APP profile PAC doesn't indentifies the Internal IP Exception

pac
(GANESH KRISHNAN) #1

I use Zapp in Tunnel Mode. We have exception for Internal IP in our App Profile PAC but it doesn’t sent the traffic DIRECT instead it send the traffic to ZEN. I could see logs for internal IP in WebInsight. I use same PAC file in my forwarding profile and i confirm my forwaridng profile PAC exception works well and it send the traffic direct, but partial traffic caught by APP Profile PAC and forward it to ZEN.

When i connect internal VPN, Forwarding profile exception works and traffic from browser uses VPN routes to reach internal server.

Whereas when i connect destination without VPN(in Office), Forwarding profile exception works, the traffic forwards to APP (by default: bcos of Tunnel Mode) and APP PAC doesn’t identifies Exception and forward the traffic to ZEN.
So its there any specific syntax that must to used in APP profile PAC to exempt internal IP

/* If the URL is an internal IP address, send DIRECT */
reip = /^\d+.\d+.\d+.\d+$/g;
if (reip.test(host))
{if (isInNet(host, “10.0.0.0”, “255.0.0.0”) ||

return “DIRECT”;
}

Regards
Ganesh Krishnan

(Scott Bullock) #2

Hi @Ganeshkrishnan,
App Profile PAC Parsing expects simple PAC conditions, while I’m not 100% sure, I think regex testing is limited. Can you adjust to the test to use only isinnet() and remove the outlying condition. If I’m reading this correctly, the regex test is mostly redundant anyway, so removing it from the condition should result in the same behaviour.

Cheers,
@skottieb

(GANESH KRISHNAN) #3

I removed the regex and kept it simple as below , still it didnt work. All my internal traffic routed to ZAPP

if (isInNet(host, “10.0.0.0”, “255.0.0.0”) {
return “DIRECT”;
}

Regards
Ganesh Krishnan

(Scott Bullock) #4

That Syntax looks good and should be getting applied in the App Profile PAC, effectively bypassing the tunnel for any traffic addressed to an IP 10.0.0.0/8. It probably best you open a ticket at this point, the support team can work with you on deeper diagnostics. I take it you also have exemptions for internal domains too?

(GANESH KRISHNAN) #5

I opened the TAC case. Parallely i created REGEX for the internal IP and used “isPlainHostName(host)” and “dnsResolve(host)” as work around.

var privateIP = /^(0|10|127|192.168|172.1[6789]|172.2[0-9]|172.3[01]|169.254|192.88.99).[0-9.]+$/;
var Internal1 = REGEX Value
var Internal2 = REGEX Value

/* Non-FQDN or internal IP goes direct */
if (isPlainHostName(host) ||
privateIP.test(host) ||
Internal1.test(host) ||
Internal2.test(host) ||
Internal3.test(host))
return “DIRECT”;

var resolved_ip = dnsResolve(host);
if (privateIP.test(resolved_ip) ||
Internal1.test(resolved_ip) ||
Internal2.test(resolved_ip) ||
Internal3.test(resolved_ip))
return “DIRECT”;}

Regards
Ganesh Krishnan

1 Like
(Alexander) #6

var privateIP = /^(0|10|127|192.168|172.1[6789]|172.2[0-9]|172.3[01]|169.254|192.88.99).[0-9.]+$/;
var resolved_ip = dnsResolve(host);

/* Non-FQDN or private IP goes direct */
if (isPlainHostName(host) || privateIP.test(resolved_ip)) return “DIRECT”;

This is logic from the example in the admin portal. If used from the help page, it has an error, instead of “resolved_ip” as parameter “host” is mentioned.

This should work.

1 Like