Free Zscaler ZDTA Practice Exam with Questions & Answers | Set: 3

When trusted corporate locations already forward traffic through GRE or IPSec tunnels, Client Connector should not create a second tunnel on top of the location tunnel while the device is on the trusted network. Off trusted network, however, the client must create its own Tunnel 2.0 path to the Zero Trust Exchange. Option C (None for on-trusted and tunnel v2.0 for off-trusted) is correct because the recommended combination is None on trusted and Tunnel 2.0 off trusted.

Why the other options are incorrect:

A. Tunnel v2.0 for on-trusted and tunnel v2.0 for off-trusted: Tunnel v2.0 on a trusted network would duplicate forwarding when GRE/IPSec tunnels already steer location traffic to Zscaler. On trusted networks, the client should not build another tunnel.

B. None for on-trusted and none for off-trusted: None/None leaves Client Connector without tunnel forwarding on both trusted and untrusted networks. That defeats the intended traffic steering design.

D. Tunnel v2.0 for on-trusted and none for off-trusted: Tunnel v2.0 on trusted and none off trusted reverses the desired behavior. Remote/off-trusted users need Client Connector tunneling; trusted locations already use GRE/IPSec.

Out-of-band CASB protects data at rest in supported SaaS repositories by connecting to the provider through APIs. Google Drive is a supported cloud storage/collaboration application where files, sharing links, and sensitive content can be inspected and remediated after storage. Option C (Google Drive) is correct because Google Drive is a SaaS data-at-rest use case.

Why the other options are incorrect:

A. Yahoo Mail: Yahoo Mail is webmail. It can be controlled by ZIA, but the scenario’s target is Google Drive cloud storage.

B. Twitter: Twitter/X is a social media service. It is not the cloud file-sharing destination used in the scenario.

D. Facebook: Facebook is a social platform. It does not represent the Google Drive storage action being tested.

ZDX Score is a normalized digital-experience score used to represent how well a user or application is performing. It is expressed on a 1-to-100 scale, making degraded application, network, and endpoint experience easy to compare across users, locations, and time windows. Option A (1-100) is correct because 1-100 is the ZDX scoring range.

Why the other options are incorrect:

B. 1-10: A 1-10 scale is too coarse for ZDX. ZDX uses a 1-100 score so administrators can see more granular experience changes.

C. 1 - 1000: A 1-1000 scale would imply excessive precision that ZDX does not present. The product score is the simpler 1-100 user-experience scale.

D. 0 - 50: A 0-50 range is not the ZDX scale. ZDX scores are represented on a 1-100 scale.

A watering-hole attack compromises a legitimate website or service that the intended victims already trust and commonly visit. The attacker plants malicious active content, such as injected JavaScript or exploit code, so users are infected during normal browsing instead of being lured to an obviously suspicious site. The answer is Option A (Watering Hole Attack) because it specifically describes malware hosted on a commonly accessed service, which is the defining trait of this attack type.

Why the other options are incorrect:

B. Pre-existing Compromise: Pre-existing compromise means the target is already affected before the current event. A watering-hole attack is different: the attacker poisons a site the victims already visit.

C. Phishing Attack: Phishing starts with social engineering: fake messages, links, or login pages. The question describes a legitimate common website being seeded with malicious JavaScript.

D. Exploit Kits: Exploit kits automate exploitation after a victim reaches malicious content. They can be used inside an attack chain, but the scenario is naming the watering-hole delivery pattern.

Z-Tunnel 2.0 extends forwarding beyond web proxy traffic by securing all IP unicast traffic through DTLS/TLS tunnels to the Zero Trust Exchange. This enables Cloud Firewall and other controls to inspect all TCP and UDP ports, and ICMP where supported, rather than only browser HTTP/HTTPS flows. Option C (All TCP and UDP ports as well as ICMP traffic) is correct because Tunnel 2.0 is the all-ports-and-protocols forwarding model for Client Connector.

Why the other options are incorrect:

A. TCP ports 80, 443 and 8080 only: Ports 80, 443, and 8080 describe common web proxy traffic. Tunnel 2.0 forwards broader IP traffic, including TCP, UDP, and ICMP.

