
About NAT Control

You can create rules that enable the Zscaler Firewall to perform destination NAT and redirect traffic to specific IP addresses and ports. You cannot select network applications with your NAT Control rules.

Zscaler provides a predefined NAT rule, Zscaler Trusted DNS Resolver, which is enabled by default. This rule directs your standard DNS traffic (destination port 53) to the Zscaler Trusted DNS Resolver but drops iterative DNS queries, as they are not supported. However, you can configure a separate NAT rule with a higher rank that redirects the iterative queries to an external DNS resolver.

You can also disable the predefined rule if you want to resolve all your standard DNS traffic using an external DNS provider that supports both iterative and recursive DNS queries (e.g., 8.8.8.8:53).
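To make the interaction between the predefined rule, a higher-ranked override rule, and a disabled predefined rule concrete, here is a small first-match model of NAT Control rule evaluation. It is an added illustration, not Zscaler's code: the Trusted DNS Resolver address is a labelled placeholder, the rule order numbers are constructed, and it assumes that the higher-ranked custom rule is evaluated before the predefined one. The only real endpoint is the 8.8.8.8:53 external resolver example from the text above.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed placeholder: the real Trusted DNS Resolver address is not on the page.
TRUSTED_DNS = ("TRUSTED-DNS-RESOLVER-PLACEHOLDER", 53)
# External resolver example taken from the page text.
EXTERNAL_DNS = ("8.8.8.8", 53)


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    iterative_dns: bool = False  # only meaningful for DNS traffic (port 53)


@dataclass
class NatRule:
    order: int                 # rules are evaluated in ascending order (assumption: rank = order here)
    name: str
    enabled: bool
    match: Callable[[Flow], bool]
    action: Callable[[Flow], Tuple[str, Optional[tuple]]]  # ("redirect", (ip, port)) or ("drop", None)


def trusted_dns_action(flow: Flow):
    # Predefined rule behaviour described on the page: standard DNS goes to the
    # Trusted DNS Resolver, iterative queries are dropped.
    if flow.iterative_dns:
        return ("drop", None)
    return ("redirect", TRUSTED_DNS)


def predefined_rule(enabled: bool = True) -> NatRule:
    return NatRule(order=100, name="Zscaler Trusted DNS Resolver", enabled=enabled,
                   match=lambda f: f.dst_port == 53, action=trusted_dns_action)


def evaluate(rules, flow: Flow) -> dict:
    """First enabled rule that matches, in ascending order, decides the outcome.
    No match means the flow is forwarded to its original destination unchanged.
    Like the real service, nothing here checks whether the NAT target is reachable."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.enabled and rule.match(flow):
            verdict, target = rule.action(flow)
            return {"rule": rule.name, "verdict": verdict, "target": target}
    return {"rule": None, "verdict": "forward", "target": (flow.dst_ip, flow.dst_port)}


def scenario_default():
    """Only the predefined rule: recursive DNS is redirected, iterative DNS is dropped."""
    rules = [predefined_rule()]
    return (evaluate(rules, Flow("10.0.0.5", 53)),
            evaluate(rules, Flow("10.0.0.5", 53, iterative_dns=True)),
            evaluate(rules, Flow("203.0.113.7", 443)))


def scenario_iterative_override():
    """Custom rule ranked ahead of the predefined one, matching only iterative queries."""
    override = NatRule(order=10, name="Iterative DNS to external resolver", enabled=True,
                       match=lambda f: f.dst_port == 53 and f.iterative_dns,
                       action=lambda f: ("redirect", EXTERNAL_DNS))
    rules = [predefined_rule(), override]
    return (evaluate(rules, Flow("10.0.0.5", 53)),
            evaluate(rules, Flow("10.0.0.5", 53, iterative_dns=True)))


def scenario_predefined_disabled():
    """Predefined rule disabled: all DNS, recursive and iterative, goes to the external resolver."""
    all_dns = NatRule(order=10, name="All DNS to external resolver", enabled=True,
                      match=lambda f: f.dst_port == 53,
                      action=lambda f: ("redirect", EXTERNAL_DNS))
    rules = [predefined_rule(enabled=False), all_dns]
    return (evaluate(rules, Flow("10.0.0.5", 53)),
            evaluate(rules, Flow("10.0.0.5", 53, iterative_dns=True)))


if __name__ == "__main__":
    for name, fn in [("default", scenario_default),
                     ("iterative override", scenario_iterative_override),
                     ("predefined disabled", scenario_predefined_disabled)]:
        print(name, fn())
```

The three scenarios correspond to the three configurations described above; the model makes visible why the override rule must sit ahead of the predefined rule, since a rule placed after it would never be reached for iterative queries that the predefined rule already drops.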

NAT Control policy provides the following benefits and enables you to:

  • Define granular NAT Control rules to redirect network traffic based on customizable conditions to configurable internet destinations by performing destination NAT.
  • Enhance your DNS performance by redirecting your users' DNS traffic to the Zscaler Trusted DNS Resolver to perform DNS resolution.

NAT policy-related activities are recorded and displayed in Firewall Insights Logs for all types of traffic, except for DNS traffic. NAT logs for DNS traffic are displayed in DNS Insights Logs. To learn more, see About Insights Logs.

The Zscaler service does not monitor the health or the availability status of an endpoint to which NAT rules forward traffic. This means that NAT rules forward traffic to the specified destination irrespective of whether the destination endpoint is reachable or not. So, ensure that the NAT destination endpoint is always available to prevent connection failures.

About the NAT Control Page

On the NAT Control page (Policies > Access Control > Internet & SaaS > Firewall > Firewall Filtering Policy > NAT Control Policy), you can do the following:

  1. Configure a NAT Control rule.
  2. View a list of all configured and predefined NAT Control policies. Here you can view the following:
    • Rule Order: The policy rule's order number. NAT Control policy rules are evaluated in ascending numerical order. You can sort this column.
    • Admin Rank: The assigned admin rank for the rule. This is visible only if admin ranking is enabled in the Advanced Settings. You can sort this column.
    • Rule Name: The name of the rule. You can sort this column.
    • Criteria: The criteria that trigger the rule. You can sort this column.
    • Action: Traffic that matches the criteria is redirected to the specified destination or port.
    • Label and Description: The label and description of the policy rule, if available.
  3. Edit or duplicate a NAT Control policy rule.
  4. Modify the table and its columns.
  5. Search for a NAT Control policy rule.
  6. Select one of the following View by options to see the NAT Control rules accordingly:
    • Rule Order: Displays the rules based on the rule order. By default, the rules are listed in the ascending rule order.

    • Rule Label: Displays the rules based on the rule labels. The rules are grouped under the associated rule labels.

      You can expand or collapse all the rule labels using the Expand All or Collapse All buttons.

  7. Click Recommended Policy to view the policy Zscaler recommends.
  8. Click the Firewall Filtering Policy tab to configure the Firewall Filtering policies. To learn more, see About Firewall Control.

[Screenshot: NAT Control Policy page showing the buttons used to control this policy]
