About Firewall Policies

The Zscaler service provides integrated cloud-based next-generation firewall capabilities that give you granular control over your organization's outbound TCP, UDP, and ICMP traffic. The Firewall and DNS dashboards give your organization visibility into the applications running in your networks.

By default, the Zscaler firewall allows all non-HTTP/HTTPS traffic from your network to the Internet (HTTP and HTTPS traffic is handled by the service's web policies). Until you add rules, no outbound non-web traffic is blocked, so any policy that is meant to restrict traffic needs explicit block rules. You can configure policies that define which types of traffic are allowed from specific sources, to specific destinations, and at scheduled times.

You can configure the following firewall policies:

  • Firewall Filtering Policy: Add rules that allow or block specified types of traffic from your network to the Internet, and specify how the sessions that match each rule are logged.
  • NAT Control Policy: Add rules that perform destination NAT, redirecting traffic to specific IP addresses and, optionally, ports.
  • DNS Control Policy: Add rules that allow or block DNS requests, redirect requests to a different DNS server, or rewrite DNS responses by substituting a preconfigured IP address for the one in the response.

To configure firewall policies, configure whichever of the three policies above apply and enable the firewall for your locations. Because rules reference these objects, you may also need to create source and destination IP groups, modify network services, create network application groups, and configure custom ports.
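The following is an added example, not Zscaler's code or an account of how the service evaluates rules internally. It models a Firewall Filtering Policy from the objects named above (source and destination IP groups, network services, an allow or block action, and a per-rule logging mode) as an ordered, first-match rule list, and shows the two things a practitioner most wants to check: that unmatched non-web traffic falls through to the default allow unless a final any/any/any block rule exists, and that a rule placed after a broader one can never fire. First-match ordering, the object shapes, and every group, service, rule name and address below are assumptions constructed for illustration.

```python
"""Toy model of ordered, first-match firewall filtering (added example, not
Zscaler's code). Object shapes, first-match ordering and all sample data are
assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed sample objects: IP groups are CIDR lists, services are (proto, port) sets.
IP_GROUPS = {
    "corp-clients": ["10.10.0.0/16"],
    "guest-wifi": ["10.20.0.0/16"],
    "approved-dns": ["192.0.2.53/32"],
}
SERVICES = {
    "DNS": {("udp", 53), ("tcp", 53)},
    "SSH": {("tcp", 22)},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "block"
    src_groups: tuple = ()    # empty tuple means "any"
    dst_groups: tuple = ()
    services: tuple = ()
    log: str = "full"         # how sessions hitting this rule are logged


# What unmatched traffic gets: allowed, attributed to no rule, not logged by a rule.
DEFAULT_ALLOW = ("allow", "<default allow>", "none")


def _in_groups(ip, group_names):
    """True if no groups are named (any) or ip falls inside one of the named CIDRs."""
    if not group_names:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for g in group_names for cidr in IP_GROUPS[g])


def _matches_service(flow, service_names):
    """True if no services are named (any) or the flow's proto/port is in one of them."""
    if not service_names:
        return True
    return any((flow.proto, flow.dport) in SERVICES[s] for s in service_names)


def matches(rule, flow):
    return (_in_groups(flow.src, rule.src_groups)
            and _in_groups(flow.dst, rule.dst_groups)
            and _matches_service(flow, rule.services))


def evaluate(flow, rules):
    """Return (action, rule name, log mode) of the first matching rule, or
    DEFAULT_ALLOW when no rule matches."""
    for rule in rules:
        if matches(rule, flow):
            return (rule.action, rule.name, rule.log)
    return DEFAULT_ALLOW


def has_cleanup_rule(rules):
    """True when the last rule is an any/any/any block, so the default allow is unreachable."""
    if not rules:
        return False
    last = rules[-1]
    return last.action == "block" and not (last.src_groups or last.dst_groups or last.services)


def _covers(earlier, later):
    """Field-wise check: an empty (any) field in the earlier rule covers anything;
    otherwise the later rule's names must be a subset. Name containment only, no CIDR math."""
    for field in ("src_groups", "dst_groups", "services"):
        e, l = set(getattr(earlier, field)), set(getattr(later, field))
        if e and (not l or not l <= e):
            return False
    return True


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule is at least as broad."""
    return [r.name for i, r in enumerate(rules) if any(_covers(e, r) for e in rules[:i])]


RULES = [
    Rule("allow-corp-dns", "allow", ("corp-clients",), ("approved-dns",), ("DNS",)),
    Rule("block-guest-ssh", "block", ("guest-wifi",), (), ("SSH",), log="aggregate"),
]
RULES_WITH_CLEANUP = RULES + [Rule("cleanup-block-all", "block")]   # explicit final block
RULES_MISORDERED = [Rule("cleanup-block-all", "block")] + RULES     # cleanup first: shadows the rest

if __name__ == "__main__":
    guest_dns = Flow("10.20.1.7", "198.51.100.9", "udp", 53)  # guest client to an unapproved resolver
    print(evaluate(guest_dns, RULES))               # ('allow', '<default allow>', 'none')
    print(evaluate(guest_dns, RULES_WITH_CLEANUP))  # ('block', 'cleanup-block-all', 'full')
    print(shadowed_rules(RULES_MISORDERED))         # ['allow-corp-dns', 'block-guest-ssh']
```

The guest's DNS query to an unapproved resolver is allowed by `RULES` even though nothing permits it, because the service's default for non-web traffic is allow; the same flow is blocked once a cleanup rule is appended, and `has_cleanup_rule` is the check to run before trusting a ruleset that is meant to be restrictive. The shadowing check is deliberately conservative (it compares group and service names, not address ranges), so it reports only rules that are provably unreachable.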

The following requirements apply:

  • Your organization must forward its IP traffic to the service from a known (configured) location, because firewall policies are applied per location.
  • If your organization wants to apply firewall policies at the user level, user authentication and surrogate IP must be enabled for the location. Surrogate IP maps a user to the IP address they authenticated from, so that non-web traffic, which carries no user credentials of its own, can be attributed to that user. Otherwise, the Zscaler firewall service applies only organization- and location-level policies.

For information on the order in which the service enforces all policies, including this policy, see How does the Zscaler service enforce policies?