Bypass SSL inspection for Zscaler domains on the FW


We have a customer who is using the Zscaler Client Connector to forward traffic to Zscaler; the ZCC is also configured with Ztunnel 2.0.
When the customer is remote, he configures a full VPN.
The customer also chooses to deactivate SSL inspection on Zscaler and to activate it on his internal FW.
So when he activates his full VPN, he notices that the ztunnel on ZCC changes from version 2.0 to version 1.0. After investigation we found that the SSL inspection on his internal FW causes this issue. We tried to bypass SSL inspection for the Zscaler domains defined on but the problem persists.
Has anyone already faced this kind of problem? Or do you know which other domains we should bypass?
PS: The cloud name used is zscalerthree.

Your firewall is just trying to SSL inspect the ZCC ztunnel and not the encrypted data inside the ztunnel. I don’t think this is the outcome you are trying to achieve.

What’s the problem you are trying to fix that made you disable the Zscaler SSL inspection?

Is your ztunnel 2.0 using DTLS or TLS?


Ztunnel 2.0 is using DTLS

Zscaler SSL inspection is already disabled, and it’s activated only on the FW side.