Configuring firewall policies
Configure firewall policies for both the overlay and underlay traffic as indicated below.
In this example, the overlay traffic does not require scanning, and the underlay traffic requires scanning. The firewall policies are configured accordingly.
To configure a firewall policy for the overlay traffic:
- Go to Policy & Objects > IPv4 Policy, and click Create New. The New Policy screen displays.
- Configure the fields as follows:
  - Enter a name in the Name field, like Out Overlay Traffic in this case.
  - Select the appropriate interface from the Incoming Interface field. In this case, it is port3.
  - Make sure the Outgoing Interface field is set to the Zscaler-SF and Zscaler-DC interfaces.
  - Since the overlay traffic does not require scanning, all the Security Profiles will remain turned off.
- Click OK.
To configure a firewall policy for the underlay traffic:
- Go to Policy & Objects > IPv4 Policy, and click Create New. The New Policy screen displays.
- Configure the fields as follows:
  - Enter a name in the Name field, like Out Underlay Traffic in this case.
  - Select the appropriate interface from the Incoming Interface field. In this case, it is port3.
  - Make sure the Outgoing Interface field is set to the Internet_A and Internet_B interfaces.
  - Since the underlay traffic must be scanned, turn on the AntiVirus, DNS Filter, Application Control, IPS, and SSL Inspection Security Profiles.
- Click OK.
Once created, verify the firewall policies by navigating to Policy & Objects > IPv4 Policy. The Security Profiles column shows that the Out Overlay Traffic IPv4 policy does not scan any traffic, while the Out Underlay Traffic IPv4 policy scans all traffic because the SSL Inspection, IPS, Application Control, DNS Filter, and AntiVirus profiles are all active.
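The same verification can be run against a saved CLI export of the policies, so that a profile later switched off on the underlay policy shows up in a review. This is an added example, not Fortinet's code: the sample export and its profile names ("default", "certificate-inspection") are constructed, and it assumes the FortiOS CLI setting names `utm-status`, `av-profile`, `dnsfilter-profile`, `application-list`, `ips-sensor` and `ssl-ssh-profile`, with the "no-inspection" SSL profile counted as not scanning.

```python
import shlex
# FortiOS CLI keys behind the five GUI Security Profiles toggles named above.
PROFILE_KEYS = {"av-profile": "AntiVirus", "dnsfilter-profile": "DNS Filter",
                "application-list": "Application Control", "ips-sensor": "IPS",
                "ssl-ssh-profile": "SSL Inspection"}

# Constructed sample in "show firewall policy" layout; profile names are placeholders.
SAMPLE = '''
config firewall policy
    edit 1
        set name "Out Overlay Traffic"
        set dstintf "Zscaler-SF" "Zscaler-DC"
        set ssl-ssh-profile "no-inspection"
    next
    edit 2
        set name "Out Underlay Traffic"
        set dstintf "Internet_A" "Internet_B"
        set utm-status enable
        set av-profile "default"
        set dnsfilter-profile "default"
        set application-list "default"
        set ips-sensor "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end
'''

def parse_policies(text):
    """Map policy name -> {setting: [values]} from a policy config dump."""
    policies, current = {}, None
    for line in text.splitlines():
        tokens = shlex.split(line) or [""]  # shlex keeps quoted names whole
        if tokens[0] == "edit":
            current = {}
        elif tokens[0] == "set" and current is not None and len(tokens) >= 3:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next" and current is not None:
            policies[current.get("name", ["(unnamed)"])[0]] = current
            current = None
    return policies

def active_profiles(policy):
    """GUI labels of the profiles that actually scan traffic for one policy."""
    if policy.get("utm-status", ["disable"])[0] != "enable":
        return set()  # profiles are not applied unless utm-status is enabled
    return {label for key, label in PROFILE_KEYS.items()
            if policy.get(key, [None])[0] not in (None, "no-inspection")}

for _name, _policy in parse_policies(SAMPLE).items():
    print(_name, "->", sorted(active_profiles(_policy)) or "no scanning")
```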