Required v Recommended config

Hello.

I opened a support case for this today but I thought it may be worth calling this out here, in case any Zscaler employees can help push this and even just for awareness.

We program our firewalls (Palo Alto) to permit traffic to Zscaler services via the API provided by config.zscaler.com. This way we don’t need to worry too much about things in the cloud changing. It looks after itself.

Yesterday we found that mobile.zscloud.net was no longer accessible. We use ZCC so access to mobile.zscloud.net is one of the ZCC config requirements. And the config page says the IPs that mobile.zscloud.net are hosted on are the Zscaler hub IPs and provides a link to the Firewall Config Requirements page.

But the IP addresses that mobile.zscloud.net resolves to for us (165.225.29.17 and 165.225.29.15) are not covered by the “required” hub IP addresses.

So we’re a little confused now. Either Zscaler haven’t updated the list of required IP addresses for hub or Zscaler need to now tell customers that the list of recommended hub IP addresses are actually required. It’s very unclear and confusing. Something is either required or it’s not.

Hey David,

I see exactly what you’re referring to. Let me check with the team to understand what happened because it is confusing to say recommended when it should be under required. Especially, since it impacts functionality.

Thanks!

Support have come back and said that this change in IPs for mobile.zscloud.net was caused by this: Trust (zscaler.com) and suggested that mobile.zscloud.net was pointed at different infrastructure.

That issue was resolved on 19th April and if the intention is to not point mobile.zscloud.net back to where it was before the incident (i.e. covered by the “Required” hub IP addresses), then I would expect the required hub IP addresses to be updated.

Or alternatively get rid of the required hub IP addresses and make sure customers are implementing firewall rules based on the recommended IP addresses and remove the ambiguity.