Secure Internet and SaaS Access (ZIA)
About Firewall
The Zscaler service provides integrated cloud-based next-generation firewall capabilities that allow granular control over your organization’s outbound TCP, UDP, and ICMP traffic.
You can configure the following firewall policies:
- Firewall Filtering Policy: Add rules to allow or block specified types of traffic from your network to the internet. You can also specify how the sessions are logged.
- NAT Control Policy: Add rules to perform destination NAT. You can redirect traffic to specific IP addresses or ports.
- DNS Control Policy: Add rules to allow or block DNS requests, redirect requests to a different DNS server, or redirect DNS responses by substituting the IP address in a DNS response with a preconfigured IP address.
- IPS Control Policy: Add rules to control and protect your traffic from intrusion over all ports and protocols using signature-based detection.
Configuring Firewall Policies requires configuring the four policies above as applicable and enabling the firewall for your locations. You might also need to create source and destination IP groups, modify network services, create network application groups, and configure custom ports.
Configuring a firewall policy also requires the following:
- An organization must forward its IP traffic from a known location.
- If your organization wants to apply firewall policies at the user level, user authentication and surrogate IP must be enabled. Otherwise, the Zscaler firewall service applies organization and location policies.
Standard and Advanced Cloud Firewall
The following table lists the features and functionalities offered by Standard and Advanced Cloud Firewall subscriptions:
Features and Functionalities | Standard Firewall | Advanced Cloud Firewall
---|---|---
Firewall policies based on the following criteria: | Supported with limitations: | Supported
Destination NAT: Create rules to redirect your traffic to specific IP addresses and ports within a network using destination NAT. | Supported | Supported
FTP Traffic Control: Use configuration settings to manage native FTP traffic and FTP over HTTP traffic. Configure policies to allow access to specific FTP sites. | Supported | Supported
DNS Security and Control: Define granular DNS filtering policies to control DNS attributes, requests, and responses. Optimize DNS resolution using Zscaler Trusted DNS Resolver hosted in Zscaler data centers. | Supported (only 64 rules are allowed) | Supported
DNS Tunneling: Secure your DNS traffic from DNS tunneling, malicious domains, malware, and phishing attacks. | N/A | Supported
IPS Control: Use Signature-based IPS to monitor your traffic in real time and protect your network against identified threats over all ports and protocols. | N/A | Supported
Traffic Forwarding for Non-Standard Ports: Identify outbound HTTP, HTTPS, FTP, DNS, RTSP, and PPTP traffic that is destined for non-standard ports and redirect the traffic to the web proxy (secure web gateway) for full web visibility and security. | N/A | Supported
Firewall & IPS Dashboards, Insights, and Logs: Analyze your traffic information using customizable dashboards, interactive charts, and real-time logs generated with Full Logging for traffic that is allowed or blocked. | Supported with limitations: Full Logging is not supported; session logs are available only for blocked sessions. | Supported
DNS Dashboards, Insights, and Logs: Analyze your traffic information using customizable dashboards, interactive charts, and real-time logs generated with Full Logging for traffic that is allowed or blocked. | Supported | Supported
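The following is an added illustration, not Zscaler's code or data model: a minimal first-match evaluator for firewall filtering rules of the kind described above. It shows how source and destination IP groups, network services and user criteria combine, why a user-scoped rule cannot fire when a flow carries no user identity (the authentication and surrogate IP requirement, after which only organization and location-level rules apply), and how the logging setting and subscription tier decide whether a session log record exists (the Standard tier row of the table). The group names, rule names, IP ranges, the default-rule behaviour and the `session_logged` simplification are all constructed assumptions for the demo.

```python
# Added example (not Zscaler's code): first-match evaluation of constructed
# firewall filtering rules. All names and address ranges are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed source/destination IP groups (documentation address ranges).
IP_GROUPS = {
    "CorpLAN": ["10.10.0.0/16"],
    "BadHosts": ["203.0.113.0/24"],
}

# Constructed network services: (protocol, destination port); None = any port.
NETWORK_SERVICES = {
    "HTTPS": [("tcp", 443)],
    "DNS": [("udp", 53), ("tcp", 53)],
    "ICMP_ANY": [("icmp", None)],
}


@dataclass
class Rule:
    name: str
    order: int                  # lower order is evaluated first
    action: str                 # "ALLOW" or "BLOCK"
    logging: str                # "FULL" (every session) or "AGGREGATE"
    src_groups: list = field(default_factory=list)   # empty = any source
    dest_groups: list = field(default_factory=list)  # empty = any destination
    services: list = field(default_factory=list)     # empty = any service
    users: list = field(default_factory=list)        # empty = not user-scoped


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str                  # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    user: Optional[str] = None  # None when no authenticated/surrogate IP identity


def ip_in_groups(ip: str, groups: list) -> bool:
    """Empty criterion matches anything; otherwise match any listed CIDR."""
    if not groups:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for g in groups for cidr in IP_GROUPS[g])


def service_matches(flow: Flow, services: list) -> bool:
    """Empty criterion matches anything; otherwise match protocol and port."""
    if not services:
        return True
    for svc in services:
        for proto, port in NETWORK_SERVICES[svc]:
            if proto == flow.proto and (port is None or port == flow.dst_port):
                return True
    return False


def evaluate(rules: list, flow: Flow, default_action: str = "ALLOW") -> tuple:
    """Return (rule name, action, logging) of the first matching rule.

    A user-scoped rule is skipped when the flow carries no user identity:
    without authentication and surrogate IP, only the non-user (organization
    and location) rules can apply. The default rule's action and logging
    are assumptions for this demo.
    """
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.users and (flow.user is None or flow.user not in rule.users):
            continue
        if not ip_in_groups(flow.src_ip, rule.src_groups):
            continue
        if not ip_in_groups(flow.dst_ip, rule.dest_groups):
            continue
        if not service_matches(flow, rule.services):
            continue
        return rule.name, rule.action, rule.logging
    return "Default", default_action, "AGGREGATE"


def session_logged(action: str, logging: str, subscription: str) -> bool:
    """Simplified reading of the feature table (an assumption, not a spec):
    Advanced Cloud Firewall with Full Logging records every session; the
    Standard tier has no Full Logging and keeps session logs only for
    blocked sessions, and that is also assumed for non-Full logging."""
    if subscription == "Advanced" and logging == "FULL":
        return True
    return action == "BLOCK"


SAMPLE_RULES = [
    Rule("Block Bad Hosts", 1, "BLOCK", "FULL", dest_groups=["BadHosts"]),
    Rule("Block Contractor ICMP", 2, "BLOCK", "FULL",
         services=["ICMP_ANY"], users=["contractor1"]),
    Rule("Allow Corp HTTPS", 3, "ALLOW", "AGGREGATE",
         src_groups=["CorpLAN"], services=["HTTPS"]),
]

if __name__ == "__main__":
    ping = Flow("10.10.1.5", "198.51.100.7", "icmp")
    print(evaluate(SAMPLE_RULES, ping))            # no identity: user rule skipped
    ping.user = "contractor1"
    print(evaluate(SAMPLE_RULES, ping))            # identity known: user rule fires
```

Running the block shows the same ICMP flow hitting the default rule when it has no user identity and the user-scoped block rule once identity is present, which is the practical consequence of the authentication and surrogate IP requirement stated above.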