View ZDTA Exam Questions

Q: 11

Zscaler Advanced Threat Protection (ATP) is a key capability within Zscaler Internet Access (ZIA), protecting users against attacks such as phishing. Which of the following is NOT part of the ATP workflow?

Options

Correct Answer:

Explanation

Zscaler Advanced Threat Protection (ATP) is a security-focused module within Zscaler Internet Access (ZIA) designed to protect against sophisticated cyber threats. Its workflow includes Intrusion Prevention System (IPS) signatures, advanced URL filtering for high-risk categories like newly registered domains, and policies to block potentially malicious, unscannable files such as password-protected archives.

Reporting on application latency or performance issues, such as a poor Teams call due to a weak WiFi signal, is not a security function. This task falls under the domain of digital experience monitoring, which is handled by a separate Zscaler service, Zscaler Digital Experience (ZDX), not by the ATP security engine.

Why Incorrect

A. IPS is a fundamental component of Zscaler's layered defense and ATP, using signatures to block known exploits and threats targeting clients and servers.

C. Proactively categorizing and applying security policies to newly registered domains is a key ATP strategy to mitigate phishing and malware distribution campaigns.

D. Blocking password-protected files is a common security policy within ATP, as their contents cannot be inspected for malware, representing a significant risk.

References

1. Zscaler Help Portal

"About Advanced Threat Protection": This document outlines the core features of ATP

stating it provides "advanced protection against malicious content from websites

" including "protection against botnet command and control (C&C) networks" and "protection against phishing sites." It also details the integration of IPS controls. This confirms that options A and C are part of the ATP workflow.

2. Zscaler Help Portal

"About Zscaler Digital Experience": This resource describes ZDX as a "user-centric monitoring solution that provides end-to-end visibility of the user-to-app performance." It explicitly mentions monitoring for performance issues

which directly aligns with the scenario in option B and separates it from the security functions of ATP.

3. Zscaler Help Portal

"Configuring Malware Protection Policies": In the section on File Type Control

this guide explains the policy for handling unscannable files. It states

"Zscaler recommends that you block password-protected archives and documents because they cannot be scanned for viruses and spyware

" confirming that blocking such files (Option D) is a security function within ZIA's threat protection capabilities.

Q: 12

As technology that exists for a very long period of time, has URL Filtering lost its effectiveness?

Options

Discussion

Chloe N. Feb 27, 2026 4:06 am

Option A is right. URL filtering still matters a lot, especially as a first layer before heavier checks like sandboxing. Even with HTTPS, if you use SSL inspection, URL filtering works fine. Saw similar questions on practice tests.

Kevin U. Feb 26, 2026 8:35 am

D , since most traffic is encrypted now with HTTPS, basic URL filtering won't see inside unless the org does SSL inspection. Seems kinda outdated for a "cloud-first" model. Pretty sure that's what they're getting at here, but open to other takes.

Ethan V. Mar 6, 2026 11:19 am

D imo. If the org doesn’t use SSL inspection, URL Filtering can’t see inside most traffic so kinda useless.

Kevin F. Feb 25, 2026 11:39 pm

Still A. URL filtering is definitely not outdated and is used as the first layer even with SSL/TLS traffic.

Robin O. Feb 28, 2026 3:29 am

Maybe D. With so much traffic using HTTPS now, URL filtering can't inspect the actual content unless SSL inspection is enabled. I think that makes it far less useful compared to before, so leaning toward D here. Anyone disagree?

Taylor M. Feb 16, 2026 3:28 pm

Option D. since most web traffic is encrypted these days, URL filtering doesn't really cut it anymore from what I've seen.

Taylor U. Feb 28, 2026 2:20 pm

A lot depends on whether SSL/TLS inspection is actually implemented. If it's not, then a lot of HTTPS traffic can't be categorized properly and URL filtering effectiveness really drops. But if SSL inspection is on, filtering still works like before. So does the question assume SSL inspection is being used or not?

Olivia D. Mar 4, 2026 12:35 am

Had something like this in a mock. URL filtering is still widely used as the first defense, especially with SSL inspection handling HTTPS. Picking A.

SeasonedLearner4085 Feb 22, 2026 9:34 pm

Not quite that simple, URL filtering still works even with HTTPS if you have SSL inspection set up. A

Be respectful. No spam.

Correct Answer:

Explanation

URL Filtering remains a cornerstone of modern web security and a fundamental component of a Secure Web Gateway (SWG) and Zero Trust architecture. It functions as an efficient and scalable first line of defense by categorizing and applying policy to web destinations before more resource-intensive inspections, like deep content analysis or sandboxing, are performed. In the Zscaler Zero Trust Exchange, URL filtering is applied inline to all traffic, including encrypted sessions via TLS inspection, to enforce security and acceptable use policies, proving its continued effectiveness and relevance.

Why Incorrect

B: This approach is the opposite of a Zero Trust security model, which operates on a principle of "never trust, always verify" and default-deny, not default-allow.

C: CASB and URL Filtering are complementary, not mutually exclusive. URL Filtering provides broad web access control, while CASB offers granular control over specific cloud applications.

D: This is incorrect. Modern security services like the Zscaler proxy perform TLS/SSL inspection, allowing them to decrypt, inspect, and enforce policies on encrypted traffic, including the full URL.

References

1. Zscaler Help Portal

"About URL Filtering": "The URL Filtering policy allows you to control the web traffic that is sent from your organization to the internet. The Zscaler service categorizes URLs and provides URL super-categories and categories that you can use in your policy." This document establishes URL Filtering as a primary policy control mechanism within the Zscaler platform.

2. Zscaler Help Portal

"About SSL Inspection": "With the Zscaler service

you can decrypt

inspect

and re-encrypt all of your SSL-encrypted traffic... When the Zscaler service inspects SSL traffic

it can enforce policies

such as URL Filtering... on the decrypted traffic." This source directly refutes the claim that HTTPS renders URL Filtering ineffective.

3. Zscaler

"What is a Secure Web Gateway (SWG)?": "A core function of any SWG is URL filtering

which controls access to websites based on their category... This is a first line of defense against web-based threats." This official Zscaler resource explicitly defines URL filtering as a "first line of defense."

4. Zscaler

"The Zscaler Zero Trust Exchange" (Whitepaper): The principles outlined in this document are based on least-privileged access and inspecting all traffic. The concept of granting access to all internet sites by default (as suggested in option B) is fundamentally incompatible with the Zero Trust model that Zscaler is built upon.

Q: 13

What is a ZIA Sublocation?

Options

Correct Answer:

Explanation

A ZIA Sublocation is a logical construct used to segment traffic within a broader, defined Location. It is defined by specific IP address ranges or subnets that are part of the parent Location's network. This allows an organization to apply distinct security policies, such as URL Filtering or Cloud App Control, to different groups of users or network segments that share the same internet egress point. A primary example is creating a sublocation for a guest Wi-Fi network to enforce stricter policies compared to the corporate network, even though both traffic types exit through the same gateway.

Why Incorrect

B: A Sublocation's purpose is for policy enforcement and is not defined by its relationship to a Zscaler Subcloud, which is an element of Zscaler's cloud architecture.

C: Sublocations are defined by distinct, non-overlapping IP subnets within a location to differentiate traffic, not to manage or identify overlapping IP addresses.

D: A sublocation is defined by an IP address or subnet, which is independent of the traffic forwarding method, such as Zscaler Client Connector versus a GRE tunnel.

References

1. Zscaler Help Portal

"About Sublocations": "You can create sub-locations for a location to apply different policies to different subnets within the location... A common use case is to create a sub-location for your guest Wi-Fi network. This allows you to apply a stricter policy to your guest Wi-Fi network." This source directly validates that sublocations are for segmenting traffic (like guest vs. employee) for policy application.

2. Zscaler Help Portal

"Configuring Locations": Under the "Sub-Locations" section

the documentation states

"Sub-locations are prefixes of the static IP addresses that are configured for the location. You can define sub-locations to apply policies on a more granular level." This confirms that sublocations are IP-based subsets of a location used for granular policy.

Q: 14

Assume that you have four data centers around the globe, each hosting multiple applications for your users. What is the minimum number of App Connectors you should deploy? Assume that you have four data centers around the globe, each hosting multiple applications for your users. What is the minimum number of App Connectors you should deploy?

Options

Discussion

SkepticalTester3156 Feb 14, 2026 2:33 pm

B vs C here. If you go strictly by 'minimum', C (one per data center) seems logical, but Zscaler typically expects two per site for redundancy so production isn't at risk if one connector fails. Pretty sure exam writers want B to match their HA recommendation, though in theory C could work for a non-HA setup. Let me know if someone has seen this phrased differently.

