Exclude specific IP\IP Range from Zscaler


To do some tests, I would need to exclude one (or few) computers from our network from Zscaler. I would like to have few computers, from which traffic would go direct to Internet.

On our environment we have Zapp deployed, and GRE tunnels from our routers to Zscaler Nodes.

Would be such setup possible? If so, how to achive that?


Hey Karol,

If your network default route carries traffic to the Zscaler cloud via GRE then you need to exempt the machines from that route by source IP. Many (but not all) enterprise grade routers will support some level of PBR (Policy Based Routing).

PBR allows you to get the router to use a different set of routes based on criteria (usually source IP).

If the machines also have ZApp installed and enabled you would need to disable ZApp on those machines either by clicking ‘Turn Off’ or by exiting the App.


Joseph Stubberfield

Unofrtunatelly, I do not have access to our routers, as it is in network team’s hands.

So there is no possibility to specify for example in PAC file, that from specific IP, traffic will go direct?

Hi @Karol,
You can state in PAC file which traffic will go direct, however, the network infrastructure will also need to permit that traffic to flow. This will very dependant on how your routing and tunnels are setup and policed, likely you will need to consult with your network team in that regard, it’s likely their solution will be similar to what @jstubberfield described.