Zapp with strict enforcement disabling health check

We are looking for the reason why ZCC with StrictEnforcement enabled does not work properly in the logged off state. It works fine in the logged on state.

I found out that the cause of ZCC not working properly in the logged off state is the blocking of 100.64.0.0/16 by FW.

So why does it work correctly in the logged on state?

The ZCC log says the following.

“ZFHM: Skip firewall check as last packet is read within 5 seconds.”

It seems that the health check is skipped when user traffic is passing between the local machine and the ZscalerNIC.

So, I think ZCC is working fine because ZFHM is skipped.

Is our understanding correct?