QUESTIONS AND ANSWERS 2025/2026 GRADED A+
✔✔What is an Application Segment? (Select 3)
Options:
- A mechanism to append DNS Suffixes to short names
- A list of FQDNs or IP Addresses
- A list of TCP or UDP Ports
- A wildcard domain
- Segments define the network subnets applications exist on - ✔✔A list of FQDNs or IP Addresses
A list of TCP or UDP Ports
A wildcard domain
✔✔Zscaler Private Access isolation policy controls what?
Options:
- It prevents two clients on the same network from communicating (peer to peer)
- It triggers Zscaler Client Connector to prevent access to all applications
- It controls Browser Based Access to redirect the session into a web container
- It moves all user traffic into a container on the client - ✔✔It controls Browser Based
Access to redirect the session into a web container
✔✔Cloud Path can provide visibility over which paths?
Options:
- Cloud Path can provide visibility into the traffic going directly via ZIA and ZPA
- In tunnels formed over ZIA using ZCC Tunnel 2.0 only
- Mainly tunnels which are running ZPA (mtunnels)
- Direct Internet traffic only, as it is not possible to traceroute via Layer 7 Proxy -
✔✔Cloud Path can provide visibility into the traffic going directly via ZIA and ZPA
✔✔What component of SAML authentication is the Service Provider (SP)? - ✔✔Zscaler
acts as a SAML SP
✔✔What component of SAML authentication is the Identity Provider (IdP)? - ✔✔IdP
examples include: Okta, Ping, AD FS, Azure AD
✔✔What are security assertions? - ✔✔Also known as tokens, they are issued to users
by the IdP and presented to SPs/RPs to confirm authentication. Trust is based on Public
Key Infrastructure (PKI). Assertions may contain:
Authentication, Attribute, or Authorization statements.
✔✔How does SAML authentication work using Zscaler? - ✔✔1. Request Application
2. Redirect to Zscaler SP (ZIA/ZPA)
3. Login Request
4. Redirect to SAML IdP
5. Login to IdP
6. SAML Assertion Identity
7. SAML
8. Auth Token issued
9. Access granted to application
✔✔What functionality does SCIM provide? - ✔✔It supports the addition, deletion, and
updating of users as well as the ability to apply policy based on SCIM user or group
attributes.
✔✔Define a zero trust connection - ✔✔Independent of any network for control or trust.
Zero trust ensures access is granted by never sharing the network between the
originator and the destination application.
✔✔What tunnel methods does ZTunnel 2.0 use? - ✔✔DTLS with a fallback to TLS
✔✔How does ZTunnel 1.0 work? - ✔✔Uses an HTTP CONNECT tunnel. Uses 2 tunnels,
one connecting to ZTE for authentication, enrollment, and passing traffic. The other
tunnel is used for applying policy updates every 60 minutes.
✔✔What does the app profile PAC URL define? - ✔✔The Zero Trust Exchange node to
be used based on the client's geographic IP information.
✔✔What does a forwarding profile PAC do? - ✔✔Steers traffic toward or away from the
Client Connector
✔✔What does an app profile PAC do? - ✔✔Steers traffic toward or away from the
Zscaler Cloud
✔✔How often does Zscaler Client Connector download policy updates
for the app profiles and forwarding profiles? - ✔✔Every hour
✔✔How often will Zscaler Client Connector download the PAC file of the
app profiles and the forwarding profiles? - ✔✔Every 15 minutes
✔✔How do app connectors work? - ✔✔They establish connections through the firewall
to the Zscaler cloud and the Zero Trust Exchange facilitates a reverse connection.
✔✔How are app connectors deployed? - ✔✔A provisioning key is created for each
connector group, which is signed by an intermediate certificate authority and