Zscaler Internet Access and Firewall

Hi :slight_smile:
We have Zscaler Internet Access deployed on all workstation, and I want to limit internet with filter on firewall.
So, I want to autorize from lan to internet only Zscaler IP. Workstations without Zscaler can’t access to internet.
So, I checked this page Config | Zscaler and put all range/ip that I found into my firewall.
Everything works great except some website like for example https://docs.gitlab.com/.
Some website does not display (timeout), and if I add into my firewall their IPs, they work. I noticed most of sites are on cloudflare.
I don’t understand why it does not work trhough ZIA :confused:
It works if I am on my personal wifi, withtout any restriction on router/firewall.

Any idea ?

Hello,

The firewall is first used to determine if traffic needs to be sent to our proxy. If it is web-based traffic the proxy will take action, if not the firewall will process the transaction. If web-based then Cloud App Control then URL Filtering in that order along with the other features the Proxy Module is responsible for. Traffic is then sent BACK to the firewall before it is sent on its way, hence the arrows pointing in both directions in the attached image. Hopefully this will help explain the order of events which should help you determine why your configuration is not working properly.

Thx for your answer, but when I speak about Firewall, it is not a Zscaler Firewall, we have a Stormshield on premise.
Maybe I don’t understand your answer, but we have only ZIA app on our clients, for me it is just a proxy, so all traffic from the client will be sent to the proxy before access to internet.
So, we only authorize Zscaler Range IP to access to Internet on our Firewall.
But some websites do not work, as if ZIA bypass himself on the client.

When accessing the websites that don’t work. Can you see any blocking on the Stormshield firewall.
What is the Forwarding method you are using on Client Connector (Tunnel? Tunnel with local Proxy?)

Has your LAN IPv6 enabled. Try to disable IPv6 and if this is the issue make IPv4 preferred above IPv6.
The site you try to access might be using QUIC protocol (UDP 443). Try to fully block UDP443 on your firewall, so the browser falls back to HTTPS.

Hi, thx for your answer.
We use only Tunnel V1.0

IPv6 is disabled, I tried to block udp443 but without success.

I don’t really understand, for example https://docs.gitlab.com :
If I autorise only Zscaler IPs on my firewall, site does not work, but ping works.
If i autorise IP of this website on the firewall it works, so why ZIA does not display this website ?
Firewall does not have block log, because everything is redirected trought zscaler, so nothing is block by firewall.
I see the request from the computer → Zscaler IP (165.x.x.x) and nothing else. And time out on the URL.

I will check with Wireshark.

On Wireshark, I have a lot of bad TCP when I request websites that do not work:

I add something strange: the workstation is connected to ZIA.
If I check the original IP of the docs.gitlab.com on Wireshark when I try to go to the website, it is displayed like if I didn’t use any Proxy, with BAD TCP:

But, if i check a website witch works, its IP does not appear on Wireshark.
It is as if Zscaler bypass himself on some IP, like docs.gitlab.com’s IP.