PAC logic for Wildcard Bypass for ZCC

If you want a wildcard to bypass traffic from ZCC using a wildcard there are a few interesting situations.

Using the following guide to help create App profile PAC and Forwarding profile PAC: Best Practices for Adding Bypasses for Z-Tunnel 2.0 | Zscaler

If you use “(dnsDomainIs(host, “”))”. To create a wildcard you have to use the “.” not “*”.

Ie “ (dnsDomainIs(host, “”) will capture all subdomains. But if you did “*” if it wouldn’t work.


If you use “(shExpMatch(host,"")”, then you have to use “*” and NOT “.”.

Ie “(shExpMatch(host,"*")” will capture all subdomains, and “” would not!

Hope this helps.