A customer requires 2 Gbps of throughput through the GRE tunnels to Zscaler. Which is the ideal architecture?
Two primary and two backup GRE tunnels from internal routers with NAT enabled
Two primary and two backup GRE tunnels from border routers with NAT disabled
Two primary and two backup GRE tunnels from internal routers with NAT disabled
Two primary and two backup GRE tunnels from border routers with NAT enabled
Zscaler design guidance for GRE connectivity emphasizes three key principles: terminate GRE on border (edge) devices, avoid NAT on GRE source addresses, and scale bandwidth by using multiple tunnels. In Zscaler documentation and engineering training, each GRE tunnel is typically sized for up to about 1 Gbps of throughput. For a 2 Gbps requirement, customers are advised to deploy at least two primary GRE tunnels, with two additional backup tunnels for redundancy and failover.
These tunnels should terminate on border routers that own public IP addresses, ensuring optimal routing and simplifying troubleshooting. Zscaler specifically recommends that the public source IPs used for GRE must not be translated by NAT, because the Zscaler cloud must see the original, registered public IP to associate tunnels with the correct organization and enforce policy. Enabling NAT on GRE traffic can break tunnel establishment and lead to asymmetric or unpredictable routing.
Using internal routers introduces extra hops and complexity and often requires NAT or policy-based routing, which goes against recommended best practices. Similarly, any architecture with NAT enabled on GRE traffic conflicts with Zscaler’s published requirements. Therefore, the ideal and recommended design for 2 Gbps via GRE is two primary and two backup GRE tunnels from border routers with NAT disabled.
An organization needs to comply with regulatory requirements that mandate web traffic inspected by ZIA to be processed within a specific geographic region. How can Zscaler help achieve this compliance?
By allowing traffic to bypass ZIA Public Service Edges and connect directly to the destination
By creating a subcloud that includes only ZIA Public Service Edges within the required region
By deploying local VPNs to ensure regional traffic compliance
By dynamically allocating traffic to the closest Public Service Edge, regardless of the region
Zscaler Internet Access (ZIA) supports regional processing requirements through the concept of subclouds. A subcloud is defined as a subset of ZIA Public Service Edges (and optionally Private Service Edges) that operate as full-featured secure internet gateways inspecting all web traffic. ZIA administrators can create a custom pool of data centers (Public Service Edges) that are constrained to a specific geography and then associate locations or tunnels with that subcloud. This ensures that user traffic forwarded to ZIA is only terminated and inspected within that defined regional pool, helping satisfy data-residency and regulatory mandates
By contrast, Zscaler’s default behavior is to use geo-IP and DNS to send traffic to the nearest available Public Service Edge globally, which may violate regional-processing rules (making option D unsuitable in a compliance-driven scenario) Bypassing ZIA (option A) or deploying local VPNs (option C) would undermine the Zero Trust model and remove ZIA’s inline security controls. Therefore, configuring a subcloud that includes only Public Service Edges in the mandated region is the architecturally correct and exam-aligned method to keep inspection within a specific geography.
===========
Which of the following external IdPs is unsupported by OIDC with Zscaler ZIdentity?
PingOne
Auth0
Microsoft AD FS
OneLogin
The ZIdentity documentation on external identity providers explains that Zscaler supports various third-party IdPs over SAML and OIDC, and then provides specific configuration guides for each provider. For PingOne, Auth0, and OneLogin, the ZIdentity help explicitly describes configuring each as an OpenID Provider (OP) for ZIdentity, clearly stating that they are used to provide SSO via OpenID Connect (OIDC).
By contrast, the ZIdentity guides for Microsoft AD FS consistently describe configuring AD FS “as the SAML Identity Provider (IdP) for ZIdentity,” and the examples focus on SAML assertions, claim rules, and certificate bindings—not OIDC flows. In other words, AD FS is supported in a SAML mode with ZIdentity, but it is not listed among the IdPs configured as OpenID Providers for OIDC-based integrations.
The Digital Transformation Engineer identity modules reinforce this differentiation by mapping external IdPs to either OIDC or SAML in the ZIdentity configuration, and the hands-on labs use Azure/Microsoft Entra ID or PingOne for OIDC examples, while AD FS is shown only in SAML scenarios.
