Zabbix Certified Specialist Exam (3)
(2026/2027 Update)
Questions and Verified Answers | Grade A
Domain 1: Distributed Monitoring & Proxy Architecture (12
Question
Sub-Topic 1.1: Active vs. Passive Proxy Communication Modes and Port
Configuration (4 Questions
Question 1 (Multiple-Choice)
Your organization has deployed a Zabbix proxy in a remote data center behind a strict
corporate firewall that only allows outbound connections. The central Zabbix server is
located in the corporate headquarters and is reachable via the internet. Which proxy
configuration mode and port combination should you implement to ensure reliable
monitoring data collection?
A) Passive proxy mode with the proxy listening on port 10051, and the server configured to
connect to the proxy's external IP address
B) Active proxy mode with the proxy initiating connections to the server on port 10051,
using the Server parameter in zabbix_proxy.conf
C) Active proxy mode with the proxy listening on port 10051 for incoming server
connections
D) Passive proxy mode with the proxy initiating outbound connections to the server on
port 10050
Answer: B) Active proxy mode with the proxy initiating connections to the server on port
10051, using the Server parameter in zabbix_proxy.conf [CORRECT]
Rationale: In active proxy mode, the proxy initiates outbound connections to the central
Zabbix server's trapper process on port 10051. This is the optimal architecture for
environments with strict inbound firewall rules, as it requires only outbound connectivity
from the proxy to the server. The Server parameter in zabbix_proxy.conf specifies the IP
,address or hostname of the central Zabbix server. This operational scalability allows
deployment across DMZ networks, cloud VPCs, and remote sites without requiring firewall
pinholes inbound to the proxy. The trapper process on the server (port 10051) receives
and processes the buffered data sent by the active proxy.
Question 2 (Select-All-That-Apply)
A Zabbix administrator is configuring a passive proxy for a managed service provider
(MSP) environment where the central server must initiate all monitoring connections.
Which of the following configuration parameters and behaviors are correctly associated
with passive proxy operation? (Select all that apply.)
A) The proxy must have ProxyMode=1 configured in zabbix_proxy.conf
B) The central server must have the proxy's IP address or DNS name configured in the
frontend under Administration → Proxies
C) The proxy listens for incoming server connections on TCP port 10051
D) The proxy actively connects to the server on port 10051 to push collected data
E) The proxy requires the Server parameter to specify the central server's IP address for
incoming connection validation
F) The proxy maintains a local SQLite database for data buffering during server outages
Answers: B, C, E [CORRECT]
Rationale: In passive proxy mode (ProxyMode=1 is incorrect—passive mode is actually
ProxyMode=0 in Zabbix; active mode is ProxyMode=1), the proxy listens on port 10051 for
incoming connections from the central server, making B and C correct. The Server
parameter (E) is required in passive mode to define which server IP addresses are
permitted to connect to the proxy for security validation. Option A is incorrect because
ProxyMode=1 designates active mode, not passive. Option D describes active proxy
behavior. Option F, while true that proxies use local databases for buffering, is not specific
to passive mode and applies to both modes.
,Question 3 (True/False)
In an active proxy deployment, the central Zabbix server must have a direct network route
and open firewall rule allowing inbound TCP connections to the proxy on port 10051.
A) True
B) False
Answer: B) False [CORRECT]
Rationale: This statement is false. In active proxy mode, the proxy initiates outbound
connections to the central server on port 10051—the server does not need to initiate any
connections to the proxy. The proxy establishes the connection from inside the network to
the server's trapper process, completely eliminating the need for inbound firewall rules to
the proxy. This architecture is specifically designed for scenarios where the proxy resides
behind NAT, in a DMZ, or in cloud environments where inbound access is restricted. The
operational scalability impact is significant: active proxies can be deployed across
thousands of remote sites without requiring VPN tunnels or firewall exceptions for each
location.
