Q: 5
Does the Cloud Firewall detect evasion techniques that would allow applications to communicate
over non-standard ports to bypass its controls?
Options
Discussion
C vs A. C tries to push responsibility to the on-prem firewall, but Zscaler Cloud Firewall does its own deep packet inspection so it isn't just relying on upstream firewalls. A mentions DPI for detecting protocol evasions, which lines up with what I've seen in both docs and similar questions. D sounds close but mentions blocking, not really detection. Pretty sure it's A unless I'm missing some Zscaler nuance. Anyone see a scenario where C would make sense?
C/D? C seems like a trap here since it shifts responsibility to the on-prem firewall, but that's not really the Zscaler answer. D talks about blocking, but the question is more about detection, right?
Maybe A is the best pick here. From what I've seen in practice exams, Zscaler tends to highlight Deep Packet Inspection as the main way to detect protocol evasions before applying any blocking with IPS or other engines. D talks more about blocking, so I'm pretty sure A fits since the question is just about detection. Open to other takes if someone thinks otherwise.
D here, since the IPS engine detects and blocks evasion even if DPI gets more focus on exams.
D imo, these Zscaler questions always toss in the IPS engine as bait. If the Cloud Firewall's IPS is what they mean, blocking invalid traffic makes sense. Pretty sure that's what it does against protocol evasions. Not 100% though, since DPI usually gets more credit. Happy to see pushback if I'm off here.
Feels like D is right, since it mentions the IPS engine detecting and blocking transactions that use evasion techniques. Zscaler does a lot with IPS signatures for threat detection. Not totally sure if blocking comes after detection here, but D looks reasonable to me.
A tbh
Saw something like this on a practice exam, it was A for DPI catching protocol evasions. Not 100 percent but pretty sure that's how Zscaler wants it.
C or D, I remember a similar question mentioning on-prem firewalls handling evasion but not totally sure which way it goes here.
It's A. Deep Packet Inspection actually catches those protocol evasions on non-standard ports. At least that's how Zscaler does it.