B. Any HTTP/HTTPS traffic as well as DNS: DNS resolves names to IP addresses; it is a support service, not an access protocol or scoring engine by itself.

D. All Web ports as well as FTP and SSH: RDP, SSH, and VNC are privileged remote access protocols for desktop, shell, and graphical administration.

Trusted Network Detection uses network-observable criteria such as DNS server, DNS search domain, gateway, and network ranges to determine whether the endpoint is on a corporate network. An Org ID is tenant identity, not a network characteristic visible on the endpoint. Option C (Org ID) is correct because Org ID is unrelated to trusted-network properties.

Why the other options are incorrect:

A. DNS Server: DNS Server criteria identify a trusted network by checking whether the endpoint sees expected internal resolver addresses.

B. Default Gateway: Default Gateway can identify a local network path, but it is not always one of the exact trusted-network criteria set in this item.

D. Network Range: Network range can describe local addressing, but the tested Trusted Network property set is based on the exact ZCC detection fields in the question.

URL Filtering can send traffic to Browser Isolation only when the policy can determine that the user's browser is supported for isolation handling. The User Agent field provides that browser and client context, so it must be defined for Browser Isolation behavior to work correctly in the URL Filtering rule. Option B (User Agent) is correct because User Agent is the required field for applying the isolation action.

Why the other options are incorrect:

A. Groups: Groups target which users the URL rule applies to. Browser Isolation still needs User Agent so Zscaler can determine browser support/handling.

C. Departments: Departments are user attributes for rule targeting. They do not tell Zscaler whether the browser session can be isolated.

D. Device Trust: Device Trust is a posture/context signal. Browser Isolation depends on User Agent information for browser-specific handling.

Zscaler Client Connector is the endpoint agent that connects users to the Zero Trust Exchange from any location. It handles authentication, traffic steering, tunnel creation, posture collection, and integration with ZIA, ZPA, and ZDX. Option A (Client connector) is correct because Client Connector is the endpoint component.

Why the other options are incorrect:

B. Private Service Edge: A Private Service Edge is an enforcement point deployed for private access, not a user endpoint component.

C. IPSec/GRE Tunnel: IPS inspects traffic inline for exploit signatures and attack patterns, then blocks or resets offending sessions.

D. App Connector: An App Connector connects users to private apps through ZPA. It is not the data-protection or SaaS control tested in this question.

Intermediate CA rotation reduces exposure if a certificate were mishandled and keeps the inspection trust chain short-lived. Zscaler's rotation model for intermediate CA certificates uses a short validity window rather than long-lived static certificates. Option C (Certificates are rotated every seven days and have a 14-day expiration) is correct because the tested rotation policy is seven-day rotation with a fourteen-day expiration.

Why the other options are incorrect:

A. Certificates are rotated every 90 days and have a 180-day expiration: Ninety-day rotation and 180-day expiration would leave intermediate certificates active much longer than the Zscaler inspection model described here.

B. Lifetime certificates have no expiration date: Lifetime certificates would never expire, which is the opposite of good inspection-certificate hygiene. Zscaler uses short-lived intermediate certificates.

D. Certificates are issued dynamically and expire in 24 hours: A 24-hour expiration would be unnecessarily short and is not the documented intermediate CA timing in this exam item.

For modern SaaS and web applications, Cloud Application policies usually provide more precise access control than broad URL categories. They can distinguish applications and activities rather than treating the destination as only a URL category. Option A (Cloud Application policies provide better access control) is correct because Cloud Application policies provide deeper application-aware control.

Why the other options are incorrect:

B. URL filtering policies provide better access control: URL Filtering controls web destinations by category, URL, risk, and action such as allow, block, caution, or isolate.

C. Wherever possible URL policies are recommended: URL policies are still useful for category-based web filtering. For SaaS applications, Cloud Application policies provide richer application and activity awareness.

D. Both provide the same filtering capabilities: The two policy types are not equivalent. URL Filtering is destination/category focused, while Cloud App Control understands SaaS apps and actions.