ZCC and Traffic Tunneling

Ok, maybe I’m having a brain fart, but when using Z-Tunnel 2.0 for forwarding ZIA traffic using the ZCC, doesn’t that encapsulate all traffic, not just 80/443? In the past I saw that all traffic was encapsulated in the Z-Tunnel, but since upgrading to the 3.9.0.183 ZCC I’m seeing what I have dubbed “leaking traffic”, or traffic that I expect to be encapsulated in the Z-Tunnel appearing outside the tunnel on my WAN routers. Some of this traffic is HTTPS which I do not have excluded from ZCC, such as mobileadmin.zscalertwo.net, so not sure why all of a sudden this is appearing outside of the tunnel.
Just wanting to make sure I am not having a huge brain fart and remembering something wrong.

Hey Jody!

There’s no change that should be impacting what is and isn’t tunneled, but keep in mind that there are things that are sent direct by default. Generally, anything you see here: Config | Zscaler will be sent direct and not through the tunnel.

Outside of that, anything defined in the Ztunnel 2.0 Excludes will be sent direct, which by default is the RFC1918 ranges, so that would be expected as well.

Good to know the intended behavior hasn’t changed and my expectations and understanding still track with what you’ve said.
I don’t see where mobileadmin.zscalertwo.net is defined, or even *.zscalertwo.net, so was curious if something changed or I just missed something, or if this is my current issue with “leaking traffic” overall.
What I mean by that last statement is I can see in the logs where traffic going to the same destination sometimes will go through the Z-Tunnel, and sometimes, even seconds later, does not go through the Z-Tunnel, and I’m trying to track things down on this. The mobileadmin.zscalertwo.net was just a quick pull out of the logs that didn’t match with what I expected to not be bypassed.
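
An added example, not part of the thread and not Zscaler tooling: one way to triage the two observations discussed above, direct flows that no exclude explains and destinations that alternate between tunneled and direct within seconds. The flow records, the `path` label, the 60-second window and the `bypassed.example.net` suffix are constructed assumptions; only the RFC1918 default excludes come from the reply above.

```python
import ipaddress
from collections import defaultdict

# Default Z-Tunnel 2.0 excludes per the reply above: the RFC1918 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (not real logs): (epoch_s, dst_host, dst_ip, dst_port, path).
# "path" is an assumed label the analyst derives beforehand:
# "tunnel" = seen inside Z-Tunnel, "direct" = seen in the clear on the WAN router.
FLOWS = [
    (1000, "intranet.example.internal", "10.20.30.40", 443, "direct"),
    (1005, "app.example.com", "203.0.113.10", 443, "tunnel"),
    (1009, "app.example.com", "203.0.113.10", 443, "direct"),
    (1020, "bypassed.example.net", "198.51.100.7", 443, "direct"),
    (1030, "files.example.org", "192.0.2.55", 8443, "direct"),
    (5000, "app.example.com", "203.0.113.10", 443, "tunnel"),
]

def is_excluded(dst_host, dst_ip, exclude_nets, direct_suffixes):
    """True if the destination matches an exclude CIDR or a send-direct domain."""
    ip = ipaddress.ip_address(dst_ip)
    if any(ip in net for net in exclude_nets):
        return True
    host = dst_host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in direct_suffixes)

def unexpected_direct(flows, exclude_nets=RFC1918, direct_suffixes=()):
    """Direct flows that neither the excludes nor the direct-domain list explain."""
    return [f for f in flows if f[4] == "direct"
            and not is_excluded(f[1], f[2], exclude_nets, direct_suffixes)]

def flapping(flows, window=60):
    """Destinations seen both tunneled and direct within `window` seconds."""
    seen = defaultdict(list)
    for ts, host, ip, port, path in flows:
        seen[(host, ip, port)].append((ts, path))
    out = []
    for dest, events in seen.items():
        events.sort()
        # Compare each event with the next one in time for a path change.
        if any(p1 != p2 and t2 - t1 <= window
               for (t1, p1), (t2, p2) in zip(events, events[1:])):
            out.append(dest)
    return sorted(out)

if __name__ == "__main__":
    for f in unexpected_direct(FLOWS, direct_suffixes=("bypassed.example.net",)):
        print("unexpected direct:", f)
    print("flapping:", flapping(FLOWS))
```

Populate `direct_suffixes` and `exclude_nets` from the tenant's actual bypass configuration before trusting the output; anything still reported is a candidate for a support case with timestamps attached.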