Z-Tunnel 2.0 PAC File to use specific CEN

currently we switched to Z-Tunnel 2.0 in a small test environment.
We now came to an point where we need to bypass and create some other exceptions in our PAC Files.
I know with Z-Tunnel 2.0 and Tunnel mode if you want to bypass traffic from Zscaler you need that
return “PROXY ${ZAPP_TUNNEL2_BYPASS}”; statement in the FWD PAC file to bypass Tunnel 2.0 and the same entry in the APP PAC File with “DIRECT” statement to fully complete the Zscaler bypass.

Thats working fine. In addition we need to configure exact CEN or PZEN to use due to some websites which are only accessible via a public IP from the same Country.

Before switching to Z-Tunnel 2.0 we did this in our APP PAC File.
For example:
if ((shExpMatch(url, “someURL”)))
return “PROXY fra4.sme.zscalertwo.net:80”;

Now with this FWD Profile when using Z-Tunnel 2.0 as written in the KB articles you should use the FWD PAC File to configure a bypass to a specific Proxy.

So my question is, how do we configure exceptions to use a specific official Zscaler CEN? Still in the APP PAC File, if yes do we need to bypass tunnel2.0 in the FWD PAC File? Or just create this exception in the FWD PAC File?


Hi, pls see this document : Best Practices for Adding Bypasses for Z-Tunnel 2.0 | Zscaler

Use the forwarding profile and APP profile PAC files.

Forwarding profile :

function FindProxyForURL(url, host) {

if (dnsDomainIs(host, “”))

/* Default Traffic Forwarding. Return DIRECT to tunnel using Tunnel2 */
// return “DIRECT”;

APP profile:

function FindProxyForURL(url, host) {

/* Updates are directly accessible */
if (dnsDomainIs(host, “”))
return “proxyIP:port”;

/* Default Traffic Forwarding */
return “PROXY ${GATEWAY}:443”;

5 posts were split to a new topic: Z-Tunnel 2.0 PAC File - Traffic forwarding to node based on origin country