We are looking for the reason why ZCC with StrictEnforcement enabled does not work properly in the logged-off state. It works fine in the logged-on state.
I found out that the cause of ZCC not working properly in the logged-off state is the blocking of 100.64.0.0/16 by the FW.
So why does it work correctly in the logged-on state?
The ZCC log says the following.
“ZFHM: Skip firewall check as last packet is read within 5 seconds.”
It seems that the health check is skipped when user traffic is passing between the local machine and the ZscalerNIC.
So, I think ZCC is working fine because ZFHM is skipped.
Is our understanding correct?