We migrated to Tunnel 2.0 a few weeks ago. For the most part, it’s worked out really well for us.
Today, I had a user say that his SSH connections (using PuTTY on Windows) were being routed through ZIA, and due to IP restrictions on the remote end, he asked me to bypass it. Honestly, I didn’t think that we were tunneling SSH traffic through ZIA, but my own testing showed that we were.
Ultimately, I found that I could exclude that traffic by adding the IP to the “Destination Exclusion” list in the App Profile. I don’t like this approach, because I have quite a few app profiles, and it makes management a pain to have to add it to all profiles.
Furthermore, I couldn’t find any logs in ZIA or ZPA indicating this traffic was being processed by Zscaler at all!
So I have these questions:
- Is there a more global way to exclude certain traffic from being tunneled?
- What’s the point in tunneling the traffic if there aren’t any logs of the traffic? Am I missing something here?