I decided to share with the community that the Guide Best Practices for Zscaler Client Connector and VPN Client Interoperability | Zscaler is a little old on tunnel 2.0 seems to work good with a VPN agent as it detects it and the ip addresses/fqdn of the VPN gateways can also be excluded from the tunnel.
What is interesting is that when I used an example pac file for a forwarding profile for “Tunnel with local proxy” mode ip.zscaler did not work and it was because in the PAC file there was *.zscaler.com to be send directly so be carefull as I took the example file from here:
Just play arround and see which is the best way to use Zscaler and a VPN agent together. Also better as Zscaler to confirm which version of the Zscaler connector was tested with which version of the VPN agent for example Palo Alto Globalprotect etc.
If you are having Windows and Mac devices then test to see which option is best for Windows or MAC as some options may not work on MAC.