PAC logic for Wildcard Bypass for ZCC

If you want to bypass traffic from ZCC using a wildcard, there are a few interesting situations.

Use the following guide to help create the App Profile PAC and Forwarding Profile PAC: Best Practices for Adding Bypasses for Z-Tunnel 2.0 | Zscaler

If you use “dnsDomainIs(host, "")”, then to create a wildcard you have to use “.” and not “*”.

I.e. “dnsDomainIs(host, ".zscaler.com")” will capture all subdomains, but “*.zscaler.com” wouldn’t work.

HOWEVER!

If you use “shExpMatch(host, "")”, then you have to use “*” and NOT “.”.

I.e. “shExpMatch(host, "*.zscaler.com")” will capture all subdomains, and “.zscaler.com” would not!

Hope this helps.

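The difference between the two helpers, as an added example that is not part of the original post: JavaScript models of dnsDomainIs and shExpMatch that follow the classic Netscape/Mozilla PAC utility functions (assumed to match ZCC's PAC engine), run over constructed hostnames. It goes slightly beyond the post by also showing that neither wildcard form covers the bare domain, and that a pattern without the dot widens the bypass to look-alike domains.

```javascript
// Added example. Inside a real PAC file the engine provides dnsDomainIs and
// shExpMatch; these models follow the classic Netscape/Mozilla utility
// functions, which ZCC's PAC engine is assumed to match.

// Plain suffix comparison: no wildcard syntax, "*" is an ordinary character.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Shell glob, anchored at both ends: "*" = any run, "?" = one character,
// everything else (including ".") is literal.
function shExpMatch(str, shexp) {
  const re = shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Constructed hostnames: a subdomain, the bare domain, two look-alikes.
const HOSTS = [
  "login.zscaler.com",
  "zscaler.com",
  "notzscaler.com",
  "zscaler.com.example.net",
];

// Hypothetical helper: which constructed hosts would a bypass rule match?
function bypassed(fn, pattern) {
  return HOSTS.filter((h) => fn(h, pattern));
}

const PATTERNS = [".zscaler.com", "*.zscaler.com", "zscaler.com", "*zscaler.com"];
for (const p of PATTERNS) {
  console.log("dnsDomainIs", JSON.stringify(p), "->",
    bypassed(dnsDomainIs, p).join(", ") || "(none)");
  console.log("shExpMatch ", JSON.stringify(p), "->",
    bypassed(shExpMatch, p).join(", ") || "(none)");
}
```

If the bare domain also has to be bypassed, it needs its own rule alongside the wildcard one.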