GRADED A+| 100% PASS
1. The Zero Trust Exchange verifies identity and context via an IdP. Once this is verified, policies
can be enforced to do what four actions? - ✔ANSWER
1. Allow
2. Block
3. Isolate
4. Prioritize
2. Zscaler Private Access (ZPA) configures connectivity to private applications and resources
hosted where? - ✔ANSWER
1. Infrastructure as a Service (IaaS)
2. Platform as a Service (PaaS)
3. Your private data center
3. Zscaler integrates with multiple IdP partners and can work with _______. - ✔ANSWER
Zscaler can integrate with Active Directory, Azure Active Directory, ADFS, Okta, Ping, or really
any SAML 2.0-compliant identity provider
4. What are the advantages of using SCIM? What are the disadvantages? - ✔ANSWER
Advantages -
- Updates information automatically
- Allows users to be deleted (While Auto-Provisioning can add user information, it cannot delete
users from the database)
Disadvantages -
- Not supported by all IdPs
5. What operations are supported by SCIM? - ✔ANSWER
1. Add Users: As they are assigned to the ZPA SP in the source IdP.
2. Delete Users: Remove ZPA access for users that are either removed from the ZPA SP in the
source IdP, or are removed from the directory completely.
3. Update Users: Update SCIM attributes dynamically (e.g. group memberships).
4. Apply Policy: Based on SCIM user or group attributes.
6. What is the Zscaler Client Connector (ZCC)? - ✔ANSWER It is a lightweight app that sits on
users' endpoints and enforces security policies and access controls regardless of device,
location, or application.
7. What is the recommended mode for Zscaler Client Connector (ZCC) to function when it's
forwarding traffic to Zscaler Internet Access (ZIA)? - ✔ANSWER The recommended
mechanism is to use the Zscaler tunnel.
8. What are the three authenticated tunnel options (meaning the options available once the user is
enrolled in Zscaler Client Connector (ZCC))? - ✔ANSWER
1. ZTunnel - Packet Filter Based
2. ZTunnel - Route-Based
3. ZTunnel with Local Proxy
9. What are the additional options that support legacy implementations for ZCC? - ✔ANSWER
1. Enforced PAC mode, which basically instruments the PAC file in the browser, similar to
what you'd get from a group policy object. That means that the browser itself is forced to go to
Zscaler Internet Access via a specified proxy.
2. None, meaning that the policy is not going to do any configuration of proxy or tunneling
mode, and relies on the group policy object or the default configuration within the browser.
10. Define Service Provider (SP) and the role it plays with IdP integration with Zscaler. -
✔ANSWER Service Provider (SP):
- The "Application". Also known as the Relying Party (RP) to the Identity Provider (IdP).
- Employs the services of an IdP for the Authentication and Authorization of users.
- Zscaler acts as a SAML SP.
11. Define Identity Provider (IdP) and the role it plays with IdP integration with Zscaler. -
✔ANSWER IdP:
- Authenticates Users/Devices.
- Provides Identifiers and Identity Assertions for users that wish to access a service.
- IdP examples include: Okta, Ping, AD FS, Azure AD.
12. Define Security Assertions and the role they play with IdP integration with Zscaler. - ✔ANSWER
- Also known as Tokens.
- Issued to users by the IdP.
- Presented to SPs / RPs to confirm authentication.
- Trust based on PKI.
- Assertions may contain: Authentication, Attribute, or Authorization statements.
13. Describe the authentication flow for Zscaler utilizing SAML with an IdP-initiated SSO. -
✔ANSWER
1. User clicks an application.
2. User is redirected to Zscaler. (ZIA or ZPA pending request)
3. User clicks to log into Zscaler (ZIA or ZPA pending request)
4. User is redirected to SAML IdP login (this can include user attributes and/or group
memberships)
5. User logs into IdP (this can include user attributes and/or group memberships)
6. IdP sends over assertion Identity to user (SAML assertion is encrypted)
7. User sends identity to Zscaler (SAML assertion is encrypted)
8. Zscaler issues auth token to user (assertion is verified)
9. User is given access to the application
14. What type of tunnel is ZTunnel 1.0? - ✔ANSWER It is an HTTP CONNECT tunnel. So as
traffic is forwarded into the tunnel, it creates a CONNECT method toward the cloud. It doesn't
really encapsulate the traffic. It simply adds some header information.
15. What type of tunnel is ZTunnel 2.0? - ✔ANSWER It is a DTLS (Datagram Transport Layer
Security) tunnel with fallback to TLS (Transport Layer Security) supporting all client traffic, which
means the Zscaler Firewall, as part of the Zero Trust Exchange, could inspect and apply policy on
all traffic.
16. Which is best practice, ZTunnel 1.0 or 2.0? - ✔ANSWER With Z-Tunnel 2.0, which is the
best practice option, the tunnel is the control channel and a single tunnel from the client to the
Zero Trust Exchange. Any notifications from the Client Connector admin portal (a.k.a. "Mobile
Admin") are passed through the Zero Trust Exchange directly to the client, and those happen in
real time.
17. Set this up in order to make the decision as to which forwarding profile matches our desired
outcome. - ✔ANSWER Multiple trusted networks.
18. What are the enforcing proxy action types? - ✔ANSWER 1. Automatically Detect Settings
- The client sends a WPAD (Web Proxy Auto-Discovery) lookup looking for a proxy.
2. Use Automatic Configuration Script - Explicitly configure where the Zscaler Client Connector
sets your custom system PAC file to download and run through that PAC file configuration for
traffic to be explicitly proxied to a proxy server. Also referred to as a forwarding PAC file.
3. Use Proxy Server for Your LAN - This is a hard-coded proxy import (IP address and a port or an
FQDN and a port) with the ability to bypass local addresses. A local address is something that is
non-fully qualified.
4. Execute GPO Update - The Windows machine will provide a GPO (Group Policy Object)
update/force from Active Directory to set the proxy settings on the machine.
19. What are the most common configuration items for an application profile? - ✔ANSWER
1. Custom PAC URL - References the PAC file configured in the ZIA Admin Portal, making
decisions on traffic that should be forwarded or bypassed from the Zero Trust Exchange.
2. Override WPAD - Ensures that the system GPO WPAD configuration is prevented, and makes
sure that the WPAD configuration in the forwarding profile takes precedence.
3. Restart WinHTTP - Specific to Windows devices. Ensures that the system refreshes all of the
proxy configuration once Zscaler Client Connector is established.
4. Install Zscaler SSL Certificate - Covered more in the next section. If you aren't pushing out
your own certificates from your own Certificate Authority, then simply enabling this option will
use the one provided by Zscaler.
5. Tunnel Internal Client Connector Traffic - Ensures that the health updates and policy traffic
passes through the Zscaler tunnels towards the Zero Trust Exchange. Or more specifically, it
doesn't go direct to the Zero Trust Exchange - it stays within the zero trust tunnels.