Question 4 (Multiple-Choice)
A financial services company operates Zabbix proxies across three regional offices. The
London office proxy is configured in passive mode, while the Singapore and New York
proxies operate in active mode. During a routine security audit, the network team
discovers that port 10051 is open inbound on the London proxy's firewall but closed
inbound on the Singapore and New York proxies. The audit report flags this as a potential
security concern for the London office. Which architectural change would maintain
monitoring functionality while addressing the security concern?
A) Reconfigure the London proxy to active mode and close inbound port 10051, allowing
the proxy to initiate outbound connections to the server
B) Implement IP whitelisting on the London proxy's firewall to restrict port 10051 access
to the central server's IP only
C) Deploy a VPN tunnel between London and headquarters, keeping passive mode but
encrypting all traffic
, D) Change the London proxy to listen on a non-standard port above 1024 to avoid
detection by automated scanners
Answer: A) Reconfigure the London proxy to active mode and close inbound port 10051,
allowing the proxy to initiate outbound connections to the server [CORRECT]
Rationale: Reconfiguring the London proxy to active mode eliminates the need for
inbound firewall rules entirely, as the proxy will initiate outbound connections to the
central server's trapper process on port 10051. This standardizes the architecture across
all three regional offices to the more secure active mode, which is the recommended
approach for distributed monitoring. While option B (IP whitelisting) reduces risk, it does
not eliminate the attack surface of an open listening port. Option C adds unnecessary
complexity and does not address the fundamental issue of an exposed listening service.
Option D provides security through obscurity, which is not a valid security strategy.
Sub-Topic 1.2: Proxy Data Buffering and Offline Queuing (3 Questions)
Question 5 (Multiple-Choice)
A retail company operates 500 Zabbix active proxies across store locations, each
monitoring local POS systems, HVAC controllers, and network equipment. During a
scheduled maintenance window, the central Zabbix server will be offline for 4 hours. Which
statement accurately describes the expected behavior of the active proxies during this
outage?
A) The proxies will discard all collected data after 60 minutes and resume normal
collection only after the server returns
B) The proxies will buffer all collected historical metrics in their local database,
automatically synchronizing the backlog once the server is restored
C) The proxies will switch to standalone mode and begin alerting via local email
configurations
(2026/2027 Update)
Questions and Verified Answers | Grade A
Domain 1: Distributed Monitoring & Proxy Architecture (12
Question
Sub-Topic 1.1: Active vs. Passive Proxy Communication Modes and Port
Configuration (4 Questions
Question 1 (Multiple-Choice)
Your organization has deployed a Zabbix proxy in a remote data center behind a strict
corporate firewall that only allows outbound connections. The central Zabbix server is
located in the corporate headquarters and is reachable via the internet. Which proxy
configuration mode and port combination should you implement to ensure reliable
monitoring data collection?
A) Passive proxy mode with the proxy listening on port 10051, and the server configured to
connect to the proxy's external IP address
B) Active proxy mode with the proxy initiating connections to the server on port 10051,
using the Server parameter in zabbix_proxy.conf
C) Active proxy mode with the proxy listening on port 10051 for incoming server
connections
D) Passive proxy mode with the proxy initiating outbound connections to the server on
port 10050
Answer: B) Active proxy mode with the proxy initiating connections to the server on port
10051, using the Server parameter in zabbix_proxy.conf [CORRECT]
Rationale: In active proxy mode, the proxy initiates outbound connections to the central
Zabbix server's trapper process on port 10051. This is the optimal architecture for
environments with strict inbound firewall rules, as it requires only outbound connectivity
from the proxy to the server. The Server parameter in zabbix_proxy.conf specifies the IP
,address or hostname of the central Zabbix server. This operational scalability allows
deployment across DMZ networks, cloud VPCs, and remote sites without requiring firewall
pinholes inbound to the proxy. The trapper process on the server (port 10051) receives
and processes the buffered data sent by the active proxy.
Question 2 (Select-All-That-Apply)
A Zabbix administrator is configuring a passive proxy for a managed service provider
(MSP) environment where the central server must initiate all monitoring connections.
Which of the following configuration parameters and behaviors are correctly associated
with passive proxy operation? (Select all that apply.)
