Zscaler ZDTA Exam: Key Concepts, Question Types, and Security
Features ACTUAL UPDATED QUESTIONS AND CORRECT ANSWERS
How many questions and how much time are on the 50 questions and 90 minutes of seat time.
ZDTA exam?
What types of questions are on the ZDTA exam? Multiple choice, scenarios with graphics, and matching.
Which seven domains are tested on the ZDTA exam? Identity Services, Basic Connectivity, Platform Services, Zscaler Digital
Experience, Access Control, Cybersecurity Services, and Basic Data Protection.
What is the first thing Zscaler does when a user connects It verifies identity and context and consumes attributes for policy decisions.
to the Zero Trust Exchange?
Which Zscaler product protects SaaS and internet Zscaler Internet Access (ZIA) protects SaaS and internet apps; Zscaler Private
applications, and which protects private applications? Access (ZPA) connects users to private applications and resources.
Besides SAML, what other identity methods can ZIA use? LDAP or a hosted database.
Name some common identity providers Zscaler Active Directory, Azure AD, ADFS, Okta, Ping, and any SAML 2.0-compliant
integrates with. identity provider.
After SAML authentication, where are attributes used to In the Zscaler Client Connector Portal via the service entitlement policy.
decide ZPA and ZDX enrollment?
What is Z-Tunnel 1.0 and what type of traffic does it A legacy HTTP CONNECT tunnel that mainly intercepts TCP port 80 and 443
primarily handle? traffic.
, What are two key limitations of Z-Tunnel 1.0? It does not truly encapsulate traffic and provides limited visibility into non-web
traffic.
What is Z-Tunnel 2.0 and why is it the best practice A DTLS tunnel with TLS fallback that supports all client traffic (TCP, UDP, ICMP)
option? and provides a control channel for real-time updates and logging.
Why does Z-Tunnel 2.0 use DTLS over UDP and when DTLS over UDP gives faster transport; it falls back to TLS over TCP if UDP is
does it fall back to TLS/TCP? blocked, such as by a firewall.
In route-based tunnel mode, how does traffic reach Traffic follows the routing table into a routed adapter bound to Zscaler Client
Zscaler? Connector, then is forwarded to the Zscaler cloud or bypassed to the internet
according to policy.
In Tunnel with Local Proxy mode, what is required for A Forwarding Profile PAC targeting the local listener on Zscaler Client Connector
proxy-aware applications? so proxy-aware apps send traffic to it.
What does Trusted Network Detection use to decide if a Hostname and IP mapping, DNS search domains, and DNS server information
user is on a trusted network? from DHCP.
With tunnel mode, what is the recommended setting for Enforce a no-proxy configuration to avoid conflicting with tunnel-based
system proxy configuration and why? forwarding.
What is the purpose of the strictEnforcement option To require cloudName and policyToken so the user is directed to the correct
during Client Connector installation? cloud and cannot access the internet until enrolled.
Where can you find Zscaler Client Connector logs on In the C:\\ProgramData\\zscaler directory.
Windows for troubleshooting?
What are some core components of Zscaler's Platform Private Service Edges, Device Posture, TLS Inspection, Policy Framework, and
Services suite? Analytics and Reporting.
What does Device Posture do within Zscaler Client It assigns a device trust level used in Zero Trust Network Access policy decisions.
Connector?
Give examples of posture checks used to distinguish Checks such as root CA trust, domain join state, registry entries, specific files, and
BYOD from corporate devices. client certificate properties.
Why is TLS inspection necessary from a security Without TLS inspection, controls are blind to malicious payloads, data leakage,
perspective? and emerging threats inside encrypted traffic.
After decryption, what HTTP elements become visible for HTTP headers, request and response headers, full request URL, request method,
inspection? and the payload.
What problem can certificate pinning cause for TLS Pinned apps reject Zscaler's man-in-the-middle certificate, so those apps may
inspection and how might it be mitigated? need SSL bypass or special configuration while browser access remains possible.
Name at least four criteria that Zscaler's granular policy User, group, or department; URL category or cloud app; destination IP or FQDN
engine can use. group; device name, OS, and trust level; TLS version and certificate validation
state.
