Zapp Bypass PAC file configuration

Hi,

Zscaler App can contain PAC file both in App Profile and Forwarding Profile.
Do the bypass setting of PAC in AP and the PAC in FP make difference?
Are both of them simply bypassing and nothing different at all?

Best Regards,
Yosh

Hi Yoshiki,

FP PAC would be pushed to the browser or other applications that support PAC. So the execution is done there.

While the App profile PAC is executed by the ZAPP.

if you are deploying ZAPP in full Tunnel mode and configuring both AP and FP PAC. Both the PACs will be effective. Because even the browser send the bypassed traffic directly, the ZAPP will still consider and process it.

In Tunnel with Local Proxy mode, the bypasses in FP PAC will take effect and ZAPP will not process the traffic.

Hope this answers.

-Rajesh

1 Like

Hi, RajeshKumar

Thank you for your kindness!
I can understand basic structure.

But in my guess, it seems ZAPP in full Tunnel mode with AP and FP makes two traffic,
That is to say, the ones sent by browser and the ones sent by ZAPP.
(If same PAC is applied to both AP and FP)

Does this setting make congestion?

Best Regards
Yosh

Hey Yoshiki,

You shouldn’t use the same PAC for both. For Tunnel mode:

Forwarding Profile PAC is for keeping traffic away from the app entirely
App Profile PAC is for controlling datacenter choice and helping the app decide what to do with the traffic

I strongly encourage you to read this - https://help.zscaler.com/z-app/best-practices-using-pac-files-zscaler-app

At the bottom it has an expandable section for ‘Tunnel’ which tells you exactly what each PAC should be used for.

Regards,

Joseph Stubberfield

1 Like

To expand on what RajeshKumar and Joseph have added here.

In Tunnel with Local Proxy:
A bypass (“DIRECT”) in forwarding profile will bypass Z App completely.

In Tunnel mode:
A bypass in the forwarding profile will still be ‘caught’ by tunnel mode, if its port 80 or 443. (and would still need to be bypassed by App Profile).

The key thing to remember with the pac files is that the forwarding profile PAC should send traffic towards or away from Z App, and the app profile PAC should send traffic towards or away from the cloud. e.g. Don’t send traffic to the cloud in the forwarding profile pac, do that in the app profile pac.

Cheers

David

3 Likes

Hello, Joseph and David

Thank you for detailed explanation! I really appreciate!

Excuse for my curiosity, I would like to know one more thing.
In TWLP mode, bypass in forwarding profile will Zapp completely.

How about the situation below?

Tunnel with Local Proxy mode
Forwarding Profile : no PAC file
App Profile : PAC bypass (Direct) setting

In this scenario, will the bypass(Direct) completely bypass Zapp?
Or something will be added because it is App Profile?

Kind Regards,
Yosh

Hi Yosh,

In TWLP bypasses placed in the App Profile will bypass Zscaler but will not bypass ZApp.

It’s recommended to but Zscaler bypasses in the Forwarding Profile when using TWLP.

Regards,

Joseph Stbberfield

Hello, Community

Thank you all answered my questions.
I recently remembered this thread while thinking about PAC file of ZCC(p.k.a. Z-App)

In TWLP bypasses placed in the App Profile will bypass Zscaler but will not bypass ZApp.

What is the problem when traffic cannot bypass ZApp?
Is it problem?

Best Regards,
Yosh