Bypassing traffic in Forwarding Profile PAC vs App Profile PAC

Per the guidance here we have configured and tested using both a PAC in the ZCC Forwarding Profile and a PAC in the ZCC App Profile. I understand that the Forwarding PAC routes traffic to the ZCC and the App Profile PAC routes traffic to the Zscaler cloud. My question is, if we want to completely bypass a destination from Zscaler, does it matter which PAC we enter the bypass information into? If I understand correctly, adding the bypass to the Forwarding PAC would be the most “complete” bypass since it would bypass the ZCC and cloud both. Would there be any reason to allow the traffic to be routed to the ZCC but then bypassed from Zscaler cloud?

Also, we are using Tunnel 2.0 if that factors into the question.

Hello Joe,
For Tunnel 2.0 traffic bypassing, please take a look at:
Best Practices for Adding Bypasses for Z-Tunnel 2.0 | Zscaler.

Joe - the only example I can think of that would apply to your use case of forwarding to ZCC, but not forwarding to the Zscaler Cloud would be when you are using both ZIA and ZPA and the request is to a private application with a Client Forwarding Policy of “Bypass ZPA”. This generally happens when wildcard domains are specified and a subdomain of the wildcard needs to be sent directly.

What I have done in my Tunnel 2.0 configuration:

Pacfile used in App Profile:

  • return "DIRECT" for URLs that bypass Zscaler

  • return "DIRECT" for URLs that should use “my personal explicit Proxy”

  • return "PROXY ${GATEWAY_FX}:443; PROXY ${SECONDARY_GATEWAY_FX}:443;" for everything else

Pacfile used in Forwarding Profile:

  • return "PROXY ${ZAPP_TUNNEL2_BYPASS}"; for URLs that bypass Zscaler

  • return "PROXY w.x.y.z:3128"; // IP address of my personal explicit proxy

  • return "DIRECT"; for “all” traffic that uses Zscaler

Destination Exclusions in App Profile:

  • IP address of my “personal explicit proxy”
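
The two PAC files described in the post above, written out as an added example that is not part of the original thread or Zscaler's own code, with a check that flags hosts where the two profiles' bypass lists have drifted apart. The host suffixes, the helper names (matchesAny, makeForwardingPac, makeAppPac, findDrift) and the sample rules are assumptions made for illustration; in ZCC each FindProxyForURL body would be its own PAC file.

```javascript
// Added example, not from the thread. Host suffixes are constructed; w.x.y.z is
// the post's own placeholder; ${...} macros stay literal for ZCC to substitute.
function matchesAny(host, suffixes) {
  const h = host.toLowerCase();
  return suffixes.some((s) => h === s.slice(1) || h.endsWith(s));
}

// Forwarding Profile PAC body as described in the post.
function makeForwardingPac(rules) {
  return function FindProxyForURL(url, host) {
    if (matchesAny(host, rules.bypass)) return "PROXY ${ZAPP_TUNNEL2_BYPASS}";
    if (matchesAny(host, rules.explicitProxy)) return "PROXY w.x.y.z:3128";
    return "DIRECT"; // the post: "all" traffic that uses Zscaler
  };
}

// App Profile PAC body as described in the post.
function makeAppPac(rules) {
  return function FindProxyForURL(url, host) {
    if (matchesAny(host, rules.bypass)) return "DIRECT";
    if (matchesAny(host, rules.explicitProxy)) return "DIRECT";
    return "PROXY ${GATEWAY_FX}:443; PROXY ${SECONDARY_GATEWAY_FX}:443;";
  };
}

// Report hosts where only one of the two PACs sends traffic to Zscaler,
// i.e. the bypass lists of the two profiles have drifted apart.
function findDrift(forwardingPac, appPac, hosts) {
  return hosts.filter((host) => {
    const url = "https://" + host + "/";
    const fwdUsesZscaler = forwardingPac(url, host) === "DIRECT";
    const appUsesZscaler = appPac(url, host).startsWith("PROXY ${GATEWAY_FX}");
    return fwdUsesZscaler !== appUsesZscaler;
  });
}

// Constructed sample rules and hosts.
const rules = { bypass: [".bypass.example.com"], explicitProxy: [".partner.example.net"] };
const drifted = { bypass: [], explicitProxy: rules.explicitProxy };
const hosts = ["app.bypass.example.com", "api.partner.example.net", "www.example.org"];

console.log(findDrift(makeForwardingPac(rules), makeAppPac(rules), hosts));   // []
console.log(findDrift(makeForwardingPac(rules), makeAppPac(drifted), hosts)); // ["app.bypass.example.com"]
```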