Zscaler for Users (EDU-200) Exam Questions Flashcards
TLS inspection provides what functionality? (select 3)
- Validation of certificate and issuer
- Ability to decrypt and scan encrypted content
- Policy for which traffic should be inspected
What options for TLS inspection certificates are available? (select 2)
- Zscaler Root Certificate Authority
- Customer Root Certificate Authority
Do most organisations worldwide inspect 100% of all SSL/TLS encrypted traffic?
The reality is more nuanced: certain traffic exclusions for healthcare and financial websites may be required depending on the organisation’s choice, which is why the Zscaler platform can bypass SSL inspection for certain categories of websites. Furthermore, certain types of latency-sensitive traffic such as UCaaS should be bypassed, so organisations rarely inspect all traffic.
In Zscaler Private Access Policy, which criteria can be used to control access? (select 3)
- SAML or SCIM Attribute
- Client Connector posture and trusted network
- Client type
Why is SSL/TLS inspection critical in a security architecture?
85-90% of all internet traffic is SSL/TLS encrypted (including threats), as protocols such as HTTP/2 are only delivered over TLS;
SSL/TLS inspection allows you to inspect
In what way does Zscaler’s identity proxy enable authentication to SaaS applications?
Issuing SAML assertions
In order for Zscaler to enforce policy based on accessing devices, what method is best used by IdPs to share info about a user’s accessing device?
SAML
What is the fastest way to change a user’s access entitlements?
Send different attributes via SCIM
What is used to detect if a SAML assertion was modified after being issued?
Options: XML, Digital Signatures, Attributes, Tokens
Digital signatures
How does Zscaler Internet Access authenticate users? (select 3)
- SAML
- LDAP
- Hosted Database
How is a SAML assertion delivered to Zscaler?
Options:
The IdP sends it via an HTTP post directly to the SP via a backend API,
The SP sends it via an HTTP post directly to the IdP via a backend API,
The IdP sends it via the user’s browser to the SP,
The SP sends it via a trusted authority to the IdP
The IDP sends it via the user’s browser to the SP (Service Provider)
A Server group maps ___ to ___
App Connector Groups to Application Segments
You want Zscaler Client Connector to automatically redirect to your corporate SAML IDP on launch. Which installer options should you configure to do so? (Select 2)
- --cloudname
- --userDomain
You have datacentres in New York, San Francisco, London and Hong Kong. Each datacentre hosts multiple applications, and all have internet connectivity. What is the minimum number of App Connectors you should deploy for production?
8, 2 per DC
Where is the control to prevent a user from exiting Zscaler Client Connector?
In the application profile
Which services can coexist on an application segment?
Options:
* Isolation, Browser Access, and Inspection;
* RDP, SSH, and Inspection;
* Inspection, Isolation, and RDP;
* CIFS, RDP, and SSH
Isolation, Browser Access, and Inspection
Privileged Remote Access supports which protocols? (select 2)
- SSH
- RDP
When moving from an explicit proxy to a tunneled/transparent proxy, what effects, if any, will be seen on the client? (select 3)
- The client will always resolve DNS
- The client browser needs re-configuration
- Authenticated websites may no longer work
How often does the Zscaler Client Connector check for software updates?
Options: Every 2 hours, Every 6 hours, Every 12 hours, Every 24 hours
Every 2 hours
What benefits does a Zscaler Tunnel have over other forwarding mechanisms for Zscaler Client Connector?
Tunnel encapsulates traffic and authenticates to the Zero Trust Exchange
What mechanism identifies the Zero Trust Exchange node to be used for Zscaler Tunnels?
The PAC file used in the application profile
What conditions exist for Trusted Network Detection?
DNS Search Domain, DNS Server, Hostname Resolution
Why is Z-Tunnel 2.0 superior to Z-Tunnel 1.0? (select 3)
- Provides a control channel to update
- Faster transport mechanism
- Enables cloud firewall
Which check guarantees identification of a corporate-managed device by the Zscaler Client Connector?
