Zscaler Deployments & Operations

Firewall Deployment and Operations Guide

This guide describes the benefits of using Firewall and the steps necessary for configuring Zscaler Internet Access (ZIA) to add Firewall to your security posture.

Firewall provides the capabilities of traditional firewalls by monitoring and controlling an organization’s outbound traffic. These features include traditional network service control, dynamic application identification with deep packet inspection (DPI), and identification of web traffic on non-default ports. To learn more, see Understanding Firewall Capabilities.

Value of Deploying Firewall

Using Firewall provides the following benefits:

  • Full protection for work-from-anywhere users, on-premises or remote.
  • Catch evasive attacks on non-standard ports.
  • Secure local internet breakout for internet and SaaS applications.

Deployment Phase

The deployment phase initially sets up and integrates ZIA solutions into an existing network infrastructure. During the deployment phase, you configure Firewall in ZIA to meet the needs of your infrastructure. The following sections discuss steps to deploy Firewall.

Prerequisites

For Firewall deployment, verify and complete the following prerequisites:

  1. Validate and review the subscription you need (Standard Firewall or Advanced Firewall). For information about subscriptions, see Understanding Firewall Capabilities.
  2. Define a global rule set that identifies all needed criteria objects (source/destination IPs, location groups, departments, etc.).
  3. Validate that the objects identified in the first two prerequisites are mapped to the Nanolog Streaming Service (NSS) firewall log criteria you will use to monitor rule hits.
  4. Validate that all parameters are within the ZIA product limits.

Deployment Steps

The following steps explain how to deploy Firewall:

  1. Create the objects used as rule criteria (Locations, Network Services, Destination Groups, etc.).
  2. Create the Firewall rules in a disabled state.
  3. Deploy a Nanolog Streaming Service (NSS) server and configure the NSS firewall feeds so that firewall logs are available for validation.
  4. Gradually enable firewall rules and firewall features on locations.
  5. Perform a controlled test per location before enabling all rules on all locations.
  6. Enable Firewall for Z-Tunnel 1.0 and PAC-based remote users via Advanced Settings.
  7. Ensure that traffic from Zscaler Client Connector is forwarded to the ZIA Firewall using Z-Tunnel 2.0.
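Steps 2 and 4 above (stage rules disabled, then enable them location by location) can be scripted against the ZIA cloud service API instead of clicked through the Admin Portal. The following is an added example written for this guide, not Zscaler's own code or an official SDK. It uses only the Python standard library. The API key obfuscation routine is the one the ZIA API login requires; the endpoint paths (`/authenticatedSession`, `/firewallFilteringRules`, `/status/activate`) and the JSON field names in the rule payload (`state`, `action`, `nwServices`, `locations`, `enableFullLogging`, `rank`) are assumptions based on the public ZIA API and should be confirmed against your cloud's API reference. All credentials, object IDs and the change reference in the description are placeholders read from the environment.

```python
"""Stage ZIA Firewall rules disabled, then enable them per location.

Added example, not Zscaler's own code. Endpoint paths and JSON field names
are assumptions based on the public ZIA cloud service API; confirm them
against your cloud's API reference before use.
"""
import json
import os
import time
import urllib.request
from http.cookiejar import CookieJar


def obfuscate_api_key(api_key: str, timestamp_ms: int) -> str:
    """Obfuscate the ZIA API key with a timestamp, as the API login requires.

    The key is never sent in the clear: the last six digits of the timestamp
    select characters from the key, then six digits of (timestamp >> 1)
    select characters offset by two.
    """
    n = str(timestamp_ms)[-6:]
    r = str(int(n) >> 1).zfill(6)
    key = "".join(api_key[int(d)] for d in n)
    key += "".join(api_key[int(d) + 2] for d in r)
    return key


def build_rule(name: str, order: int, action: str, nw_service_ids, description: str) -> dict:
    """Return a firewall filtering rule payload staged in the DISABLED state.

    Rules are created disabled so their object references can be reviewed
    before any traffic is affected. 'locations' stays empty here and is
    filled in when the rule is enabled for a pilot location.
    """
    if action not in {"ALLOW", "BLOCK_DROP", "BLOCK_RESET", "BLOCK_ICMP"}:
        raise ValueError(f"unsupported action {action!r}")
    return {
        "name": name,
        "description": description,          # put the change ID here (prerequisite for operations)
        "order": order,
        "rank": 7,                           # assumed default admin rank
        "state": "DISABLED",                 # step 2: staged, not yet enforcing
        "action": action,
        "nwServices": [{"id": i} for i in nw_service_ids],
        "locations": [],
        "enableFullLogging": True,           # full logs make NSS validation meaningful
    }


def enable_for_locations(rule: dict, location_ids) -> dict:
    """Return a copy of the rule enabled for the given locations only (step 4)."""
    enabled = dict(rule)
    enabled["state"] = "ENABLED"
    enabled["locations"] = [{"id": i} for i in location_ids]
    return enabled


class ZiaClient:
    """Minimal session wrapper around the ZIA API (JSESSIONID cookie auth)."""

    def __init__(self, base_url: str):
        self.base_url = base_url.rstrip("/")
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()))

    def _call(self, method: str, path: str, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with self.opener.open(req, timeout=30) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None

    def login(self, username: str, password: str, api_key: str):
        ts = int(time.time() * 1000)
        return self._call("POST", "/authenticatedSession", {
            "apiKey": obfuscate_api_key(api_key, ts), "username": username,
            "password": password, "timestamp": ts})

    def create_rule(self, rule: dict) -> dict:
        return self._call("POST", "/firewallFilteringRules", rule)

    def update_rule(self, rule_id: int, rule: dict) -> dict:
        return self._call("PUT", f"/firewallFilteringRules/{rule_id}", rule)

    def activate(self):
        # Saved changes only take effect after activation.
        return self._call("POST", "/status/activate")


if __name__ == "__main__":
    # Credentials and IDs come from the environment; nothing here is a real value.
    client = ZiaClient(os.environ.get("ZIA_BASE_URL", "https://zsapi.zscaler.net/api/v1"))
    client.login(os.environ["ZIA_USER"], os.environ["ZIA_PASS"], os.environ["ZIA_API_KEY"])
    staged = build_rule("Block-SMB-outbound", 1, "BLOCK_DROP",
                        nw_service_ids=[int(os.environ["NW_SVC_SMB_ID"])],
                        description="CHG-0000 (placeholder): block SMB to the internet")
    created = client.create_rule(staged)                       # step 2: created disabled
    pilot = [int(os.environ["PILOT_LOCATION_ID"])]             # step 4/5: one location first
    client.update_rule(created["id"], enable_for_locations(created, pilot))
    client.activate()
```

Run it once per rollout wave with a different `PILOT_LOCATION_ID`, checking the NSS firewall feed between waves; the rule's `description` carries the change reference that the operations prerequisites below ask for.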

Considerations

Review the following considerations:

Operations Phase

This section describes common practices used to operate ZIA solutions when integrated with your environment. You can monitor and tune Firewall during the operations phase to meet your infrastructure needs.

Prerequisites

For Firewall operation, complete the following prerequisites:

  • Comment all firewall rules so the operations team can understand their purpose. Include other related objects (IP groups, URL categories, etc.) and Reference Change IDs/numbers (if you track these in internal tools).
  • If not all locations use Firewall, document the reasoning for disabling firewalls for the specific locations.
  • Validate that the team is familiar with all the essential concepts (i.e., Network Application vs. Network Service, NSS logs, etc.).

Common Troubleshooting Items

Transactions marked as Allow due to insufficient app data: If Firewall Insights shows transactions logged with the action Allow due to insufficient app data, the DPI engine did not see enough of the session to identify the network application at the time the rule set was evaluated, so a rule that uses Network Application criteria could not be matched definitively and the session was allowed rather than dropped. Review which rule these transactions matched and which destinations and ports they were going to; that tells you whether the rule's criteria (for example, Network Application alone versus a Network Service or destination) are behaving as intended.
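The same review can be done from the NSS firewall feed rather than Firewall Insights, which also covers the non-standard-port traffic mentioned in the Value section. The following is an added example for this guide, not Zscaler's code. The feed layout is an assumption: a tab-separated format an administrator might configure on the NSS firewall feed with the fields listed in `FIELDS`; the action string, the rule names, the application labels (`HTTP`, `HTTPS`, `Unknown`) and every log line are constructed for the example.

```python
"""Tally 'Allow due to insufficient app data' hits per rule from an NSS firewall feed.

Added example, not Zscaler's code. The feed format below is assumed (a
tab-separated layout configured on the NSS firewall feed); the log lines
are constructed and use documentation IP ranges.
"""
from collections import Counter

# Assumed feed field order; must match the configured NSS firewall feed format.
FIELDS = ["time", "login", "proto", "sip", "sport", "dip", "dport",
          "action", "rule", "nwapp", "nwsvc", "location"]

INSUFFICIENT = "Allow due to insufficient app data"

WEB_APPS = {"HTTP", "HTTPS"}          # assumed application labels in the nwapp field
STANDARD_WEB_PORTS = {80, 443}

# Constructed sample feed (not real traffic).
SAMPLE_FEED = """\
2024-05-01 10:00:01\tuser1@example.com\tTCP\t10.1.1.10\t51000\t203.0.113.5\t443\tAllow\tAllow-Web\tHTTPS\tHTTPS\tHQ
2024-05-01 10:00:02\tuser2@example.com\tTCP\t10.1.1.11\t51001\t203.0.113.7\t8443\tAllow due to insufficient app data\tBlock-Unknown-Apps\tUnknown\tTCP-8443\tHQ
2024-05-01 10:00:03\tuser3@example.com\tTCP\t10.1.1.12\t51002\t198.51.100.9\t8080\tAllow\tAllow-Web\tHTTP\tTCP-8080\tBranch-01
2024-05-01 10:00:04\tuser4@example.com\tTCP\t10.1.1.13\t51003\t203.0.113.7\t8443\tAllow due to insufficient app data\tBlock-Unknown-Apps\tUnknown\tTCP-8443\tHQ
2024-05-01 10:00:05\tuser5@example.com\tTCP\t10.1.1.14\t51004\t192.0.2.20\t445\tBlock/Drop\tBlock-SMB-outbound\tSMB\tSMB\tBranch-01
2024-05-01 10:00:06\tuser6@example.com\tTCP\t10.1.1.15\t51005\t198.51.100.30\t8080\tAllow due to insufficient app data\tAllow-Web\tUnknown\tTCP-8080\tBranch-01
"""


def parse_feed(text: str) -> list:
    """Parse feed lines into dicts keyed by FIELDS; ports become ints."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        row = dict(zip(FIELDS, parts))
        row["sport"] = int(row["sport"])
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows


def insufficient_app_data_by_rule(rows: list) -> dict:
    """Count sessions allowed for lack of app data, per matched rule."""
    return dict(Counter(r["rule"] for r in rows if r["action"] == INSUFFICIENT))


def insufficient_app_data_destinations(rows: list, rule: str) -> dict:
    """For one rule, count the (destination IP, port) pairs that were allowed
    this way; repeated pairs point at a destination worth a Network Service
    or destination criterion instead of Network Application alone."""
    return dict(Counter((r["dip"], r["dport"]) for r in rows
                        if r["action"] == INSUFFICIENT and r["rule"] == rule))


def web_on_nonstandard_ports(rows: list) -> list:
    """Sessions that DPI identified as web traffic on a port other than 80/443."""
    return [(r["sip"], r["dip"], r["dport"], r["nwapp"]) for r in rows
            if r["nwapp"] in WEB_APPS and r["dport"] not in STANDARD_WEB_PORTS]


if __name__ == "__main__":
    rows = parse_feed(SAMPLE_FEED)
    by_rule = insufficient_app_data_by_rule(rows)
    for rule, count in sorted(by_rule.items(), key=lambda kv: -kv[1]):
        print(f"{rule}: {count} session(s) allowed due to insufficient app data")
        for (dip, dport), n in insufficient_app_data_destinations(rows, rule).items():
            print(f"    {dip}:{dport} x{n}")
    for sip, dip, dport, app in web_on_nonstandard_ports(rows):
        print(f"web app {app} on non-standard port: {sip} -> {dip}:{dport}")
```

Point `parse_feed` at a real feed export once its field order matches `FIELDS`; the per-rule counts tell you which rules to re-examine, and the destination breakdown shows whether a handful of hosts account for most of the allowed sessions.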

Deployment and Operations Checklist

Zscaler recommends downloading the Firewall Deployment and Operations Checklist (PDF) to help plan and implement Firewall.

Additional Information

For more Firewall information and troubleshooting instructions, see the Zscaler Support Portal and the Zscaler Zenith Community.
