When reviewing IPS attack logs, Web Attack entries show the Remote Host IP address as 127.0.0.1 with a remote port of 9000.
The most likely reason for this is that Zscaler is installed and filtering internet traffic. By default Zscaler listens on port 9000.
Release : 14.3
Zscaler examines traffic and acts as an intermediary between the client and the internet. As such, when IPS detects malicious activity from a website, it's going to detect the localhost address on port 9000 as the remote source of the attack. The Intrusion URL should remain unchanged and will still serve as an accurate source for the attack.
Verify that Zscaler is installed and listening on port 9000 before accepting this as the cause.