Hello,
I am reading the Access Policy documentation and I can see it states the following:
“As soon as it finds a policy that matches the criteria that was specified in a rule, it enforces that policy rule and disregards all other rules that follow, including any potentially conflicting rules”
There is another part of the documentation however that states this:
“If application segments are part of the criteria, then ZPA chooses the rule corresponding to the most specific application segment for a given domain name or IP address”
These two statements are in the policy evaluation help page shown here: About Policies | Zscaler
But they seem to contradict one another. It sounds like it is a top-down evaluation for app segments that do not conflict, but when a rule set exists where there are conflicts (for example, a specific FQDN at the bottom of the list with a wildcard at the top of the list), then it reverts to a most-specific match, and the top wildcard would be ignored?
Is this correct? Is that also the case when using segment groups vs. application segments on the access policy?