How do I add rules for the NAT Control policy?

You can create rules that enable the Zscaler firewall to perform destination NAT and redirect traffic to specific IP addresses and, optionally, ports.

This type of policy does not support network applications as a criterion.

Before Adding Rules to the NAT Control Policy

Ensure that the resources the policy rules will reference are configured as needed:

Adding Rules to the NAT Control Policy

To create a NAT Control rule:

  1. Go to Policy > Firewall > Firewall Control.
  2. In the NAT Control Policy tab, click Add.
  3. Enter the rule attributes:
    • The firewall automatically assigns the Rule Order number. Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
    • Choose your Admin Rank. This option appears if you enabled Admin Ranking in the Advanced Settings page.
      Enter a value from 1-7 (1 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
    • The firewall automatically creates a Rule Name, which you can change. The maximum length is 31 characters.
    • By default, Rule Status shows that the rule is enabled. An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.

  4. Define the criteria:
    • In the Who, Where, & When tab, you can choose the Users, Groups, Departments and Locations to which this rule applies. You can select Any to select all items, or select specific items. You can search for items or click the Add icon to add an item.
      From the Time menu, choose the time interval during which the rule applies. Select Always to apply this rule to all time intervals, or select up to two time intervals. You can search for a time interval or click the Add icon to add a new time interval.
  5. In the Services tab, you can choose the following:
    • Network Service Groups: Select any number of predefined or custom network service groups to which the rule applies.
    • Network Services: Select Always to apply the rule to all network services or select specific network services. The Zscaler firewall has 50 predefined services and you can configure up to 1024 additional custom services.
  6. In the Source IPs tab, you can do the following:
    • Select any number of Source IP Groups that you want to control with this rule.
    • To specify IP addresses, enter any of the following:
      • An individual IP address, such as 192.0.2.1.
      • A subnet, such as 192.0.2.0/24.
      • An IP address range, such as 192.0.2.1 - 192.0.2.5
  7. In the Destination IPs tab, you can do the following:
    • Destination IP Groups: Select any number of Destination IP Groups that you want to control with this rule.
    • IP Address or FQDN (FQDN available with advanced firewall subscription):
      • Enter IP addresses in any of the following formats:
        • An individual IP address, such as 192.0.2.1.
        • A subnet, such as 192.0.2.0/24.
        • An IP address range, such as 192.0.2.1 - 192.0.2.5
      • If you have the advanced firewall subscription, you can also add FQDNs for applications with multiple IP addresses or with IP addresses that frequently change.

      To add multiple entries, press Enter after each entry. Then click Add Items.

    • Countries: You can identify destinations based on the location of a server. Select Any to apply the rule to all countries or select the countries for which you want to control traffic.
    • Categories: You can identify destinations based on the URL category of the domain. Select Any to apply the rule to all categories or select the specific categories for which you want to control traffic.
  8. In the Action section of the dialog box, enter a DNAT IP Address or FQDN (FQDN available with advanced firewall subscription). Traffic that matches the criteria will be redirected to the specified destination.
    • DNAT IP Address: You can enter an IP address in one of the following formats. You can optionally add a port number.
      • An individual IP address, such as 192.0.2.1.
      • A subnet, such as 192.0.2.0/24.
      • An IP address range, such as 192.0.2.1 - 192.0.2.5
    • FQDN (available with advanced firewall subscription): You can use this option for domains with multiple IP addresses or with IP addresses that frequently change.
  9. Optionally, enter additional notes or information. The description cannot exceed 10,240 characters.
  10. Click Save and activate the change.
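The rule semantics described in the procedure above, modelled as an added Python example (not Zscaler code): it parses the three address formats the dialog accepts, walks a constructed rule set in ascending Rule Order while skipping disabled rules, and rewrites the destination to the first matching rule's DNAT address and optional port. The rule names, addresses and the `Any` keyword handling are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

def parse_ip_spec(spec: str):
    """Parse one entry in the formats the dialog accepts: a single address
    ("192.0.2.1"), a subnet ("192.0.2.0/24") or a range ("192.0.2.1 - 192.0.2.5").
    Returns the inclusive (first, last) address pair."""
    spec = spec.strip()
    if "-" in spec:                                  # range "a - b"
        lo, hi = [ipaddress.ip_address(p.strip()) for p in spec.split("-", 1)]
        if lo > hi:
            raise ValueError(f"range start after end: {spec}")
        return lo, hi
    if "/" in spec:                                  # subnet in CIDR notation
        net = ipaddress.ip_network(spec, strict=False)
        return net[0], net[-1]
    addr = ipaddress.ip_address(spec)                # individual address
    return addr, addr

def ip_in_specs(addr: str, specs) -> bool:
    """True when addr falls inside any listed entry; "Any" matches everything."""
    if "Any" in specs:
        return True
    ip = ipaddress.ip_address(addr)
    return any(lo <= ip <= hi for lo, hi in map(parse_ip_spec, specs))
@dataclass
class NatRule:
    order: int             # Rule Order: evaluated ascending, 1 first
    name: str
    enabled: bool          # Rule Status: a disabled rule keeps its place but is skipped
    source_ips: list
    destination_ips: list
    dnat_ip: str           # Action: DNAT IP Address
    dnat_port: int = 0     # optional port rewrite; 0 keeps the original port

def apply_nat_policy(rules, src: str, dst: str, dport: int):
    """The first enabled rule whose Source and Destination IP criteria both match
    wins; its DNAT address (and port, when set) replaces the original destination."""
    for rule in sorted(rules, key=lambda r: r.order):
        if not rule.enabled:
            continue
        if ip_in_specs(src, rule.source_ips) and ip_in_specs(dst, rule.destination_ips):
            return rule.name, rule.dnat_ip, rule.dnat_port or dport
    return None, dst, dport                          # no match: no translation

# Constructed sample rule set; names and addresses are made up for this example.
SAMPLE_RULES = [
    NatRule(1, "legacy-redirect", False, ["10.0.0.0/8"], ["203.0.113.10"], "192.0.2.99"),
    NatRule(2, "redirect-web", True, ["10.0.0.0/8"], ["203.0.113.10"], "192.0.2.50", 8443),
    NatRule(3, "redirect-range", True, ["Any"], ["198.51.100.1 - 198.51.100.5"], "192.0.2.60"),
]
```

Note that rule 1 would match the first sample flow but is disabled, so evaluation moves on to rule 2, exactly as the Rule Status description says.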

Next Steps

After adding rules to the NAT Control policy, you may also need to do the following before enabling the firewall for your locations: