Continuing the "order of operations" discussion

Continuing the discussion from Order of Operations:

Community doesn’t allow me to reply to the OP anymore, so I guess this will start a new topic(?)

1: Yes, all traffic passing through ZPA is subject to the Access Policy, and it will match the original AppSegments even if the client is unaware of the AppSegment. See the example below.

2: Correct, since all policy enforcement is done in the cloud, anything that bypasses the cloud will be allowed. Note that traffic bypassed from ZPA is likely to be sent to ZIA instead, so those policies would still apply.

3: Well, the default CFP action is “forward to ZPA”, so if it matches an AppSegment it will also automatically match a CFP policy rule (and then of course be subject to Access Policy processing)

Example: you have two App-segments:
AS_intranet matches “” on tcp/443
AS_wildcard_web matches “*” on tcp/80 and tcp/443

You build a policy that blocks Bob from accessing AS_intranet but allows him to access AS_wildcard_web.

- If you create a CFP to always bypass AS_intranet for Bob then he will bypass ZPA and traffic is sent to ZIA. If ZIA allows it, and is public or made available through SIPA, then Bob will be able to access it.

- If you create a CFP to only forward allowed applications (for AS_intranet or for all AppSegments) then Bob will be unaware of AS_intranet, but because also matches the AS_wildcard_web it will still be picked up and forwarded to ZPA. Within ZPA it will still be recognized as AS_intranet and Bob will be denied access as per the access policy.
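Added example, not part of the original post and not Zscaler code: a simplified Python model of the evaluation order described above, run over the post's two AppSegments and Bob's access policy. The FQDN is a constructed placeholder (it is blank in the post), and the function names, the first-match ordering and the deny-when-no-rule fallback are assumptions of this model.

```python
from fnmatch import fnmatch

# Constructed placeholder: the FQDN of AS_intranet is blank in the post.
INTRANET_FQDN = "intranet.placeholder.example"

# App segments from the post, most specific first: (name, host pattern, TCP ports).
SEGMENTS = [
    ("AS_intranet", INTRANET_FQDN, {443}),
    ("AS_wildcard_web", "*", {80, 443}),
]

# Access policy from the post: Bob is blocked on AS_intranet, allowed on AS_wildcard_web.
ACCESS_POLICY = {("bob", "AS_intranet"): "deny", ("bob", "AS_wildcard_web"): "allow"}

BYPASS = "not evaluated by ZPA"  # bypassed traffic never reaches the access policy


def first_match(host, port, segments):
    """Name of the first segment matching host and port, or None."""
    for name, pattern, ports in segments:
        if port in ports and fnmatch(host, pattern):
            return name
    return None


def evaluate(user, host, port, cfp_bypass=(), only_allowed=False):
    """Return (path, segment, decision) for one connection attempt."""
    # Client side: with "only forward allowed applications" the client only
    # learns the segments the access policy allows for this user.
    known = [s for s in SEGMENTS
             if not only_allowed or ACCESS_POLICY.get((user, s[0])) == "allow"]
    client_seg = first_match(host, port, known)
    if client_seg is None or client_seg in cfp_bypass:
        return ("bypass", client_seg, BYPASS)
    # Cloud side: ZPA matches against the full segment list again, so the
    # original segment is recognised even if the client never saw it.
    cloud_seg = first_match(host, port, SEGMENTS)
    # Assumption of this model: no matching access rule means deny.
    return ("zpa", cloud_seg, ACCESS_POLICY.get((user, cloud_seg), "deny"))


if __name__ == "__main__":
    for kwargs in ({}, {"cfp_bypass": {"AS_intranet"}}, {"only_allowed": True}):
        print(kwargs, evaluate("bob", INTRANET_FQDN, 443, **kwargs))
```

The bypass case is the only one where Bob's request escapes the ZPA access policy, which is why bypass rules for a blocked segment need a matching control in ZIA.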