can access after joining. It enforces policy at the network layer — authenticating and validating devices before granting network access, regardless of whether the device is managed or unmanaged.

Q2.  What is Pre-Registration NAC and how does it work in ZT-NAC?

Pre-Registration NAC validates a device before it is allowed to connect to the network. Devices must meet defined compliance criteria — such as having the required certificates or posture checks passed — before network access is granted.

This is configured under ZT-NAC → Usecases → Pre Registration NAC.

Q3.  What is Post-Logout NAC and why does it matter for device security?

Post-Logout NAC applies policy enforcement when a user logs out or disconnects. It ensures that after a session ends, the device is quarantined or removed from its access group until the next authenticated session.

This prevents residual access from shared or unattended devices after a user session ends.

Q4.  How do I add a bypass URL in COSGrid ZT-NAC?

To add a bypass URL in ZT-NAC:

1.  Navigate to ZT-NAC → Usecases → How to add a bypass URL in NAC

2.  Enter the URL or domain to be excluded from NAC inspection

3.  Define the scope — whether the bypass applies to all devices or a specific group

4.  Save the configuration

Bypass URLs are typically used for captive portals or essential services that must be reachable before authentication completes.

DNS Security

Q1.  What is COSGrid DNS Security and what threats does it block?

COSGrid DNS Security provides protection at the DNS layer — the first step in any internet request. It blocks access to malicious, phishing, and command-and-control domains before a connection is ever established, protecting users regardless of their location or device.

Q2.  What is the difference between DNS Security and SWA (Web Filtering)?

DNS Security operates at the DNS resolution layer — it blocks domains before the browser even attempts to load a page. SWA operates at the HTTP/HTTPS layer and inspects actual web traffic content.

DNS Security is lighter and faster but less granular. SWA provides deeper inspection including URL-level filtering and malware scanning. Both are complementary and can be used together for defence-in-depth.

Q3.  Can I create custom allow and block lists in COSGrid DNS Security?

Yes. COSGrid DNS Security supports:

•  Whitelisting — always allow DNS resolution for specific trusted domains

•  Blacklisting — always block DNS resolution for specific domains

•  Custom URL lists — maintain organisation-specific domain lists for fine-grained control

These are configured under DNS Security → Configuration → DNS Policy Creation and Management.

QShield — WAAP (Web Application and API Protection)

Q1.  What is QShield and how does WAAP protect web applications?

QShield is COSGrid's Web Application and API Protection (WAAP) product. It protects internet-facing web applications and APIs from threats including SQL injection, cross-site scripting (XSS), bot attacks, DDoS, API abuse, and zero-day vulnerabilities.

Q2.  What is a WAF policy in QShield and how do I create one?

A WAF (Web Application Firewall) policy defines the rules used to inspect and filter HTTP/HTTPS traffic to your application. Policies can block, allow, or log traffic based on request patterns, signatures, and threat intelligence.

To create a WAF policy: navigate to QShield → Configuration → WAF Policy Creation and follow the domain onboarding steps to attach the policy to your application.

Q3.  What is Shadow API detection and how does QShield find undocumented APIs?

Shadow APIs are undocumented or forgotten API endpoints in your application that are not intentionally exposed but remain accessible. These are a common attack surface.

QShield's Shadow API detection automatically discovers API endpoints that are being called but are not in your official API inventory, flagging them for review under QShield → Threat Intel → API Security → Shadow API.

Q4.  What is API Drift Detection in QShield WAAP?

API Drift Detection monitors your API traffic and compares it against the known baseline behaviour of each endpoint. When an endpoint starts receiving unexpected parameters, methods, or payload structures, QShield flags it as a drift event.

This helps detect API misuse, unauthorised access attempts, and integration errors early. Drift events are visible under QShield → Threat Intel → API Security → Drift Detection.
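The two ideas above (Shadow API discovery in Q3 and drift detection in Q4) can be shown on a small scale. The following is an added illustration, not QShield's implementation or code from COSGrid: it treats a documented inventory as the baseline, covers unexpected methods and parameters only, and all endpoint names, traffic records, and function names are constructed for the example.

```python
# Illustrative only: a documented API inventory serves as the baseline (assumption).
# Constructed inventory: (method, path template) -> allowed parameter names.
INVENTORY = {
    ("GET", "/api/v1/orders"): {"page", "limit"},
    ("POST", "/api/v1/orders"): {"item_id", "qty"},
    ("GET", "/api/v1/users/{id}"): set(),
}

# Constructed observed traffic: (method, raw path, parameter names seen).
OBSERVED = [
    ("GET", "/api/v1/orders", {"page", "limit"}),
    ("GET", "/api/v1/orders", {"page", "limit", "debug"}),  # new parameter
    ("DELETE", "/api/v1/orders", set()),                     # new method
    ("GET", "/api/v1/users/42", set()),                      # matches {id} template
    ("GET", "/api/internal/export", {"format"}),             # not in inventory
    ("POST", "/api/v1/orders", {"item_id", "qty"}),
]


def normalise(path):
    """Collapse numeric path segments to {id} so /users/42 matches /users/{id}."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def classify(inventory, observed):
    """Return (shadow endpoints, drift events) for the observed traffic."""
    known_paths = {path for _, path in inventory}
    shadow, drift = set(), []
    for method, raw_path, params in observed:
        path = normalise(raw_path)
        if path not in known_paths:
            # Endpoint is being called but is absent from the inventory.
            shadow.add((method, path))
        elif (method, path) not in inventory:
            # Known endpoint, but a method the baseline never saw.
            drift.append((method, path, "unexpected method"))
        else:
            extra = params - inventory[(method, path)]
            if extra:
                drift.append(
                    (method, path, "unexpected parameters: " + ", ".join(sorted(extra)))
                )
    return sorted(shadow), drift


if __name__ == "__main__":
    shadow, drift = classify(INVENTORY, OBSERVED)
    for method, path in shadow:
        print(f"SHADOW  {method} {path}")
    for method, path, reason in drift:
        print(f"DRIFT   {method} {path}: {reason}")
```
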

Q5.  How does QShield handle DDoS attacks and rate limiting?

QShield includes built-in DDoS mitigation and rate limiting. Rate limiting policies can be configured per endpoint, per IP, or per user session. When thresholds are exceeded, QShield can block, throttle, or challenge the traffic with a CAPTCHA.

DDoS and rate limiting configuration is available under QShield → Threat Intel → DDOS and Rate Limiting Protection.

Platform, Users, and Troubleshooting

Q1.  How do I manage users and groups in COSGrid Z3 SASE?

User and group management is centralised under Other Resources → Users Management and Other Resources → Group Management in the admin portal.

You can create users manually, import via IdP, or use JIT provisioning. Groups are used to apply access policies, web filter rules, and NAC policies to sets of users at once.

Q2.  What is User Activity Monitoring in COSGrid Z3 SASE?

User Activity Monitoring gives administrators visibility into what users are doing on the network — which applications they accessed, what websites they visited, and when they were active.

It is available under Other Resources → User Activity Monitoring and can be used for compliance auditing and security investigation.

Q3.  What is the Remote Diagnostics Agent Control Module in COSGrid Z3 SASE?

The Remote Diagnostics Agent Control Module allows administrators to remotely check the health and status of the Z3 Endpoint Agent on a user's device — without requiring the user to do anything.

It is useful for troubleshooting connectivity issues and is available under Other Resources → Remote Diagnostics Agent Control Module.

Q4.  How do I check COSGrid Z3 Endpoint Agent resource usage?

Agent resource usage (CPU, memory, network) statistics are available under Resource Usage Stats → Endpoint Agent Resource Usage in the admin portal.

This helps identify devices where the agent is consuming abnormal resources, which can indicate a misconfiguration or connectivity issue.

Q5.  What should I do if a user can't connect after a policy change?

Policy changes are applied in real time. If a user loses connectivity after a policy change:

1.  Ask the user to disconnect and reconnect the Z3 Endpoint Agent

2.  Verify the user's group membership and assigned access policy have not changed unintentionally

3.  Check Event Logs for any policy denial events for that user

4.  If using the Z3 Connector, verify the connector service is running and reachable

5.  Use the Remote Diagnostics Agent Control Module to check the agent state on the user's device

Q6.  How do I report an issue or contact COSGrid support?

To report an issue:

1.  Navigate to User Guide → How to Report an Issue in the documentation

2.  Collect the relevant event logs and agent diagnostics

3.  Submit a support ticket through the COSGrid support portal

Include the following in your report: affected user(s), product name, time of issue, steps to reproduce, and any error messages observed.