Skip to main content

Search

Cloudi-Fi Knowledge Base

Understanding the "Other" virtual location in Zscaler with Cloudi-Fi

Tamir
  • Updated

Overview

When using Cloudi-Fi integrated with Zscaler ZIA, you may notice a virtual location named "Other" listed in the Cloudi-Fi admin console. This article explains what it means, where it comes from, and under what circumstances it appears.

In short: Zscaler automatically creates an "Other" sub-location to catch unmatched traffic. With properly configured Cloudi-Fi DHCP or virtual locations, this "Other" location usually exists but doesn’t handle any traffic and remains unused.

cloudi-fi admin console other virtual location.png

How Cloudi-Fi integrates with Zscaler: The basics

When Cloudi-Fi is deployed alongside Zscaler Internet Access (ZIA), a synchronization process aligns locations between both platforms. Depending on your setup — either using a Zscaler tenant provided by Cloudi-Fi or your own existing Zscaler tenant — virtual locations in Cloudi-Fi appear as sub-locations within a main Zscaler location and vice versa.

What is the "Other" location in Zscaler?

Zscaler automatically creates a default sub-location called "Other" the moment the first custom sub-location is configured under a main location.

  • It acts as a catch-all for any traffic coming from IP addresses not explicitly assigned to a defined sub-location.
  • This ensures all traffic is subject to ZIA policies, even if misconfigured or unassigned.

If no custom sub-locations exist, all traffic is handled by the main location, and the "Other" sub-location doesn't appear.

Note: This is a built-in behavior of Zscaler, not specific to Cloudi-Fi.

You may find more information about this behavior from Zscaler's documentation.

Cloudi-Fi DHCP pools and sub-location mapping

In Cloudi-Fi, a DHCP pool is used to assign IP addresses to specific groups of devices. Each pool maps to a sub-location in Zscaler, which corresponds to a virtual location in Cloudi-Fi.

This means:

  • Each security profile you configure in Cloudi-Fi becomes a separate DHCP pool with its own IP range.
  • These pools are automatically synced with Zscaler, creating matching sub-locations tied to those IPs.

cloudi-fi admin console dhcp pools.png

When does the "Other" virtual location appear?

As explained earlier, the "Other" virtual location may appear on Cloudi-Fi following its automatic creation by Zscaler, after a sub-location is created under a main Zscaler location. In Cloudi-Fi, there are two options where such sub-location can be created, which mean the "other" location will be created as well:

1. When utilizing Cloudi-Fi's Cloud-DHCP service:

In a correctly configured Cloudi-Fi Cloud-DHCP setup:

  • All IP ranges are assigned to defined DHCP pools.
  • All pools are synced to Zscaler as sub-locations.
  • Therefore, no IPs should fall outside of declared sub-locations.

However, if a device has an IP outside the defined DHCP pools, then Zscaler will route that traffic through the "Other" sub-location.

  • The "Other" virtual location appears when traffic doesn't match any defined sub-location in Zscaler.
  • It is created automatically by Zscaler once a custom sub-location exists.
  • In Cloudi-Fi DHCP configurations, where all IP ranges are explicitly defined by the admins, the "Other" sub-location remains unused.

2. When utilizing Cloudi-Fi's virtual location feature:

In Cloudi-Fi, virtual locations are created to address specific situations. A virtual location on Cloudi-Fi is a sub-location within a main Zscaler location (known as a “parent location” on Cloudi-Fi). For instance, an organization may require a device to bypass the captive portal and authenticate automatically (For further information on virtual location scenarios, please refer to the provided link).

In such cases, a virtual location is created on Cloudi-Fi to bypass this traffic. This triggers a sync between Cloudi-Fi and Zscaler, which creates the virtual location as a sub-location in Zscaler. This is followed by the automatic creation of an “other” virtual location on Zscaler, which is being pulled to Cloudi-Fi as part of the integration between the systems. 

admin zscaler other sub location.png

Summary

When using Cloudi-Fi integrated with Zscaler, the main Zscaler location represents the full site subnet, while sub-locations—created either through DHCP pools or virtual location features—enable more granular policy enforcement. Zscaler automatically generates an "Other" sub-location as a fallback to handle any traffic from IP addresses not explicitly assigned to a defined sub-location.

In DHCP deployments, Cloudi-Fi centrally manages all IP assignments through well-defined pools, so the "Other" location typically remains unused. In virtual location scenarios—such as bypassing captive portal authentication—a sub-location is created intentionally, which also triggers Zscaler to generate the "Other" sub-location automatically.

In both cases, the appearance of the "Other" location is expected behavior from Zscaler, but with correct Cloudi-Fi configuration, it usually does not process any traffic.