Endpoint Protection IPS detections on 127.0.0.1:9000

Article ID: 224126

Products

Endpoint Protection

Issue/Introduction

When reviewing IPS attack logs, Web Attack entries show the Remote Host IP address as 127.0.0.1 with a remote port of 9000.

Cause

The most likely reason for this is that Zscaler is installed and filtering internet traffic. By default, Zscaler listens on port 9000.

Environment

Release: 14.3

Resolution

Zscaler examines traffic and acts as an intermediary between the client and the internet. As a result, when IPS detects malicious activity from a website, it records the localhost address on port 9000 as the remote source of the attack. The Intrusion URL should remain unchanged and will still serve as an accurate source for the attack.

Verify that Zscaler is installed and listening on port 9000 before accepting this as the cause.
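
One way to perform that verification on the affected Windows client, as an added example that is not part of the original article: the script finds the process that owns the listener on port 9000 and checks its Authenticode signer. The function name `Get-PortListenerOwner` is hypothetical, and the match on a signer subject containing "Zscaler" is an assumption to adjust for your deployment.

```powershell
# Added example: identify what owns the TCP listener on port 9000.
# Assumption: a genuine Zscaler binary has a valid Authenticode signature
# whose subject contains "Zscaler". Run elevated so executable paths resolve.
$Port = 9000

function Get-PortListenerOwner {
    param([int]$Port)

    $listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        # Resolve the owning PID to an executable path.
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($l.OwningProcess)"
        $path = $proc.ExecutablePath

        # Check the binary's signature instead of trusting the process name.
        $sig    = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $valid  = ($sig -and $sig.Status -eq 'Valid')

        [pscustomobject]@{
            LocalAddress     = $l.LocalAddress
            LocalPort        = $l.LocalPort
            ProcessId        = $l.OwningProcess
            ProcessName      = $proc.Name
            Path             = $path
            SignatureValid   = $valid
            Signer           = $signer
            LooksLikeZscaler = ($valid -and $signer -match 'Zscaler')
        }
    }
}

$owners = @(Get-PortListenerOwner -Port $Port)

if ($owners.Count -eq 0) {
    # No listener at all: Zscaler cannot be the reason for 127.0.0.1:9000 entries.
    Write-Output "Nothing is listening on TCP port $Port; look for another cause."
} else {
    $owners | Format-List
    if ($owners | Where-Object { -not $_.LooksLikeZscaler }) {
        # A different or unsigned process on the port needs its own investigation.
        Write-Output "A listener on port $Port is not a validly signed Zscaler binary; investigate it before accepting this cause."
    }
}
```

If the listener is bound to an address other than 127.0.0.1 or belongs to an unexpected process, treat the IPS entries as unexplained and continue triage using the Intrusion URL.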