A) The proxy must have ProxyMode=1 configured in zabbix_proxy.conf
B) The central server must have the proxy's IP address or DNS name configured in the
frontend under Administration → Proxies
C) The proxy listens for incoming server connections on TCP port 10051
D) The proxy actively connects to the server on port 10051 to push collected data
E) The proxy requires the Server parameter to specify the central server's IP address for
incoming connection validation
F) The proxy maintains a local SQLite database for data buffering during server outages
Answers: B, C, E [CORRECT]
Rationale: In passive proxy mode (ProxyMode=1 is incorrect—passive mode is actually
ProxyMode=0 in Zabbix; active mode is ProxyMode=1), the proxy listens on port 10051 for
incoming connections from the central server, making B and C correct. The Server
parameter (E) is required in passive mode to define which server IP addresses are
permitted to connect to the proxy for security validation. Option A is incorrect because
ProxyMode=1 designates active mode, not passive. Option D describes active proxy
behavior. Option F, while true that proxies use local databases for buffering, is not specific
to passive mode and applies to both modes.
,Question 3 (True/False)
In an active proxy deployment, the central Zabbix server must have a direct network route
and open firewall rule allowing inbound TCP connections to the proxy on port 10051.
A) True
B) False
Answer: B) False [CORRECT]
Rationale: This statement is false. In active proxy mode, the proxy initiates outbound
connections to the central server on port 10051—the server does not need to initiate any
connections to the proxy. The proxy establishes the connection from inside the network to
the server's trapper process, completely eliminating the need for inbound firewall rules to
the proxy. This architecture is specifically designed for scenarios where the proxy resides
behind NAT, in a DMZ, or in cloud environments where inbound access is restricted. The
operational scalability impact is significant: active proxies can be deployed across
thousands of remote sites without requiring VPN tunnels or firewall exceptions for each
location.
Question 4 (Multiple-Choice)
A financial services company operates Zabbix proxies across three regional offices. The
London office proxy is configured in passive mode, while the Singapore and New York
proxies operate in active mode. During a routine security audit, the network team
discovers that port 10051 is open inbound on the London proxy's firewall but closed
inbound on the Singapore and New York proxies. The audit report flags this as a potential
security concern for the London office. Which architectural change would maintain
monitoring functionality while addressing the security concern?
A) Reconfigure the London proxy to active mode and close inbound port 10051, allowing
the proxy to initiate outbound connections to the server
B) Implement IP whitelisting on the London proxy's firewall to restrict port 10051 access
to the central server's IP only
C) Deploy a VPN tunnel between London and headquarters, keeping passive mode but
encrypting all traffic
, D) Change the London proxy to listen on a non-standard port above 1024 to avoid
detection by automated scanners
Answer: A) Reconfigure the London proxy to active mode and close inbound port 10051,
allowing the proxy to initiate outbound connections to the server [CORRECT]
Rationale: Reconfiguring the London proxy to active mode eliminates the need for
inbound firewall rules entirely, as the proxy will initiate outbound connections to the
central server's trapper process on port 10051. This standardizes the architecture across
all three regional offices to the more secure active mode, which is the recommended
approach for distributed monitoring. While option B (IP whitelisting) reduces risk, it does
not eliminate the attack surface of an open listening port. Option C adds unnecessary
complexity and does not address the fundamental issue of an exposed listening service.
Option D provides security through obscurity, which is not a valid security strategy.
Sub-Topic 1.2: Proxy Data Buffering and Offline Queuing (3 Questions)
Question 5 (Multiple-Choice)
A retail company operates 500 Zabbix active proxies across store locations, each
monitoring local POS systems, HVAC controllers, and network equipment. During a
scheduled maintenance window, the central Zabbix server will be offline for 4 hours. Which
statement accurately describes the expected behavior of the active proxies during this
outage?
A) The proxies will discard all collected data after 60 minutes and resume normal
collection only after the server returns
B) The proxies will buffer all collected historical metrics in their local database,
automatically synchronizing the backlog once the server is restored
C) The proxies will switch to standalone mode and begin alerting via local email
configurations