Therefore, among the options listed, Microsoft AD FS is the external IdP that is unsupported by OIDC with Zscaler ZIdentity, making option C the correct answer.
===========
Which set of protocols was developed to provide the most secure passwordless authentication methods, using services such as Windows Hello and YubiKey?
SCIM
OpenID
Fast Identity Online 2 (FIDO2)
SAML
FIDO2 (Fast Identity Online 2) is a family of open authentication standards designed specifically to enable strong, phishing-resistant, passwordless authentication. It combines the WebAuthn standard (for browsers and web applications) with the CTAP protocol (for communicating with authenticators such as security keys). Vendors like Microsoft explicitly describe Windows Hello and FIDO2 security keys as passwordless sign-in mechanisms, and Yubico likewise highlights FIDO2 support on YubiKey devices for passwordless and multi-factor authentication.
Zscaler’s identity-related documentation and partner guides reference FIDO2 and passwordless methods such as Windows Hello for Business and FIDO2-based passkeys as modern options that integrate with identity providers (e.g., Microsoft Entra ID / Azure AD) and can be used for Zscaler authentication flows.
By contrast, SCIM is a provisioning standard for user and group lifecycle management, not an authentication protocol. OpenID (and OpenID Connect) and SAML are federation and SSO protocols that typically still rely on passwords or existing credentials at the identity provider, even though they may be used alongside MFA. Only FIDO2 is purpose-built for secure, hardware- or device-bound, passwordless authentication with biometrics or secure PINs, which is exactly what the question describes with examples like Windows Hello and YubiKey.
===========
An organization wants to upload internal PII (personally identifiable information) into the Zscaler cloud for blocking without fear of compromise. Which of the following technologies can be used to help with this?
Dictionaries
Engines
IDM
EDM
Zscaler’s advanced data protection stack includes Exact Data Match (EDM), Indexed Document Match (IDM), dictionaries, and predefined DLP engines. Zscaler describes EDM as a technique that “fingerprints” sensitive values—such as PII from structured data sources (databases or spreadsheets)—so the platform can detect and block exact matches to those values while greatly reducing false positives.
With EDM, an on-premises index tool hashes the sensitive fields (for example, names, IDs, or other PII) and then uploads only these hashes—not the readable PII itself—into the Zscaler cloud. Zscaler documentation emphasizes that only hashed fingerprints are sent, allowing organizations to protect internal data “without having to transfer that data to the cloud” in plain form. This directly addresses the requirement to block exfiltration of internal PII without fear of compromise.
Dictionaries and core DLP engines focus on pattern- or keyword-based detection (such as generic PII patterns) rather than matching exact records from an internal dataset. IDM, on the other hand, fingerprints whole documents or forms (for example, templates or high-value documents) rather than row-level PII records. Therefore, for uploading organization-specific PII in a privacy-preserving, hashed form to enable precise blocking, EDM is the correct technology.
===========
Top of Form
Bottom of Form
Which authorization framework is used by OneAPI to provide secure access to Zscaler Internet Access (ZIA), Zscaler Private Access (ZPA), and Zscaler Client Connector APIs?
JSON Web Tokens
OAuth 2.0
SAML
API Keys
Zscaler OneAPI provides a unified, programmatic interface to automate configuration and operations across the Zscaler platform, including ZIA, ZPA, and Zscaler Client Connector. Zscaler’s OneAPI documentation clearly states that OneAPI uses the OAuth 2.0 authorization framework to secure access to these APIs.
In practice, administrators or automation platforms register an API client in ZIdentity, obtain OAuth 2.0 access tokens, and then use those tokens to call OneAPI endpoints. The use of OAuth 2.0 ensures standardized flows for client authentication, token issuance, and scope-based authorization, aligning with modern security best practices and making it easier to control and audit API access. Zscaler also highlights OAuth 2.0 as one of the three architectural pillars of OneAPI, along with a common endpoint and tight integration with ZIdentity.
While JSON Web Tokens (JWTs) can be used as a token format inside OAuth 2.0, they are not, by themselves, the authorization framework. SAML is typically used for browser-based SSO, not for securing REST APIs in this context. API Keys are simpler credential schemes and are not what Zscaler prescribes for OneAPI. As a result, OAuth 2.0 is the correct and exam-relevant answer.