Client certs & non-exportable private key
How much of an organisation’s traffic can Zscaler perform SSL/TLS on?
Zscaler can inspect and decrypt 100% of TLS traffic without constraints
TLS inspection provides what functionality? (select 3)
- Validation of cert and issuer
- Ability to decrypt and scan encrypted content
- Policy for which traffic should be inspected
To ensure Zero Trust, users should not be connected to __, but to the application.
The network
What is an Application segment? (select 3)
- A list of FQDNs or IP Address
- A list of TCP or UDP ports
- A Wildcard domain
What is the fastest way to change a user’s access entitlements?
Send different attributes via SCIM
Zscaler Private Access isolation policy controls what?
It controls browser-based access to redirect the session into a web container
What is the primary function of the Zscaler Client Connector?
Options: Traffic forwarding, DNS resolution, SSL inspection, User authentication
Traffic forwarding
How does Zscaler handle SSL traffic?
Options: By decrypting and inspecting it, By blocking it, By bypassing it, By redirecting it
By decrypting and inspecting it
What is the purpose of the Zscaler Zero Trust Exchange?
Options: To provide secure internet access, To manage user identities, To enforce security policies, All of the above
All of the above
Which feature allows Zscaler to enforce security policies based on user identity and context?
Options: Policy Engine, Identity Proxy, Security Cloud, Application Segment
Policy Engine
What is the role of the Zscaler Admin Portal?
Options: To configure policies, To monitor traffic, To generate reports, All of the above
All of the above
How does Zscaler ensure that only authorized users can access specific applications?
Options: By using IP whitelisting, By using SAML authentication, By using VPN, By using firewall rules
By using SAML authentication
What is the benefit of using Zscaler’s Browser Isolation feature?
Options: To improve browsing speed, To prevent malware from reaching the endpoint, To reduce bandwidth usage, To enhance user experience
To prevent malware from reaching the endpoint
Which Zscaler feature helps in identifying and mitigating threats in real-time?
Options: ThreatLabZ, Policy Engine, Identity Proxy, Application Segment
ThreatLabZ
How does Zscaler’s Data Loss Prevention (DLP) feature work?
Options: By encrypting data, By blocking unauthorized data transfers, By monitoring data in transit, All of the above
By monitoring data in transit
What is the purpose of Zscaler’s Cloud Firewall?
Options: To block all incoming traffic, To inspect and control outbound traffic, To manage DNS requests, To encrypt data
To inspect and control outbound traffic
Which Zscaler feature allows for secure access to internal applications without a VPN?
Options: Zscaler Internet Access, Zscaler Private Access, Zscaler Cloud Firewall, Zscaler Browser Isolation
Zscaler Private Access
How does Zscaler handle DNS requests from users?
Options: By forwarding them to the nearest DNS server, By resolving them locally, By redirecting them to a secure DNS service, By blocking all DNS requests
By redirecting them to a secure DNS service
What is the function of Zscaler’s Advanced Threat Protection?
Options: To block phishing emails, To detect and block malware, To encrypt user data, To manage user identities
To detect and block malware
Which protocol does Zscaler use to tunnel traffic securely?
Options: IPsec, GRE, SSL, All of the above
All of the above
What is the role of Zscaler’s Policy Engine?
Options: To enforce security policies, To manage user sessions, To monitor network traffic, To generate reports
To enforce security policies
How does Zscaler ensure data privacy during SSL inspection?
Options: By using end-to-end encryption, By decrypting and re-encrypting traffic, By bypassing SSL traffic, By blocking SSL traffic
By decrypting and re-encrypting traffic
What is the benefit of using Zscaler’s Sandbox feature?
Options: To improve network speed, To isolate and analyze suspicious files, To manage user access, To encrypt data
To isolate and analyze suspicious files
Which Zscaler feature helps in controlling access to specific URLs and applications?
Options: URL Filtering, Cloud Firewall, Advanced Threat Protection, Browser Isolation
URL Filtering
How often does Zscaler update its threat intelligence database?
Options: Every hour, Every 6 hours, Every 12 hours, Every 24 hours
Every hour
Which Zscaler feature allows for secure access to SaaS applications?
Options: Zscaler Internet Access, Zscaler Private Access, Zscaler Cloud Firewall, Zscaler Browser Isolation
Zscaler Internet Access
How does Zscaler enforce security policies for remote users?
Options: By using IP whitelisting, By using SAML authentication, By using VPN, By using the Zscaler Client Connector
By using the Zscaler Client Connector
Which protocol is primarily used by Zscaler for secure web traffic inspection?
Options: HTTP, HTTPS, FTP, SFTP
HTTPS
What is the role of Zscaler’s ThreatLabZ?
Options: To manage user identities, To provide real-time threat intelligence, To encrypt data, To control access to applications
To provide real-time threat intelligence
What is the benefit of Zscaler’s Data Loss Prevention (DLP) feature?
Options: To improve network speed, To prevent unauthorized data transfers, To manage user access, To encrypt data
To prevent unauthorized data transfers
Which Zscaler feature helps in identifying and mitigating phishing attacks?
Options: URL Filtering, Cloud Firewall, Advanced Threat Protection, Browser Isolation
Advanced Threat Protection
How does Zscaler ensure secure access to internal applications?
Options: By using IP whitelisting, By using SAML authentication, By using VPN, By using Zscaler Private Access
By using Zscaler Private Access
Which Zscaler feature helps in preventing data exfiltration?
Options: URL Filtering, Cloud Firewall, Data Loss Prevention (DLP), Browser Isolation
Data Loss Prevention (DLP)
How does Zscaler ensure secure access to cloud applications?
Options: By using IP whitelisting, By using SAML authentication, By using VPN, By using Zscaler Internet Access
By using Zscaler Internet Access
How does Zscaler handle traffic from unmanaged devices?
Options: By blocking it, By redirecting it to a secure gateway, By allowing it without inspection, By encrypting it
By redirecting it to a secure gateway
What is the primary role of the Zscaler Client Connector in the Zscaler platform?
a) To provide endpoint antivirus protection
b) To establish a secure connection to the Zero Trust Exchange
c) To manage user identity integration
d) To analyze traffic and generate reports
b) To establish a secure connection to the Zero Trust Exchange
Which authentication protocol enables Single Sign-On (SSO) in Zscaler’s Zero Trust Exchange?
a) LDAP
b) SCIM
c) SAML
d) Kerberos
c) SAML
Which Zscaler service is designed to securely connect users to private applications without exposing them to the internet?
a) Zscaler Digital Experience (ZDX)
b) Zscaler Internet Access (ZIA)
c) Zscaler Private Access (ZPA)
d) Zscaler Cybersecurity Suite
c) Zscaler Private Access (ZPA)
What is the recommended mechanism for forwarding traffic using the Zscaler Client Connector?
a) Route-Based Forwarding
b) ZTunnel 2.0
c) ZTunnel 1.0
d) Local Proxy
b) ZTunnel 2.0
What is one key advantage of using SCIM over SAML for user provisioning?
a) SCIM is supported by all identity providers
b) SCIM supports automatic updates to user attributes
c) SCIM provides stronger authentication mechanisms
d) SCIM eliminates the need for certificates
b) SCIM supports automatic updates to user attributes
ZTunnel 1.0 provides better visibility into non-web traffic compared to ZTunnel 2.0. True/False
Correct Answer: False
TLS Inspection in Zscaler is designed to decrypt and inspect 100% of encrypted traffic to identify threats and enforce data protection policies.
Correct Answer: True
In Zscaler, the browser-based access method requires the Zscaler Client Connector to be installed on the user’s device.
Correct Answer: False
You are tasked with enabling secure remote access for third-party contractors to specific internal web applications. Which Zscaler feature would you configure, and why?
Configure Browser Access in Zscaler Private Access (ZPA) to allow secure, clientless access to internal web applications. This avoids the need for a VPN or Zscaler Client Connector installation and provides access through a standard browser with ZTNA policies in place.
