Zapp ends in Endpoint FW/AV error

User-facing issue: Zapp is logged in. It stays connected for 30 sec and then gets an error related to Endpoint FW/AV. Restart service, Repair, Reboot and Logout all end in the same error. We opened port 9000 via GPO. Gpupdate is successful on the user machine. Still the issue persists only with one user. ZSATray logs say “FIREWALL BLOCK ERROR”.

#NORMAL #INFO : ZIA state changed, From: TUNNEL_FORWARDING To: FIREWALL_BLOCK_ERROR

Regards
Ganesh krishnan


Hi Ganesh,

Z App attempts to communicate with itself locally on the machine to see if something is blocking us. This could be a firewall, antivirus, or even potentially a VPN grabbing this traffic.

But in all cases the error is caused because Z App sends out a communication to itself locally on the machine and that is never received.

Have you followed the network requirements here: https://help.zscaler.com/z-app/zscaler-app-processes-whitelist

Regards

David


You’re saying it’s with only one user? If there’s an issue with user A on machine A but not user B on machine B, what happens if user A moves to machine B and user B to machine A?
Did this ever work?

We are following this link. Pushed the changes via GPO. It works for almost everyone. This User A connects to Zapp (status: on), but it changes its status after 30 sec with firewall block as the message. If the Zscaler service were blocked due to insufficient config, it should not change the status to ON in the first place.

I agree something on this desktop blocks the connected session. What is the best way to identify that?

Regards
Ganesh Krishnan

User A works from home and he couldn’t test it on any other machine, so I am unable to test it on another machine :frowning:

Regards
Ganesh Krishnan

I noticed the same error on a 2nd machine recently. This time the issue occurs only on the office LAN, not on the home network. Zscaler app ends with Endpoint/Firewall Error. Not sure which security feature causes this issue and why?

The FW AV Error is triggered when Z App attempts to check if traffic to itself is blocked. Typically a firewall will be blocking inbound connectivity to Z App, so this error is thrown.

You could compare the operating system firewall profiles on the corporate LAN vs at home and see if one is more restrictive perhaps?

Regards

David

We are getting the same when off site and the network is set to public. Set to private and it works fine.
Mick

@MickD You need to add the firewall rule to the correct firewall profile in windows.

This can be caused by the Zscaler app not being allowed to make outbound connections on the client machine as well. It’s almost certainly in the firewall configuration.

We identified the issue. Windows Security -> Firewall & Network Protection -> Incoming Connections -> Uncheck. Not sure how the machine got the setting. Might be pushed by GPO by some means. However, the issue is fixed.
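The thread narrows the FIREWALL_BLOCK_ERROR down to three Windows Defender Firewall checks: which network profile the adapter is in (Public vs Private vs Domain), whether the port 9000 allow rule is bound to that profile, and whether the profile has "Blocks all incoming connections, including those in the list of allowed apps" ticked, which overrides any allow rule. The following read-only diagnostic, written for this post and not taken from the thread or from Zscaler, pulls those three facts together on the affected machine. It assumes the Z App local listener is TCP 9000 as in the GPO rule above; my reading that the profile property AllowInboundRules is the PowerShell view of that "Incoming Connections" checkbox is an assumption, and the last, commented-out line is the equivalent of the fix the thread applied.

```powershell
# Added diagnostic example (not from the thread or Zscaler). Run in an elevated
# PowerShell on the affected machine. Assumes Z App's local listener is TCP 9000,
# as the thread's GPO rule opens; adjust $ZAppPort if your deployment differs.
[int]$ZAppPort = 9000

# 1. Which network category is the active adapter in? A machine that works at
#    home (Private) but fails on the office LAN points at the profile that is
#    active there, not at the allow rule itself.
Get-NetConnectionProfile |
    Select-Object Name, InterfaceAlias, NetworkCategory

# 2. Per-profile firewall posture. AllowInboundRules = False is, to my
#    understanding (assumption), the PowerShell view of the "Blocks all incoming
#    connections, including those in the list of allowed apps" checkbox the
#    thread found ticked; with it set, a port-9000 allow rule is ignored.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                  AllowInboundRules, AllowLocalFirewallRules, LogBlocked

# 3. Enabled rules that reference the Z App port, with the profile(s) they
#    apply to and where they came from. A rule scoped only to Private explains
#    a Public-profile failure; PolicyStoreSource = GroupPolicy means a local
#    edit will be undone at the next gpupdate.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq "$ZAppPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Direction, Action, Profile, PolicyStoreSource

# 4. Is anything actually listening on the port right now, and which process?
Get-NetTCPConnection -LocalPort $ZAppPort -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 5. Last drops for that port from the firewall log of the profile in use,
#    if LogBlocked is on for it (the default path contains %systemroot%).
$activeProfile = (Get-NetConnectionProfile | Select-Object -First 1).NetworkCategory -replace 'Authenticated',''
$log = [Environment]::ExpandEnvironmentVariables((Get-NetFirewallProfile -Name $activeProfile).LogFileName)
if (Test-Path $log) {
    Select-String -Path $log -Pattern "DROP\s+TCP\s+\S+\s+\S+\s+\d+\s+$ZAppPort\s" |
        Select-Object -Last 10
}

# 6. Remedy equivalent to the thread's "Incoming Connections -> Uncheck" for the
#    Public profile (assumption about the mapping; apply via GPO if the setting
#    is policy-managed, otherwise it comes back at the next refresh):
# Set-NetFirewallProfile -Name Public -AllowInboundRules True
```

Read the output in order: if step 1 shows Public while the port-9000 rule in step 3 lists only Private or Domain, the rule needs the extra profile; if step 2 shows AllowInboundRules False for the active profile, no rule will help until that is cleared; and if step 3 reports PolicyStoreSource = GroupPolicy, the change belongs in the GPO rather than on the workstation.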
