How do I add rules for the Firewall Filtering policy?

You can add rules to the Firewall Filtering policy to allow or block specific types of traffic from your network to the Internet. The Firewall Filtering policy has a default rule, which allows all TCP, UDP and ICMP traffic.

Before Adding Rules or Modifying Rules for the Firewall Filtering Policy

Ensure that you have configured as necessary the resources that the policies will reference:

Modifying the Default Firewall Filtering Rule

The Firewall Filtering policy has one default rule, which allows all TCP, UDP and ICMP traffic. The default rule always maintains the lowest precedence and cannot be deleted. Only admins with the super admin role can modify the default rule. See also the recommended policy for the firewall.

To modify the default rule:

  1. Go to Policy > Firewall > Firewall Control.
  2. Point to the default rule and click the Edit icon.
  3. In the Edit Firewall Filtering Rule dialog, do the following:
  • From the Network Traffic list, choose the default action.
    • Allow: Allows packets that match the rule to pass through the firewall.
    • Block/Drop: Silently drops all packets that match the rule.
    • Block/ICMP: Drops all packets that match the rule and sends the client an ICMP error message of Type 3 (Destination unreachable) and code 9 or 10 (network/host administratively prohibited).
    • Block/Reset: For TCP traffic, the Zscaler service drops all packets that match the rule and sends the client a TCP reset. (A TCP packet with the "reset" (RST) flag set to 1 in the TCP header, indicating that the TCP connection must be stopped immediately.) For non-TCP traffic, same as Block/Drop.
  • Choose the Logging option:
    • Hourly Stats: The service groups individual sessions by { user, rule, network service, network application } and records them periodically.
    • Full: The service logs all sessions of the rule individually, except HTTP(S). Only Block rules support full logging. Full logging on all other rules requires the Full Logging license.
  4. Click Save and activate the change.

Adding Rules to the Firewall Filtering Policy

To create a new firewall filtering rule:

  1. Go to Policy > Firewall > Firewall Control.
  2. In the Firewall Filtering Policy tab, click Add.
  3. Enter the rule attributes:
  • The firewall automatically assigns the Rule Order number. Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
  • Choose your Admin Rank. This option appears if you enabled Admin Ranking in the Advanced Settings page.
    Enter a value from 1-7 (1 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
  • The firewall automatically creates a Rule Name, which you can change. The maximum length is 31 characters.
  • By default, Rule Status shows that the rule is enabled. An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.
  4. In the Who, Where, & When tab, you can choose the Users, Groups, Departments and Locations to which this rule applies. You can select Any to select all items, or select specific items. You can search for items or click the Add icon to add an item.
    From the Time menu, choose the time interval during which the rule applies. Select Always to apply this rule to all time intervals, or select up to two time intervals. You can search for a time interval or click the Add icon to add a new time interval.
    • If you've enabled policy for unauthenticated users under Advanced Settings, and want to apply this rule to any unauthenticated traffic, you can do so by making selections accordingly in the Users and Departments fields. See How do I configure policy for unauthenticated traffic?
  5. In the Services & Applications tab, you can choose the following:
  • Network Service Groups: Select any number of predefined or custom network service groups to which the rule applies.
  • Network Services: Select Any to apply the rule to all network services or select specific network services. The Zscaler firewall has 50 predefined services and you can configure up to 1,024 additional custom services.
  • Network Application Groups: Select any number of application groups that you want to control with this rule. The service provides predefined applications that you can group, but not modify.
  • Network Applications: Select Any to apply the rule to all applications or select the applications you want to control with this rule. The service provides predefined applications, which you can group, but not modify.
  6. In the Source IPs tab, you can do the following:
  • Source IP Groups: Select any number of Source IP Groups that you want to control with this rule.
  • IP Address: To specify IP addresses, enter any of the following:
    • An individual IP address, such as 192.0.2.1.
    • A subnet, such as 192.0.2.0/24.
    • An IP address range, such as 192.0.2.1 - 192.0.2.5
  7. In the Destination IPs tab, you can do the following:
  • Destination IP Groups: Select any number of Destination IP Groups that you want to control with this rule.
  • IP Address or FQDN (FQDN available with advanced firewall subscription)
    • Enter IP addresses in any of the following formats:
      • An individual IP address, such as 192.0.2.1.
      • A subnet, such as 192.0.2.0/24.
      • An IP address range, such as 192.0.2.1 - 192.0.2.5
    • If you have the advanced firewall subscription, you can also add FQDNs for applications with multiple IP addresses or with IP addresses that frequently change.

       To add multiple entries, hit Enter after each entry. Then click Add Items.

  • Countries: You can identify destinations based on the location of a server. Select Any to apply the rule to all countries or select the countries for which you want to control traffic.
  • Categories: You can identify destinations based on the URL category of the domain. Select Any to apply the rule to all categories or select the specific categories for which you want to control traffic.
  8. Choose the Action that the Zscaler service takes when packets match the rule.
    • Allow: Allow the packets to pass through the firewall.
    • Block/Drop: Silently block packets that match the rule.
    • Block/ICMP: Drops all packets that match the rule and sends the client an ICMP error message of Type 3 (Destination unreachable) and code 9 or 10 (network/host administratively prohibited).
    • Block/Reset: For TCP traffic, the Zscaler service drops all packets that match the rule and sends the client a TCP reset. (A TCP packet with the "reset" (RST) flag set to 1 in the TCP header, indicating that the TCP connection must be stopped immediately.) For non-TCP traffic, same as Block/Drop.
  9. Choose the Logging option (applicable only if you have the firewall logs subscription):
    • Hourly Stats: The service groups individual sessions by { user, rule, network service, network application } and records them periodically.
    • Full: The service logs all sessions of the rule individually, except HTTP(S). Only Block rules support full logging. Full logging on all other rules requires the Full Logging license.
  10. Optionally, enter additional notes or information. The description cannot exceed 10,240 characters.
  11. Click Save and activate the change.
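The evaluation semantics described above (ascending Rule Order, disabled rules skipped but keeping their place, the default rule consulted last, source-IP matching by individual address, subnet or range, and Block/Reset falling back to Block/Drop for non-TCP traffic) can be checked against a small model. This is an added illustration written for this page, not Zscaler code; the Rule class, the rule set and the addresses are constructed, and it models only source IP and network service matching.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of first-match evaluation, not Zscaler's implementation.

def _src_matches(spec, ip):
    """spec uses the page's formats: an IP, a CIDR subnet, or an 'a - b' range."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:                      # range: low and high are inclusive
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    if "/" in spec:                      # subnet
        return addr in ipaddress.ip_network(spec, strict=False)
    return addr == ipaddress.ip_address(spec)

@dataclass
class Rule:
    order: int
    name: str
    action: str                          # Allow, Block/Drop, Block/ICMP, Block/Reset
    services: set = field(default_factory=lambda: {"ANY"})   # e.g. {"TCP/22"}
    sources: list = field(default_factory=list)              # [] means Any
    enabled: bool = True

# Default rule: lowest precedence, cannot be deleted, allows TCP/UDP/ICMP.
DEFAULT_RULE = Rule(10**9, "Default Firewall Filtering Rule", "Allow")

# Constructed rule set using documentation address ranges.
RULES = [
    Rule(1, "Block SSH from guest subnet", "Block/Reset", {"TCP/22", "UDP/22"}, ["192.0.2.0/24"]),
    Rule(2, "Disabled catch-all", "Block/Drop", enabled=False),   # skipped, keeps its order
    Rule(3, "Block lab range", "Block/ICMP", sources=["198.51.100.10 - 198.51.100.20"]),
]

def effective_action(rule, protocol):
    """Block/Reset sends a TCP RST only for TCP; otherwise it behaves as Block/Drop."""
    if rule.action == "Block/Reset" and protocol != "TCP":
        return "Block/Drop"
    return rule.action

def evaluate(rules, src_ip, protocol, port=None):
    """Return (rule name, effective action) for the first enabled matching rule."""
    svc = f"{protocol}/{port}" if port is not None else protocol
    for rule in sorted(rules, key=lambda r: r.order) + [DEFAULT_RULE]:
        if not rule.enabled:
            continue
        if "ANY" not in rule.services and svc not in rule.services:
            continue
        if rule.sources and not any(_src_matches(s, src_ip) for s in rule.sources):
            continue
        return rule.name, effective_action(rule, protocol)
```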

Next Steps

After adding rules to the firewall policy, you may also need to do the following before enabling firewall for your locations: