What is Global Public Service Edges and how to monitor them?

I am referring to this article: About Global Public Service Edges | Zscaler.

My questions are:

  1. what is the global public ip(185.46.212.88) used for? I understand that it’s used in “no default” network environments but the documentation says that the public ip doesn’t listen to traffic. So as the traffic gets routed into the zscaler environment, I assume the destination ip is 185.46.212.88. What happens to the packet as it goes towards the 185.x.x.x network within the zscaler environment?

  2. how do you monitor these ip addresses? I cannot ping them from my laptop nor can I traceroute to it. Is there a public status page that shows whether these ip addresses are routable?

  3. When the user is in his corporate network, why can’t he still navigate to the ZEN cloud enforcement ranges (165.x.x.x for example) and disregard the 185.x.x.x network altogether?

Hi David -

  1. You are correct that the global IP is used primarily for no default route environments. There’s a good diagram in this help document that describes what happens to the packet. Again, this relates only to the no-default route scenario where the user has a PAC file and traffic is traversing an IPSEC or GRE tunnel, not a direct connection to a globe IP.

  2. As these are “ghost addresses”, they wouldn’t need to be monitored as the actual public service edges are by the device you are tunneling from. You would monitor the public service edge(s) you are connected to, not the global IP. In some cases, the address is used in PBR on internal routers to direct specific traffic through the tunnel in lieu of a PBR on the edge device that hosts the tunnel, since there isn’t a default route to get packets to the edge device in a no-default route environment. Global IPs are included at the bottom of this page regardless of the cloud name specified: https://config.zscaler.com/zscaler.net/cenr

  3. If you have a default route or PBR directing that traffic to the tunnel, there is no need to use the global IP, nor to “navigate to the ZEN cloud enforcement ranges” because the tunnel is already connected to one or more public service edge and will forward the traffic directed to it. A PAC file designation can be made to direct to another destination in that case, but if the traffic goes to a tunnel, the tunnel takes precedence over anything specified in the PAC file. The one exception would be that you have a client with a PAC file that you wanted to go to some other ZEN/PSE than the one the user was connecting to through the tunnel, which brings us back to using the globe IP in a PAC file as a way to do that. Of course that sounds like a corner case or troubleshooting technique more than a production setup.