Non-web application mechanism

How ZIA handle non-web application (non-port 80 & non-port 443) traffic?

Is it send to Zscaler Service Edge via TLS-Tunnel?
If I insert a physical firewall between Client Connector and Zscaler Service Edge, what application & port traffic will be shown?
What is the source IP and destination IP of the traffic packet?

Z-Tunnel 2.0 has a tunneling architecture that uses DTLS or TLS to send packets to the Zscaler service. Because of this, Z-Tunnel 2.0 is capable of sending all ports and protocols.

ZCC Tunnel 2.0 traffic is encrypted, so you won’t see the content on your security appliances.

If you take a capture in between, you should be seeing packets destined to Zscaler DC IP Address either on UDP port 443 (DTLS) or TCP port 443 (TLS)