TTechclick All lessons
Zscaler · ZPA · TroubleshootingInteractive · L1 / L2 / L3

ZPA Troubleshooting — The Connector is Green, the App is Still Down

A healthy App Connector does NOT mean the app will open. Most ZPA tickets die at the policy, the app-segment mapping, or the identity attribute — not the connector. Pick a failure bucket below, watch the access decision animate, and learn the portal path + Diagnostics signal + fix for 14 real scenarios.

📅 2026-05-30 · ⏱ 12 min · 14 scenarios · 5 diagrams · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

ZPA private apps failing even when the App Connector is green? Walk 14 real ZPA service-level failures — access policy, app segment to server-group to connector-group mapping, SAML/SCIM identity, Browser Access certs, source-IP anchoring, ZPA-ZIA steering — each with portal path, Diagnostics signal, fix and verify, in 12 visual minutes.

🎯 By the end, you will be able to

⏳ Before you scroll — 3 questions (no score, just notice what you don't know yet)

Answer these in your head. As you hit the matching section below, you'll see if you were right.

  1. If the access policy default action is block, what happens when NO rule matches a user?
  2. A segment is not assigned to any segment group. Can a policy that targets that group ever allow it?
  3. SCIM groups went live 1 hour ago. Why might a group-based policy still deny everyone?
Read as:

Pick the failure bucket — jump straight to it

1

Policy & Identity

Access-policy order, SAML/SCIM attributes, IdP groups not populating.

 2

Segment Mapping

App segment ↔ server group ↔ connector group wired wrong. FQDN/port overlap.

 3

Browser Access & Certs

Cert chain, wildcard scope, double-encryption, pinned-cert apps.

 4

Steering & Diagnostics

ZPA↔ZIA domain claim, source-IP anchoring, and reading Diagnostics.

The lie every L1 believes about ZPA

Most engineers think a green App Connector means the app will work. Wrong. The connector going to a server is the last link in a five-link chain. Long before traffic ever reaches a connector, ZPA's brain — the Central Authority — has to find a matching app segment, evaluate access policy against your identity, and pick an eligible connector group. Break any of those and the connector stays green while the user stares at a spinner.

Here's the picture to hold in your head. ZPA is zero-trust, so the model is user → ZCC → Service Edge → policy → app segment → connector group → app. A failure at any step looks identical to the user: "it doesn't open." Your job is to know which step. That's the aha-moment of this whole lesson: "connector healthy" is data about ONE link, not the chain.

👉 So far: ZPA brokers access in 5+ links. A healthy connector only proves the last link. Next: the object map that ties those links together.
ZPA object-relationship map App Segment links to a Segment Group and a Server Group; the Server Group attaches to an App Connector Group which serves the application; the Access Policy references the Segment Group and is gated by SAML/SCIM identity. App Segment FQDN + port range Segment Group policy targets THIS Server Group which connectors Connector Group ≥1 must be Connected Application 10.50.x server Access Policy + SAML / SCIM gate Break any arrow = app "down"
The five-link chain. The dashed arrow (policy → app) is logical; everything else is config you must wire. A missing arrow = a silent failure.

The five ZPA objects, in 30 seconds each

🌐
App Segment
tap to flip

The FQDN(s) + port range that defines an app. If the user's hostname/port isn't here, ZPA never even tries. So what: wrong FQDN = instant no-match.

📦
Segment Group
tap to flip

A bundle of app segments. Access policy targets the group, not the segment. So what: a segment with no group is invisible to group-based rules.

🖥️
Server Group
tap to flip

Tells ZPA which connector groups can reach the app. Usually "dynamic discovery". So what: wrong/empty server group = "no connector serving this segment".

🔗
Connector Group
tap to flip

The actual App Connectors (by location). At least one must be Connected. So what: green connector in the WRONG group still can't serve the app.

① Policy & Identity — the app the policy quietly denies

This bucket is where ~half of "connector is fine but app won't open" tickets actually live. ZPA access policy is top-down, first-match-wins, default block. If no rule matches, the user is denied with no obvious error.