Match the Zscaler component with its primary function:
Component Function
a) ZIA i) Provides secure access to SaaS and internet apps
b) ZPA ii) Enables private application access for remote users
c) ZDX iii) Monitors digital experience and network performance
d) TLS Inspection iv) Inspects encrypted traffic for security threats
a - i, b - ii, c - iii, d - iv
Which of the following is NOT a component of Zscaler’s Zero Trust Exchange?
a) Identity Integration
b) Device Posture
c) Direct Network Sharing
d) Access Control
c) Direct Network Sharing
What is the primary benefit of using ZTunnel 2.0 over ZTunnel 1.0?
a) Simplifies PAC file management
b) Supports inspection of non-web traffic
c) Removes the need for authentication tokens
d) Enables manual device updates
b) Supports inspection of non-web traffic
Which platform capability ensures consistent policy enforcement regardless of user location?
a) TLS Inspection
b) Zscaler Private Access
c) Device Posture
d) Zscaler Client Connector
d) Zscaler Client Connector
What is a key feature of Zscaler’s Browser Access solution?
a) Requires VPN for remote access
b) Provides clientless access to internal applications
c) Supports device-level antivirus scanning
d) Requires TLS certificates on user devices
b) Provides clientless access to internal applications
What is the purpose of a forwarding PAC file in Zscaler?
a) To steer traffic towards or away from Zscaler Client Connector
b) To configure SSL inspection settings
c) To determine SAML authentication policies
d) To provision user identities via SCIM
a) To steer traffic towards or away from Zscaler Client Connector
Which Zscaler service monitors digital experience for users and applications?
a) ZIA
b) ZPA
c) ZDX
d) SCIM
c) ZDX
What is the purpose of Trusted Network Detection in Zscaler?
a) To identify malicious DNS queries
b) To determine if a device is within a corporate network
c) To disable TLS inspection for trusted websites
d) To bypass SCIM provisioning for specific devices
b) To determine if a device is within a corporate network
What type of traffic does the Zscaler Internet Access (ZIA) platform primarily secure?
a) SaaS and public internet traffic
b) Internal corporate applications
c) Virtual private network (VPN) traffic
d) Encrypted DNS queries
a) SaaS and public internet traffic
Which statement about SCIM authorization is correct?
a) SCIM attributes are static and require reauthentication to update.
b) SCIM automates the revocation of user access.
c) SCIM replaces the need for SAML authentication.
d) SCIM only supports user provisioning, not group management.
b) SCIM automates the revocation of user access.
Which Zscaler component creates a reverse connection to secure private applications?
a) Zscaler Enforcement Node (ZEN)
b) App Connector
c) SAML Identity Provider
d) Zscaler Client Connector
b) App Connector
Device Posture checks allow Zscaler to apply policy based on the security state of a device.
True
Zscaler TLS inspection can operate without deploying any certificates to client devices.
False
A wildcard application segment in ZPA is recommended for initial application discovery.
True
ZTunnel 1.0 supports all TCP and UDP traffic.
False
Privileged Remote Access requires installation of the Zscaler Client Connector.
False
Your organization is transitioning from a hub-and-spoke network to a Zero Trust model. Which Zscaler feature would you prioritize for securing access to internet applications?
Zscaler Internet Access (ZIA) should be prioritized as it provides secure, policy-driven access to SaaS and public internet applications.
A user reports being unable to access a private application. How would you troubleshoot using Zscaler tools?
- Check user authentication and identity provider logs.
- Verify application segment configuration in ZPA.
- Review the App Connector health and connectivity to the application.
- Analyze user activity using Zscaler’s analytics and reporting tools.
Match the Zscaler feature with its corresponding description:
Feature Description
a) TLS Inspection i) Decrypts and inspects encrypted communications
b) Zscaler Client Connector ii) Provides endpoint-based traffic forwarding
c) SAML iii) Enables Single Sign-On (SSO) authentication
d) SCIM iv) Automates user provisioning and access revocation
a - i, b - ii, c - iii, d - iv
Zscaler’s Zero Trust model avoids sharing the _______ between users and applications.
network
The primary method for connecting devices to Zscaler’s Zero Trust Exchange is through the _______.
Zscaler Client Connector
What role does the App Connector play in Zscaler Private Access (ZPA)?
a) It decrypts TLS traffic.
b) It routes traffic from users to private applications.
c) It authenticates users with the identity provider.
d) It serves as a public-facing gateway for internal servers.
b) It routes traffic from users to private applications.
Which feature is used in Zscaler to block access to certain websites based on their content?
a) Browser Access
b) URL Filtering
c) Device Posture
d) Application Segmentation
b) URL Filtering
What does Zscaler TLS Inspection rely on to decrypt secure traffic?
a) Zscaler Root Certificate Authority
b) Forwarding PAC files
c) SCIM Provisioning
d) App Connectors
a) Zscaler Root Certificate Authority
What is a key difference between ZTunnel 1.0 and ZTunnel 2.0?
a) ZTunnel 2.0 supports encrypted DNS traffic.
b) ZTunnel 1.0 uses a DTLS-based tunnel, while ZTunnel 2.0 does not.
c) ZTunnel 1.0 only supports HTTP/HTTPS traffic, whereas ZTunnel 2.0 supports all protocols.
d) ZTunnel 2.0 requires manual configuration for every device.
c) ZTunnel 1.0 only supports HTTP/HTTPS traffic, whereas ZTunnel 2.0 supports all protocols.
Which action is typically performed during the ZPA enrollment process?
a) A SAML assertion is consumed by the App Connector.
b) A user manually registers their device through a portal.
c) Zscaler issues a client authentication token.
d) SCIM pushes policy changes to the Zscaler Client Connector.
c) Zscaler issues a client authentication token.
How often does Zscaler Client Connector download policy updates by default?
a) Every 15 minutes
b) Every 30 minutes
c) Every hour
d) Every two hours
c) Every hour
What is the purpose of the Zero Trust Network Access (ZTNA) policy in Zscaler?
a) To define encryption standards for TLS connections
b) To enforce least-privilege access to applications
c) To configure routing rules for public applications
d) To automate device posture updates
b) To enforce least-privilege access to applications
Which component does Zscaler recommend deploying in pairs for redundancy?
a) Zscaler Enforcement Node (ZEN)
b) App Connector
c) SAML Identity Provider
d) Device Posture Checker
b) App Connector
Which Zscaler capability allows the use of customer-specific certificates for TLS inspection?
a) Forwarding PAC Configuration
b) Custom Root Certificate Authority
c) Client Authentication Tokens
d) Privileged Remote Access
b) Custom Root Certificate Authority
What is the default interval for Zscaler Client Connector to refresh the PAC file?
a) Every 5 minutes
b) Every 15 minutes
c) Every 30 minutes
d) Every hour
b) Every 15 minutes
SAML authentication in Zscaler allows for dynamic user provisioning.
False
TLS Inspection in Zscaler is blind to non-web traffic such as DNS or FTP.
False
Zscaler Private Access (ZPA) eliminates the need for VPNs.
True
The Zscaler Client Connector enforces security policies on devices only when connected to a trusted network.
False
SCIM provisioning is best used for automating updates to user attributes.
True
Match the Zscaler term with its description:
Term Description
a) ZIA i) Secures SaaS and public internet traffic
b) ZPA ii) Provides secure access to internal applications
c) ZTunnel 2.0 iii) Supports all TCP/UDP traffic through a DTLS tunnel
d) Browser Access iv) Clientless access to web applications
a - i, b - ii, c - iii, d - iv
The _______ feature in Zscaler ensures that traffic is directed based on geographic proximity to ZEN nodes.
Application Profile PAC
Zscaler supports SAML integration with identity providers such as Okta, ________, and Ping.
Azure AD
TLS Inspection policies can be configured to exclude _______ services such as Microsoft Office 365 from decryption.
trusted
In Zscaler, _______ connectors establish connections from private applications to the Zero Trust Exchange.
App