I opened a support case for this today but I thought it may be worth calling this out here, in case any Zscaler employees can help push this and even just for awareness.
We program our firewalls (Palo Alto) to permit traffic to Zscaler services via the API provided by config.zscaler.com. This way we don’t need to worry too much about things in the cloud changing. It looks after itself.
Yesterday we found that mobile.zscloud.net was no longer accessible. We use ZCC so access to mobile.zscloud.net is one of the ZCC config requirements. And the config page says the IPs that mobile.zscloud.net are hosted on are the Zscaler hub IPs and provides a link to the Firewall Config Requirements page.
But the IP addresses that mobile.zscloud.net resolves to for us (220.127.116.11 and 18.104.22.168) are not covered by the “required” hub IP addresses.
So we’re a little confused now. Either Zscaler haven’t updated the list of required IP addresses for hub or Zscaler need to now tell customers that the list of recommended hub IP addresses are actually required. It’s very unclear and confusing. Something is either required or it’s not.