▶ Watch a ZPA access decision (and where it can die)

Sneha at Infosys tries to open jira.corp.local. Press Play — each step lights up; red = a common kill point.

① ZCC Sneha's laptop requests jira.corp.local:443
ZCC is enrolled + Z-Tunnel up. If not, traffic never enters ZPA.
② SEGMENT MATCH Does any App Segment contain FQDN jira.corp.local + port 443?
⚠ Kill point: FQDN/port not in any segment, or a wildcard shadows it.
③ IDENTITY SAML assertion + SCIM groups loaded → criteria like group = Engineering evaluated
⚠ Kill point: SCIM not synced / SAML attribute missing → criteria never match.
④ ACCESS POLICY Rules evaluated top-down, first match wins. No match → default BLOCK.
⚠ Kill point: a broad DENY rule sits ABOVE the ALLOW rule.
⑤ CONNECTOR GROUP Server group → eligible connector groups → pick one that's Connected + close
⚠ Kill point: empty Connector field + Close status = eligibility rejected all.
⑥ APP Connector opens TCP to 10.50.5.20:443. Page loads. ✅
Press Play to walk the decision. Each red note is a real reason the app stays "down" with a green connector.
Scenario 1 · Policy order

"Access Denied" although a matching ALLOW rule exists

Symptom Sneha at Infosys can't open Jira; the access log names a different rule than the one you wrote.

Cause A broader rule (e.g. "Contractors → Deny") sits above your ALLOW rule. First-match-wins fired the wrong one.

Diagnose Policies → Access Control → Access Policy; then Analytics → Diagnostics User Activity — read the Policy field (the blocking rule name).

Fix Drag the specific ALLOW above the broad DENY. Order = priority.

Verify Re-run, confirm the Policy field now shows your ALLOW rule.

Diagnostics → User Activity (LSS) — read the Policy field 
Username       : sneha.r@infosys.com
Host           : jira.corp.local
ConnectionStatus: Close
Policy         : "Block-Contractors-All"   <- WRONG rule won
ServerIP       : (empty)
Expected output after fix 
ConnectionStatus: Open
Policy          : "Allow-Engineering-Jira"
ServerIP        : 10.50.5.20
ConnectionSetupTime: 41 ms
Pause & Predict

The Policy field in the User Activity log is empty (blank) and status is Close. Which rule blocked the user?

No named rule — the default block did. An empty Policy field with Close means nothing matched, so ZPA's implicit default-deny fired. That points you at a missing ALLOW (or a segment/identity miss), not a wrong rule.
Scenario 2 · SCIM sync

Group-based policy denies everyone right after SCIM go-live

Symptom Rahul at TCS enabled a group = Finance rule an hour ago; the whole Finance team is denied.

Cause SCIM group membership hasn't propagated. The IdP pushes on its own schedule; criteria can't match a group ZPA doesn't have yet.

Diagnose Administration → Identity Management → SCIM Attributes / Groups — is "Finance" populated with members?

Fix Wait for propagation — Zscaler recommends ≥48 hours (sometimes a week) before relying on SCIM-group policies. As a bridge, use a SAML attribute or temporary rule.

Verify Group shows members; a test user in Finance now matches the rule.

Scenario 3 · SAML attribute

Policy criterion never matches — SAML attribute missing

Symptom A rule keyed on department = Networking matches nobody, even users who clearly are.

Cause The IdP isn't sending the department SAML attribute, or the name/case differs from what ZPA expects.

Diagnose Analytics → Diagnostics → User Status / Authentication — inspect the attributes ZPA actually received in the assertion.

Fix Add the attribute mapping in the IdP SAML app; match the exact attribute name configured under Administration → IdP Configuration.

Verify User Status diagnostics shows department=Networking; rule matches.

Quick check · Q1 of 10 · Remember

In ZPA, when no access-policy rule matches a user's request, what happens?

Correct: a. ZPA evaluates top-down, first match wins, and the default action is block. No match = silent deny, often with an empty Policy field in the log. That's why a missing ALLOW looks identical to a wrong DENY.
👉 So far: in Policy & Identity, the killers are rule order, un-synced SCIM groups, and missing SAML attributes. Next bucket: the app-segment plumbing.

