Unusual IP connections from zscalertunnel process

Hi,

From looking at my EDR tool logs I have noticed the zscalertunnel process (on macOS) is connecting to some unusual IPs in other countries. Could anyone explain why this might be happening?

My expectation is that the zscalertunnel process should make connections to Zscaler IP ranges (e.g. those at https://ips.zscaler.net) and nothing else. Are there conditions when this is not true?

Thanks,

I typically see these connections at the same time as a user connects to a website, for example:

A connection from Firefox to 1.2.3.4:443 at the same time as a connection from zscalertunnel to 1.2.3.4:58176

The port is always high-numbered. Any ideas what these connections are?

Hi Will,

This might relate to how the traffic is tunneled. We don’t operate like a normal VPN tunnel to send packets, but instead do some modification to the packets so we can grab and route them on to the cloud.

Is the destination IP Address always directly related to a request from the browser, as far as you’ve seen?

Regards

David

As far as I can tell, yes (there are limitations in the EDR tool on this). I see a request from e.g. a browser to 443 and then requests from zscalertunnel to the same IP but on a high-numbered port (e.g. 50000 upwards).
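The pattern described in this thread (a browser connection to some IP on 443, and at the same moment a zscalertunnel connection to the same IP on a high-numbered port) lends itself to a simple triage rule for EDR network events: a zscalertunnel connection is "explained" if its destination is in the published Zscaler ranges, or if a browser connected to the same destination within a short window. The following is an added example, not code from the poster, David, or Zscaler. It assumes EDR events expose a timestamp, process name, destination IP and destination port; the event lines, the 2-second correlation window, and the Zscaler range (a TEST-NET placeholder standing in for the real list at https://ips.zscaler.net) are all constructed here. The 50000 threshold is taken from the poster's observation rather than from any Zscaler documentation.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed EDR-style events, not real logs: (timestamp, process, dst_ip, dst_port)
EVENTS = [
    ("2024-01-01T10:00:00", "firefox", "1.2.3.4", 443),
    ("2024-01-01T10:00:00", "zscalertunnel", "1.2.3.4", 58176),      # matches the browser connection above
    ("2024-01-01T10:00:05", "zscalertunnel", "203.0.113.10", 443),   # falls in the placeholder Zscaler range
    ("2024-01-01T10:01:00", "zscalertunnel", "198.51.100.7", 51234), # no browser counterpart: worth a look
]

# Placeholder only; replace with the ranges published at https://ips.zscaler.net
ZSCALER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Process names the analyst treats as browsers (assumption; extend for the fleet in question)
BROWSERS = {"firefox", "safari", "chrome"}

# "High-numbered port" threshold, taken from the poster's "50000 upwards" observation
HIGH_PORT_MIN = 50000

# How close in time the browser and tunnel connections must be to count as related
WINDOW = timedelta(seconds=2)


def classify(events, zscaler_ranges=ZSCALER_RANGES, browsers=BROWSERS, window=WINDOW):
    """Label every zscalertunnel connection as zscaler_cloud, browser_correlated or uncorrelated.

    Returns a list of (dst_ip, dst_port, label) tuples in event order.
    """
    parsed = [
        (datetime.fromisoformat(ts), proc.lower(), ipaddress.ip_address(ip), port)
        for ts, proc, ip, port in events
    ]
    browser_events = [e for e in parsed if e[1] in browsers]

    results = []
    for ts, proc, ip, port in parsed:
        if proc != "zscalertunnel":
            continue

        # Expected case 1: the tunnel talking to the Zscaler cloud itself
        if any(ip in net for net in zscaler_ranges):
            results.append((str(ip), port, "zscaler_cloud"))
            continue

        # Expected case 2: same destination as a browser, at the same time, on a high port
        related = any(
            b_ip == ip and abs(b_ts - ts) <= window
            for b_ts, _, b_ip, _ in browser_events
        )
        if related and port >= HIGH_PORT_MIN:
            results.append((str(ip), port, "browser_correlated"))
        else:
            # Neither explanation applies: surface this for analyst review
            results.append((str(ip), port, "uncorrelated"))
    return results


def uncorrelated(events, **kwargs):
    """Just the destinations an analyst should follow up on."""
    return [(ip, port) for ip, port, label in classify(events, **kwargs) if label == "uncorrelated"]


if __name__ == "__main__":
    for row in classify(EVENTS):
        print(row)
```

Run against a real EDR export, the interesting output is the `uncorrelated` list: zscalertunnel destinations that are neither Zscaler infrastructure nor tied to a browser request. Widen `WINDOW` if the EDR's timestamps are coarse, and treat the browser list and port threshold as tunables rather than facts about the product.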