Secure modern work –
wherever you work
– with Zscaler Firewall.

Experience a transformative, cloud-delivered approach to protecting internet traffic for all users, applications, and locations without sacrificing performance.

Welcome to the Zscaler Firewall tour!

Zscaler Firewall transforms hybrid and branch connections using an intuitive and centralized policy management console.

Let’s start configuring your cloud native firewall.

The proxy-based, firewall-as-a-service solution is a fully integrated part of Zscaler Internet Access (ZIA).

Click “Firewall Overview” to continue.

Zscaler Firewall safeguards traffic across all ports and protocols for all users, applications and locations, delivering Layer 7 protection that includes advanced threat protection, an intrusion prevention system (IPS), and DNS Control.

Let’s take a closer look at the control you’ll have.

Click on “Policy” to continue.

Firewall Control

First, let’s create a new Firewall Rule.

Click “Firewall Control” to continue.

Ensure secure and optimized user experience.

Let’s create our first firewall rule to allow acceptable, regular internet usage: the DNS, HTTP and HTTPS network services.

Allowing a service does not exempt it from inspection. Internet traffic that matches this rule is still forwarded to and inspected by the Zscaler Zero Trust Exchange, and malicious content inside it is still blocked.

Click on "Add Firewall Filtering Rule" to continue.

First, you’ll want to name your new rule, “Allow Regular Internet Usage”.

Since this rule applies across your organization, you do not need to define criteria for users, locations, or devices under the “Who, where…” tab.

Web and non-web traffic is forwarded to the Zscaler Zero Trust Exchange™ for inline inspection and protection, where malicious connections are blocked or terminated without impacting the user experience.

Under Action, set Network Traffic to Allow and Logging to Aggregate Log, which records sessions in summarized form. (The block rule created next uses Full logging, which records every session individually.)

Now click the “Services” tab to continue.

Under Services, choose “DNS”, “HTTP” and “HTTPS”, the three network services this rule is meant to allow.

Click “Done” to continue.

Then click “Save” to continue.

Congrats, you’ve made your first firewall rule!

This rule will apply to all users, regardless of their location.

Block protocols that cannot be inspected.

QUIC is an encrypted, UDP-based transport protocol (the transport underneath HTTP/3) that Zscaler cannot inspect. When QUIC is blocked, the client falls back to HTTPS over TCP, which Zscaler can decrypt under your SSL inspection policy and inspect. Blocking QUIC therefore does not break browsing; it moves the same traffic onto a path you can see.

Click on “Add Firewall Filtering Rule” to create your next rule.

Like our first rule, we’ll want to start off by naming our rule – “Block QUIC”.

For this rule, select Block/ICMP as the Network Traffic action and Full logging for each session. Block/ICMP tells the client at once that the UDP path is closed, so the browser falls back to TCP immediately instead of waiting for a timeout as it would under Block/Drop.

The options for the Network Traffic setting are:
  • Allow → Let the session through (it is still inspected).
  • Block/Drop → Drop the traffic silently; the client sees only a timeout.
  • Block/ICMP → Drop the traffic and send the client an ICMP unreachable message, so it learns immediately that the destination is blocked. Applies to UDP as well as TCP.
  • Block/Reset → Drop the traffic and send a TCP reset, so the endpoint is told immediately that the connection was refused. A reset only exists for TCP sessions.

Now click the “Services” tab to continue.

Under Services, choose “QUIC”.

Click “Done” to continue.

You’ve now created your second rule.

This rule will also apply to all users, regardless of their location.
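To make the evaluation order and the action semantics concrete, here is a small Python model of the two rules just built. It is an added example, not Zscaler’s own code or API: the port-to-service mappings (DNS on port 53, HTTP on TCP/80, HTTPS on TCP/443, QUIC on UDP/443), the behaviour of Block/Reset on UDP, and the catch-all default action are assumptions made for the demo; check the real network service definitions and the default rule in your own policy.

```python
from dataclasses import dataclass

# Assumed port mappings for the tour's predefined network services.
# Illustrative only: check the real service definitions in the console.
SERVICES = {
    "DNS":   {("udp", 53), ("tcp", 53)},
    "HTTP":  {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
    "QUIC":  {("udp", 443)},
}


@dataclass
class Rule:
    name: str
    action: str       # ALLOW, BLOCK_DROP, BLOCK_ICMP or BLOCK_RESET
    services: list    # names from SERVICES
    logging: str      # "aggregate" or "full"


@dataclass
class Verdict:
    rule: str
    action: str
    client_sees: str
    logging: str


def client_signal(action, proto):
    """What the endpoint observes for each Network Traffic action."""
    if action == "ALLOW":
        return "connection proceeds"
    if action == "BLOCK_DROP":
        return "timeout"                        # silent drop, nothing sent back
    if action == "BLOCK_ICMP":
        return "ICMP destination unreachable"   # explicit refusal, works for UDP too
    if action == "BLOCK_RESET":
        # A TCP reset only exists for TCP; for UDP this model assumes the
        # client is told via ICMP instead (assumption, not documented behaviour).
        return "TCP RST" if proto == "tcp" else "ICMP destination unreachable"
    raise ValueError(f"unknown action {action}")


def evaluate(rules, proto, port, services=SERVICES, default_action="BLOCK_DROP"):
    """First matching rule wins, in rule order. default_action stands in for
    the catch-all rule at the bottom of the policy (assumption: check yours)."""
    for rule in rules:
        ports = set().union(*(services[name] for name in rule.services))
        if (proto, port) in ports:
            return Verdict(rule.name, rule.action,
                           client_signal(rule.action, proto), rule.logging)
    return Verdict("<default rule>", default_action,
                   client_signal(default_action, proto), "none")


# The two rules built in the tour, in rule order.
TOUR_RULES = [
    Rule("Allow Regular Internet Usage", "ALLOW", ["DNS", "HTTP", "HTTPS"], "aggregate"),
    Rule("Block QUIC", "BLOCK_ICMP", ["QUIC"], "full"),
]


def browser_fetch(rules, services=SERVICES):
    """A QUIC-capable browser tries UDP/443 first and falls back to TCP/443
    when that path is refused. TCP/443 is where TLS inspection can happen."""
    quic = evaluate(rules, "udp", 443, services)
    if quic.action == "ALLOW":
        return ("quic-uninspected", quic.rule)
    tcp = evaluate(rules, "tcp", 443, services)
    if tcp.action == "ALLOW":
        return ("tls-over-tcp-inspectable", tcp.rule)
    return ("blocked", tcp.rule)


def order_matters():
    """If an admin ever widens HTTPS to cover UDP/443 as well, the allow rule
    would match QUIC before Block QUIC does. Returns the outcome with the
    tour's order and with Block QUIC moved to the top."""
    wide = dict(SERVICES)
    wide["HTTPS"] = {("tcp", 443), ("udp", 443)}
    allow_first = browser_fetch(TOUR_RULES, wide)[0]
    block_first = browser_fetch(list(reversed(TOUR_RULES)), wide)[0]
    return allow_first, block_first


if __name__ == "__main__":
    for proto, port in [("udp", 53), ("tcp", 443), ("udp", 443), ("tcp", 22)]:
        print(proto, port, evaluate(TOUR_RULES, proto, port))
    print("browser:", browser_fetch(TOUR_RULES))
    print("with widened HTTPS (allow first, block first):", order_matters())
```

Running it shows UDP/443 hitting Block QUIC while TCP/443 is allowed, so a QUIC-capable browser ends up on TLS over TCP where inspection can happen. `order_matters()` is the check worth making whenever you edit a network service: if an allow rule ever covers UDP/443, it must sit below Block QUIC, because the first matching rule wins.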

DNS Control

Let’s move on to DNS Control and create a couple of new rules.

Click “DNS Control” to continue.

Block bandwidth-heavy online gaming sites for users on corporate devices.

Restricting or blocking gaming for users on corporate devices helps prioritize bandwidth and preserve quality of service for business applications such as Zoom or Microsoft Teams. Zscaler does not throttle traffic itself; the rule simply keeps this traffic off the network, which also tends to improve productivity. In this tour the rule blocks both the Gambling and Games categories.

Click “Add DNS Filtering Rule” to continue the tour.

Let’s name this rule “Block Online Gaming”.

Under Action, remember to select “Block”.

Now click the “DNS Application” tab to continue.

Under DNS Application you can choose the Requested Categories to block. These classify the domain name in the query itself, before it is resolved.

Click the dropdown selection to continue.

Click “Gambling” and all the items under it to continue.

Click “Games” and all the items under it to continue.

Click “Done” to continue.

Now block the same categories under Resolved Categories. These classify the address returned in the DNS answer rather than the name that was requested, so a query for an uncategorized or newly registered name that resolves to a known gaming or gambling server is still caught.

Under Resolved Categories, click the dropdown selection to continue.

Click “Gambling” and all the items under it to continue.

Click “Games” and all the items under it to continue.

Click “Done” to continue.

Then click “Save” to continue.

Congrats, you’ve made your first DNS rule!

This DNS rule applies to all users, regardless of their location.
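The difference between Requested Categories and Resolved Categories is easiest to see in code. The following Python is an added example with constructed category tables; it is not Zscaler’s categorization data or API. The domain names use the reserved `.test` TLD, the addresses come from documentation ranges, and the rule is the “Block Online Gaming” rule from this tour expressed as data.

```python
# Constructed lookup tables standing in for URL/DNS categorization.
# Not Zscaler's data: names use the reserved .test TLD, addresses are
# taken from documentation ranges.
REQUESTED_CATEGORY = {
    "gaming-example.test": "Games",
    "casino-example.test": "Gambling",
    "corp-example.test":   "Business",
}
RESOLVED_CATEGORY = {
    "203.0.113.10": "Games",
    "203.0.113.20": "Gambling",
    "198.51.100.5": "Business",
}

# The rule built in the tour, as data.
BLOCK_ONLINE_GAMING = {
    "name": "Block Online Gaming",
    "action": "BLOCK",
    "requested_categories": {"Games", "Gambling"},
    "resolved_categories":  {"Games", "Gambling"},
}


def requested_category(qname):
    """Category of the queried name. Walks from the full name up through its
    parents so a sub-domain inherits the category of a categorized zone."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        category = REQUESTED_CATEGORY.get(".".join(labels[i:]))
        if category:
            return category
    return "Uncategorized"


def resolved_categories(answers):
    """Category of every address in the DNS answer."""
    return {ip: RESOLVED_CATEGORY.get(ip, "Uncategorized") for ip in answers}


def evaluate_dns(rule, qname, answers):
    """Return (action, reason). Requested categories are checked on the
    query, before resolution; resolved categories on the answer, so the
    second check catches names that are not categorized themselves."""
    category = requested_category(qname)
    if category in rule["requested_categories"]:
        return (rule["action"], f"requested:{category}")
    for ip, category in resolved_categories(answers).items():
        if category in rule["resolved_categories"]:
            return (rule["action"], f"resolved:{category}@{ip}")
    return ("ALLOW", "no match")


if __name__ == "__main__":
    # Constructed queries: the third is an alias that no name-based category
    # covers, but its answer points at a games server.
    cases = [
        ("play.gaming-example.test", ["203.0.113.10"]),
        ("bet.casino-example.test", ["203.0.113.20"]),
        ("static.cdn-alias.test", ["203.0.113.10"]),
        ("mail.corp-example.test", ["198.51.100.5"]),
    ]
    for qname, answers in cases:
        print(qname, "->", evaluate_dns(BLOCK_ONLINE_GAMING, qname, answers))
```

The `static.cdn-alias.test` case is the one that justifies filling in both tabs: its name matches nothing, yet the answer lands on a games server and the resolved-category check still blocks it.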

Block malicious DNS tunnels to prevent data exfiltration and botnet callbacks

Threat actors abuse DNS as a covert channel: they encode data into the names they look up and into the answers they receive, so what looks like ordinary name resolution is actually command-and-control traffic or exfiltration. Because many networks let DNS pass with little scrutiny, this is a blind spot that can result in data leaving the organization or infected hosts calling home. Zscaler Firewall secures DNS requests and responses regardless of record type and resolver, and recognizes botnet callback patterns.

Click on “Add DNS Filtering Rule” to continue.

Let’s name this rule “Block Bad DNS Tunnels”.

For this rule, we want the action to Block the network traffic.

Now click the “DNS Application” tab to continue.

Under DNS Application, set the criteria for the rule. Zscaler continuously identifies and categorizes DNS tunnels into three groups:
  • Commonly Blocked DNS Tunnels – known bad or malicious tunnels
  • Commonly Allowed DNS Tunnels – legitimate tunnels, though the group may also contain tunnels you would rather not allow
  • Unknown DNS Tunnels – not yet classified; could be malicious or spy/grayware

For this rule, choose “Commonly Blocked DNS Tunnels” and you’re set. Review the Unknown group separately before deciding whether to block it, since it can include both malicious and benign traffic.

Press “Done” to continue.

You’ve now created your second DNS rule.
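The tour relies on Zscaler’s own tunnel categories, but it helps to see what makes tunneled DNS look different from ordinary lookups. The following Python is an added example of generic detection heuristics run over a constructed query log; it is not Zscaler’s classifier, and the thresholds, the two-label zone cut in `registered_domain`, and the log contents are assumptions chosen for the demo.

```python
import math
from collections import defaultdict

# Constructed DNS query log: (queried name, record type). Not real traffic.
# The tun-example.test entries imitate a tunnel: one long, random-looking
# leading label per query (the encoded payload) and record types whose
# answers can carry data back.
SAMPLE_LOG = [
    ("www.example.test", "A"), ("www.example.test", "AAAA"),
    ("mail.example.test", "A"), ("api.example.test", "A"),
    ("api.example.test", "A"), ("www.example.test", "A"),
    ("4f2a9c1e7b3d8e0f6a5c2b9d1e4f7a3c.tun-example.test", "TXT"),
    ("b81d3f6a0c2e9b5d7f1a4c8e2b6d0f3a.tun-example.test", "TXT"),
    ("9e3c5a7f1b4d8e2a6c0f3b7d5e9a1c4f.tun-example.test", "TXT"),
    ("2d7b4e9a1f6c3e8b5d0a7f2c9e4b6d1a.tun-example.test", "TXT"),
    ("c5e8a2f4b7d1e9c3a6f0b8d2e5a9c1f7.tun-example.test", "TXT"),
    ("7a1f4c9e2b6d8a3f5c0e9b1d7f4a2c6e.tun-example.test", "NULL"),
]

DATA_RECORD_TYPES = {"TXT", "NULL"}   # record types commonly used to carry payloads


def shannon_entropy(text):
    """Bits per character; encoded or encrypted data scores high."""
    if not text:
        return 0.0
    n = len(text)
    freq = {}
    for ch in text:
        freq[ch] = freq.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def registered_domain(qname):
    """Crude zone cut: the last two labels. Assumption for the demo; a real
    tool would consult the Public Suffix List."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def tunnel_indicators(queries):
    """Four tunnelling signals for all queries sent to one zone. Thresholds
    are assumptions picked for this demo, not calibrated values."""
    leading = []
    for qname, _ in queries:
        host_labels = qname.rstrip(".").lower().split(".")[:-2]
        leading.append(host_labels[0] if host_labels else "")
    n = len(leading)
    avg_len = sum(len(label) for label in leading) / n
    avg_entropy = sum(shannon_entropy(label) for label in leading) / n
    unique_ratio = len(set(leading)) / n
    data_share = sum(1 for _, qtype in queries if qtype in DATA_RECORD_TYPES) / n
    return {
        "long_labels": avg_len > 20,            # payload chunks make labels long
        "high_entropy": avg_entropy > 3.0,      # encoded data looks random
        "unique_subdomains": unique_ratio >= 0.8,  # each chunk is a fresh name
        "data_record_types": data_share >= 0.5,    # TXT/NULL carry the reply
    }


def find_tunnel_candidates(log, min_queries=5, min_indicators=3):
    """Group queries by zone and flag zones showing enough indicators.
    min_queries avoids scoring zones seen too rarely to judge."""
    by_zone = defaultdict(list)
    for qname, qtype in log:
        by_zone[registered_domain(qname)].append((qname, qtype))
    flagged = []
    for zone, queries in by_zone.items():
        if len(queries) < min_queries:
            continue
        if sum(tunnel_indicators(queries).values()) >= min_indicators:
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    by_zone = defaultdict(list)
    for qname, qtype in SAMPLE_LOG:
        by_zone[registered_domain(qname)].append((qname, qtype))
    for zone, queries in by_zone.items():
        print(zone, tunnel_indicators(queries))
    print("candidates:", find_tunnel_candidates(SAMPLE_LOG))
```

The `tun-example.test` zone trips all four indicators: long, high-entropy leading labels that never repeat, and record types that can carry data back, while `example.test` trips none. Legitimate software also sends DNS traffic shaped like this, which is why the Commonly Allowed and Unknown groups exist; heuristics like these are for triage, and a flagged zone still needs to be checked before it is blocked.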

IPS Control

Let’s move on to IPS Control.

Click “IPS Control” to continue.

Powerful inline threat protection across all ports and protocols

By default, the IPS Control policy blocks traffic that matches any cloud IPS threat signature, in every signature category. We recommend leaving this policy as-is so that known threats continue to be blocked for your organization.

Adversaries use encryption and non-standard ports to evade detection and deliver stealthy attacks. Zscaler can inspect all web and non-web traffic, including SSL/TLS, to stop them. Note that IPS signatures can only match inside encrypted sessions that your SSL inspection policy decrypts, so pair IPS Control with an SSL inspection policy that covers the traffic you care about.

Hope you enjoyed the Zscaler Firewall tour!

Let’s recap what you learned:

  1. Firewall Control
    1. Block traffic that cannot be inspected by Zscaler
    2. Ensure acceptable, regular internet usage for all users, devices, and locations
  2. DNS Control
    1. Stop bandwidth-heavy traffic while ensuring quality of service and prioritization of business activities
    2. Prevent data exfiltration or botnet callbacks
  3. IPS Control
    1. Prevent known threats by default

Get an in-depth demo of ZIA
