I recently set up ZPA for a customer where I began with a single App Segment using wildcard application discovery (E.g. *.mydomain,com for all TCP/UPD ports except 53) and then created App Segments from the discovered apps based on the FQDN and ports used.
One of the problems I foresaw was that I may not yet have all the required ports added for each application, yet still wanted to provide access should they be discovered later. I could then go back after reviewing discovered apps and add them.
The access policy looked like this:
1, Allow printer01,mycompany,com over TCP ports 135 and 49787
7. Allow *.mycompany,com over all TCP/UPD ports except 53
I found access to the printer failed despite Diagnostics showing successful traffic logs to ports 135 and 49787. There were also no errors concerning this application.
As a test I opened all TCP and UDP ports for printer01.mycompany.com and the connection worked. I then found traffic over TCP 443.
Where did I go wrong with the configuration, or can the wildcard app segment not be used as an allow all at end of policy?
I’ve read over this article but doesn’t seem to address the question - Defining a Dynamically Discovered Application | Zscaler