1. What benefits does a Zscaler Tunnel have over other forwarding
mechanisms for Zscaler Client Connector?
Options:
- Tunnels are the only mechanism to install ZCC
- Tunnels enable only HTTP and HTTPS traffic to be forwarded by
ZCC
- Tunnels enable Zscaler to control the end user device
- Tunnels encapsulate traffic and authenticate to the Zero Trust
Exchange - ANSWER Tunnels encapsulate traffic and authenticate to
the Zero Trust Exchange
2. The Zero Trust Exchange verifies identity and context via an IdP. Once this
is verified policies can be enforced to do what four actions? - ANSWER 1.
Allow
2. Block
3. Isolate
4. Prioritize
3. If you're migrating from an on-premises proxy to the Zscaler Internet Access
platform, existing PAC files may be migrated to Zscaler. (True or False?) -
ANSWER True
4. These three actions can be pushed out through group policy objects and
identified from your existing PAC file, migrated into the browser
configuration, and pushed out before the migration to Zscaler occurs. -
ANSWER 1) the intranet zone and saying these sites are my intranet sites
that I should then automatically authenticate to within Google Chrome,
Edge browsers, etc... via the
2) AuthServerAllowList. And within Firefox you would add things to the
3) auth.trusted-uris configuration option.
5. Client Connector Intervals (when will ZCC refresh information it has about
apps, profiles, PAC files, and/or policy) - On network change - ANSWER
Any time there is a network change, such as when the device comes out of
hibernation and reconnects to Wi-Fi, I turn Wi-Fi on and off, or I restart the
processes. There'll be a full refresh of all of those objects.
6. Client Connector Intervals (when will ZCC refresh information it has about
apps, profiles, PAC files, and/or policy) - Every Two Hours - ANSWER
Every two hours Zscaler Client Connector will check for software updates.
7. Client Connector Intervals (when will ZCC refresh information it has about
apps, profiles, PAC files, and/or policy) - Every Hour - ANSWER Every
hour Zscaler Client Connector will connect and download any policy
updates for the app profiles and forwarding profiles. If the PAC files or
URLs are changed, it will automatically update every hour as this counts as
a profile change.
8. Client Connector Intervals (when will ZCC refresh information it has about
apps, profiles, PAC files, and/or policy) - Every 15 Minutes - ANSWER
However every 15 minutes, Zscaler Client Connector will download the
PAC file of the app profiles and the forwarding profiles in case they have
changed.
9. Client Connector Intervals (when will ZCC refresh information it has about
apps, profiles, PAC files, and/or policy) - Manually - ANSWER The end
user can obviously also initiate an update through the administration of
Zscaler Client Connector and force a check for software updates or force a
check for policy change.
10. What posture checks can be done on BYOD & Corporate devices? -
ANSWER 1. Device Security - Anti-Virus, OS Version, Disk Encryption,
Firewall
2. Endpoint Protection - use this in policy to provide access to applications. And
then interface with third-party endpoint protection, such as Carbon Black,
CrowdStrike, SentinelOne, Defender, and the CrowdStrike ZTA score to make
policy decisions.
- For example, if Defender tells us the device is compromised, then we
can prevent access to an application.
11. What does the Strict Enforcement option do? - ANSWER cloudName and
policyToken options to ensure that the user is automatically triggered to the
right cloud and authentication token.
Basically it makes sure that the user can not access the Internet until they are
enrolled.
12. What do you need to ensure when deploying app connectors? - ANSWER
1. They are deployed in pairs (minimum)
2. Can route to the internet and internal applications.
3. Meet the minimum VM requirements.
4. Can connect to applications (TCP/UDP) for health checking.
5. Source IPs are registered in Active Directory Sites & Services, as the
requests will be seen as coming from the App Connectors.
2. When deploying an app connector the connector group needs what
provisioned for each group? - ANSWER A provisioning key.
Provisioning keys are signed by an intermediate certificate authority and the
intermediate trusted by the root CA. Clients are enrolled against a client
intermediate certificate authority.
3. Note: Revoking/deleting the intermediates breaks the trust, invalidating the
provisioning keys. THESE PROVISIONING KEYS ARE TO BE
TREATED AS IF THEY ARE CREDENTIALS.
4. When provisioning connector groups for app connectors what must they be
associated with? - ANSWER A Server Group.
Note: Dynamic Server Discovery on that server group means that either the
group or the connectors will automatically perform DNS resolution and create
synthetic server associations that advertise those applications. This is the default
(recommended) configuration, and it is not recommended to move away from
Dynamic Server Discovery unless for a very specific reason.
5. What is an application segment? - ANSWER This is a grouping of
applications (which must be defined within an application segment), those
defined FQDNs that make that application function. A segment group is a
grouping of similar applications that you want to apply policy to.
Example: If you wanted Sales to be able to access all of these applications. In
such a case, there would be different applications in different segments,