② Segment Mapping — the plumbing nobody double-checks

Even with perfect policy, traffic dies if the app segment → segment group → server group → connector group chain has a broken link. Think of it like a Swiggy order: the restaurant (app) can be open, but if the order isn't mapped to a delivery zone (server group) with an available rider (connector group), the food never arrives.

Scenario 4 · No healthy connector

"No healthy App Connector serving this segment"

Symptom App times out; log shows empty Connector field and ConnectionStatus = Close.

Cause The server group attached to the segment points at a connector group where eligibility rejected all candidates (wrong location, disabled group, or no Connected connector).

Diagnose Infrastructure → App Connectors (status) + Resource Management → Server Groups (which connector group?). Empty Connector + Close = eligibility filtered everything, NOT a connector-to-app fault.

Fix Attach the correct connector group to the server group, or enable a connector in the right location.

Verify Log now shows a connector name + Open.

Scenario 5 · Orphan segment

App segment created but invisible to policy

Symptom Priya at Wipro added a new app segment; her group-based ALLOW never fires for it.

Cause The segment isn't assigned to a segment group — and policy targets groups. Console shows an incomplete-configuration icon.

Diagnose Resource Management → Application Management → Application Segments — check the Segment Group column; confirm segment_group_id is non-empty via API.

Fix Assign the segment to the segment group the rule references.

Verify Incomplete icon clears; rule matches the segment.

Scenario 6 · Wildcard shadow

One app breaks after a specific FQDN segment is added

Symptom app1.corp.local worked under *.corp.local; after adding a specific app1.corp.local segment for port 443, its 8443 admin port dies.

Cause A specific-FQDN segment carves out that host from the wildcard for ALL ports. The specific segment only lists 443, so 8443 has no home.

Diagnose Compare segments: exact hostname > wildcard in specificity. Port narrowness doesn't change specificity.

Fix Add all needed ports (443 + 8443) to the specific segment, OR enable Multimatch.

Verify Both ports resolve through ZPA again.

ZPA "app won't open" decision tree A branching diagnostic: start at symptom, check ZCC tunnel, then app segment match, then policy, then identity, then connector eligibility, ending at root causes. "App won't open" ZCC enrolled + Z-Tunnel up? No → re-enroll ZCC FQDN + port in an App Segment? No → add / fix segment, check wildcard shadow Policy field names a rule? Yes → fix rule order; empty → missing ALLOW SAML attr + SCIM group present? No → fix IdP map / wait 48h SCIM sync Connector field empty + Close? Yes → server group / connector-group mapping App opens ✅
Run top-to-bottom. The first "No" (or the first red branch you hit) is your root cause — you almost never need to reach the connector.
Practice in the lab: 🔗 App Connector Simulator 🛠 ZPA Troubleshooting Sim
Quick check · Q2 of 10 · Analyze

User Activity log shows an empty Connector field with ConnectionStatus = Close. What does this most precisely indicate?

Correct: b. An empty Connector + Close means ZPA never selected a connector — eligibility (group/location/health) rejected all candidates. Look at the server group → connector group mapping, not at connector-to-app reachability (which would show a named connector with high ConnectionSetupTime).
Scenario 7 · Reachable internally, not via ZPA

App pings fine from the connector host, fails through ZPA

Symptom You SSH to the connector, curl 10.50.5.20:443 works — but users via ZPA time out.

Cause The connector can reach it, but the segment/server-group binding doesn't route that app through this connector group, or the app's port isn't in the segment.

Diagnose Confirm the FQDN+port are in the segment; confirm the server group dynamic-discovery includes this connector group. Check LSS ConnectionSetupTime.

Fix Bind the right connector group to the server group; add the missing port.

Verify LSS shows that connector serving the app with low setup time.

Pause & Predict

A user's app worked yesterday. Today you added a *.corp.local wildcard segment for a different team. Now their app1.corp.local:8443 app is broken — but app1.corp.local:443 still works. What changed?