Jamie J. Feb 21, 2026 10:07 am

C , since the question only asks for minimum and doesn't mention HA or redundancy. B is best practice but if you're being strict, C might be the trap.

Sofia Feb 18, 2026 4:56 pm

B makes sense because Zscaler recommends at least two App Connectors per data center, mainly for redundancy and high availability. If you just do one per DC (C), a failure takes that whole DC offline for ZPA access. Pretty sure B is the safe call, but I get why C looks tempting if you're thinking bare minimum.

MeeraM Feb 19, 2026 10:39 am

B , most practice exams and the official guide mention two per site for HA.

Arjun Feb 26, 2026 8:35 pm

Yeah, I'd stick with B. Zscaler always recommends two App Connectors per data center so you have HA and don't lose connectivity if one fails. I get why C is tempting since it's the strict minimum, but for production, B is what they expect. Pretty sure this matches what I've seen in docs and sample questions, but happy to hear if anyone disagrees.

Taylor N. Feb 20, 2026 4:13 pm

B. but I'm not totally sure since the question just says minimum. The typical expectation is two per data center though.

Mason R. Feb 21, 2026 8:53 am

Not sure here, I'd pick C since the wording says minimum not HA.

Luna K. Mar 6, 2026 9:34 am

I think B here. Zscaler expects two App Connectors per data center for production, so you're covered if one fails-otherwise losing access entirely isn't really acceptable for global apps. Four would be technically the absolute minimum, but they basically always mean HA in these types of questions. Pretty sure B matches real-world configs, but let me know if anyone's seen different wording.

Nathan C. Feb 28, 2026 12:51 pm

B tbh, since Zscaler's docs always push two connectors per data center for HA and failover. I saw a similar scenario in practice tests. If you only did C, you'd have no redundancy. Open to corrections if I'm missing something.

Daniel M. Feb 18, 2026 1:14 am

C or B here. Is high availability required in the question? That would change if single vs multiple connectors.

Be respectful. No spam.

Correct Answer:

Explanation

The minimum recommended deployment for a production environment is based on ensuring high availability and redundancy. Zscaler's best practice is to deploy App Connectors in pairs (an N+1 model, where N is at least 1) within an App Connector group for each location. This active-active configuration prevents a single point of failure. With four distinct data centers, deploying two App Connectors in each location results in a total of eight App Connectors, providing resilience and load balancing for the applications hosted within each data center.

Why Incorrect

A. Six - one per data center plus two for cold standby.

App Connectors operate in an active-active model for immediate failover, not a cold standby model. One per data center is not a resilient design.

C. Four - one per data center.

This configuration creates a single point of failure in each data center. If a single App Connector fails, all applications in that location become inaccessible via ZPA.

D. Sixteen - to support a full mesh to the other data centers.

App Connectors do not form a mesh with each other. They establish outbound connections to the Zscaler cloud, which brokers the user-to-application connections.

References

1. Zscaler Help Portal

"About App Connector Groups." Zscaler

Inc. Accessed May 2024.

Reference: In the "High Availability" section

the documentation states

"For high availability

Zscaler recommends that you deploy App Connectors in pairs. You should have at least two App Connectors for each App Connector group

but you can have more." This directly supports the N+1 (minimum of 2) deployment model per location.

2. Zscaler Help Portal

"App Connector Deployment Prerequisites." Zscaler

Inc. Accessed May 2024.

Reference: Under the "App Connector Deployment" section

it is noted

"To ensure redundancy and high availability

you must deploy App Connectors in pairs. You should have at least two App Connectors running for any given App Connector group..." This reinforces the requirement for pairs to achieve a resilient architecture.

3. Zscaler Help Portal

"ZPA Architecture." Zscaler

Inc. Accessed May 2024.

Reference: The architectural diagrams and descriptions confirm that App Connectors make outbound connections to ZPA Public Service Edges (formerly Zscaler Enforcement Nodes or ZENs). There is no direct App Connector-to-App Connector meshing

invalidating the logic in option D.

Q: 15

What is the purpose of a Microtunnel (M-Tunnel) in Zscaler?

Options

Discussion

Jason O. Feb 16, 2026 4:43 pm

Why do they always have to throw in Microsoft/Azure distractions? It's D, M-Tunnel is all about creating those secure tunnels to internal apps, not just anything cloud. ZPA keeps users off the network and grants access app-by-app with least privilege. Pretty sure that's what they're getting at, unless I'm missing some odd use case.

Karan W. Mar 2, 2026 1:18 pm

B isn't it, D is right. Microtunnel's for private/internal app access via ZPA, not specifically Microsoft apps like B suggests. Pretty sure that's the recurring trap on similar practice sets.

Nina X. Mar 3, 2026 6:00 pm

Probably D for this. M-Tunnel is really for secure channels to internal/private apps, not general M365 or Azure stuff. If anyone's seen different in live configs, let me know.

Layla O. Feb 28, 2026 1:35 am

D , saw similar phrasing in official docs and practice exams.

Zoe N. Mar 1, 2026 7:58 am

Nora P. Feb 22, 2026 3:12 am

C/D? I get why B could look right since Microsoft apps are so common, but Microtunnel's main role is to connect users securely to internal/private apps (D). ZPA isn't about general Microsoft or Azure AD traffic. Pretty sure D is it, but open if someone has a different take.

Jack S. Feb 19, 2026 10:09 pm

D imo, Microtunnel is for secure access to internal applications not Microsoft-specific stuff. Pretty sure this lines up with ZPA docs.

Maya Feb 15, 2026 6:23 am

D vs B but it's D. M-Tunnel is about internal app access, not just Microsoft services. B is tempting but doesn't fit ZPA's core use.

Cameron Q. Mar 3, 2026 3:51 pm

D, Only M-Tunnel sets up that secure connection straight to internal apps, fits what ZPA is designed for. The others are more about general client or cloud services access. Confident on D but open if I missed something.

Be respectful. No spam.

Correct Answer:

Explanation

The Zscaler Microtunnel (M-Tunnel) is a fundamental component of the Zscaler Private Access (ZPA) architecture. Its primary purpose is to establish a secure, on-demand, end-to-end encrypted tunnel from a user's device to a specific internal (private) application. When a user requests access, ZPA dynamically creates an M-Tunnel that connects the Zscaler Client Connector (ZCC) on the user's device to the App Connector co-located with the application. This process ensures that users are never placed on the network and are granted direct, policy-based access only to the applications they are authorized to use, embodying a zero trust security model.

Why Incorrect

A. ZPA M-Tunnels are designed for user-to-application communication, not for direct peer-to-peer connections between Zscaler Client Connector (ZCC) clients.

B. M-Tunnels are for accessing private applications. Access to public SaaS applications like Microsoft 365 is typically secured through Zscaler Internet Access (ZIA).

C. Authentication is handled by an Identity Provider (IdP) like Azure AD before an M-Tunnel is established. The M-Tunnel is for application access post-authentication.

References

1. Zscaler Help Portal

"About Microtunnels": "When a user requests access to an application

ZPA establishes a secure

end-to-end encrypted tunnel

called a Microtunnel (M-Tunnel)

between the user's device and the application. The M-Tunnel ensures that the user has a direct

secure path to the application without ever being placed on the network."

2. Zscaler Help Portal

"Understanding Zscaler Private Access (ZPA)": "ZPA is a cloud service that provides secure

zero trust access to internal applications... ZPA uses inside-out connectivity to connect users to applications... This connection is established using a lightweight Zscaler software called Zscaler Client Connector on the user's device and App Connectors in the data center where the applications are hosted." The M-Tunnel is the mechanism for this connection.

3. Zscaler Help Portal

"About Zscaler Client Connector": "For ZPA

Zscaler Client Connector creates a secure

private microtunnel that connects the user's device directly to the apps they need

without having to connect to the network."

Q: 16

A user is accessing a private application through Zscaler with SSL Inspection enabled. Which certificate will the user see on the browser session?

Options

Correct Answer:

Explanation

When Zscaler performs SSL/TLS inspection for traffic to a private application, it functions as a full proxy, executing a Man-in-the-Middle (MITM) process. The Zscaler Service Edge intercepts and terminates the TLS connection initiated by the user's browser. It then establishes a separate, new TLS connection to the private application's server. To present a valid certificate back to the user's browser for the intercepted session, Zscaler dynamically generates a certificate for the requested application domain. This new certificate is signed by the Zscaler Root CA, which must be trusted by the user's client device. The user's browser, therefore, sees this Zscaler-generated MITM certificate, not the application's original certificate.

Why Incorrect

A. An HTTPS session always requires a certificate to be presented to the browser to establish a secure, encrypted connection.

B. The certificate is signed by the trusted Zscaler Root CA, not a typical untrusted, self-signed certificate.

C. The real server certificate is presented to the Zscaler Service Edge, not the user's browser, during an inspected session.

References

1. Zscaler Help Portal

"About SSL Inspection": "To inspect SSL traffic

the Zscaler service establishes a separate SSL tunnel with the destination server and with the user's browser. It then decrypts and inspects the content passing between the two tunnels. To do this

the Zscaler service uses a Zscaler-signed certificate... The Zscaler service dynamically generates a certificate and signs it with the Zscaler root certificate." (help.zscaler.com/zia/about-ssl-inspection)

2. Zscaler Help Portal

"Using Your Own Certificate for SSL Inspection": "When performing SSL inspection

the Zscaler service uses a Zscaler-signed certificate by default. It dynamically generates a certificate and signs it with the Zscaler root certificate." (help.zscaler.com/zia/using-your-own-certificate-ssl-inspection)

3. Zscaler Whitepaper

"The Zscaler Zero Trust Exchange Architecture": In the section "SSL/TLS Inspection at Scale

" the architecture is described: "Zscaler terminates the user’s connection and opens a new one to the destination... The Zscaler proxy presents a certificate to the user that is signed by the Zscaler root CA." (zscaler.com/resources/white-papers/zscaler-zero-trust-exchange-architecture.pdf

Page 10)

Q: 17

An administrator would like users to be able to use the corporate instance of a SaaS application. Which of the following allows an administrator to make that distinction?

Options

Correct Answer:

Explanation

Cloud Application Control is a specific Zscaler feature designed to provide granular control over SaaS applications. It allows administrators to create policies that can differentiate between corporate and personal instances of the same application. This is often achieved through tenant restriction, where Zscaler inserts specific headers into the user's web request, signaling to the SaaS provider which tenant (i.e., the corporate instance) the user is authorized to access. This directly addresses the need to ensure users can only use the sanctioned corporate instance while blocking access to personal or other unauthorized instances.

Why Incorrect

A. Out-of-band CASB: This solution connects to SaaS applications via APIs to scan data at rest and enforce policies within the app, but it does not control real-time user access to specific instances.

C. URL filtering with SSL inspection: URL filtering operates at the domain level. It is generally insufficient for distinguishing between corporate and personal tenants that often share the same login URL.

D. Endpoint DLP: This technology focuses on preventing sensitive data from leaving the endpoint device; it does not manage or control user login access to different SaaS application instances.

---

References

1. Zscaler Help Portal

"About Cloud App Control": "The Zscaler service provides Cloud App Control policies that allow you to control the cloud applications that users in your organization can access... Additionally

you can enforce tenant restrictions for certain cloud applications to ensure users can only log in with their corporate accounts."

2. Zscaler Help Portal

"Configuring Tenant Profiles": "You can create tenant profiles for specific cloud applications and then use them in your Cloud App Control policy to enforce tenant restrictions. When you enforce tenant restrictions

you can allow users to access only your organization's corporate accounts for a specific cloud application and block access to their personal accounts."

3. Zscaler Help Portal

"Adding a Cloud App Control Policy Rule": The documentation on creating policy rules explicitly shows the option to apply "Tenant Profiles" as an action for selected cloud applications

which is the mechanism used to enforce access to a specific corporate instance.

Q: 18

Zscaler forwards the server SSL/TLS certificate directly to the user's browser session in which situation?

Options

Discussion

Amelia Feb 27, 2026 11:08 pm

Sara J. Feb 27, 2026 6:38 pm

Its C here, seen this exact scenario called out in both official Zscaler docs and a couple practice exams. If SSL inspection is bypassed by policy, Zscaler just lets the real server certificate pass through. Pretty sure that's what they're testing for, but open to corrections.

Sara Feb 21, 2026 11:26 am

Don’t think it’s D, definitely C here. The exemption in SSL Inspection policy is what makes Zscaler forward the real cert.

Aaron Feb 22, 2026 1:42 am

Yeah I'd go C here. Zscaler only forwards the server's cert if SSL inspection policy says to exempt that traffic.

Luke Feb 20, 2026 4:36 am

I think this is same as a common exam questions. on some practice material, and it was C.

Rowan F. Mar 3, 2026 4:27 am

C tbh, that's the scenario where Zscaler doesn't intercept SSL so it just lets the server's real cert flow to the browser. Custom ports or previous sessions don't matter here, it's all about the inspection exemption. Pretty confident but tell me if you disagree.

Sara R. Feb 16, 2026 8:48 am

C here, that's what the official Zscaler docs mention. If SSL inspection is bypassed by policy, Zscaler just passes the server cert right through. Saw this in practice questions too, but if anyone saw otherwise let me know.

Nora Feb 23, 2026 4:37 pm

Probably C

Olivia K. Feb 23, 2026 3:06 pm

C makes sense here. When traffic is specifically exempted in SSL Inspection policy, Zscaler just passes the server's original cert to the browser instead of doing its usual re-encryption thing. D wouldn't really trigger this behavior, it's entirely about the policy config. Pretty sure on this but open if anyone sees it differently.

Skyler O. Feb 28, 2026 8:42 pm

C or D? I see similar wording in practice dumps and always appreciate when the question is this clear. Nice one.

Be respectful. No spam.

Correct Answer:

Explanation

Zscaler performs SSL/TLS inspection by acting as a man-in-the-middle (MitM), decrypting traffic, and re-encrypting it with a Zscaler-issued certificate. However, when an administrator configures an SSL Inspection policy rule to exempt or bypass inspection for specific traffic (e.g., for privacy or application compatibility reasons), the Zscaler service does not perform decryption. In this scenario, Zscaler tunnels the encrypted session, and the original SSL/TLS certificate from the destination server is passed directly to the user's browser. The browser then establishes a secure session directly with the server through the Zscaler proxy.

Why Incorrect

A. Detecting a known threat signature within encrypted traffic requires SSL inspection, where Zscaler would issue its own certificate, not the server's.

B. Web traffic on custom TCP ports is not automatically exempted; it is subject to SSL inspection policies just like standard port traffic.

D. A user's past connection history does not influence the SSL inspection policy, which is evaluated for each new session based on configured rules.

References

1. Zscaler Help Portal

"About SSL Inspection": In the section describing the process

it states

"When SSL inspection is disabled for traffic

the ZIA Public Service Edge...allows the encrypted traffic to pass through without inspection

and the original server certificate is presented to the user's browser." This directly confirms that exemption policies result in forwarding the server certificate.

2. Zscaler Help Portal

"Configuring SSL Inspection Policy": This document details the policy actions. The "Do Not Inspect" action is defined as the method to "Bypass SSL inspection." This is the specific configuration that triggers the behavior described in the question.

3. Zscaler

"ZIA SSL Inspection Deployment Guide

" Page 6: The guide explains SSL bypasses: "For traffic that is bypassed from decryption

Zscaler simply tunnels the SSL/TLS traffic between the client and the server. The client receives the original server certificate and Zscaler has no visibility into the encrypted tunnel." This reinforces that a bypass policy is the direct cause.

Q: 19

What ports and protocols are forwarded to the Zero Trust Exchange when Zscaler Client Connector is using Tunnel 2.0?

Options

Discussion

NoraC Feb 27, 2026 9:22 am

Anyone double-check in the official admin guide or do a lab for Tunnel 2.0? Practice exams hint C covers the full scope.

Morgan Feb 15, 2026 2:51 am

C makes sense for Tunnel 2.0 since it's full packet, all TCP/UDP and even ICMP.

Sofia E. Feb 23, 2026 9:27 am

C/D? Official doc or some hands-on labs should clear it. Seen similar on practice exams.

Owen Feb 21, 2026 12:38 pm

I was leaning toward B at first since HTTP/HTTPS and DNS are common with these agents. Mostly see those in network captures, so figured Tunnel 2.0 would just handle app/web protocols. Looks like that's not quite right though.

Priya Feb 24, 2026 5:58 pm

Not sure D is right, it's C since Tunnel 2.0 includes ICMP too.

SteadySec6669 Feb 27, 2026 6:28 am

Its C, covers all TCP and UDP plus ICMP with Tunnel 2.0. Not restricted to just web or a few services.

Neha L. Mar 1, 2026 8:24 am

C vs D? Really close but with Tunnel 2.0, it's not limited to "web, FTP, SSH" like D says. It forwards everything IP-based-TCP, UDP, ICMP-so C is the edge case winner if you check the docs.

Layla T. Feb 18, 2026 9:57 am

C is correct here because Tunnel 2.0 doesn't just handle web traffic, it sends all TCP/UDP and even ICMP over to the Zscaler cloud. Pretty sure that's what allows full inspection and policy enforcement. If anyone got a different result let me know.

SeasonedCandidate8770 Mar 3, 2026 1:57 pm

Probably C. Tunnel 2.0 forwards all TCP, UDP, and ICMP so it covers more than just web or DNS traffic.

Be respectful. No spam.

Correct Answer:

Explanation

Zscaler Tunnel 2.0 is a proprietary, packet-based tunneling protocol designed to forward all IP traffic from an endpoint to the Zscaler Zero Trust Exchange. This comprehensive approach is not limited to specific ports or application protocols. It encapsulates all TCP and UDP traffic, regardless of the port number, as well as other IP-based protocols like ICMP. This enables the Zscaler cloud to perform deep packet inspection and apply security policies to all user traffic, providing a complete security posture consistent with Zero Trust principles.

Why Incorrect

A. This is incorrect because Tunnel 2.0 is not limited to specific web ports; it forwards all IP traffic from the device.

B. This is incorrect as it only mentions web and DNS traffic, while Tunnel 2.0 is designed to handle all protocols.

D. This is incorrect because it lists only a subset of protocols, failing to capture the "all ports and protocols" capability of Tunnel 2.0.

References

1. Zscaler Official Documentation

Help Portal: In the article "About Z-Tunnel 2.0

" it is stated: "Z-Tunnel 2.0 is the default tunneling protocol for Zscaler Client Connector. It is a proprietary tunneling protocol that encapsulates all IP traffic

including TCP

UDP

and ICMP

and forwards it to the Zscaler cloud." (Source: Zscaler Help Portal

"About Z-Tunnel 2.0"

Section: "Z-Tunnel 2.0 Overview").

2. Zscaler Official Documentation

Help Portal: The "Configuring Forwarding Profiles for Zscaler Client Connector" guide specifies the behavior of different forwarding methods. For the "Tunnel" method

which uses Z-Tunnel 2.0

it states: "When you select Tunnel as the forwarding method

Zscaler Client Connector uses Z-Tunnel 2.0 to forward all port and protocol traffic to the Zscaler service." (Source: Zscaler Help Portal

"Configuring Forwarding Profiles for Zscaler Client Connector"

Section: "Windows and macOS Forwarding Options").

Q: 20

What method does Zscaler Identity Threat Detection and Response use to gather information about AD domains?

Options

Correct Answer:

Explanation

Zscaler Identity Threat Detection and Response (ITDR) is designed to provide visibility into an organization's identity attack surface by continuously monitoring Active Directory (AD). To achieve this, the Identity Protection engine directly queries the AD environment. It uses the Lightweight Directory Access Protocol (LDAP), the standard protocol for interacting with directory services like AD. A configured service account with appropriate read-only permissions is used to run these LDAP queries, allowing the engine to discover AD domains and forests and gather detailed information about configurations, users, and groups without relying on network-level scanning or log analysis.

Why Incorrect

A. Scanning network ports: This is a general network reconnaissance technique and does not provide the specific, detailed object and attribute information from Active Directory that ITDR requires.

C. Analyzing firewall logs: Firewall logs contain information about network traffic, not the internal configuration state, user permissions, or group policies within Active Directory.

D. Packet sniffing: While it could theoretically capture LDAP traffic, this is an inefficient, indirect, and less reliable method compared to making direct, authenticated queries to the directory service.

References

1. Zscaler Help Portal

"About Identity Protection Profiles": In the description of how the system functions

the documentation states

"The Identity Protection engine discovers your AD domains and forests by running LDAP queries and then assesses the security posture of your AD configuration."

2. Zscaler Help Portal

"Step-by-Step Configuration Guide for Zscaler Identity Threat Detection & Response": In the "Prerequisites" section (specifically

under "Identity Protection Service Account")

it details the requirement for a service account with "read-only permissions to the Active Directory (AD) domain." This requirement exists to facilitate direct

authenticated queries against the domain controllers.

Question 11 of 20 · Page 2 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE