Zscaler 2.0 pac files with ZPA use case

I’m building up a pac file for Zscaler 2.0, of course if the tunnel falls back to 1.0 I’m testing the same arguments. shExpMatch(), LocalhostOrDomainIs(), dnsDomainIs().

I have a use case where we divert an external website (example.com) over ZPA for whichever reasons.
If that websites gets placed in a forwarding pac file bypass, then ZPA cant capture the traffic and we get occasional errors.

when I use dnsDomainIs() for both app and forwarding pac files, Ztunnel 2.0 works. When I remove the website from forwarding pac (example.com) to get around the layer 3/4 bypass the app profile argument does not bypass traffic.(what is the right one?)

I have tried shExpMatch(), LocalhostorDomainis(), seperating them into seperate lines (no grouped arguments).

The documentation is mixed when it comes to moving to Ztunnel 2.0 as well.



What arguments does Ztunnel 2.0 process? What ones does 1.0 process?

Is there anyway I can keep my example.com external site out of the forward pac file, if someone turns off ZPA, let the app profile make the traffic go DIRECT?

I’m coming from point of view that whatever I do with Ztunnel 2.0 to get this working, 1.0 should work as well, and I want ZPA to be able to capture any traffic not in forwarding pac file, but if ZPA is turned Off then the app profile pac should go DIRECT;