Local breakout for bypass domains
The Local Breakout for Bypass Domains setting is enabled by default in a policy. It ensures that domains configured in ETP with the bypass action are sent directly to the origin from the branch or enterprise network, so this traffic never reaches ETP Proxy. This configuration requires that your network has a direct route to the Internet. If your network has no direct route to the Internet, it cannot reach these origins, so disable this option. When the setting is disabled, bypass traffic is directed to ETP instead, and ETP forwards it to the origin without scanning it.
- Bypass is supported on TLS and HTTP/1 traffic only. The bypass action is not applied to traffic that uses other protocols, such as User Datagram Protocol (UDP), HTTP/2, or QUIC (Quick UDP Internet Connections).
- If ETP Client is active on client devices, this setting does not apply to traffic from clients that are off the corporate network.
- This setting applies to domains that are configured in the policy with the bypass action. It does not apply to internal IP addresses or DNS suffixes that are configured in the ETP Network Configuration.
- If you disable this setting, bypass traffic is sent to ETP, so make sure the domains that ETP requires are allowed by your organization’s firewall and can reach the Internet. For a list of domains, see Configure your enterprise firewall.
- If your enterprise sets up ETP Proxy as a selective proxy only and your organization does not use ETP Client, Security Connector as a DNS Forwarder, or proxy chaining, make sure the Local Breakout for Bypass Domains setting is enabled. If this setting is disabled, domains that are configured for bypass are directed to ETP for resolution and then dropped.
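The conditions above combine in ways that are easy to get wrong when a policy and the network deployment are managed by different teams. The following is an added example, not part of the ETP product or its API, of a small pre-deployment check that encodes these rules: it takes a constructed model of the deployment (whether there is a direct Internet route, which ETP components are in use, what the firewall allows) and of the policy (the setting itself and the bypass domains with the protocols they carry), and reports the failure modes described on this page. The `Deployment` and `Policy` field names, the severity labels and the sample domains are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Protocols on which ETP applies the bypass action. Anything else
# (UDP, HTTP/2, QUIC, ...) is not bypassed.
BYPASS_SUPPORTED_PROTOCOLS = {"tls", "http/1"}


@dataclass
class Deployment:
    """How the enterprise network and ETP components are deployed.

    Field names are assumptions for this example, not ETP API fields.
    """
    direct_internet_route: bool          # branch/enterprise network can reach the Internet directly
    selective_proxy_only: bool           # ETP Proxy is set up as a selective proxy only
    etp_client: bool = False             # ETP Client is deployed on devices
    security_connector_dns_forwarder: bool = False
    proxy_chaining: bool = False
    firewall_allowed_domains: set[str] = field(default_factory=set)


@dataclass
class Policy:
    """The subset of an ETP policy this check looks at (assumed shape)."""
    local_breakout_for_bypass_domains: bool = True
    # bypass domain -> protocols the traffic to that domain uses
    bypass_domains: dict[str, set[str]] = field(default_factory=dict)


def check_local_breakout(deployment: Deployment, policy: Policy,
                         etp_required_domains: set[str]) -> list[tuple[str, str]]:
    """Return (severity, message) findings for the local-breakout setting."""
    findings: list[tuple[str, str]] = []

    if policy.local_breakout_for_bypass_domains:
        # Breakout sends bypass traffic straight to the origin from the
        # local network, which only works with a direct route to the Internet.
        if not deployment.direct_internet_route:
            findings.append(("ERROR",
                "Local Breakout for Bypass Domains is enabled but the network has "
                "no direct route to the Internet; bypass domains are unreachable. "
                "Disable the setting so bypass traffic goes to ETP instead."))
    else:
        # With breakout disabled, bypass traffic still goes to ETP, so the ETP
        # service domains must be reachable through the enterprise firewall.
        missing = sorted(set(etp_required_domains) - deployment.firewall_allowed_domains)
        if missing:
            findings.append(("ERROR",
                "ETP domains not allowed by the firewall: " + ", ".join(missing)))
        no_forwarding_path = not (deployment.etp_client
                                  or deployment.security_connector_dns_forwarder
                                  or deployment.proxy_chaining)
        if deployment.selective_proxy_only and no_forwarding_path:
            findings.append(("ERROR",
                "Selective proxy without ETP Client, Security Connector DNS "
                "forwarding or proxy chaining: bypass domains are sent to ETP "
                "for resolution and dropped. Enable Local Breakout."))
        elif policy.bypass_domains:
            findings.append(("INFO",
                "Bypass traffic is sent to ETP and forwarded to the origin unscanned."))

    if deployment.etp_client:
        findings.append(("INFO",
            "ETP Client is deployed: traffic from off-network clients is not "
            "affected by this setting."))

    # Bypass only applies to TLS and HTTP/1; flag domains whose traffic uses
    # other protocols, because that traffic will not be bypassed.
    for domain, protocols in sorted(policy.bypass_domains.items()):
        unsupported = sorted(p for p in protocols
                             if p.lower() not in BYPASS_SUPPORTED_PROTOCOLS)
        if unsupported:
            findings.append(("WARN",
                f"{domain}: bypass is not applied to {', '.join(unsupported)} "
                "(only TLS and HTTP/1 traffic is bypassed)."))
    return findings


if __name__ == "__main__":
    # Constructed scenario: selective proxy, nothing else deployed, breakout disabled.
    deployment = Deployment(direct_internet_route=True, selective_proxy_only=True,
                            firewall_allowed_domains={"svc.example"})
    policy = Policy(local_breakout_for_bypass_domains=False,
                    bypass_domains={"bank.example": {"tls", "quic"}})
    for severity, message in check_local_breakout(deployment, policy, {"svc.example"}):
        print(f"{severity}: {message}")
```

Run it against the real values from your network inventory and policy export; the required-domain set comes from the Configure your enterprise firewall list, which this example takes as an input rather than embedding.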