Endpoint Protection IPS detections on


Article ID: 224126


Updated On:


Endpoint Protection


When reviewing IPS attack logs, Web Attack entries show the Remote Host IP address as with a remote port of 9000.


The most likely reason for this is that Zscaler is installed and filtering internet traffic. By default, Zscaler listens on port 9000.


Release : 14.3

Component :


Zscaler examines traffic and acts as an intermediary between the client and the internet. As a result, when IPS detects malicious activity from a website, it records the localhost address on port 9000 as the remote source of the attack. The Intrusion URL remains unchanged and still serves as an accurate source for the attack.


Verify that Zscaler is installed and listening on port 9000 before accepting this as the cause.
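
One way to perform this check on a Windows endpoint is shown below. This is an added example, not part of the original article or of any vendor tooling. It assumes PowerShell with the NetTCPIP module and an elevated session, and the match on the string "Zscaler" in the executable path or signer subject is a heuristic assumption rather than a documented identifier.

```powershell
# Added example: identify what is listening on TCP 9000 on this endpoint
# and show who signed the owning binary. Run from an elevated prompt so
# the executable path of service processes can be read.
$port = 9000   # port named in the article

$listeners = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output "Nothing is listening on TCP $port; Zscaler does not explain the log entries on this host."
    return
}

$listeners | ForEach-Object {
    $conn = $_
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($conn.OwningProcess)"
    $path = $proc.ExecutablePath

    # Signature details are only available when the path could be read.
    $sig    = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    [pscustomobject]@{
        LocalAddress     = $conn.LocalAddress
        LocalPort        = $conn.LocalPort
        PID              = $conn.OwningProcess
        Process          = $proc.Name
        Path             = $path
        SignatureStatus  = if ($sig) { $sig.Status } else { 'Unknown (path not readable)' }
        Signer           = $signer
        # Heuristic (assumption): a Zscaler binary carries "Zscaler" in its
        # install path or in the signing certificate subject.
        LooksLikeZscaler = [bool](($path -match 'Zscaler') -or ($signer -match 'Zscaler'))
    }
} | Format-List
```

If the listener on port 9000 is not a validly signed Zscaler binary, the explanation in this article does not apply to that host and the owning process should be investigated separately.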