Overview
Zscaler Internet Access (ZIA) control rules apply uniformly to traffic regardless of how it is forwarded—whether through the Zscaler Client Connector (ZCC) or via GRE/IPsec tunnels from known locations.
Scope of Control Rules
Control rules are evaluated after traffic reaches ZIA. This means:
They do not influence the initial forwarding method (ZCC vs GRE/IPsec).
They apply equally to all traffic that matches the defined rule conditions.
They determine how traffic is handled and egressed from the ZIA cloud.
Traffic Flow Clarification
Traffic is forwarded to ZIA via:
ZCC (endpoint-based forwarding), or
GRE/IPsec tunnel (site-based forwarding)
Once inside ZIA:
Control rules are evaluated
Matching traffic is processed based on configured actions (e.g., GeoIP, Dedicated IP, or Direct)
GeoIP Example
If a control rule is configured with a GeoIP setting for a destination such as www.cnn.com, any request matching this rule, regardless of whether it originates from ZCC or GRE/IPsec, will:
Be routed through ZIA
Egress using the specified GeoIP location (country-specific IP address)
Key Takeaways
Control rules are agnostic to traffic forwarding method
They operate post-ingress within ZIA
Their primary function is to control egress behavior, not ingress path selection
Conclusion
Forwarding control rules in ZIA provide consistent policy enforcement across both user-based and location-based traffic. This ensures predictable and centralized control of outbound traffic behavior, regardless of how traffic enters the Zscaler cloud.