Zscaler Digital Transformation - Engineer (WIP) Exam Guide 2026
1. Current Zscaler Stats
    150 Zero Trust Exchange data centers worldwide
    230B+ Requests processed per day
    8.4B+ Security incidents & policy violations prevented per day
    250K Unique security updates per day
2. What are the three levels of Zscaler's multitenant architecture?
    1. Central Authority = The Brains
    2. Enforcement Nodes & Brokers = The Engines
    3. Logging Services = The Memory
3. What is the Control Plane?
    The control plane is where all of the policy administration and functions are done. All of the authentication exists at the control plane. This can be thought of as the Central Authority as well.
4. What is the Enforcement Node / Public Service Edge?
    Zscaler Enforcement Nodes (ZENs) are full-featured, inline internet security gateways within the Zscaler cloud. They inspect all web traffic bi-directionally for malware and enforce security and compliance policies. ZENs act as a proxy, handling traffic and applying security rules. These were relabeled Public Service Edges.
5. What is the ZIA Central Authority?
    The Zscaler Internet Access (ZIA) Central Authority (CA) is the brain and nervous system of a Zscaler cloud. It monitors the cloud and provides a central location for software and database updates, policy and configuration settings, and threat intelligence. The CA consists of one active server and two servers in passive standby mode. The active CA replicates data in real time to the two standby CAs, so any of them can become active at any time. Each server is hosted in a separate location to ensure fault tolerance.
6. What is the ZPA Central Authority?
    The Central Authority is the brains of the Zscaler Private Access cloud as well: it understands the applications that you define in your application segments, which App Connectors are able to service those requests, the health of those App Connectors, and the paths that users should take to get to those applications through those App Connectors. It also manages the visibility of those applications and gives you real-time updates on them.
7. How does the Zscaler Central Authority (CA) work?
    An administrator logs into the admin interface and gets a security token to access the data.
    Access is determined by RBAC for that administrator, which controls what they are able to see (e.g. they may or may not be allowed to see user information in the logs). The control can extend to a variety of areas, such as being able to manage certain security policies, URL filtering policies, firewall policies, etc.
    Admins may or may not be granted a token to access logs, download, view information, decrypt user info, etc., depending on access levels.
8. How does a user interact with the Public Service Edge (PSE)?
    When they connect, the node pulls down the policy information as a base policy object, then downloads only the changes between users (User A, User B, etc.). This is done with 192-bit bitmaps that reference the changes to the base policy.
    For traffic inspection, the PSE/ZEN (Zscaler Enforcement Node, the same thing as a PSE) performs a Single-Scan Multi-Action. The IP header is stripped and the packet is sent off to the different engines for processing, and the ZEN makes a decision based on the responses.
9. What is Zscaler's Peering Policy?
    Open, anyone can request access to peer.
10. How does Zscaler provide fault tolerance in their DCs?
    Within the data centers, there are multiple service instances, N+1 redundancy for every single one of the Zscaler Enforcement Nodes, and N+2 redundancy for our Central Authority, the brains of the cloud, as well as the logging content for the cloud. And then within those cloud nodes, there are load balancers.
11. Describe Zscaler's Order of Execution
12. What is Subcloud?
    A subcloud is a subset of ZIA Public Service Edges, which are full-featured secure internet gateways that inspect all web traffic bi-directionally for malware and enforce security, compliance and next-generation firewall (NGFW) policies. Subclouds are also of interest if you have Private Service Edges, or you want to restrict access to Public Service Edges.
    Useful to geofence users to specific locations, flip to different DCs if one is having issues, etc.
13. How do you set up Subcloud?
    You must use a custom PAC file that doesn't use the variables gateway.<Zscaler cloud> and ${GATEWAY} in its return statement.
    Use the following variables for applications that don't support PAC files:
        gateway.<Subcloud>.<Zscaler cloud>
        secondary.gateway.<Subcloud>.<Zscaler cloud>
    Use the following variables in PAC files:
        ${GATEWAY.<Subcloud>.<Zscaler cloud>}
        ${SECONDARY.GATEWAY.<Subcloud>.<Zscaler cloud>}
    Use the following variables for Kerberos:
        ${GATEWAY.<Subcloud>.<Zscaler cloud>_HOST}
        ${SECONDARY.GATEWAY.<Subcloud>.<Zscaler cloud>_HOST}
    For example, if you want to restrict traffic forwarding to data centers only in the US, then configure your PAC files to use the Zscaler-managed subcloud CONUS for any of the following clouds:
        zscaler.net
        zscalertwo.net
        zscalerthree.net
    Use the variables ${GATEWAY.CONUS.<Zscaler cloud>} and ${SECONDARY.GATEWAY.CONUS.<Zscaler cloud>} in the return statement of your PAC file.
14. What is Zscaler's position on China traffic and operations?
    The first thing to think about: Zscaler is simply an overlay network. We don't provide a VPN. We're not obfuscating the traffic. We're also not a content provider. We're a viable security solution to provide inspection and policy around a customer's traffic before it egresses to the internet. We don't generate traffic, we don't generate requests or create content.
    It's a simple security posture for customers. Users generate the request and they're accessing content that is provided by something else. Zscaler is applying that security policy. As an overlay network, Zscaler must comply and operate within the laws and regulations of the country where our nodes are hosted, including China.