VPN full tunnel bypass in Zscaler

I have customers who provide VPN clients which are mainly full tunnel. I closely looked at it and I could see the default route set to the VPN interface. Is there a way to set the Zscaler profile in a way that it ignores full tunnel VPN? For split tunnel, it's easy to bypass the VPN hostname/IP, but for full tunnel, how do I go about it? I guess forwarding profile set to Route based and Tunnel with local proxy? If we have this, will it bypass all full tunnel? If anyone has done this, can you provide guidance?

If you’re using Zscaler Client wherever the VPN client is installed, then add the FQDN and IP for the termination point to the VPN Bypass section of the App Profile.

Are you trying to bypass the traffic from Zscaler and send it over the VPN, or trying to bypass from VPN so the traffic goes over Zscaler?

That’s for split tunnel and not full tunnel, I guess.

Trying to bypass VPN traffic from Zscaler.

Have you gone through the interop documentation? It goes through all the different scenarios with VPN and ZS coexisting.

Customer has full tunnel and route based. And this is what Zscaler is saying in that doc:

If your VPN runs in full-tunnel mode, Zscaler strongly recommends against selecting Tunnel (Route-Based) for the forwarding profile action.

Yeah I wouldn’t recommend route based and full tunnel… that’s going to be messy.

It’s a Mac or Linux box I’m assuming, so it can’t use packet filter?