If we are using zapp, how the traffic is flowing. And if some urls are added in exception (to go thru firewall), how zapp is applying rule for users outside corporate network? Is the request coming to organisations firewall to pass it DIRECt
This is a pretty high level overview of a complex deployment question. It depends on the type of traffic you are referring to and how you are forwarding it in ZAPP (tunnel with local proxy, full tunnel, pac enforcement). Versions of ZAPP under 1.5 only handle 80/443 and certain other protocols like FTP (if licensed accordingly). For known and supported traffic on v1.5 and below, users off trusted network, like connecting from Starbucks will go straight to our datacenter. If they are connected to VPN in split tunnel, the web traffic will go to our datacenter and the internal traffic backhauls to your gateway and traverses depending on your configuration. If your user is outside your corporate network and you want traffic to go direct from the system and not into Zscaler, you must configure ZAPP to let it go direct. If you are on trusted network and you want that to go direct, you need to have it bypassed in your GRE or IPSec tunnel and in ZAPP.
If you feel it is necessary, you can find more at help.zscaler.com. We also offer training and professional services. If you have a sales contact they can tell you more.
So if suppose a new domain has to be added as exception in pac file will it need to also be added on firewall
If your users are in your corporate network and you add an exception in your PAC file to send the URL DIRECT, the request will be sent to your gateway/firewall and you will have to add an exception on your firewall too.
We recommend to carefully asses if a URL needs to be bypassed from Zscaler since sending the URL direct will create a blind-spot when it comes to security. There are no inspection or scanning for a URL which is exempted. Please review and make sure it is absolutely necessary for the URL to be bypassed.
If the users are outside the corporate network, the request will be send direct to the server when it is instructed to bypass in the PAC file.
I recommend looking at the Zscaler YouTube channel which as some great overview and step-by-step guides.