Mobile and Firewall Policy Areas in Zscaler
This post covers the firewall and mobile policy areas in Zscaler. The Firewall policy area is where you configure access control policies for the Zscaler Basic and Advanced Cloud Firewall capabilities.
There are two Cloud Firewall subscription types in Zscaler:
Basic Cloud Firewall – you can only create firewall rules using the five well-known tuple fields: source and destination IP addresses, source and destination ports, and protocol.
Advanced Cloud Firewall – in addition to the 5-tuple, you can make use of the Zscaler default Network Services and Network Application definitions, or create your own custom services.
To enable the Cloud Firewall for an existing location, use the following steps:
From the Administration menu, click Locations.
Click the Edit icon for the location where you want to enable the Cloud Firewall.
Enable Enforce Firewall Control for the location and save the configuration.
Finally, activate the change; the firewall is not enforced for the location until the configuration has been activated.
Firewall policy is created and managed in much the same way as Cloud Application Control and URL Filtering policies. Before creating rules, though, let's look at the two ways Zscaler classifies traffic for the firewall: Network Services and Network Applications. Both are configured from the Administration menu.
Network Services are the default list of services (protocol and port definitions) provided by Zscaler; here you can also create a custom service for ports and protocols that Zscaler does not define.
To group several services of the same type so that a single rule can reference them, click the Add Network Service Group link.
Network Applications are identified by the Zscaler cloud from the traffic itself rather than by port or protocol, which is what makes them useful for applications that do not use a fixed port.
Zscaler provides a default list of Network Applications, and there are also default Network Application Groups, for example for Microsoft Office 365 applications.
Now configure the firewall. Go to Firewall Control.
By default there are two rules. Zscaler recommends changing the default rule from Allow to Block, but before you block all remaining traffic you must add rules above it that allow the services you still need, such as HTTP, HTTPS, DNS and SSL; otherwise the default rule blocks them too.
When you create a new rule you see the options described below. Note that rule order must be defined carefully: rules are evaluated from top to bottom and the first matching rule is applied.
The section labelled WHO, WHERE & WHEN defines to whom the rule applies. As with Cloud Application Control and URL Filtering rules, the User, Group and Department fields are combined with a logical OR, while the Where (location) and Time fields are combined with a logical AND. This rule applies to the entire organization, so we do not need to change any criteria here.
The Service, Source IP and Destination fields are set according to your requirements.
When you click Action there are four options, including Allow, Block/Drop and Block/ICMP; use the one that fits your requirements.
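To make the rule semantics above concrete, here is an added example that is not Zscaler's code or API: a small Python model of the Network Service and Network Service Group definitions and of first-match, top-to-bottom rule evaluation with the WHO (OR) / WHERE and WHEN (AND) logic. It shows what happens when the default rule is changed to Block but is placed above the allow rules for DNS and web traffic. The service names, group names, rule names, users and IP ranges are invented for illustration, and the Zscaler features they stand in for are only approximated.

```python
"""Added example (not Zscaler code): a first-match model of Cloud Firewall
rule evaluation, to show why rule order and the default rule's action matter."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Network Services as (protocol, port) sets, mirroring Zscaler's default
# services; the port numbers are the standard ones.
NETWORK_SERVICES = {
    "DNS": {("udp", 53), ("tcp", 53)},
    "HTTP": {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
    "SSH": {("tcp", 22)},
}
# A Network Service Group bundles services under one name (assumed name "Web").
SERVICE_GROUPS = {"Web": {"HTTP", "HTTPS"}}


def resolve_services(names):
    """Expand service and service-group names into a set of (proto, port)."""
    tuples = set()
    for name in names:
        for svc in SERVICE_GROUPS.get(name, {name}):
            tuples |= NETWORK_SERVICES[svc]
    return tuples


@dataclass(frozen=True)
class Flow:
    user: str
    groups: frozenset
    department: str
    location: str
    hour: int
    proto: str
    dst_ip: str
    dst_port: int


@dataclass
class Rule:
    name: str
    action: str                                    # "Allow", "Block/Drop", "Block/ICMP"
    users: set = field(default_factory=set)        # WHO: User, Group, Department
    groups: set = field(default_factory=set)       # are combined with logical OR
    departments: set = field(default_factory=set)
    locations: set = field(default_factory=set)    # WHERE: AND with WHO
    hours: set = field(default_factory=set)        # WHEN: AND with the rest
    services: set = field(default_factory=set)     # empty = any service
    dst_nets: set = field(default_factory=set)     # empty = any destination

    def matches(self, f):
        if any((self.users, self.groups, self.departments)):   # any WHO field set
            who = (f.user in self.users
                   or bool(f.groups & self.groups)
                   or f.department in self.departments)
        else:
            who = True                                         # whole organization
        where = not self.locations or f.location in self.locations
        when = not self.hours or f.hour in self.hours
        svc = not self.services or (f.proto, f.dst_port) in resolve_services(self.services)
        dst = not self.dst_nets or any(ip_address(f.dst_ip) in ip_network(n) for n in self.dst_nets)
        return who and where and when and svc and dst


def evaluate(rules, flow):
    """Top to bottom, first match wins; the default rule must be last."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    raise ValueError("no rule matched: keep a catch-all default rule last")


# Invented rule set: default rule already changed from Allow to Block/Drop.
allow_web = Rule("Allow Web", "Allow", services={"Web"})
allow_dns = Rule("Allow DNS", "Allow", services={"DNS"})
default_block = Rule("Default Rule", "Block/Drop")
finance_ssh = Rule("Finance SSH at HQ", "Allow", departments={"Finance"},
                   groups={"Admins"}, locations={"HQ"}, services={"SSH"},
                   dst_nets={"10.0.0.0/8"})

GOOD_ORDER = [finance_ssh, allow_web, allow_dns, default_block]
BAD_ORDER = [default_block, finance_ssh, allow_web, allow_dns]  # default rule on top

# Constructed sample flows.
DNS_FLOW = Flow("alice", frozenset({"Staff"}), "Sales", "HQ", 10, "udp", "8.8.8.8", 53)
SSH_HQ = Flow("bob", frozenset(), "Finance", "HQ", 9, "tcp", "10.1.2.3", 22)
SSH_BRANCH = Flow("bob", frozenset(), "Finance", "Branch", 9, "tcp", "10.1.2.3", 22)
SSH_ADMIN = Flow("carol", frozenset({"Admins"}), "IT", "HQ", 9, "tcp", "10.1.2.3", 22)


def demo():
    return {
        "dns_good": evaluate(GOOD_ORDER, DNS_FLOW),          # ("Allow DNS", "Allow")
        "dns_bad": evaluate(BAD_ORDER, DNS_FLOW),            # default rule swallows DNS
        "ssh_hq_finance": evaluate(GOOD_ORDER, SSH_HQ),      # department OR matched, AND HQ
        "ssh_branch_finance": evaluate(GOOD_ORDER, SSH_BRANCH),  # location AND fails
        "ssh_hq_admin_group": evaluate(GOOD_ORDER, SSH_ADMIN),   # group OR matched
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The two orderings contain exactly the same rules; only the position of the default rule differs, and in BAD_ORDER it blocks DNS and web traffic before the allow rules are ever consulted. The SSH cases show the WHO fields matching on department or group (either is enough) while the location still has to match as well.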
Enable FTP Control –
By default, the Zscaler service does not allow users at a location to upload or download files from FTP sites. Here you have the option to enable FTP over HTTP.
You also have options for managing which specific sites your end users can reach with the native FTP protocol; alternatively, you can permit native FTP to any URL Category.