ZCC PAC File Fail Over to Secondary Data Center

I had a bit of difficulty finding a good way to fail over our users to their secondary gateways during cloud incidents, so I decided to write up what we have in our PAC in hopes it will help some of you recover from cloud incidents / issues quicker until the functionality is built in to ZCC. Support provided me with the syntax, I just added all US data centers so that I didn’t need to write it out on the fly while having an issue.

Until ZCC has this functionality built in we are forced to use the PAC file to fail over, or rather exclude specific data centers, from our clients. Keep in mind that this only works if the primary data center is the only one affected / having an issue. If both the primary and secondary data center are having issues for the client, you would need to use this same logic but return a specific data center rather than using the variables I have below, or find another means to move them to a different one outside of the impacted regions.

Use at your own risk, this is general information that works in our environment but may not work in yours depending on how you are setup. This is only for US data centers, add or remove based on your needs.

The below PAC file is specific for Zscalertwo.net, modify it as necessary for whatever cloud instance you’re on.

Variable Explanation:

Variable “TEMP” gets the current primary gateway. Make sure you use whatever variable you’re currently using in your default return statement for finding the primary gateway here; we use COUNTRY_GATEWAY_FX, so that is what is used in this example.

Variable “GATEWAY” uses the temp variable and removes the “:80” from the end of it so that we just have the IP address set for the GATEWAY variable.

For the RETURN statement in each data center section make sure you use whatever you’re using for your secondary gateway in your default RETURN statement. We are using COUNTRY_SECONDARY_GATEWAY_FX, so that is what is used in this example.

I have both of these variables set at the beginning of the PAC file with my other variables; I put them right above the IF statements here, though, to keep it simple.

During a cloud incident, you remove the “//” from the lines for the data center you wish to exclude. If the client’s primary gateway is found to be within the ranges of the isInNet calls, the return statement will apply and only return their secondary gateway. When the issue is resolved, you comment out the sections and they will begin using that DC again if it is their primary DC.

Note that it can take up to 15 minutes before the change is applied to the client after activating the change.

Add the below lines above your default return statement and below any DIRECT statements in your PAC file.

/*-------------------------Beginning Of Zscaler Data Center Bypass Section-------------------------------------------------

The Below Sections Are For Bypassing Specified Data Centers During Cloud Incidents

------------------------------------------------------------------------------------------------------------*/
var temp = "${COUNTRY_GATEWAY_FX}";
var gateway = temp.replace(":80","");

/* Bypass Atlanta */

// if (
// (isInNet(gateway,"136.226.2.0","255.255.252.0"))||
// (isInNet(gateway,"104.129.204.0","255.255.254.0"))
// )
// return "PROXY ${COUNTRY_SECONDARY_GATEWAY_FX}:80; DIRECT";

/* Bypass Boston */

// if (
// (isInNet(gateway,"136.226.72.0","255.255.252.0"))||
// (isInNet(gateway,"136.226.74.0","255.255.254.0"))||
// (isInNet(gateway,"136.226.70.0","255.255.254.0"))
// )
// return "PROXY ${COUNTRY_SECONDARY_GATEWAY_FX}:80; DIRECT";

/* Bypass Chicago */

// if (
// (isInNet(gateway,"165.225.56.0","255.255.252.0"))||
// (isInNet(gateway,"104.129.196.0","255.255.254.0"))||
// (isInNet(gateway,"165.225.60.0","255.255.252.0"))
// )
// return "PROXY ${COUNTRY_SECONDARY_GATEWAY_FX}:80; DIRECT";

/* Bypass Dallas */

// if (
// (isInNet(gateway,"165.225.34.0","255.255.254.0"))||
// (isInNet(gateway,"165.225.216.0","255.255.254.0"))||
// (isInNet(gateway,"165.225.36.0","255.255.254.0"))
// )
// return "PROXY ${COUNTRY_SECONDARY_GATEWAY_FX}:80; DIRECT";

/* Bypass Denver */

// if (
// (isInNet(gateway,"165.225.10.0","255.255.254.0"))
// )
// return "PROXY ${COUNTRY_SECONDARY_GATEWAY_FX}:80; DIRECT";

/* Bypass Los Angeles */

// if (
// (isInNet(gateway,"104.129.198.0","255.255.254.0"))||
// (isInNet(gateway,"136.226.66.0","255.255.254.0"))
// )
// return "PROXY ${COUNTRY_SECONDARY_GATEWAY_FX}:80; DIRECT";

/* Bypass Miami */

// if (
// (isInNet(gateway,"136.226.58.0","255.255.254.0"))||
// (isInNet(gateway,"165.225.222.0","255.255.254.0"))
// )
// return "PROXY ${COUNTRY_SECONDARY_GATEWAY_FX}:80; DIRECT";

/* Bypass New York */

// if (
// (isInNet(gateway,"165.225.38.0","255.255.254.0"))||
// (isInNet(gateway,"165.225.220.0","255.255.254.0"))||
// (isInNet(gateway,"136.226.80.0","255.255.254.0"))
// )
// return "PROXY ${COUNTRY_SECONDARY_GATEWAY_FX}:80; DIRECT";

/* Bypass San Francisco */

// if (
// (isInNet(gateway,"104.129.192.0","255.255.254.0"))||
// (isInNet(gateway,"165.225.242.0","255.255.254.0"))
// )
// return "PROXY ${COUNTRY_SECONDARY_GATEWAY_FX}:80; DIRECT";

/* Bypass Seattle */

// if (
// (isInNet(gateway,"136.226.54.0","255.255.254.0"))||
// (isInNet(gateway,"136.226.56.0","255.255.254.0"))||
// (isInNet(gateway,"165.225.50.0","255.255.254.0"))
// )
// return "PROXY ${COUNTRY_SECONDARY_GATEWAY_FX}:80; DIRECT";

/* Bypass Washington */

// if (
// (isInNet(gateway,"165.225.8.0","255.255.254.0"))||
// (isInNet(gateway,"136.226.50.0","255.255.254.0"))||
// (isInNet(gateway,"136.226.48.0","255.255.254.0"))||
// (isInNet(gateway,"136.226.52.0","255.255.254.0"))||
// (isInNet(gateway,"104.129.194.0","255.255.254.0"))
// )
// return "PROXY ${COUNTRY_SECONDARY_GATEWAY_FX}:80; DIRECT";

//-------------------------End Of Zscaler Data Center Bypass Section-------------------------------------------------//

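The failover logic above, as an added offline harness that is not part of the original post: it re-implements the PAC engine's isInNet() so the bypass decision can be tested in plain Node.js before the PAC is activated, uses the post's Atlanta and Boston ranges as the "uncommented" sections, and adds an optional fallback gateway for the case the post mentions where the secondary data center is impacted as well. The default return statement, the fallback parameter and the test addresses are assumptions.

```javascript
// Added example (not the post's code): an offline mirror of the PAC failover
// section; ranges are the post's Atlanta/Boston entries, test IPs are constructed.
// Parse a dotted-quad IPv4 string to an unsigned 32-bit integer, or null.
function ipToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    return null;
  }
  const [a, b, c, d] = parts.map(Number);
  return ((a << 24) | (b << 16) | (c << 8) | d) >>> 0;
}

// Shim for the PAC engine's built-in isInNet(): true when host is in pattern/mask.
function isInNet(host, pattern, mask) {
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// Data centers currently uncommented for bypass: name -> [network, mask] list.
const EXCLUDED_DCS = {
  Atlanta: [['136.226.2.0', '255.255.252.0'], ['104.129.204.0', '255.255.254.0']],
  Boston: [['136.226.72.0', '255.255.252.0'], ['136.226.74.0', '255.255.254.0'],
           ['136.226.70.0', '255.255.254.0']],
};

// Name of the excluded data center an address belongs to, or null.
function excludedDc(ip, excluded) {
  for (const [dc, ranges] of Object.entries(excluded)) {
    if (ranges.some(([net, mask]) => isInNet(ip, net, mask))) return dc;
  }
  return null;
}

// primary/secondary stand in for ${COUNTRY_GATEWAY_FX} (carries ":80") and
// ${COUNTRY_SECONDARY_GATEWAY_FX} (no port), which Zscaler substitutes server-side.
// fallback (assumed, optional) is a gateway outside the impacted regions, used when
// the secondary is excluded too, the case the post says needs a specific DC.
function selectProxy(primary, secondary, fallback = null, excluded = EXCLUDED_DCS) {
  const gateway = primary.replace(':80', ''); // the post's temp/gateway variables
  const hit = excludedDc(gateway, excluded);
  if (hit === null) { // assumed default return statement: primary, then secondary
    return { dc: null, proxy: `PROXY ${primary}; PROXY ${secondary}:80; DIRECT` };
  }
  if (fallback !== null && excludedDc(secondary, excluded) !== null) {
    return { dc: hit, proxy: `PROXY ${fallback}:80; DIRECT` };
  }
  return { dc: hit, proxy: `PROXY ${secondary}:80; DIRECT` };
}
```

Run it with a few primary/secondary pairs taken from your own PAC variables before an incident, so the section is known to return the expected string for each region.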

Great writeup. Please be advised that this method works for Z-Tunnel 1.0 only. If you are running Z-Tunnel 2.0, you will want to use the new “Redirect Web Traffic to Zscaler Client Connector Listening Proxy” feature in Windows ZCC v3.8 which forces 80/443 traffic via Z-Tunnel 1.0 instead of Z-Tunnel 2.0.

That is a really excellent point, thanks for adding that! I’ll make sure to update the original post with that information as well.