Nothing about the wildcard — look for an older SPECIFIC segment. If app1.corp.local already had a specific segment listing only 443, that specific segment carves app1 out of the new wildcard for ALL ports. So 8443 has no home. Add 8443 to the specific segment, or enable Multimatch. The wildcard is a red herring.

③ Browser Access & Certificates — the clientless path that trips on TLS

Browser Access lets a user reach a private web app with no agent, just HTTPS. The cost: you now own a TLS certificate chain, and certs are where this bucket bleeds.

Scenario 8 · BA cert chain

Browser Access throws a cert / "not trusted" error

Symptom Contractor opens the BA URL, browser warns "certificate not trusted" or the upload failed.

Cause Incomplete chain, or you tried to upload a cert without first generating the CSR in the ZPA portal (so there's no matching private key).

Diagnose Administration → Certificate Management → Browser Access Certificates — check chain + key. The "no CSR" error means the portal has no matching key.

Fix Generate the CSR in ZPA, get it signed by a public CA, upload signed cert; OR upload the full cert + private key in one PEM. Include the full intermediate chain.

Verify BA URL loads with a green padlock; chain validates.

Scenario 9 · Wildcard scope

Wildcard cert works for one level, not the sub-domain

Symptom *.apps.corp.in cert works for hr.apps.corp.in but fails for v2.eu.apps.corp.in.

Cause A wildcard covers exactly one label. *.apps.corp.in*.eu.apps.corp.in.

Diagnose Compare the BA hostname depth against the cert's wildcard depth.

Fix Issue a cert covering the deeper level, or restructure BA hostnames to one wildcard level.

Verify Each BA hostname resolves with a matching SAN.

Pause & Predict

A native app uses certificate pinning. ZPA Diagnostics shows a clean Open status and normal ConnectionSetupTime, yet the app's own screen says "TLS handshake failed." Where is the failure?

Client-side, app-to-server TLS — not ZPA. A pinned client rejects ZPA's Service Edge cert regardless of chain validity. ZPA succeeds (status Open), but the app refuses the cert it sees. Fix = disable pinning for that app or bypass ZPA for it. The "ZPA looks fine but app fails" pattern is the tell.
Scenario 10 · Pinned cert

Native app rejects ZPA even though Diagnostics is green

Symptom ZPA shows Open, normal setup time; the app itself errors on TLS.

Cause Certificate pinning — the client only trusts a specific server cert and rejects ZPA's Service Edge cert.

Diagnose Normal LSS setup time + no connector errors + app-side TLS failure = classic pinning signature.

Fix Disable pinning for the app (vendor permitting) or bypass ZPA for that destination.

Verify App connects; ZPA log unchanged.

Scenario 11 · Double encryption

Double-encrypted segment fails the connector's cert check

Symptom Segment marked Double Encryption stops connecting; App Connector logs show TLS handshake errors.

Cause Double Encryption requires the connector to verify the ZPA Service Edge cert; a mismatch or trust gap breaks the inner tunnel.

Diagnose Connector log TLS handshake errors; LSS DoubleEncryption field confirms the mode.

Fix Ensure connector trusts the Service Edge cert; if not required, disable Double Encryption on the segment.

Verify Handshake errors clear; segment connects.

Quick check · Q3 of 10 · Apply

Aditya needs to publish portal.apps.corp.in and billing.apps.corp.in via Browser Access with one wildcard cert. Which SAN actually covers both?

Correct: a. Both hostnames sit one label below apps.corp.in, so *.apps.corp.in covers them. A wildcard matches exactly one level — that's why a deeper host like v2.eu.apps.corp.in would NOT be covered and needs its own cert.
👉 So far: Browser Access pain is almost always cert chain, wildcard depth, pinning, or double-encryption trust. Next: the trickiest bucket — ZPA fighting ZIA over a domain.

④ Steering & Diagnostics — when ZPA and ZIA both want the same domain

ZCC runs ZPA and ZIA on the same laptop. If both could claim a domain, one wins — and the wrong winner makes the app "disappear". This bucket also covers SIPA and how to actually read Diagnostics.

