Bypassing URLs from ZIA portal

Hello Community,

Is there any way to bypass Destination URLs other than PAC files, specifically from the ZIA admin portal?
Or are PAC files the only way to bypass traffic that I do not want to send through Zscaler services?

PAC files can be used to bypass Zscaler all-together. They are assigned via the forwarding policies, downloaded by the client from the Central Authority, and managed within the ZIA portal.

For Tunnel 2.0, things works a little differently:
### Best Practices for Adding Bypasses for Z-Tunnel 2.0

If your intention is to not SSL inspect or otherwise filter traffic, then you can still send it through Zscaler, but do nothing with it other than forward it along. In that case, I suggest building destination groups that you can use in policies:
https://help.zscaler.com/zia/configuring-destination-groups

Choose that destination group within an SSL inspection policy and choose not to inspect. Note that there is sub-option under Do not Inspect that allows you to bypass all other policies – this will bypass all firewall, url filtering, etc… It will still flow through Zscaler without any kind of enforcement and you’ll be able to do all this from ZIA.

I hope this helps.

1 Like

Thank you for the answer richardjroy.

So basically from the SSL policy I can bypass ALL Zscaler inspection like if traffic wasn’t passing through Zscaler at all, right, is that how that works? Also, If that is the case,

1- Will I be able to use that SSL Bypass other policies feature even if we are NOT doing SSL Decryption at all?

2- Also, the way I see it, this will not stir the traffic away from Zscaler like the PAC would do, right? It will just do nothing with it. So, that brings me to my question again: from the ZIA admin portal, there is no way to actually bypass completely lets say, traffic to chase.com, is that correct?

Sorry If I am making questions that do not make much sense, I am still getting familiar with this technology.

Thanks a lot!!

So basically from the SSL policy I can bypass ALL Zscaler inspection like if traffic wasn’t passing through Zscaler at all, right, is that how that works? Also, If that is the case,

1- Will I be able to use that SSL Bypass other policies feature even if we are NOT doing SSL Decryption at all?
If you don’t have SSL licensed, then you’ll see a couple of SSL inspection rules that bypass SSL Inspection and SSL Inspection and All other Policies. There will be a destination group associated with each of these. Adding an entry (e.g. Chase) to the bypass all policies destination group will do just that.

2- Also, the way I see it, this will not stir the traffic away from Zscaler like the PAC would do, right? It will just do nothing with it. So, that brings me to my question again: from the ZIA admin portal, there is no way to actually bypass completely lets say, traffic to chase.com, is that correct?
Correct. However, you can modify PAC files via the ZIA portal so you do have that control to steer traffic completely away from Zscaler.

Sorry If I am making questions that do not make much sense, I am still getting familiar with this technology.

Thanks a lot!!

1 Like

Thank you for the answers!