Bypass GRE tunnels


For our customer i’am facing this situation:

  • When the user is on site: GRE tunnels + zapp (Tunnel packet filter based, Ztunnel V1.0)
  • When the user is on remote: Zapp (Tunnel packet filter based, Ztunnel V1.0)
    Now the user has certain exceptions that he wish to bypass them from zscaler (domains which filter on source IP and URLs which must go through internal proxies)
  1. When the user is on site, is it enough to create bypass on the pac file ONLY for these exceptions or do you also have to bypass them from the GRE tunnel (bypass pac file + bypass on the FW side from GRE tunnel to zscaler) ?

Thanks for your help.

If the default route or all 80 ,443 towards GRE , then you need to create bypass on PAC and network.

If you are sending only proxied traffic and only zscaler destinations towards GRE, then only PAC bypass is enough.

Thanks Ramesh for your feedback.
I have these two additionnal questions:

  1. If we will do bypass on the network (fw side) so why it still necessary to bypass traffic from pac file too ? since the traffic when he arrives at the FW he will be bypassed from gre tunnel
  2. So the bypass on the FW side will be done only for urls that should pass direct (throught the internal infrastructure of the client) ? For the urls that should pass through internal proxies, a redirection to those proxies on the pac file is sufficient right ?


  1. When you put PAC file or proxy IP on the browser , the traffic will be proxied and the traffic destined towards the proxy. So you need add bypass to go the specific destion to direct , so the destination will be seen as bypassed URL at few end.

  2. Better to add bypass on the zscaler proxy PAC itself. Otherwise the traffic will go to your internal proxy and then direct will add latency for bypassed URLs.

Ramesh M