Using Application Segment Multimatch
When a user tries to access a private application, a request is mapped to an application segment. After the application is mapped to an application segment, the policy search is performed, and the request is either allowed or blocked based on the policy configuration.
To learn more, see About Access Policy and Configuring Access Policies.
Prerequisites
Use the Zscaler Client Connector version that has 50K applications support (4.1 for MacOS and 4.0 for Windows). To enable the necessary version for your organization, contact Zscaler Support.
Exact Match vs. Multimatch
There are two application match behaviors available in Private Applications: Exact Match and Multimatch. Exact match is the default behavior.
About Exact Match
The default behavior of Private Applications is to perform an exact match of applications. If two or more application segments cover the same destination address, Zscaler Client Connector attempts to match traffic to the more granular application segment. Consider the following example of two Application Segments with the overlapping domain name "example.com":
- Example: Exact Match
If a user navigates to server1.example.com TCP port 3389, the request maps to the more specific application segment, which is App_Seg2.
| Application Segment Name | Application | Protocol | Ports |
|---|---|---|---|
| App_Seg1 | *.example.com | TCP, UDP | 1–52, 54–65535 |
| App_Seg2 | server1.example.com | TCP | 443, 3389 |
About Multimatch
Multimatch allows an application request to match multiple application segments.
The following examples illustrate how applications are mapped to application segments, as well as how policy execution works when Multimatch is enabled vs not enabled on application segments.
- Multiple application segment matches
The primary use for Multimatch is when there are multiple possible application segment matches. The tables below show application segment configuration, the policy configuration, and how they match up.
Application Segment Configuration

| Application Segment Name | Application | Protocol | Ports | Multimatch |
|---|---|---|---|---|
| App_Seg1 | *.example.com | TCP, UDP | 1–52, 54–65535 | Enabled |
| App_Seg2 | server1.example.com | TCP | 443, 3389 | Enabled |
Access Policy Configuration

| # | Access Policy Name | Application Segment Name | Policy Action | User Group |
|---|---|---|---|---|
| 1 | Allow App_Seg2 | App_Seg2 | Allow | Admin_Grp |
| 2 | Allow App_Seg1 | App_Seg1 | Allow | All |
Application Match and Policy Search Results

| User | Group | FQDN: Port & Protocol | Matched Application Segment with Multimatch | Matched Application Segment without Multimatch | Matched Policy Number with Multimatch | Matched Policy Number without Multimatch |
|---|---|---|---|---|---|---|
| user1 | Admin_Grp | server1.example.com:3389+TCP | App_Seg1, App_Seg2 | App_Seg2 | 1 | 1 |
| user1 | Admin_Grp | server1.example.com:22+TCP | App_Seg1 | Dropped on client | 2 | N/A |
| user2 | IT_Grp | server1.example.com:22+TCP | App_Seg1 | Dropped on client | 2 | N/A |
| user3 | IT_Grp | server1.example.com:80+TCP | App_Seg1 | Dropped on client | 2 | N/A |
| user3 | IT_Grp | server1.example.com:443+TCP | App_Seg1, App_Seg2 | App_Seg2 | 2 | Blocked by default policy |
- Behavior after inserting a block rule
Let's look at how the policy search results change by inserting a block policy in the rule set.
Application Segment Configuration

| Application Segment Name | Application | Protocol | Ports | Multimatch |
|---|---|---|---|---|
| App_Seg1 | *.example.com | TCP, UDP | 1–52, 54–65535 | Enabled |
| App_Seg2 | server1.example.com | TCP | 443, 3389 | Enabled |
Access Policy Configuration

| # | Access Policy Name | Application Segment Name | Policy Action | User Group |
|---|---|---|---|---|
| 1 | Allow App_Seg2 | App_Seg2 | Allow | Admin_Grp |
| 2 | Block App_Seg | App_Seg2 | Block | All |
| 3 | Allow App_Seg1 | App_Seg1 | Allow | All |
Application Match and Access Policy Search Results

| User | Group | FQDN: Port & Protocol | Matched Application Segment with Multimatch | Matched Application Segment without Multimatch | Matched Policy Number with Multimatch | Matched Policy Number without Multimatch |
|---|---|---|---|---|---|---|
| user1 | Admin_Grp | server1.example.com:3389+TCP | App_Seg1, App_Seg2 | App_Seg2 | 1 | 1 |
| user1 | Admin_Grp | server1.example.com:443+TCP | App_Seg1, App_Seg2 | App_Seg2 | 1 | 1 |
| user1 | Admin_Grp | server1.example.com:22+TCP | App_Seg1 | Dropped on client | 3 | N/A |
| user2 | IT_Grp | server1.example.com:22+TCP | App_Seg1 | Dropped on client | 3 | N/A |
| user3 | IT_Grp | server1.example.com:80+TCP | App_Seg1 | Dropped on client | 3 | N/A |
| user3 | IT_Grp | server1.example.com:443+TCP | App_Seg1, App_Seg2 | App_Seg2 | 2 | 2 |
Matched vs. Not Matched
Multiple matches apply to applications from most specific to least specific. As soon as an application is encountered that does not support Multimatch, the multimatching stops. The examples below show each possible outcome for matched and not matched results:
- Example 1
| Application | Multimatch | Requested Domain: server1.db.hr.company.com | Requested Domain: server2.ui.hr.company.com |
|---|---|---|---|
| *.db.hr.company.com | Enabled | Matched | Not matched |
| *.ui.hr.company.com | Disabled | Not matched | Matched |
| *.hr.company.com | Enabled | Matched | Not matched |
| *.company.com | Disabled | Not matched | Not matched |
- Example 2

| Application | Multimatch | Requested Domain: server1.db.hr.company.com |
|---|---|---|
| server1.db.hr.company.com | Enabled | Matched |
| *.db.hr.company.com | Enabled | Matched |
| *.hr.company.com | Enabled | Matched |
| *.company.com | Disabled | Not matched |
| *.com | Enabled | Not matched |
- Example 3

| Application | Multimatch | Requested Domain: server1.db.hr.company.com | Requested Domain: server2.db.hr.company.com |
|---|---|---|---|
| server1.db.hr.company.com | Disabled | Matched | Not matched |
| *.db.hr.company.com | Enabled | Not matched | Matched |
| *.hr.company.com | Enabled | Not matched | Matched |
| *.company.com | Disabled | Not matched | Not matched |
- Example 4

| Application | Multimatch | Requested Domain: server2.ui.hr.company.com |
|---|---|---|
| server2.ui.hr.company.com | Enabled | Matched |
| *.ui.hr.company.com | Disabled | Not matched |
| *.hr.company.com | Enabled | Not matched |
| *.company.com | Disabled | Not matched |
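The most-specific-first walk that stops at the first Multimatch-disabled segment, and the ordered policy search that runs over the matched set, are easy to get wrong when reasoning by hand, so the following simulation reproduces the results tables of the two scenarios above and the four Matched vs. Not Matched examples. It is an added example and not Zscaler or Zscaler Client Connector code: it encodes only the rules this page states, plus one assumption (marked in the code) about how a segment that matches the domain but not the requested port or protocol is treated during the walk. All segment, policy and request data are constructed from the page's tables; the function and class names are the example's own.

```python
"""Simulation of Multimatch vs. Exact Match segment matching and policy search.

Added example, not Zscaler code.  It encodes the rules stated on the page and
replays the page's sample tables (data constructed from those tables).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    name: str
    app: str             # exact FQDN or a "*.domain" wildcard
    protocols: frozenset  # e.g. frozenset({"TCP", "UDP"})
    ports: tuple          # inclusive (low, high) port ranges
    multimatch: bool      # Multimatch Enabled (True) / Disabled (False)


def domain_matches(pattern: str, fqdn: str) -> bool:
    """'*.example.com' matches any host below example.com; otherwise exact FQDN."""
    if pattern.startswith("*."):
        return fqdn.endswith(pattern[1:])
    return fqdn == pattern


def specificity(pattern: str):
    """Sort key: an exact FQDN beats a wildcard; more labels beats fewer."""
    return (0 if pattern.startswith("*.") else 1, pattern.count("."))


def covers(seg: Segment, port: int, proto: str) -> bool:
    return proto in seg.protocols and any(lo <= port <= hi for lo, hi in seg.ports)


def match_segments(segments, fqdn, port, proto, multimatch=True):
    """Return matched segment names, most specific first ([] = dropped on client).

    Rules from the page:
      * the most specific domain match is always considered first;
      * if it has Multimatch disabled (or Multimatch is off, multimatch=False),
        it is the only match, i.e. Exact Match behaviour;
      * otherwise the walk continues from most to least specific and stops at
        the first segment with Multimatch disabled, which is itself not matched.
    Assumption (not stated on the page): a segment whose protocol/ports do not
    cover the request is skipped without stopping the walk; in Exact Match mode
    such a segment means the request is dropped on the client.
    """
    ordered = sorted((s for s in segments if domain_matches(s.app, fqdn)),
                     key=lambda s: specificity(s.app), reverse=True)
    if not ordered:
        return []
    head = ordered[0]
    if not multimatch or not head.multimatch:
        return [head.name] if covers(head, port, proto) else []
    matched = []
    for seg in ordered:
        if not seg.multimatch:
            break                      # multimatching stops here
        if covers(seg, port, proto):
            matched.append(seg.name)
    return matched


def policy_search(policies, matched, group):
    """First rule (by number) whose segment was matched and whose group applies.

    Returns (rule number, action), or None when the default policy blocks.
    """
    for number, segment, action, rule_group in policies:
        if segment in matched and rule_group in ("All", group):
            return number, action
    return None


# Constructed from the page's tables -------------------------------------------
SEG1_PORTS = ((1, 52), (54, 65535))
SEGMENTS = [
    Segment("App_Seg1", "*.example.com", frozenset({"TCP", "UDP"}), SEG1_PORTS, True),
    Segment("App_Seg2", "server1.example.com", frozenset({"TCP"}), ((443, 443), (3389, 3389)), True),
]
# Second scenario: the Block rule inserted as rule 2.
POLICIES_WITH_BLOCK = [
    (1, "App_Seg2", "Allow", "Admin_Grp"),
    (2, "App_Seg2", "Block", "All"),
    (3, "App_Seg1", "Allow", "All"),
]
# First scenario: no Block rule.
POLICIES = [POLICIES_WITH_BLOCK[0], (2, "App_Seg1", "Allow", "All")]


def lookup(fqdn, port, group, policies=POLICIES, multimatch=True):
    """One row of the results tables: (matched segments, matched policy)."""
    matched = match_segments(SEGMENTS, fqdn, port, "TCP", multimatch)
    return matched, policy_search(policies, matched, group)


def wildcard_example(flags, fqdn):
    """The Matched vs. Not Matched examples: (pattern, Multimatch flag) pairs."""
    segs = [Segment(p, p, frozenset({"TCP"}), ((1, 65535),), on) for p, on in flags]
    return match_segments(segs, fqdn, 443, "TCP")


if __name__ == "__main__":
    for fqdn, port, group in [("server1.example.com", 3389, "Admin_Grp"),
                              ("server1.example.com", 22, "Admin_Grp"),
                              ("server1.example.com", 443, "IT_Grp")]:
        print(fqdn, port, group, "with:", lookup(fqdn, port, group),
              "without:", lookup(fqdn, port, group, multimatch=False))
```

Running the module prints the first scenario's rows; the port 22 and port 80 rows come back empty without Multimatch because the most specific domain match (App_Seg2) does not carry those ports, which is the "Dropped on client" outcome in the tables, while with Multimatch the walk skips App_Seg2 and lands on App_Seg1 and rule 2.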
When you have decided what application segments you want matched, you can enable Multimatch for that application segment. To learn more, see Configuring Defined Application Segments.