Split Tunnel Scenarios


I've been doing a lot of reading on the community and Zscaler article, but I'm still getting confused about app profile, forwarding profile and split tunnel. So I want to see if anyone can help.

(1) When should I use app profile PAC vs forwarding profile PAC? This is my current understanding of app profile & forwarding profile:
user request -> app profile (to decide if traffic should forward or bypass ZApp altogether) -> forwarding profile (decide what to do with that traffic for ZIA/ZPA)

(2) My client wants to implement split tunnel because some of their internal applications are server-to-client, so they would not work with ZPA. Specifically, we are looking at the following scenarios:
a. When user is on-premise:
i. ZPA -> disable
ii. ZIA -> enable; all traffic will go through GRE tunnel
b. When user is off-premise:
i. ZPA -> enable; private app traffic will go through ZPA, and some exception apps will go through AnyConnect VPN if they are not compatible
ii. ZIA -> enable; all traffic will go to ZIA
They had ZIA for years and are now looking to implement ZPA along with ZApp. Any guidance on the best way to configure these scenarios would be helpful.


Hi Steven,

First thing to note is that the App and Forwarding PAC files do not control ZPA traffic, only ZIA.

Regarding PAC files, this article covers how PAC files are to be used with the different Forwarding Modes; their recommended use case differs with forwarding mode: https://help.zscaler.com/z-app/best-practices-using-pac-files-zscaler-app

Initially we will want to define trusted network criteria (ZPA and ZIA use the same criteria) if not already set. Refer to this document for how to do that (https://help.zscaler.com/z-app/configuring-forwarding-profiles-zscaler-app).

Next step is to set ZIA and ZPA for your preference:

ZPA - Set to ‘None’ for Trusted network and ‘Tunnel’ for Off Trusted
ZIA - Set as per preference for On and Off Trusted. This will depend on your preferences, and if you are already using ZCC (ZApp) for ZIA, chances are this is already set up.

Bypassing certain traffic from ZPA entirely is actually done in the ZPA portal (separate from ZCC). Refer to this document on how to bypass applications (https://help.zscaler.com/zpa/configuring-bypass-settings); you're looking for the 'To bypass ZPA for certain applications' setting.


Joseph Stubberfield

Hi Joseph,

Thanks for the explanation on the pac file with respect to forwarding and app profile. It makes more sense to me now.

Should I not use the VPN gateway bypass setting for the scenarios I'm trying to achieve? Maybe I failed to understand when you should use VPN gateway bypass.