===========
What are the four distinct stages in the Cloud Sandbox workflow?
Pre-Filtering → Cloud Effect → Behavioral Analysis → Post-Processing
Behavioral Analysis → Post-Processing → Engage your SOC Team for further investigation
Cloud Effect → Pre-Filtering → Behavioral Analysis → Post-Processing
Pre-Filtering → Behavioral Analysis → Post-Processing → Cloud Effect
Zscaler Cloud Sandbox is described in Zscaler threat-protection training as following a four-stage workflow. The documented order is: Cloud Effect, Pre-Filtering, Behavioral Analysis, and Post-Processing.
Cloud Effect – Before detonation, files are checked against global threat intelligence and prior sandbox verdicts so that known malicious objects can be immediately blocked, and known benign files can be allowed without re-analysis.
Pre-Filtering – Static and signature-based checks (antivirus, file heuristics, and related engines) quickly discard clearly malicious or clearly safe files, reducing load on deep analysis.
Behavioral Analysis – Suspicious or unknown samples are executed in a virtual environment to observe behavior such as process spawning, registry changes, or C2 activity.
Post-Processing – Final verdicts are generated, policies are enforced (block, quarantine, allow), and new indicators are fed back into threat intelligence for future Cloud Effect decisions.
This exact ordered sequence—Cloud Effect → Pre-Filtering → Behavioral Analysis → Post-Processing—is what appears in ZDTE study material, so option C is correct.
What is a digital entity that would be identified by Zscaler External Attack Surface Management?
A service hostname that contains revealing information.
Certificates installed on clients to enable SSL inspection.
The IP address of a properly deployed Zscaler App Connector.
Lists of known compromised usernames and passwords.
Zscaler External Attack Surface Management (EASM) is focused on discovering and monitoring an organization’s internet-facing digital assets. In the Engineer curriculum, EASM is described as continuously identifying domains, subdomains, hostnames, IP addresses, TLS certificates, and cloud services that are exposed to the public internet. A key example used in the training is hostnames that “leak” internal context, such as environment names, projects, technologies, or business units. These hostnames are treated as digital entities because they represent externally reachable services and can give valuable clues to an attacker during reconnaissance.
By contrast, SSL inspection certificates installed on endpoints are internal controls and not part of the external attack surface. A Zscaler App Connector is designed to initiate only outbound connections and is intentionally not directly reachable from the internet, so its IP address is not an EASM discovery target. Likewise, lists of compromised usernames and passwords relate to threat intelligence and identity protection, not the mapping of exposed assets. Therefore, the only option that correctly matches the type of digital entity EASM is meant to identify is a service hostname that contains revealing information.
===========
Which type of sensitive information can be protected using OCR (Optical Character Recognition) technology?
Personally Identifiable Information (PII)
Network configurations
Software licenses
Financial transactions
Zscaler’s Data Protection platform integrates Optical Character Recognition (OCR) into its inline Data Loss Prevention (DLP) capabilities. OCR enables Zscaler to extract text embedded within images—such as screenshots, scanned documents, or photos of forms—and subject that text to the same DLP inspection engines that normally analyze plain text content.
Once OCR has converted image content into text, Zscaler can apply predefined dictionaries, custom dictionaries, and advanced classifiers to detect sensitive data types, including personally identifiable information (PII) such as national ID numbers, passport numbers, addresses, or other regulated personal data. This is crucial because many data leaks occur via screenshots or scanned documents that traditional, text-only DLP engines would miss.
While OCR could, in theory, detect patterns related to network configurations, software licenses, or financial transactions, Zscaler’s training and exam materials emphasize its use to protect sensitive data in images—especially user-related regulated data such as PII and other compliance-relevant information. Network configurations and software licenses are better addressed through configuration management and IP protection policies, and “financial transactions” describes activities rather than a specific information pattern. Therefore, Personally Identifiable Information (PII) is the best and most exam-accurate answer for the type of sensitive information protected using OCR.
===========
How many key engines does the Zscaler Firewall Module have?