ZCC domain-claim and ZPA-ZIA steering flow ZCC decides per request: a private FQDN in an app segment goes to ZPA; otherwise it goes to ZIA. Forwarding-profile bypass and SIPA change the path; mis-claims are marked as denial points. ZCC request for a FQDN In an App Segment? (ZPA claims it) YES → ZPA private app broker NO → ZIA internet / SaaS proxy Overlap / bypass mis-set → wrong service claims it SIPA: ZPA segment with "Use Client Forwarding Policy" → out to ZIA, back via ZPA Gateway.
The domain-claim fork. A private FQDN inside an app segment goes to ZPA; everything else to ZIA. Overlap or a wrong forwarding-profile bypass sends it to the wrong service (red).
Scenario 12 · Domain overlap

Internal app intermittently routes to ZIA instead of ZPA

Symptom auth.corp.local sometimes loads, sometimes gives an internet-proxy error; auth loops appear.

Cause The IdP/app domain overlaps what ZIA also handles, so ZCC's domain claim is ambiguous — interception loops.

Diagnose Check ZCC App Profile / Forwarding Profile + ZIA URL handling; confirm the FQDN is firmly inside a ZPA app segment.

Fix Make ZPA authoritative for the private FQDN (precise segment) and add a ZIA bypass for it so ZIA doesn't fight for it.

Verify Diagnostics consistently shows the FQDN handled by ZPA.

Scenario 13 · SIPA / source-IP anchor

App needs the client's real source IP, but sees a Zscaler IP

Symptom A geo/IP-allowlisted SaaS rejects users; the app sees a Zscaler egress IP, not the expected corporate IP.

Cause Source IP Anchoring isn't fully wired across ZPA and ZIA, or the bypass field is wrong.

Diagnose ZPA segment must have Source IP Anchor on and Bypass = Use Client Forwarding Policy; access policy Client Type = ZIA Service Edge; ZIA Forwarding Control → Forwarding Control Policy method = ZPA via a ZPA Gateway bound to that server group.

Fix Set the missing "Use Client Forwarding Policy" bypass; align segment-group names across ZPA/ZIA; activate both consoles.

Verify App sees the anchored IP; SIPA path shows in logs.

The #1 SIPA trap

SIPA fails silently when the segment-group names don't match across ZPA and ZIA, or when changes aren't activated in both consoles. The config "looks right" in each portal — but the rules never join. Always activate both, and copy the group name verbatim.

Scenario 14 · Reading Diagnostics

You don't know which step failed — use Diagnostics to trace it

Symptom "It just doesn't work" and you have no lead.

Cause Unknown — that's the point of the tool.

Diagnose Analytics → DiagnosticsUser Activity (per-request ConnectionStatus, Policy, Connector, ServerIP, timing) and User Status / Authentication (SAML/SCIM received). Admin console keeps ~14 days; longer needs LSS to a SIEM.

Fix Let the field that's wrong point you to the bucket: empty Policy → missing ALLOW; empty Connector → mapping; high ConnectionSetupTime → connector-to-server.

Verify After the fix, the same User Activity row reads Open with a named connector.

LSS User Activity query (Splunk) — the one-shot triage 
index=zpa sourcetype=zpa_user_activity
  Username="aditya.k@wipro.com" Host="auth.corp.local"
| table LogTimestamp, ConnectionStatus, Policy,
        Connector, ServerIP, ConnectionSetupTime, DoubleEncryption
Expected output — a healthy row 
ConnectionStatus  : Open
Policy            : Allow-Corp-Auth
Connector         : connector-mumbai-01
ServerIP          : 10.50.5.30
ConnectionSetupTime: 38 ms
DoubleEncryption  : false
Field-to-bucket cheat (memorise this)

Empty Policy + Close → missing ALLOW or identity miss (Bucket 1). Empty Connector + Close → server-group / connector-group mapping (Bucket 2). Open but high ConnectionSetupTime → connector-to-server reachability. Open + app-side TLS fail → cert pinning (Bucket 3).

