I am trying to limit inbound UDP traffic to the range of proxy IPs used by Zscaler. However, the traffic is still blocked.
I have checked to ensure that Zscaler is forwarding my traffic using this site: https://ip.zscaler.com/. I also notice that on some IP detection sites like https://www.whatismyip.com/, it shows my actual IP as provided by the ISP instead of the Zscaler proxy IP.
Can anyone advise on what I may possibly be doing wrong?
For HTTP Traffic, Zscaler adds an X-Forwarded-For header. This is what’s displayed in ip.zscaler.com - the XFF header and the source IP for the traffic being the Zscaler node.
whatsmyip.com will display your IP based on the XFF header - they’re interpreting the data differently.
Azure ACLs (or any ACL) should be applied based on the Zscaler node IP ranges. However, if you are accessing an application which uses non-HTTP protocols, you will need to ensure you are forwarding all traffic to Zscaler through an appropriate tunnel (GRE/IPSEC, or Z-Tunnel 2.0 if using Zscaler Client Connector). You should see the traffic in your firewall logs in Zscaler Internet Access traversing the Zscaler service before egressing towards Azure. This will provide you the source IP necessary for your ACL.
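An added illustration of the answer above (not from the original thread or from Zscaler): it models which source address reaches the ACL for HTTP via the proxy versus UDP with and without a tunnel, why ip.zscaler.com and an XFF-trusting site report different addresses, and why the ACL must match only the transport source. The node prefixes are constructed RFC 5737 placeholders, not real Zscaler ranges.

```python
import ipaddress
from typing import Optional

# Constructed placeholder prefixes standing in for the published Zscaler node
# ranges (assumption: the real list comes from Zscaler; these are test nets).
ZSCALER_NODE_RANGES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/25")]


def is_zscaler_node(ip: str) -> bool:
    """True when ip falls inside one of the configured node ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ZSCALER_NODE_RANGES)


def first_xff_hop(headers: dict) -> Optional[str]:
    """Leftmost X-Forwarded-For entry: the address an XFF-trusting site displays."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else None


def acl_decision(src_ip: str) -> bool:
    """ACL verdict uses only the transport-layer source. XFF is client-supplied
    (and absent on UDP), so it is never consulted for an allow decision."""
    return is_zscaler_node(src_ip)


def simulate(client_isp_ip: str, node_ip: str, proto: str, tunnelled: bool) -> dict:
    """Which source address the Azure ACL sees for one flow.
    - HTTP through the Zscaler proxy: source is the node IP, XFF carries the ISP IP.
    - Non-HTTP (e.g. UDP) egresses from a node only if forwarded through a
      GRE/IPsec tunnel or Z-Tunnel 2.0; otherwise it leaves from the ISP IP."""
    if proto == "http":
        src, headers = node_ip, {"X-Forwarded-For": client_isp_ip}
    elif tunnelled:
        src, headers = node_ip, {}
    else:
        src, headers = client_isp_ip, {}
    return {"acl_source": src, "xff_ip": first_xff_hop(headers), "permitted": acl_decision(src)}


if __name__ == "__main__":
    # Constructed sample: client on ISP address 192.0.2.10, proxied by node 203.0.113.45.
    for proto, tun in (("http", False), ("udp", False), ("udp", True)):
        print(proto, "tunnelled" if tun else "direct", simulate("192.0.2.10", "203.0.113.45", proto, tun))
```

The untunnelled UDP case is the one the question describes: the ACL sees the ISP address, which is outside the node ranges, so the traffic is dropped.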
Hi mryan, thanks for the reply.
May I know how I can confirm the Zscaler node IP ranges that I should be using?
Also, is this (circled in the screenshot) the version of the Z-Tunnel that is in use by my Zscaler client?