Zapp fetches internal domains to ZIA

Hello, community.

Sometimes Z-app catches internal domains and brings them to ZIA gateway and tries to resolve them without fruits.
PAC file is based on recommended one, seems to cover private up ranges.
Does someone have similar issue?
Zapp abduction is too inconvenient.

Best Regards,
Muhammad

Hi @Muhammad, welcome to communities.

It looks like you may need to put domain based bypasses into your PAC, the ip range bypasses are there only when someone enters an actual IP into the Browser.

Cheers,
@skottieb

You may try below script,

var privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/;
var resolved_ip = dnsResolve(host);

if (privateIP.test(resolved_ip) || privateIP.test(host)) return "DIRECT";

This will return direct if the hostname or host resolved IP is private IP.

Also you can try,
if (dnsDomainIs(host,“localhost”)) return “DIRECT”;
if (dnsDomainIs(host,“internal.hostname”)) return “DIRECT”; // replace internal.hostname with your internal domain

Note that using dnsResolve(); can slow down pac processing as each request will go through a DNS resolution, potentially impacting user experiences. Use of dnsResolve() call should be gated by robust if conditions

1 Like

Hello there

Our client has almost the same issue.
Z-App somehow sends internal traffic (Printer’s IP address) to ZIA.
And they cannot use their printer if Z-App is turned on.

We will suggest our client to add Printer’s IP in VPN Gateway Bypass field,
however what we would like to know is why they cannot use internal application if traffic goes through ZIA service.

It would be fantastic if you knew.

Regards,

Tokio

Yes, depends on the forwarding method you are chosen.
refer : Zapp Bypass PAC file configuration

thanks for your response.

Our customer adopts Route Based in Tunnel mode.

Do you know some major reason/cause of such?
I mean, you know how to fix the issue, but I would like to know the reaosn why Z-App forwards traffic to ZIA, “RATHER THAN JUST HOW TO FIX IT”.

If we can reveal the root cause why Z-App sends traffic to ZIA, we do not have to straggle with such an issue from now on.

Regards,

Tokio

Thank you everyone there

As discussed, it may be solved by adding internal IPs or fqdn into VPN bypass or PAC file.
However if I continue to execute this solution, PAC file and VPN bypass will be flooded with individual private IPs.
I think it is not recommended.
PAC file and VPN bypass should be simpler.
By the way, mine is also Route Based.

Any idea? I will accept everyone’s opinion.

Sincerely
Muhammad

Hi, whichever is go direct to be added either in VPN bypass or in pac file. No other way.

Best practice is to use PAC based bypassed, based on domain/host matching (not dnsresolve)

VPN Gateway Bypasses are really meant for what the field is called, bypassing 3rd party VPN Gateways and these should be used only for this function unless otherwise directed by Zscaler support.


Note that this is not opinion, these are best practices :slight_smile: