ZSCALER EDU 200 ESSENTIALS ZDTA EXAMS SCRIPT
QUESTIONS AND ANSWERS 2025/2026 GRADED A+
✔✔When moving from an Explicit Proxy to a Tunneled/Transparent Proxy - what, if any,
effects will be seen on the client? (Select 3)
Options:
- No Effect
- The client will always resolve DNS
- The client browser needs re-configuration
- Authenticated websites may no longer work
- An Explicit Proxy and a Transparent Proxy are the same thing - ✔✔The client will
always resolve DNS
The client browser needs re-configuration
Authenticated websites may no longer work
✔✔What benefits does a Zscaler Tunnel have over other forwarding mechanisms for
Zscaler Client Connector?
Options:
- Tunnels are the only mechanism to install ZCC
- Tunnels enable only HTTP and HTTPS traffic to be forwarded by ZCC
- Tunnels enable Zscaler to control the end user device
- Tunnels encapsulate traffic and authenticate to the Zero Trust Exchange - ✔✔Tunnels
encapsulate traffic and authenticate to the Zero Trust Exchange
✔✔Browser Based Access enables what kinds of applications to be published?
Options:
- HTTP and HTTPS
- RDP and SSH
- Telnet and RDP
- HTTP, HTTPS, and SSH - ✔✔HTTP and HTTPS
✔✔Why is Z-Tunnel 2.0 superior to Z-Tunnel 1.0? (Select 3)
Options:
- Provides a control channel to update device
- Faster transport mechanism
- Allows multicast traffic
- Enables Cloud Firewall
- Z-Tunnel 1.0 is no longer supported - ✔✔Provides a control channel to update device
Faster transport mechanism
Enables Cloud Firewall
,✔✔What conditions exist for Trusted Network Detection?
Options:
- Hostname Resolution, Network Adaptor IP, Default Gateway
- Hostname Resolution, DNS Servers, Geo Location
- DNS Search Domain, DNS Server, Hostname Resolution
- DNS Servers, DNS Search Domain, Network Adaptor IP - ✔✔DNS Search Domain,
DNS Server, Hostname Resolution
✔✔A server group maps _____ to ____?
Options:
- App Connectors Groups to Application Segments
- Applications to FQDNS
- FQDNs to IP Addresses
- Applications to Application Groups - ✔✔App Connectors Groups to Application
Segments
✔✔Why is SSL/TLS inspection critical in a security architecture?
Options:
- It is not important
- QUIC is an encrypted protocol that rides on SSL; hence, it is important from an
HTTP/3 inspection perspective
- 85-90% of all internet traffic is SSL/TLS encrypted (including threats), as protocols
such as HTTP/2 are only delivered over TLS; SSL/TLS inspection allows you to inspect
the connection and look at the full payload, including HTTP headers, which is important
to be able to block malicious traffic and prevent sensitive data from leaking out of an
organization
- A MITM (man-in-the-middle) attack should always be performed, even for certificate-
pinned applications, as it allows for real-time visibility and storing transactions in plain
text for further inspection by a third auditing party - ✔✔85-90% of all internet traffic is
SSL/TLS encrypted (including threats), as protocols such as HTTP/2 are only delivered
over TLS; SSL/TLS inspection allows you to inspect the connection and look at the full
payload, including HTTP headers, which is important to be able to block malicious traffic
and prevent sensitive data from leaking out of an organization
✔✔How much of an organization's traffic can Zscaler perform SSL/TLS inspection on?
Options:
- Zscaler inspects and decrypts 100% of TLS traffic without constraints
- Up to 50%, based on the geography from which a customer is logging in
- All traffic except for zero day malicious files, which cannot be inspected due to evasive
techniques built into file's process list
, - All traffic except for traffic originating from SaaS providers such as Salesforce, who
utilize special SSL evasion techniques - ✔✔Zscaler inspects and decrypts 100% of TLS
traffic without constraints
✔✔What address translation options are available in the Firewall policy? (Select 3)
Options:
- Destination Port Translation
- Source IP Translation to static IP
- Destination IP Translation to static IP
- Source Port Translation
- Destination IP Translation to FQDN - ✔✔Destination Port Translation
Destination IP Translation to static IP
Destination IP Translation to FQDN
✔✔What is the purpose of the Client Forwarding policy?
Options:
- It defines which Zero Trust Exchange data centers are used
- It controls whether Zscaler Internet Access, Private Access, or Digital Experience is
enabled in the client
- It defines which Application Segments definitions are downloaded by the Zscaler
Client Connector
- It enables forwarding of traffic from ZIA to ZPA for source IP anchoring - ✔✔It defines
which Application Segments definitions are downloaded by the Zscaler Client Connector
✔✔In Zscaler Private Access policy, which criteria can be used to control access?
(Select 3)
Options
- Zero Trust Exchange data center
- SAML or SCIM Attribute
- Client Connector Posture and Trusted Network
- Client Type
- Zscaler Internet Access Enabled - ✔✔SAML or SCIM Attribute
Client Connector Posture and Trusted Network
Client Type
✔✔Which are the acceptable actions for Firewall policy? (Select 3)
Options:
- Allow
- Block/Drop
- Block/Reset
- Block/FIN+ACK
QUESTIONS AND ANSWERS 2025/2026 GRADED A+
✔✔When moving from an Explicit Proxy to a Tunneled/Transparent Proxy - what, if any,
effects will be seen on the client? (Select 3)
Options:
- No Effect
- The client will always resolve DNS
- The client browser needs re-configuration
- Authenticated websites may no longer work
- An Explicit Proxy and a Transparent Proxy are the same thing - ✔✔The client will
always resolve DNS
The client browser needs re-configuration
Authenticated websites may no longer work
✔✔What benefits does a Zscaler Tunnel have over other forwarding mechanisms for
Zscaler Client Connector?
Options:
- Tunnels are the only mechanism to install ZCC
- Tunnels enable only HTTP and HTTPS traffic to be forwarded by ZCC
- Tunnels enable Zscaler to control the end user device
- Tunnels encapsulate traffic and authenticate to the Zero Trust Exchange - ✔✔Tunnels
encapsulate traffic and authenticate to the Zero Trust Exchange
✔✔Browser Based Access enables what kinds of applications to be published?
Options:
- HTTP and HTTPS
- RDP and SSH
- Telnet and RDP
- HTTP, HTTPS, and SSH - ✔✔HTTP and HTTPS
✔✔Why is Z-Tunnel 2.0 superior to Z-Tunnel 1.0? (Select 3)
Options:
- Provides a control channel to update device
- Faster transport mechanism
- Allows multicast traffic
- Enables Cloud Firewall
- Z-Tunnel 1.0 is no longer supported - ✔✔Provides a control channel to update device
Faster transport mechanism
Enables Cloud Firewall
,✔✔What conditions exist for Trusted Network Detection?
Options:
- Hostname Resolution, Network Adaptor IP, Default Gateway
- Hostname Resolution, DNS Servers, Geo Location
- DNS Search Domain, DNS Server, Hostname Resolution
- DNS Servers, DNS Search Domain, Network Adaptor IP - ✔✔DNS Search Domain,
DNS Server, Hostname Resolution
✔✔A server group maps _____ to ____?
Options:
- App Connectors Groups to Application Segments
- Applications to FQDNS
- FQDNs to IP Addresses
- Applications to Application Groups - ✔✔App Connectors Groups to Application
Segments
✔✔Why is SSL/TLS inspection critical in a security architecture?
Options:
- It is not important
- QUIC is an encrypted protocol that rides on SSL; hence, it is important from an
HTTP/3 inspection perspective
- 85-90% of all internet traffic is SSL/TLS encrypted (including threats), as protocols
such as HTTP/2 are only delivered over TLS; SSL/TLS inspection allows you to inspect
the connection and look at the full payload, including HTTP headers, which is important
to be able to block malicious traffic and prevent sensitive data from leaking out of an
organization
- A MITM (man-in-the-middle) attack should always be performed, even for certificate-
pinned applications, as it allows for real-time visibility and storing transactions in plain
text for further inspection by a third auditing party - ✔✔85-90% of all internet traffic is
SSL/TLS encrypted (including threats), as protocols such as HTTP/2 are only delivered
over TLS; SSL/TLS inspection allows you to inspect the connection and look at the full
payload, including HTTP headers, which is important to be able to block malicious traffic
and prevent sensitive data from leaking out of an organization
✔✔How much of an organization's traffic can Zscaler perform SSL/TLS inspection on?
Options:
- Zscaler inspects and decrypts 100% of TLS traffic without constraints
- Up to 50%, based on the geography from which a customer is logging in
- All traffic except for zero day malicious files, which cannot be inspected due to evasive
techniques built into file's process list
, - All traffic except for traffic originating from SaaS providers such as Salesforce, who
utilize special SSL evasion techniques - ✔✔Zscaler inspects and decrypts 100% of TLS
traffic without constraints
✔✔What address translation options are available in the Firewall policy? (Select 3)
Options:
- Destination Port Translation
- Source IP Translation to static IP
- Destination IP Translation to static IP
- Source Port Translation
- Destination IP Translation to FQDN - ✔✔Destination Port Translation
Destination IP Translation to static IP
Destination IP Translation to FQDN
✔✔What is the purpose of the Client Forwarding policy?
Options:
- It defines which Zero Trust Exchange data centers are used
- It controls whether Zscaler Internet Access, Private Access, or Digital Experience is
enabled in the client
- It defines which Application Segments definitions are downloaded by the Zscaler
Client Connector
- It enables forwarding of traffic from ZIA to ZPA for source IP anchoring - ✔✔It defines
which Application Segments definitions are downloaded by the Zscaler Client Connector
✔✔In Zscaler Private Access policy, which criteria can be used to control access?
(Select 3)
Options
- Zero Trust Exchange data center
- SAML or SCIM Attribute
- Client Connector Posture and Trusted Network
- Client Type
- Zscaler Internet Access Enabled - ✔✔SAML or SCIM Attribute
Client Connector Posture and Trusted Network
Client Type
✔✔Which are the acceptable actions for Firewall policy? (Select 3)
Options:
- Allow
- Block/Drop
- Block/Reset
- Block/FIN+ACK