Quick check · Q4 of 10 · Analyze

An internal app keeps bouncing between working and an "internet proxy" error, with occasional auth loops. The FQDN is in a ZPA app segment. Most likely root cause?

Correct: c. Intermittent ZPA-vs-internet behavior plus auth loops on a domain that ZPA should own is the classic ZPA↔ZIA domain-claim conflict. Make ZPA authoritative with a precise app segment and add a ZIA bypass so ZIA stops fighting for the same FQDN.

Top symptoms → first portal check (the cheat in flip form)

🚫
Access Denied
tap

First check: Diagnostics → User Activity Policy field. Named rule = order issue. Empty = missing ALLOW / identity. So what: never guess, read the field.

App times out
tap

First check: Connector field. Empty = mapping (Bucket 2). Named + high setup time = connector-to-server. So what: splits two very different fixes.

🔐
Cert error
tap

First check: Certificate Management chain + wildcard depth. App-side TLS fail with green ZPA = pinning. So what: separates BA cert vs pinned app.

🔀
Wrong service
tap

First check: forwarding profile + is FQDN in a ZPA segment? Add a ZIA bypass for private FQDNs. So what: stops ZPA/ZIA tug-of-war.

Source IP Anchoring (SIPA) path cheat-sheet Client traffic for a SIPA segment bypasses ZPA via Client Forwarding Policy to ZIA, then ZIA forwarding control sends it back through a ZPA Gateway so the app sees the anchored source IP. Client (ZCC) real source IP ZIA Forwarding Control ZPA Gateway → Server Group App sees anchored IP Bypass = "Use Client Forwarding Policy" Method = ZPA names must match ✓ activated
SIPA in one line: client → ZIA → ZPA Gateway → app. The three red labels are the exact spots SIPA breaks. Green = the step everyone forgets (activate both consoles).

One-glance cheat-sheet — symptom → first portal check

ZPA troubleshooting cheat-sheet Six tiles mapping a symptom to the first portal check and the bucket: access denied, app times out, cert error, wrong service, SCIM deny, and SIPA wrong IP. ZPA: connector green, app down? Read the field that's wrong. 🚫 Access Denied Diagnostics → User Activity Policy named = order; empty = missing ALLOW ⏳ App times out Connector field empty = group mapping; named+slow = conn→server 🔐 Cert error Certificate Management chain + wildcard depth; green ZPA+TLS fail=pinning 🔀 Wrong service Forwarding profile FQDN in ZPA segment? add ZIA bypass 👥 SCIM denies all Identity Mgmt → Groups populated? wait ≥48h; bridge with SAML attr 🌍 SIPA wrong IP ZPA + ZIA both group names match? activate BOTH consoles Golden rule: a healthy connector proves ONE of five+ links. Diagnose the chain: empty Policy → identity/ALLOW · empty Connector → mapping · slow → reachability · TLS-only fail → pinning.
Screenshot this. Six symptoms, one first-check each — the fastest path from "app down" to the right bucket.

🤖 Ask the AI Tutor

Tap any question — instant context-aware answer scoped to this lesson. No login, no waiting.

Pre-curated from Zscaler ZPA help docs + community Q&A. For live prod issues, paste your Diagnostics → User Activity row into chat.techclick.in.

📝 Wrap-up — six more

You've answered 4 inline. Six left. 70% (7 of 10) total marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Apply

Sneha just enabled a brand-new SCIM-group-based ALLOW rule and the whole group is denied. The cleanest production move is:

Correct: d. SCIM group membership propagates on the IdP's schedule; Zscaler recommends ≥48h before relying on SCIM-group policies. Verify the group is populated, wait, and bridge with a SAML attribute. Never flip the default to allow — that breaks zero-trust for everything.
Q6 · Analyze

A specific-FQDN segment for app1.corp.local:443 was added under a *.corp.local wildcard. Now app1.corp.local:8443 fails. Why?