Features ACTUAL UPDATED QUESTIONS AND CORRECT ANSWERS
How many questions and how much time are on the 50 questions and 90 minutes of seat time.
ZDTA exam?
What types of questions are on the ZDTA exam? Multiple choice, scenarios with graphics, and matching.
Which seven domains are tested on the ZDTA exam? Identity Services, Basic Connectivity, Platform Services, Zscaler Digital
Experience, Access Control, Cybersecurity Services, and Basic Data Protection.
What is the first thing Zscaler does when a user connects It verifies identity and context and consumes attributes for policy decisions.
to the Zero Trust Exchange?
Which Zscaler product protects SaaS and internet Zscaler Internet Access (ZIA) protects SaaS and internet apps; Zscaler Private
applications, and which protects private applications? Access (ZPA) connects users to private applications and resources.
Besides SAML, what other identity methods can ZIA use? LDAP or a hosted database.
Name some common identity providers Zscaler Active Directory, Azure AD, ADFS, Okta, Ping, and any SAML 2.0-compliant
integrates with. identity provider.
After SAML authentication, where are attributes used to In the Zscaler Client Connector Portal via the service entitlement policy.
decide ZPA and ZDX enrollment?
What is Z-Tunnel 1.0 and what type of traffic does it A legacy HTTP CONNECT tunnel that mainly intercepts TCP port 80 and 443
primarily handle? traffic.
, What are two key limitations of Z-Tunnel 1.0? It does not truly encapsulate traffic and provides limited visibility into non-web
traffic.
What is Z-Tunnel 2.0 and why is it the best practice A DTLS tunnel with TLS fallback that supports all client traffic (TCP, UDP, ICMP)
option? and provides a control channel for real-time updates and logging.
Why does Z-Tunnel 2.0 use DTLS over UDP and when DTLS over UDP gives faster transport; it falls back to TLS over TCP if UDP is
does it fall back to TLS/TCP? blocked, such as by a firewall.
In route-based tunnel mode, how does traffic reach Traffic follows the routing table into a routed adapter bound to Zscaler Client
Zscaler? Connector, then is forwarded to the Zscaler cloud or bypassed to the internet
according to policy.
In Tunnel with Local Proxy mode, what is required for A Forwarding Profile PAC targeting the local listener on Zscaler Client Connector
proxy-aware applications? so proxy-aware apps send traffic to it.
What does Trusted Network Detection use to decide if a Hostname and IP mapping, DNS search domains, and DNS server information
user is on a trusted network? from DHCP.
With tunnel mode, what is the recommended setting for Enforce a no-proxy configuration to avoid conflicting with tunnel-based
system proxy configuration and why? forwarding.
What is the purpose of the strictEnforcement option To require cloudName and policyToken so the user is directed to the correct
during Client Connector installation? cloud and cannot access the internet until enrolled.
Where can you find Zscaler Client Connector logs on In the C:\\ProgramData\\zscaler directory.
Windows for troubleshooting?
What are some core components of Zscaler's Platform Private Service Edges, Device Posture, TLS Inspection, Policy Framework, and
Services suite? Analytics and Reporting.
What does Device Posture do within Zscaler Client It assigns a device trust level used in Zero Trust Network Access policy decisions.
Connector?
Give examples of posture checks used to distinguish Checks such as root CA trust, domain join state, registry entries, specific files, and
BYOD from corporate devices. client certificate properties.
Why is TLS inspection necessary from a security Without TLS inspection, controls are blind to malicious payloads, data leakage,
perspective? and emerging threats inside encrypted traffic.
After decryption, what HTTP elements become visible for HTTP headers, request and response headers, full request URL, request method,
inspection? and the payload.
What problem can certificate pinning cause for TLS Pinned apps reject Zscaler's man-in-the-middle certificate, so those apps may
inspection and how might it be mitigated? need SSL bypass or special configuration while browser access remains possible.
Name at least four criteria that Zscaler's granular policy User, group, or department; URL category or cloud app; destination IP or FQDN
engine can use. group; device name, OS, and trust level; TLS version and certificate validation
state.