Three
Two
Five
Four
In the Zscaler for Users – Engineer path, the Zscaler Cloud Firewall (Firewall Module in ZIA) is described as being built around four key engines. The training emphasizes that the firewall is not a single, monolithic filter but a set of parallel inspection engines that collectively provide advanced Layer 3/4 control, application and service awareness, DNS security, and inline threat prevention. These engines evaluate traffic simultaneously, and the most restrictive outcome is applied, aligning with Zscaler’s broader “parallel processing” model for policy enforcement.
The curriculum highlights that this multi-engine design allows Zscaler to go beyond traditional firewalls, combining user and application awareness with security controls such as IPS and DNS-based protection within the same cloud-native enforcement stack. Having four coordinated engines enables granular, identity-based firewall policies that work for users regardless of location, without the need for separate appliances. Options suggesting two, three, or five engines do not match the way the Firewall Module is presented in the ZDTE/EDU-202 materials. Therefore, the correct answer, and the number you are expected to know for the exam, is four.
===========
What is Zscaler Deception?
A set of decoys representing users and server elements used to identify an attacker accessing our infrastructure.
A set of decoys representing network elements used to identify an attacker accessing our infrastructure.
A simple and more effective targeted threat detection solution built on the Zscaler Zero Trust architecture.
An early detection system supported via servers located inside our corporate infrastructure.
In the Zscaler Digital Transformation Engineer material, Zscaler Deception is introduced as an advanced threat-detection capability that is tightly integrated with the Zero Trust Exchange. The official description emphasizes that it is a simple, cloud-delivered, and highly effective targeted threat detection solution built on Zscaler’s Zero Trust architecture, which is almost word-for-word reflected in option C.
Deception works by deploying high-fidelity decoys, lures, and credentials—designed to be indistinguishable from real assets—from the attacker’s point of view. Any interaction with these decoys is inherently suspicious, yielding high-confidence, low-noise alerts that help security teams quickly identify lateral movement, credential theft, and post-compromise activity. The key point in the training is that this capability is delivered from the Zscaler cloud, leveraging the existing Zero Trust platform; it does not require additional on-premise detection servers or traditional network-centric sensors.
Options A and B reduce the concept to “sets of decoys” and ignore the integrated Zero Trust detection value and cloud-native delivery model. Option D incorrectly suggests on-prem server infrastructure as the foundation. The exam materials clearly frame Zscaler Deception as a Zero Trust–based targeted threat detection solution, making option C the correct choice.
===========
An IT administrator is reviewing the recently configured ZDX module in their environment and checks the performance data on the dashboard. The administrator notices that no software inventory has populated. What could be a probable reason?
ZDX client is not configured to collect inventory data
ZDX license doesn't have inventory collection entitlement
Zscaler Client Connector needs to be whitelisted on the EDR tool
ZDX client version being used is 4.3
Zscaler Digital Experience (ZDX) relies on Zscaler Client Connector to collect device and application telemetry from endpoints. Performance metrics (such as device, network, and application scores) are enabled as part of the core ZDX deployment, which explains why the administrator can already see performance data on the dashboard. However, software inventory is an additional inventory feature that must be explicitly enabled in the ZDX administration settings.
ZDX documentation describes an “Inventory Settings” page where administrators must turn on a setting such as “Collect Software Inventory Data.” When this option is enabled and the minimum supported versions of Client Connector and the ZDX module are present, Client Connector begins collecting installed software details and sending this inventory to the ZDX cloud for visualization.
If the collection toggle is left disabled, ZDX will continue to show performance metrics but no entries appear under Software Inventory or related views, even though licensing and versions are otherwise correct. The other options listed either relate to licensing, generic EDR conflicts, or a specific client version and do not match the documented dependency on enabling software-inventory collection. Therefore, the most accurate reason is that the ZDX client (via policy) is not configured to collect inventory data.
===========
Which feature of Zscaler Private AppProtection provides granular control over user access to specific applications?
Threat Intelligence integration
Application segmentation
Role-based access control
User behavior analysis
Zscaler’s application segmentation is the feature that delivers granular, per-application control over which users can access which private apps. In the ZDTE study material and cyberthreat protection quick reference guides, Zscaler explains that application segmentation makes apps and servers completely invisible to unauthorized users, thereby minimizing the attack surface while allowing authorized users to reach only the specific applications they are entitled to.