Correct: b. A specific FQDN segment removes that host from wildcard coverage for ALL ports — port narrowness doesn't change specificity. Listing only 443 orphans 8443. Add the port to the specific segment, or turn on Multimatch so both can match.
Q7 · Analyze

ZPA Diagnostics shows Open with a normal ConnectionSetupTime, no connector errors — but the native app's own UI says "TLS handshake failed". Root cause?

Correct: a. "ZPA looks perfectly fine but the app fails on TLS" is the signature of certificate pinning. The pinned client trusts only a specific server cert and rejects ZPA's. The other options would all leave a visible ZPA-side signal (deny, no match, empty connector).
Q8 · Analyze

Karthik built SIPA: ZPA segment, ZIA forwarding policy, ZPA Gateway. Each console looks correct, but the app still sees a Zscaler IP. The most likely miss is:

Correct: c. SIPA joins two consoles by exact-name reference and only takes effect when both are activated. The classic silent miss is a mismatched segment-group name, the wrong bypass setting, or forgetting to activate one side. DIPP is a NAT concept, not ZPA SIPA.
Q9 · Evaluate

A 5,000-seat SOC debates: (X) one broad *.corp.local segment for everything, or (Y) specific segments per app group + Multimatch where needed. Which is the better design and why?

Correct: d. Zero-trust wants least-privilege: specific segments let you scope policy, identity, and connector groups per app. One broad wildcard exposes everything and removes granular control. Multimatch exists precisely to handle intentional overlaps without the carve-out breakage — it doesn't disable policy.
Q10 · Evaluate

An engineer proposes "to fix the ZPA-vs-internet flapping, just set the access-policy default action to ALLOW so nothing gets blocked." Sound or not?

Correct: b. Default-allow misdiagnoses the problem AND removes the entire security model. The flapping is ZPA↔ZIA domain claim — solved by making ZPA authoritative for the private FQDN and adding a ZIA bypass. A symptom band-aid that opens every app is never the right call.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the bucket that tripped you up and tap "Try again".

✍️ Explain it back (2 lines)

In your own words: why does a green App Connector NOT prove the app will open? Type it, then reveal the expert version.

Expert version: A healthy connector proves only the last of five+ links (user → ZCC → Service Edge → policy → app segment → connector group → app). The request can die earlier at segment match, access policy, or identity — none of which the connector's health reflects. So you diagnose by chain, reading the Diagnostics field that's wrong.

🧑‍🏫 Teach a friend

Tap to generate a one-liner you can paste to a teammate who's stuck.

"ZPA tip: 'connector is green' only proves the LAST link. Open Diagnostics → User Activity — empty Policy field = missing ALLOW/identity, empty Connector field = server-group/connector-group mapping. Read the field that's wrong before you touch the connector."

📩 Quiz me again later

Opt in and we'll send 3 micro-questions on this lesson at Day 1, Day 7, and Day 30 — spaced recall locks it in.

✓ You're in. We'll nudge you with 3 quick questions — opt out anytime from your profile.

Glossary — the words this lesson used

📚 Sources

  1. Zscaler Help — Configuring Access Policies & About Segment Groups / Configuring Application Segments. help.zscaler.com/zpa
  2. Zscaler Help — ZPA App Connector Troubleshooting Runbook & Accessing User Activity / User Status Diagnostics. help.zscaler.com/zpa
  3. Zscaler Help — Enabling SCIM for Identity Management, Browser Access, Certificate Management (Browser Access web-server certs). help.zscaler.com/zpa
  4. Zscaler Help (ZIA) — About / Configuring Source IP Anchoring (SIPA) using ZPA, Forwarding Control. help.zscaler.com/zia
  5. Zscaler Community — ZPA application-segment config for Browser Access with SIPA enabled; practitioner ZPA troubleshooting decision-tree notes (GitHub-hosted field references, 2025).
  6. Zscaler Academy — ZDTA (Digital Transformation Administrator) certification blueprint — Identity, Connectivity, Access Control services.

What's next?

You've mastered the ZPA service. Next, go one layer down into the App Connector itself — enrollment, DNS, version drift, and the on-host logs that explain connector-to-server failures.

Next · ZPA App Connector Deep-Dive → Practice on exam.techclick.in →

— Techclick Team