How does ZCC knows whether to redirect traffic to go through ZIA or ZPA?


Hi. New to Zscaler. I’m using ZCC with both ZIA and ZPA enabled, with Tunnel 2.0 and Packet Filter enabled for both. The Forwarding Profile Actions for both ZIA and ZPA is “Tunnel” for Off Trusted Network. My question is how does ZCC decides where to redirect (i.e. via LWF) traffic to go through either ZIA or ZPA? What is the process flow for this?

I read through tons of documentation but couldn’t figure this out. Is there any tool that we can use to check the behavior?

Thanks in advance.

When you have ZPA and ZIA and they are enabled and working on the client connector just the ZPA is with higher priority so if you have application in ZPA that has FQDN/IP (optionally port) the client connector will select the ZPA cloud as it will first check if the destination that the client tries to open is published in ZPA and only then it will check the ZIA and the PAC File for destinations that are not in ZPA. Also the PAC file does not matter for ZPA as it is checked after the ZPA.

You make so if you want the ZPA traffic to go to ZIA cloud first for extra checks like DLP , malware and then the traffic will be send to the ZPA cloud but this is more advanced feature: