Zscaler - Configuring IPS Control Policy

This support article is written for AntiPhish customers who need to configure Zscaler's Intrusion Prevention Policy (IPS).

Source of documentation

Zscaler's Intrusion Prevention System (IPS) uses signature-based detection to monitor and protect your network traffic from malicious activities. With IPS Control, you can configure rules that are matched against your traffic to enforce condition-based actions to allow or block the traffic in real time.

The Zscaler service provides a default rule that blocks all traffic and logs sessions using aggregate logging. You need to modify this rule or create a higher-order rule to allow traffic through the Zscaler service. The default rule always maintains the lowest precedence and it cannot be deleted.

After configuring the IPS rules, you need to enable IPS Control for location traffic and remote user traffic. To learn more, see About IPS Control.

The default IPS rule can be modified only with the super admin role.

Prerequisites:

Before adding or modifying rules for IPS Control policy, ensure that you have configured any resources that the policies reference:

  • Users, groups, departments, locations, and sub-locations to which the IPS Control policy rules apply.
  • Location Groups.
  • Time Intervals.
  • Network Services. You can modify network services to edit services, add custom services, and create groups.
  • Source and destination IP address groups.

Adding an IPS Control Rule

To configure an IPS Control policy rule:

  1. Go to Policy > IPS Control.
  2. Click Add IPS Control Rule.
  3. Enter the rule attributes:
    • Rule Order: The firewall automatically assigns the Rule Order number. Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule's place in the order. You can change the value, but if you've enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
    • Admin Rank: Choose your Admin Rank. This option appears if you enabled Admin Ranking in the Advanced Settings page. Enter a value from 0-7 (0 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule's Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
    • Rule Name: The firewall automatically creates a Rule Name, which you can change. The maximum length is 31 characters.
    • Rule Status: By default, the status is Enabled. An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.
    • Rule Label: Select a rule label to associate it with the rule. To learn more, see About Rule Label.
  4. On the Who, Where, & When tab:
    • Select the Users, Groups, Departments, and Locations to which this rule applies. You can select Any to select all items or select specific items. You can search for items or click the Add icon to add an item.
      If you've enabled the policy for unauthenticated users under Advanced Settings, and want to apply this rule to unauthenticated traffic, you can do so by making selections accordingly in the Users and Departments fields. To learn more, see Configuring Policies for Unauthenticated Traffic.

      If you want to apply this rule only to remote users' traffic, select Road Warrior from the Locations field. Rules configured for locations other than Road Warrior also apply to remote user traffic from those locations.
      The rules configured for Road Warrior location apply to Z-Tunnel 1.0 and PAC only when the Enable Firewall for Z-Tunnel 1.0 and PAC Road Warriors option is enabled in Advanced Settings.
    • Location Groups: Select the location groups to which this rule applies. You can select Any to select all location groups, or select up to 32 location groups. You can search for location groups.
    • Time: Select the time interval during which the rule applies. Select Always to apply this rule to all time intervals, or select up to two time intervals. You can search for a time interval or click the Add icon to add a new time interval.
  5. On the Services & Threat Categories tab:
    • Network Service Groups: Select the predefined or custom network service groups to which the rule applies.
    • Network Services: Select Any to apply the rule to all network services or select specific network services. The Zscaler firewall has 50 predefined services and you can configure up to 1,024 additional custom services.
    • Advanced Threat Categories: Select Any to apply the rule to all threat categories, or select specific threat categories. Advanced Threat Categories group together common threats to your organization allowing you to block threats such as viruses or botnets. See the list of predefined advanced threat categories and their description.
  6. On the Applications tab:
    • ZPA Application Segment: Select Any to apply the rule to all ZPA application segments, or select up to 255 ZPA application segments. You can also search for ZPA application segments.
      The list displays only those ZPA application segments that have the Source IP Anchor option enabled.
  7. On the Source IP tab:
    • Source IPv4 Groups: Select the source IPv4 groups that you want to control with this rule. You can also add a new Source IPv4 Group by clicking the Add icon.
    • IP Address: Enter IP addresses in any of the following formats:
      • An individual IP address, such as 192.0.2.1.
      • A subnet, such as 192.0.2.0/24.
      • An IP address range, such as 192.0.2.1 - 192.0.2.5.

      For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window appears.
  8. On the Destination IP tab:
    • Destination IPv4 Groups: Select the destination IPv4 groups that you want to control with this rule. You can also add a new Destination IPv4 Group by clicking the Add icon.
    • IP Address or Wildcard FQDN (FQDN is available with Advanced Firewall): Enter IP addresses in any of the following formats:
      • An IP address range, such as 192.0.2.1 - 192.0.2.5.
      • A subnet, such as 192.0.2.0/24.
      • An individual IP address, such as 192.0.2.1.

        If you have Advanced Firewall, you can also add FQDNs for applications with multiple IP addresses or with IP addresses that frequently change. Wildcard FQDNs are also supported with an asterisk (*) as the wildcard character.
        IPS control rules based on Wildcard FQDNs require DNS requests from clients to be forwarded to the Zscaler service to evaluate criteria match. To learn how DNS resolution is handled by the Zscaler service, see Handling DNS Resolution for Various Traffic Forwarding Methods.
        To add multiple entries, press Enter after each entry, then click Add Items. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window appears.
    • Countries: Select the countries you want to control with this rule. You can identify destinations based on the location of a server. Select Any to apply the rule to all countries or select the countries for which you want to control traffic.
    • Categories: Select the custom URL categories that you want to control with this rule. You can also use a custom URL category based on a specific database address (FQDN) which allows destinations to be placed on the allowlist or denylist as desired. Select Any to apply the rule to all categories or select the specific categories for which you want to control traffic.
  9. Choose the Action that the Zscaler service takes when packets match the rule.
    • Allow: Allow the packets to pass through the IPS.
    • Block/Drop: Silently block packets that match the rule.
    • Block/Reset: For TCP traffic, the Zscaler service drops all packets that match the rule and sends the client a TCP reset (a TCP packet with the reset (RST) flag set to 1 in the TCP header, signalling that the connection must be torn down immediately). For non-TCP traffic, this is the same as Block/Drop.
    • Bypass IPS: Allow the packets without scanning. If you select this option, you cannot select any Advanced Threat Category for the rule.
  10. Choose the Logging option (applicable only if you have the firewall logs subscription):
    • Aggregate: The service groups together individual sessions based on { user, rule, and network service } and records them periodically.
    • Full: The service logs all sessions of the rule individually, except HTTP(S). Only Block rules support full logging. Full logging on all other rules requires the Full Logging license.
  11. Optionally, enter additional notes or information. The description cannot exceed 10,240 characters.
  12. Click Save and activate the change.
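As an added illustration (not Zscaler's code or an official policy model), the following Python simulates the first-match evaluation the steps above describe: rules walked in ascending Rule Order, a disabled rule skipped but keeping its slot, source and destination entries in the three IP formats plus wildcard FQDNs, the Bypass IPS constraint, and the undeletable default block rule at lowest precedence. The class, field names and sample rule set are assumptions, useful only for sanity-checking ordering (for example, a broad Allow placed above a narrower Block) before activating a change.

```python
# Added illustration (not Zscaler's code): a first-match simulator for the
# evaluation semantics described above. Class and field names are assumptions.
import ipaddress
from fnmatch import fnmatchcase

ALLOW, BLOCK_DROP, BLOCK_RESET, BYPASS = "Allow", "Block/Drop", "Block/Reset", "Bypass IPS"

def ip_matcher(entry):
    """The three formats the article lists: single IP, subnet, or 'a - b' range."""
    if " - " in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split(" - ", 1))
        return lambda ip: lo <= ip <= hi
    net = ipaddress.ip_network(entry.strip(), strict=False)  # 192.0.2.1 or 192.0.2.0/24
    return lambda ip: ip in net

def dst_matcher(entry):
    """Destination entries may also be wildcard FQDNs such as *.partner.example."""
    if any(c.isalpha() for c in entry):
        return lambda ip, fqdn: fqdn is not None and fnmatchcase(fqdn.lower(), entry.lower())
    m = ip_matcher(entry)
    return lambda ip, fqdn: m(ip)

class Rule:
    def __init__(self, order, name, action, enabled=True, src=None, dst=None, threat_categories=()):
        if action == BYPASS and threat_categories:  # constraint stated in step 9
            raise ValueError(f"{name}: Bypass IPS rules cannot select Advanced Threat Categories")
        self.order, self.name, self.action, self.enabled = order, name, action, enabled
        self.src = None if src is None else [ip_matcher(e) for e in src]  # None means Any
        self.dst = None if dst is None else [dst_matcher(e) for e in dst]

    def matches(self, src_ip, dst_ip, dst_fqdn=None):
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return (self.src is None or any(m(s) for m in self.src)) and \
               (self.dst is None or any(m(d, dst_fqdn) for m in self.dst))

# The service's default rule: lowest precedence, blocks everything, cannot be deleted.
DEFAULT_RULE = Rule(float("inf"), "Default Rule", BLOCK_DROP)

def evaluate(rules, src_ip, dst_ip, dst_fqdn=None):
    """Walk rules in ascending Rule Order; a disabled rule keeps its slot but is skipped."""
    for rule in sorted(rules, key=lambda r: r.order) + [DEFAULT_RULE]:
        if rule.enabled and rule.matches(src_ip, dst_ip, dst_fqdn):
            return rule.name, rule.action

RULES = [  # constructed sample rule set, not from the article
    Rule(1, "Block legacy subnet", BLOCK_DROP, enabled=False, src=["192.0.2.0/24"]),
    Rule(2, "Allow DNS from ops hosts", ALLOW, src=["192.0.2.1 - 192.0.2.5"], dst=["198.51.100.53"]),
    Rule(3, "Reset partner uploads", BLOCK_RESET, dst=["*.partner.example"]),
]
```

Call `evaluate(RULES, src_ip, dst_ip, dst_fqdn)` with the flows you expect the policy to cover; the FQDN argument stands in for the client DNS request that wildcard-FQDN rules depend on, so a flow without it falls through to IP-only matching.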