ZIA Traffic Forwarding through IPSec Tunnels: all ports or not?

I read the document on Choosing Traffic Forwarding Methods | Zscaler

One of the benefits of IPSec Tunnels is “Supports all ports and protocols for traffic forwarding.”
But one of the limitations of IPSec Tunnels is “Not all applications support PAC files, therefore not all traffic is secured by Zscaler.”

I find this confusing. What exactly is protected and forwarded? Will an IPSec Tunnel protect all traffic, such as FTP, SSH, Telnet, DNS, and non-HTTP traffic?

The answer to your questions is yes. All ports and protocols will be forwarded through the IPSec tunnel to Zscaler.

Hi. Just to clarify, all ports and protocols if you have Z-tunnel 2.0 enabled, which also requires ZIA Advanced Cloud Firewall (otherwise the Zscaler logs will not include transactions to various ports/protocols, which makes troubleshooting issues really difficult).

Most customers have Z-tunnel 1.0 enabled, which means only port 80 & 443 traffic (and I believe DNS and FTP traffic too) will be forwarded to Zscaler.

This is only if the devices have the Client Connector installed - if the traffic forwarding is solely reliant on the IPSec Tunnel, then all ports and protocols will be forwarded to Zscaler.

Correct, but this will result in limited visibility of who/what/where is sending the traffic since a ton of the traffic will not be associated with any user/location (i.e., a lot of noauth user traffic from location Other). Which means limited ability to ensure proper rules/policies are being applied to your traffic.

Best practice is to use the ZCC to ensure full visibility into who/what/where is sending the traffic and ensure your ZIA rules/policies are enforced correctly.