icon-unified.svg
Experience Center

About Forwarding Control

Forwarding Control is used to forward selective Zscaler traffic to specific destinations based on your needs. For example, if you want to forward specific web traffic to a third-party proxy service or if you want to forward source IP anchored application traffic to a specific Zscaler Private Applications App Connector or internal application traffic through Internet & SaaS threat and data protection engines, use Forwarding Control by configuring appropriate rules.

  • Forwarding Control policies are applicable only to traffic originating from a known location or a user using Zscaler Client Connector with Zscaler Tunnel (Z-Tunnel) 2.0
  • Any Forwarding Control policy (including Source IP Anchoring) based on user conditions such as users, groups, and departments requires a subscription to the Advanced Firewall.

Forwarding Control provides the following benefits and enables you to:

  • Forward traffic directly to the destination server using the Zscaler service IP address.
  • Define criteria for traffic that needs to be forwarded to a third-party proxy service of your choice.
  • Redirect Source IP Anchored traffic to Private Applications App Connectors via the Private Applications cloud.
  • Forward selected traffic to Private Applications for scanning of internal applications.

The Forwarding Control policy provides you with the following predefined rules that help to forward traffic to Private Applications:

  • Fallback mode of ZPA Forwarding: Forwards all source IP anchored traffic that matches the fallback Private Applications IP pools to Private Applications. This rule is disabled by default and cannot be deleted. It is only enabled during Internet & SaaS control plane maintenance.
  • ZIA Inspected ZPA Apps: Forwards all Private Applications application segment traffic for Internet & SaaS inspection that has the Inspect Traffic with ZIA field enabled in the Admin Portal.
  • ZPA Pool For Stray Traffic: Drops all Private Applications traffic that does not match any IP address range from the Private Applications IP pool.

The rules are enabled by default and cannot be deleted. You can only modify the Rule Label for these rules and cannot edit other attributes.

About the Forwarding Control Page

On the Forwarding Control page (Infrastructure > Internet & SaaS > Network Policies > Forwarding Control Policy), you can do the following:

  1. Add a forwarding rule.
  2. View a list of all forwarding rules. For each forwarding rule, you can view the following information:
    • Rule Order: The order of the rule.
    • Admin Rank: The admin rank of the rule.
    • Rule Name: The name of the rule.
    • Criteria: The criteria defined for the rule.
    • Forwarding Method: The forwarding method used in the rule. It can be Direct, Proxy Chaining, or Private Applications.
    • Gateway: The gateway that is used to forward the traffic that hits the rule.
    • Status: The status of the rule, which indicates if the rule is enabled or disabled.
    • Label and Description: The label and description of the policy rule, if available.
  3. Edit a forwarding rule.
  4. Duplicate a forwarding rule.
  5. Modify the table and its columns.
  6. Search for a forwarding rule.
  7. Select one of the following View by option to see the forwarding rules:

    • Rule Order: Displays the rules based on the rule order. By default, the rules are listed in the ascending rule order.

    • Rule Label: Displays the rules based on the rule labels. The rules are grouped under the associated rule labels.

      You can expand or collapse all the rule labels using the Expand All or Collapse All buttons.

Screenshot of Forwarding Control page showing buttons and list used to manage Zscaler Forwarding Policies
Related Articles
About Forwarding ControlConfiguring Forwarding Policy