How do I configure the Firewall Filtering policy?

You can add rules to the Firewall Filtering policy to allow or block specific types of traffic from your network to the Internet. The Firewall Filtering policy has a default rule, which allows all TCP, UDP and ICMP traffic. See How do I modify the default Firewall Filtering rule?

Prerequisites 

Before adding or modifying rules in the Firewall Filtering policy, ensure that you have configured, as necessary, the resources that the rules will reference: 

Adding a New Firewall Filtering Rule

To create a new firewall filtering rule, follow the instructions below.

  1. Go to Policy > Firewall > Firewall Control.
  2. In the Firewall Filtering Policy tab, click Add Firewall Filtering Rule.
  3. Enter the rule attributes:
    • Rule Order: The firewall automatically assigns the Rule Order number. Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
    • Admin Rank: Choose your Admin Rank. This option appears only if you enabled Admin Ranking on the Advanced Settings page. Enter a value from 1 to 7 (1 is the highest rank). Your assigned admin rank determines the values you can select; you cannot select a rank higher than your own. The rule's Admin Rank constrains the values available in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
    • Rule Name: The firewall automatically creates a Rule Name, which you can change. The maximum length is 31 characters.
    • Rule Status: By default, Rule Status shows that the rule is enabled. An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.
      See image.
  4. In the Who, Where, & When tab, choose the Users, Groups, Departments, and Locations to which this rule applies. Select Any to apply the rule to all items, or select specific items. You can search for items or click the Add icon to add an item.
    From the Time menu, choose the time interval during which the rule applies. Select Always to apply this rule to all time intervals, or select up to two time intervals. You can search for a time interval or click the Add icon to add a new time interval.
  5. In the Services & Applications tab, you can choose the following:
    • Network Service Groups: Select any number of predefined or custom network service groups to which the rule applies.
    • Network Services: Select Any to apply the rule to all network services or select specific network services. The Zscaler firewall has 50 predefined services and you can configure up to 1,024 additional custom services.
    • Network Application Groups: Select any number of network application groups that you want to control with this rule. The service provides predefined applications, which you can group but not modify.
    • Network Applications: Select Any to apply the rule to all applications or select the specific applications you want to control with this rule. The service provides predefined applications, which you can group but not modify.
      See image.
  6. In the Source IPs tab, you can do the following:
    • Source IP Groups: Select any number of Source IP Groups that you want to control with this rule.
    • IP Address: To specify IP addresses, enter any of the following:
      • An individual IP address, such as 192.0.2.1.
      • A subnet, such as 192.0.2.0/24.
      • An IP address range, such as 192.0.2.1 - 192.0.2.5.
        See image.
  7. In the Destination IPs tab, you can do the following:
    • Destination IP Groups: Select any number of Destination IP Groups that you want to control with this rule.
    • IP Address or FQDN (FQDN available with advanced firewall subscription):
      • Enter IP addresses in any of the following formats:
        • An individual IP address, such as 192.0.2.1.
        • A subnet, such as 192.0.2.0/24.
        • An IP address range, such as 192.0.2.1 - 192.0.2.5.
      • If you have the advanced firewall subscription, you can also add FQDNs for applications with multiple IP addresses or with IP addresses that frequently change.
        To add multiple entries, hit Enter after each entry. Then click Add Items.
    • Countries: You can identify destinations based on the location of a server. Select Any to apply the rule to all countries or select the countries for which you want to control traffic.
    • Categories: You can identify destinations based on the URL category of the domain. Select Any to apply the rule to all categories or select the specific categories for which you want to control traffic.
      See image.
  8. Choose the Action that the Zscaler service takes when packets match the rule.
    • Allow: Allow the packets to pass through the firewall.
    • Block/Drop: Silently block packets that match the rule.
    • Block/ICMP: Drops all packets that match the rule and sends the client an ICMP Type 3 (Destination Unreachable) message with code 9 (network administratively prohibited) or code 10 (host administratively prohibited).
    • Block/Reset: For TCP traffic, the Zscaler service drops all packets that match the rule and sends the client a TCP reset (a TCP segment with the RST flag set in the TCP header, which tells the client to tear down the connection immediately). For non-TCP traffic, the behavior is the same as Block/Drop.
  9. Choose the Logging option (applicable only if you have the firewall logs subscription):
    • Hourly Stats: The service aggregates individual sessions by { user, rule, network service, network application } and records the aggregated counts periodically.
    • Full: The service logs every session that matches the rule individually, except HTTP(S) sessions. Block rules support full logging without an additional license; full logging on Allow rules requires the Full Logging license.
      See image.
  10. Optionally, enter additional notes or information. The description cannot exceed 10,240 characters.
  11. Click Save and activate the change.
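The evaluation semantics in the steps above (ascending Rule Order with disabled rules skipped in place, the three Source/Destination IP address formats, the client-visible effect of each Action, and Hourly Stats aggregation) modelled as an added Python example. This is not Zscaler code: it assumes first-match evaluation with the default Allow rule consulted last, which the Rule Order and Rule Status descriptions imply, and the policy, session records, rule names and helper functions (parse_ip_spec, evaluate, client_response, hourly_stats) are constructed for illustration only.

```python
"""Model of Firewall Filtering rule evaluation (added example, not Zscaler code).
Assumption: first enabled rule in ascending Rule Order wins; default rule is last."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field


def parse_ip_spec(spec: str):
    """Return a predicate for one IP entry in the formats the page allows:
    a single address, a CIDR subnet, or a dashed range like 192.0.2.1 - 192.0.2.5."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is after range end: {spec}")
        return lambda ip: lo <= ipaddress.ip_address(ip) <= hi
    net = ipaddress.ip_network(spec, strict=False)  # a bare address becomes a /32
    return lambda ip: ipaddress.ip_address(ip) in net


@dataclass
class Rule:
    order: int                                   # Rule Order
    name: str                                    # Rule Name
    action: str                                  # Allow, Block/Drop, Block/ICMP, Block/Reset
    enabled: bool = True                         # Rule Status
    users: set = field(default_factory=set)      # empty set means Any
    services: set = field(default_factory=set)   # e.g. {"TCP/443"}; empty means Any
    src: list = field(default_factory=list)      # Source IP specs; empty means Any
    dst: list = field(default_factory=list)      # Destination IP specs; empty means Any

    def matches(self, s: dict) -> bool:
        if self.users and s["user"] not in self.users:
            return False
        if self.services and s["service"] not in self.services:
            return False
        if self.src and not any(parse_ip_spec(x)(s["src_ip"]) for x in self.src):
            return False
        if self.dst and not any(parse_ip_spec(x)(s["dst_ip"]) for x in self.dst):
            return False
        return True


# The default rule the page describes: allows all TCP, UDP and ICMP traffic.
DEFAULT_RULE = Rule(order=10**6, name="Default Firewall Filtering Rule", action="Allow")


def evaluate(rules, session):
    """First enabled rule in ascending Rule Order that matches wins. A disabled
    rule keeps its place in the order but is skipped. The default rule is last."""
    for rule in sorted(rules, key=lambda r: r.order) + [DEFAULT_RULE]:
        if rule.enabled and rule.matches(session):
            return rule
    raise AssertionError("unreachable: the default rule matches every session")


def client_response(rule, session):
    """What the client observes for each Action. Block/Reset only resets TCP;
    for other protocols it behaves like Block/Drop."""
    proto = session["service"].split("/")[0]
    if rule.action == "Allow":
        return "forwarded"
    if rule.action == "Block/ICMP":
        return "icmp type 3 code 9/10"
    if rule.action == "Block/Reset" and proto == "TCP":
        return "tcp rst"
    return "silent drop"


def hourly_stats(rules, sessions):
    """Hourly Stats logging: sessions aggregated on {user, rule, service, application}."""
    counts = Counter()
    for s in sessions:
        r = evaluate(rules, s)
        counts[(s["user"], r.name, s["service"], s["application"])] += 1
    return counts


# Constructed policy and sessions (illustrative values, not real data).
POLICY = [
    Rule(1, "Allow internal DNS", "Allow", services={"UDP/53"}, dst=["198.51.100.53"]),
    Rule(2, "Block external DNS", "Block/Drop", services={"UDP/53"}),
    Rule(3, "Old RDP block", "Block/Reset", enabled=False, services={"TCP/3389"}),
    Rule(4, "Reset SMB from guests", "Block/Reset", users={"guest"},
         services={"TCP/445", "UDP/445"}, src=["192.0.2.1 - 192.0.2.5"]),
    Rule(5, "Reject telnet", "Block/ICMP", services={"TCP/23"}),
]

SESSIONS = [
    {"user": "alice", "src_ip": "192.0.2.10", "dst_ip": "198.51.100.53", "service": "UDP/53", "application": "DNS"},
    {"user": "alice", "src_ip": "192.0.2.10", "dst_ip": "203.0.113.8", "service": "UDP/53", "application": "DNS"},
    {"user": "bob", "src_ip": "192.0.2.10", "dst_ip": "203.0.113.9", "service": "TCP/3389", "application": "RDP"},
    {"user": "guest", "src_ip": "192.0.2.3", "dst_ip": "203.0.113.9", "service": "TCP/445", "application": "SMB"},
    {"user": "guest", "src_ip": "192.0.2.3", "dst_ip": "203.0.113.9", "service": "UDP/445", "application": "SMB"},
    {"user": "carol", "src_ip": "192.0.2.77", "dst_ip": "203.0.113.23", "service": "TCP/23", "application": "Telnet"},
]

if __name__ == "__main__":
    for s in SESSIONS:
        r = evaluate(POLICY, s)
        print(f"{s['user']:6} {s['service']:9} -> rule {r.order} {r.name!r}: {client_response(r, s)}")
    for key, n in hourly_stats(POLICY, SESSIONS).items():
        print("hourly stats", key, n)
```

The third session shows why a disabled rule is not a safe way to retire a block: rule 3 keeps its slot but is skipped, so RDP falls through to the default Allow rule. The fifth session shows the Block/Reset caveat for non-TCP traffic, where the client sees a silent drop rather than a reset.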

After adding rules to the Firewall Filtering policy, you may also need to do the following before enabling the firewall for your locations:

Screenshot of Add Firewall Filtering Rule page with the fields Rule Order, Admin Rank, Rule Name, and Rule Status

Screenshot of Who, Where, & When page with the fields Users, Groups, Departments, Locations, and Time

Screenshot of Services & Applications page with the fields Network Service Groups, Network Services, Network Application Groups, and Network Applications

Screenshot of Source IPs page with the fields Source IP Groups, IP Addresses, Network Traffic, and Logging

Screenshot of Destination IPs section with fields used to create a new firewall filtering rule. FQDN is available with advanced firewall subscription.

Screenshot of the Action section within the Destination IPs page used to create a new firewall filtering rule