Practice Free ZDTE Exam Online Questions
A branch has an SD-WAN edge with a static public IP. The team saw past breakage from NAT in front of tunnels. They want better resiliency and clear user identity.
Which forwarding design meets the requirements?
- A . Steer with PAC for the site and keep browser proxy, skip tunnel design details today.
- B . Build IPSec from the branch using dynamic IPs, add probes, and expect basic failover behavior.
- C . Deploy ZCC on device and remove site tunnels to cut network work during tasks.
- D . Use L2TP tunnel from the edge with static IP, no NAT, dual tunnels with stickiness.
An internal ZPA app serves 300 users. Goal: app timing from real users with low probe load and low noise.
Which probe plan fits?
- A . End User Cloud Path probes for packet loss trend
- B . End User Web plus Hosted Web across regions
- C . Hosted Web probes for broad sites
- D . Scoped End User Web probes for actual user group
A retailer investigates short bursts of outbound port scans from branch sites. The team must validate a firewall rule and correlate events with ZIA web entries using the client source port. Trend summaries will not support forensics, and reconstruction of per-session timing is required.
Which feed and field selection meets the goal?
- A . Web access logs with URL, category, user identity, and site group tags for trends
- B . Cloud NSS feed using JSON array format, hostname fields, and index routing hints
- C . Aggregate firewall logs with five-tuple, 15-minute counters, and policy summary
- D . Full Session firewall logs with src IP, dst IP, src port, dst port, action, start and end time, and bytes
A team must contain risky uploads from a sanctioned SaaS while keeping read access.
Which preventive control fits this goal?
- A . DNS block sanctioned domains
- B . DLP upload rules
- C . Firewall deny app subnet
- D . Tenant restriction policies
Which of the following capabilities are outside the scope of Zscaler’s Isolation technologies?
- A . RDP Hosts
- B . SSH Hosts
- C . Web Applications
- D . Thick Client Apps
A cloud zone serves 1.2 Gbps to private apps. All flows use double encryption. Apps span two AZs.
What connector plan meets size and high availability goals?
- A . Two 8 vCPU connectors per AZ; fewer boxes to run and track.
- B . Six baseline connectors placed by the apps, spread across both AZs.
- C . Four baseline connectors in one AZ; single group and key for the set.
- D . Three baseline connectors per AZ; ignore extra headroom to cut load.
Web Insights shows Block Policy Type Cloud App Control for Microsoft 365 personal access. Tenant restriction did not take effect. SSL Inspection Status shows not inspected. Where did the block occur, and what first step resolves the failure?
- A . URL Filtering; widen allow rule
- B . Firewall; lower threat sensitivity
- C . Cloud App Control; enable inspection
- D . SSL policy; trust server cert
A private app fails for a subset of users after posture policy edits. Trusted network logic and connectors are unchanged.
Which check best targets root cause?
- A . Review URL categories
- B . Increase DLP coverage
- C . Add more segments
- D . Verify identity attributes
An engineer has a user on a known office LAN. The goal is to avoid routing their private app traffic through the ZTE.
Which action fits the design intent?
- A . Add ZIA bypass for [HIDDEN URL] to adjust GeoIP path.
- B . Set Client Connector trusted-network bypass for that site.
- C . Broaden app policy to permit direct LAN reach.
- D . Deploy a Private Service Edge for the office LAN.
A team runs an internal tool over HTTPS-like traffic on TCP/8443 and TCP/9443. They need URL-based controls and prompts to apply. Testing shows flows are treated as non-web and bypass web rules.
What should the engineer change to meet the requirement?
- A . Map the ports as custom web ports and test proxy path
- B . Allow the HTTPS network app for the tool group
- C . Block the host by a DNS domain list
- D . Raise IPS sensitivity for port 443 traffic
