ZIA users "access denied" by Web Application Firewall at common sites

Is anyone else experiencing a problem where large US commercial sites (big-box retailers, home improvement/hardware, groceries) who use a certain Web Application Firewall are blocking client requests that come from the Zscaler IP range?

For example, we have seen problems with users browsing to www.hmedept.com (URL obscured) receiving an error like: “Access Denied. You don’t have permission to access "http://www.hmedept.com/" on this server. Reference #18.097d098a098f.something.”

In the cases we have seen, the WAF that is performing the block is Akamai. This has happened at multiple big-box sites.

We can work around this issue by bypassing the site in our Forwarding Profile PAC. We don’t like doing this because it is hard to manage, and removes the security protections and logging we’d normally get from ZIA.

It seems to me, subjectively, that this is happening more frequently. Has anyone else seen this? Zscaler internal types - is it possible that Akamai is seeing Zscaler IPs as blacklisted, or perhaps something similar?

1 Like
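Added example, not part of the thread and not Zscaler's or the poster's PAC file: a PAC-style `FindProxyForURL` that scopes the bypass workaround described above to exact hostnames, so lookalike or sibling hosts still go through the proxy and keep ZIA inspection and logging. The proxy string and the helper names are assumptions; `www.hmedept.com` is the obscured hostname from the post.

```javascript
// Hosts allowed to bypass the proxy. Constructed list; keep it short and
// reviewed, since every entry loses proxy inspection and logging.
var BYPASS_HOSTS = ["www.hmedept.com"];

// Assumption: placeholder proxy string. Substitute the value your own
// forwarding profile PAC returns for proxied traffic.
var PROXY = "PROXY proxy.example.invalid:80";

// Lower-case the host and drop a trailing dot so "WWW.HMEDEPT.COM." and
// "www.hmedept.com" are treated as the same name.
function normalizeHost(host) {
  var h = String(host).toLowerCase();
  if (h.charAt(h.length - 1) === ".") {
    h = h.slice(0, -1);
  }
  return h;
}

// Exact match only. Substring or suffix matching would also bypass names
// such as "www.hmedept.com.other.example" or unrelated subdomains.
function isBypassed(host) {
  var h = normalizeHost(host);
  for (var i = 0; i < BYPASS_HOSTS.length; i++) {
    if (h === BYPASS_HOSTS[i]) {
      return true;
    }
  }
  return false;
}

// Standard PAC entry point: go direct for listed hosts, proxy everything else.
// Written in ES5 style because PAC engines often lack newer syntax.
function FindProxyForURL(url, host) {
  return isBypassed(host) ? "DIRECT" : PROXY;
}
```
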

Hi @Mark_Beadles and thanks for letting us know. I’ll check with our support and operations teams.

I’m not aware of any issues we’ve had with Akamai protected sites.

Have multiple users getting the same type of error. I’ve opened a support ticket on this as well.

https://akamai.com/us/en/clientrep-lookup/

My Zscaler IP received a bad risk score. Associated with Web Scraper.

I spoke too soon. I had one of these as well yesterday. Not sure which Service Edge it was using but will check.

Zscaler support has indicated this is related to a Trust issue: “We are investigating an issue with our Chicago datacenter. We are investigating few of the websites being blocked going through our datacenter. We will post additional information on this incident as it is available”

1 Like

Hi,
Yes, we see this often, that websites do not like being accessed via Zscaler.
Sometimes it helps to do SSL bypass (Cloudflare DNS protection).
For websites in Turkey, Russia, China, sometimes US or Germany, we usually do PAC file exceptions.

I always open a ticket at Zscaler to highlight such issues. In general I think that this needs to be discussed between top-level management of Zscaler and other security providers to make sure that Zscaler IP addresses are whitelisted in other security products.

It must be clear that:
Zscaler customers lose business when websites cannot be accessed!
Also, customers of security products that block access via Zscaler will lose business, since Zscaler customers cannot access their websites!
Best regards
Andreas