Difference in use of "App Profile PAC file" and "Forwarding Profile PAC file"

I have some difficulties in understanding the different “use-cases” of “App Profile PAC” and “Forwarding Profile PAC”

My customer likes to use ZAPP with filter driver and tunnel mode.

Due to customer requirements, we need to send traffic not only to Zscaler, but some traffic needs to be sent to “on-site proxies”, for example “PROXY <RFC 1918 IP address>:8080”; or “PROXY proxy.acme.com:8080”; (we call this “proxy switching”).

I checked the available documentation here and here
https://help.zscaler.com/z-app/configuring-forwarding-profiles-zscaler-app (with the Enforce Proxy settings), but I did not find clarification.

  • What exactly is the different use of the pac files in forwarding profile and app profile?

  • I understand that App Profile PAC is only used by ZAPP and used for selecting a specific ZEN; and for bypassing the ZTunnels

  • Forwarding Profile PAC will be applied as “System Proxy” beside ZAPP?

  • Nils from Zscaler told me, that “proxy switching” needs to be done in the “Forwarding Profile PAC file”

  • But how do I get traffic to Zscaler if we are using a PAC in the forwarding profile? Do I have to use "${ZAPP_LOCAL_PROXY}"? My first assumption was that this variable can only be used if “tunnel with local proxy” is used.

  • Do I need the same “DIRECT” exceptions in both PAC files? If not, which exceptions to put where? Both ZAPP training slides contain “Optionally specify Z-Tunnel bypasses” “App Profile PAC file” and “Forwarding Profile PAC file”.

Thank you and best regards

Forwarding profile PAC applies only to Tunnel with Local Proxy and Enforce PAC modes. Tunnel mode does not use a forwarding profile PAC.

Forwarding PAC is what directs OS/Browser traffic toward Z-App, other proxy, or direct. App profile PAC directs traffic toward Zscaler Service Edge or Direct.

Tunnel with local proxy:
Browser ==> Forwarding PAC ==> Z-App ==> App profile PAC ==> Zscaler Service Edge

Tunnel mode:
Browser ==> Packet Filter/Z-App ==> App profile PAC ==> Zscaler Service Edge

You could use On Trusted Network to select TWLP forwarding mode and set a Forwarding PAC to handle these exceptions for other proxies. Off Trusted Network could use Tunnel mode. Both modes support the packet filter driver.

Forwarding PAC

function FindProxyForURL(url, host) {
    // Conditions for local proxy selection....
    // (example condition: RFC 1918 10/8 destinations; replace with your own test)
    if (isInNet(host, "10.0.0.0", "255.0.0.0")) {
        return "PROXY somelocalproxy:80;";
    }
    // Default forwarding to Z-App (local proxy variable as named in the question)
    return "PROXY ${ZAPP_LOCAL_PROXY}";
}
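A runnable model of the two-stage decision described in the answer above, added here as an example that is not part of the original thread or of Zscaler's own code. It assumes placeholder values: proxy.acme.com and the ${ZAPP_LOCAL_PROXY} variable from the question, a 10.0.0.0/8 intranet range, an assumed .legacy.acme.com domain that must use the on-site proxy, and zen.placeholder.example standing in for the selected Service Edge; the PAC helper functions are shims so the logic runs under Node.js.

```javascript
// Shims for the standard PAC helpers, so the PAC logic below runs under Node.js.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function ipToInt(ip) {
  var m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(ip);
  return m ? ((+m[1] << 24) | (+m[2] << 16) | (+m[3] << 8) | +m[4]) >>> 0 : null;
}
// Real PAC engines resolve a hostname first; this shim only matches dotted-quad hosts.
function isInNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), k = ipToInt(mask);
  return h !== null && (h & k) === (n & k);
}

// Forwarding Profile PAC: consumed by the OS/browser. Chooses Z-App, an on-site proxy, or DIRECT.
function forwardingPAC(url, host) {
  // Internal destinations never reach Z-App (assumed 10.0.0.0/8 intranet)
  if (isPlainHostName(host) || isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  // Proxy switching: this assumed domain must use the on-site proxy from the question
  if (dnsDomainIs(host, ".legacy.acme.com")) return "PROXY proxy.acme.com:8080";
  // Everything else is handed to Z-App's local proxy (variable as named in the question)
  return "PROXY ${ZAPP_LOCAL_PROXY}";
}

// App Profile PAC: consumed by Z-App. Chooses a Service Edge or a Z-Tunnel bypass (DIRECT).
function appProfilePAC(url, host) {
  // Repeat the internal exceptions: in Tunnel mode this is the only PAC that runs
  if (isPlainHostName(host) || isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  return "PROXY zen.placeholder.example:80"; // placeholder for the selected Service Edge
}

// Tunnel with Local Proxy: Browser ==> Forwarding PAC ==> Z-App ==> App profile PAC
function resolveTWLP(url, host) {
  var hop = forwardingPAC(url, host);
  if (hop !== "PROXY ${ZAPP_LOCAL_PROXY}") return [hop]; // DIRECT or on-site proxy, Z-App not involved
  return [hop, appProfilePAC(url, host)];
}
// Tunnel mode: the filter driver hands traffic straight to Z-App; no Forwarding PAC runs,
// so on-site proxy switching is impossible here.
function resolveTunnel(url, host) {
  return [appProfilePAC(url, host)];
}

["intranet", "10.1.2.3", "app.legacy.acme.com", "www.example.com"].forEach(function (h) {
  console.log(h, "| TWLP:", resolveTWLP("http://" + h + "/", h).join(" -> "),
    "| Tunnel:", resolveTunnel("http://" + h + "/", h).join(" -> "));
});
```

The last row of the output is the point of the answer: in Tunnel mode the .legacy.acme.com destination lands at the Service Edge, while under TWLP the Forwarding PAC diverts it to proxy.acme.com before Z-App ever sees it.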

Thank you for your answer.

I will do further testing based on that.
Best regards