Bypass exceptions from Zscaler

hello,

I'm actually facing this situation:

  • When the user is on site: GRE tunnels + Zapp (tunnel packet-filter based, Ztunnel v1.0)
    The user has certain exceptions that he wishes to bypass from Zscaler (domains which filter on source IP).
    I tried to bypass them in the App PAC file only, but it doesn't work; then I tried to bypass them in the Forwarding PAC file ONLY and it doesn't work either; at last I bypassed them in the Forwarding PAC + the App PAC file and it works.
    So we have:
    Bypass in the App PAC file only: KO
    Bypass in the FWD PAC file only: KO
    Bypass in the FWD PAC file + App PAC file: OK
    But I don't understand this behavior: why, when we bypass those exceptions only in the App PAC file or only in the FWD PAC file, are they not bypassed?
    Can someone explain, please?

PS: those exceptions are bypassed from the GRE tunnel on the FW.

Thanks for your help.

When you are using tunnel with local proxy, add bypassed URLs to the forwarding profile PAC file.

When you are using tunnel mode only, add exceptions to the app profile PAC file.

You can add exceptions on the VPN bypass as well.

Hello,

Thanks Ramesh for your feedback.
Yes, I'm using Tunnel mode and I added the exceptions to the App PAC file, but it doesn't work.
I had to add them also to the FWD PAC file so that it works.
I didn't understand why.
Regards,

Yosr, can you explain what you mean by domains that filter on source IP?

Also can you share the PAC file?

Hi Todd,

I mean some sites that accept only requests coming from the source IP of the customer's company, so if a request arrives at these sites with a Zscaler IP address it will be blocked.
I can't share the customer's whole PAC file, but here's an example of what we found in it (this is an example of the App PAC file):
function FindProxyForURL(url, host)
{
    // Exceptions that should get bypassed from zscaler
    if (
        (shExpMatch(host, "lyncdiscover.geopostgroup.com")) ||
        (shExpMatch(host, "ics1.dpd.com")) ||
        (shExpMatch(host, "mbam.geopost.ad"))
       )
        return "DIRECT";

    /* Default Traffic Forwarding. Goes into Z App - Forwarding to Zen on port 80, but you can use port 9400 also */
    return “PROXY {GATEWAY}:80; PROXY {SECONDARY_GATEWAY}:80; DIRECT”;
}

The PAC that you have posted has curly quotes around the Proxy statement. This will void the PAC, if it is actually in the system that way and the quotes weren't transformed along the way with cutting and pasting. Build a new PAC from the default PAC and try again. You can test the PAC file here: PAC file tester
return "PROXY {GATEWAY}:80; PROXY {SECONDARY_GATEWAY}:80; DIRECT";
HTH,
-Todd Harcourt-

Hi Todd,
Thanks for your response, but they were transformed with cutting and pasting.
This is the right one:
function FindProxyForURL(url, host)
{
    // Exceptions that should get bypassed from zscaler
    if (
        (shExpMatch(host, "lyncdiscover.geopostgroup.com")) ||
        (shExpMatch(host, "ics1.dpd.com")) ||
        (shExpMatch(host, "mbam.geopost.ad"))
       )
        return "DIRECT";

    /* Default Traffic Forwarding. Goes into Z App - Forwarding to Zen on port 80, but you can use port 9400 also */
    return "PROXY {GATEWAY}:80; PROXY {SECONDARY_GATEWAY}:80; DIRECT";
}
Also, this PAC file was verified on the Zscaler portal.

Regards,