Zscaler Private AppProtection builds on this segmentation foundation: policies are defined at the application layer using identity (user, group), context, and app attributes, instead of broad network constructs like IP ranges or subnets. This enables security teams to create fine-grained rules that tightly bind users to individual applications, rather than to entire networks. While Private AppProtection adds inline inspection, virtual patching, and exploit prevention, segmentation is the part that dictates who can talk to what.
Threat intelligence integration (option A) enriches detection but does not itself define access. Role-based access control (option C) applies mainly to admin and management roles in consoles, not to runtime user-to-application paths. User behavior analysis (option D) informs risk but is not the primary enforcement mechanism. The specific feature that provides granular control over user access to particular private applications is application segmentation.
===========
Which tunnel mode supports both web and non-web applications, ensuring comprehensive security for modern enterprises?
IPSec Tunnel
Z-Tunnel 1.0
GRE Tunnel
Z-Tunnel 2.0
Zscaler Client Connector supports multiple tunnel modes to send user traffic to the Zscaler security cloud. In the Digital Transformation Engineer material, Z-Tunnel 2.0 is described as the recommended and most capable mode because it supports both web and non-web applications across all ports and protocols. This enables comprehensive inspection and Zero Trust policy enforcement for SaaS, web, and private applications from a single, unified tunnel.
Z-Tunnel 1.0 was primarily designed for web traffic, with limitations around non-web protocols and certain advanced use cases. As enterprises adopt more modern and diverse application stacks (VoIP, collaboration tools, custom TCP/UDP apps), Z-Tunnel 1.0 often cannot provide full coverage. GRE and IPSec tunnels (options A and C) are typically used for site-to-cloud connectivity from branch or data center routers, not as endpoint-based tunnels from user devices.
Z-Tunnel 2.0 uses an advanced encapsulation mechanism that can simultaneously support ZIA and ZPA, apply granular user- and device-based policies, and provide rich telemetry for analytics. It is explicitly positioned in Zscaler’s training as the tunnel mode that delivers end-to-end protection for both web and non-web traffic, making it the correct answer for enterprises needing broad, modern coverage.
===========
How does log streaming work in ZIA?
NSS (Nanolog Streaming Service) opens a secure tunnel to the cloud. User access goes through the ZEN (Zscaler Enforcement Node). ZEN sends the logs to the cloud Nanolog for storage. Cloud Nanolog streams a copy of the log to NSS. NSS sends the log to the SIEM over the network.
NSS opens a secure tunnel to the cloud. Cloud Nanolog streams a copy of the log to NSS. User access goes through the ZEN. ZEN sends the logs to the cloud Nanolog for storage. NSS sends the log to the SIEM over the network.
User access goes through the ZEN (Zscaler Enforcement Node). NSS (Nanolog Streaming Service) opens a secure tunnel to the cloud. ZEN sends the logs to the cloud Nanolog for storage. Cloud Nanolog streams a copy of the log to NSS. NSS sends the log to the SIEM over the network.
NSS opens a secure tunnel to the cloud. ZEN sends the logs to the cloud Nanolog for storage. User access goes through the ZEN. Cloud Nanolog streams a copy of the log to NSS. NSS sends the log to the SIEM over the network.
In ZIA, user traffic is first forwarded to a Zscaler Enforcement Node (ZEN), where security and access policies are enforced and transaction logs are generated. Those logs are then sent from the ZEN to the cloud-based Nanolog cluster, which is the highly scalable logging and storage layer used by Zscaler. Nanolog compresses and stores the logs for reporting, analytics, and long-term retention.
To deliver logs to a customer’s SIEM, the Nanolog Streaming Service (NSS) is deployed in the customer environment. NSS establishes a secure, outbound tunnel to the Nanolog service in the Zscaler cloud and subscribes to that customer’s log stream. Nanolog then continuously streams a copy of relevant logs over this secure connection to NSS. NSS receives the logs, converts them into the required output format (for example, syslog or CEF), and forwards them on to the configured SIEM or log receiver.
Option C is the only answer that correctly represents the logical sequence: user traffic through ZEN, ZEN to Nanolog, secure tunnel from NSS, Nanolog streaming to NSS, and finally NSS forwarding to the SIEM.
===========
TESTED 16 Jul 2026
