Network 25411: TLS inspection is enabled and correctly configured for outbound traffic - Spec Update#1083
ashwinikarke wants to merge 3 commits into dev from
Pull request overview
Updates assessment/reporting for TLS inspection linked profiles so disabled links/profiles remain visible in tables, while pass/fail logic only counts enabled links/profiles.
Changes:
- Collect baseline/security profile links regardless of profile/link state for table rendering.
- Update report tables to display ✅ Enabled/❌ Disabled states for profile and policy link.
- Tighten pass/fail filtering to require enabled policy link state (and enabled profile state), derived post-collection.
alexandair left a comment
@ashwinikarke Please, address my feedback.
| Write-ZtProgress -Activity $activity -Status 'Querying filtering profiles and policies' | ||
| $filteringProfiles = Invoke-ZtGraphRequest -RelativeUri 'networkAccess/filteringProfiles' -QueryParameters @{ | ||
| '$select' = 'id,name,description,state,version,priority' | ||
| '$expand' = 'policies($select=id,state;$expand=policy($select=id,name,version)),conditionalAccessPolicies($select=id,displayName)' |
**Unused $expand=conditionalAccessPolicies in filteringProfiles query**
The filteringProfiles request includes:
'$expand' = 'policies(...),conditionalAccessPolicies($select=id,displayName)'
However, Find-ZtProfilesLinkedToPolicy never reads the conditionalAccessPolicies data from the expand. CA policy matching is done entirely by querying $allCAPolicies and filtering by sessionControls.globalSecureAccessFilteringProfile.profileId. This fetches data that is silently discarded. The expand should be removed to reduce payload size and avoid confusion.
| # Step 2: List all policies in the Baseline Profile and in each Security Profile | ||
| Write-ZtProgress -Activity $activity -Status 'Querying filtering profiles and policies' | ||
| $filteringProfiles = Invoke-ZtGraphRequest -RelativeUri 'networkAccess/filteringProfiles' -QueryParameters @{ | ||
| '$select' = 'id,name,description,state,version,priority' |
**version property in filteringProfiles $select is unused**
The $select includes version for filteringProfiles:
'$select' = 'id,name,description,state,version,priority'
version is not referenced anywhere in the code and is not required by the spec's query definition. It should be removed.
PR contains the below changes:
- `❌ Disabled` state so users can see misconfigured entries
- `TLSPolicyLinkState -eq 'enabled'` check to Baseline Profile pass/fail logic (previously a disabled policy link would incorrectly count as a pass)
- `TLSPolicyLinkState -eq 'enabled'` check to Security Profile pass/fail logic for consistency
- `$enabledBaseLineProfiles` collection variable to `$baselineProfileResults` to reflect it now holds all linked baseline profiles, not only passing ones
- `Where-Object` on `$baselineProfileResults` and `$securityProfileResults`
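The collect-then-filter behaviour described in this PR, as an added PowerShell example that is not code from the PR or the project. The sample rows are constructed, every property and function name other than `TLSPolicyLinkState`, `$baselineProfileResults` and `$securityProfileResults` is hypothetical, and the final pass rule (at least one effective link) is an assumption.

```powershell
# Constructed sample rows. Only TLSPolicyLinkState and the two collection
# variable names come from the PR; ProfileName, ProfileState and TLSPolicyName
# are hypothetical property names used for illustration.
$baselineProfileResults = @(
    [pscustomobject]@{ ProfileName = 'Baseline Profile'; ProfileState = 'enabled'; TLSPolicyName = 'TLS-Default'; TLSPolicyLinkState = 'disabled' }
)
$securityProfileResults = @(
    [pscustomobject]@{ ProfileName = 'Finance'; ProfileState = 'enabled';  TLSPolicyName = 'TLS-Strict'; TLSPolicyLinkState = 'enabled' }
    [pscustomobject]@{ ProfileName = 'Legacy';  ProfileState = 'disabled'; TLSPolicyName = 'TLS-Strict'; TLSPolicyLinkState = 'enabled' }
)

# Map a state string to the label shown in the report tables.
function Format-State {
    param([string]$State)
    if ($State -eq 'enabled') { '✅ Enabled' } else { '❌ Disabled' }
}

# Table rendering uses every collected row, so disabled entries stay visible.
function ConvertTo-ReportRow {
    param([object[]]$Results)
    foreach ($r in $Results) {
        '| {0} | {1} | {2} | {3} |' -f $r.ProfileName, (Format-State $r.ProfileState),
            $r.TLSPolicyName, (Format-State $r.TLSPolicyLinkState)
    }
}

# Pass/fail is derived after collection and counts a row only when both
# the profile and the policy link are enabled.
function Get-EffectiveResult {
    param([object[]]$Results)
    @($Results | Where-Object {
        $_.ProfileState -eq 'enabled' -and $_.TLSPolicyLinkState -eq 'enabled'
    })
}

'| Profile | Profile state | TLS policy | Policy link state |'
'| --- | --- | --- | --- |'
ConvertTo-ReportRow ($baselineProfileResults + $securityProfileResults)

$effectiveBaseline = Get-EffectiveResult $baselineProfileResults
$effectiveSecurity = Get-EffectiveResult $securityProfileResults

# Assumed pass rule for this sketch: at least one effective (enabled) link exists.
$passed = ($effectiveBaseline.Count + $effectiveSecurity.Count) -gt 0
"Baseline effective: $($effectiveBaseline.Count), Security effective: $($effectiveSecurity.Count), Passed: $passed"
```

The disabled baseline link and the disabled `Legacy` profile both appear in the table, but neither contributes to the result; before the `TLSPolicyLinkState` check was added, the baseline row would have counted as a pass.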