Question concerning PAC-files

Hello folks,

because of a discussion I had today one quick question:
If no pac-file URL is entered in app-profile or fwd-profile: does ZCC pull and use default pac-files? If so, which one?

I did not found any info about that in, but maybe I just did not search carefully enough…

EDIT: ZCC, packet filter, tunnel mode, tunnel 2.

Keeping in mind:

  • If I explicitly use a pac-file ONLY in app-profile most settings would be without effect
  • If I want to have app-profile pac working, I would need also a fwd-profile pac containing nearly the same configuration

If I use no pac file either in app or fwd profile, will Zscaler do the work for me and do the magic and configure a pac-file for app and a matching pac-file for fwd-profile?

Thanks and BR

Hi Manuel,

If no PAC is specified in the App Profile then ZCC downloads the proxy.pac file for your cloud. This will choose the closest 2 x DCs.

If you don’t specify a PAC file in the Forwarding Profile then (at least for ZTunnel 2.0) no Pac will be set. All traffic should flow to ZCC apart from the IP’s excluded in the App Profile exclusion list.

The reason to put a PAC file in the FP is to exclude specific domains from ZTunnel 2.0.


Hello Jamie,

many thanks for your reply. Considering your answers I am wondering how the default proxy.pac-file settings are applied. For example the help article mentioned above states one should not use any ip-based bypasses in profile app proxy.pac.

The default proxy.pac contains one domain bypass and ip-based bypasses for private-ips and ZPA.

So, if I now use a custom proxy.pac which does NOT contain e.g. ZPA excemptions, that could be source of various problems. Right?

Or put it another way: assumed we do not have a tunnel-2-bypass rule in fwd-pac, I do net get the difference between “return “DIRECT”;” and “return PROXY…” in app-pac here. Maybe I am wrong, but will not everything go into the tunnel-2 if not explicitely stated in fwd-pac?

I forgot private IPs are excluded by default in “Destination Exclusions”. But the ZPA-CGNAT IPs are missing there.