Practice Free ZDTE Exam Online Questions
A ZIA audit shows a PAC deployment occurred before users began reporting failed web access, and the engineer needs proof that access was impacted during the complaint window.
What will provide session-level confirmation?
- A . Dashboard widget counts
- B . Reroll PAC to prior version
- C . Transaction log evidence
- D . Monthly posture report findings
Usage Insights and Policy Usage in ZPA show many application-segment rules with no hits over 30 days. Security widgets show quiet signals.
What is the most defensible next step?
- A . Expand application segments to broader CIDRs
- B . Loosen posture checks for low-use segments
- C . Validate inactivity with streaming logs, then de-scope or remove unused rules
- D . Assume healthy state and leave policy unchanged
A global workforce loses proxy reachability during a service-edge failover. The PAC returns hardcoded Public Service Edge IPs in each PROXY line.
What should an engineer change to improve failover and portability?
- A . Use device subnet checks to pick nearest edge location
- B . Use Zscaler gateway variables in PROXY return statements
- C . Keep hardcoded edges and add secondary IP comments during maintenance
- D . Switch to DNS host tests for regional edge selection
Personal tenant restriction for Gmail fails. Web Insights classifies a cloud app and shows Cloud App Control decision, but SSL Inspection Status shows not inspected.
What action restores the tenant control?
- A . Lower Cloud App risk level
- B . Enable SSL inspection first
- C . Raise URL category allow
- D . Attach correct tenant profile
A DLP report shows repeated exfil to unsanctioned storage from one group. Baseline trends confirm days of attempts.
What action best fits the findings?
Allow the storage app while reviewing business workflow changes.
Raise global threat thresholds to reduce storage uploads across sites.
B Confirm logs, route incidents, then block that app for affected group.
Use a wide-scope API key to auto-push policy blocks.
An automation team will update access rules for a single segment group that serves HR apps during a weekend change window. The workflow must tie policies to specific HR user attributes, enforce a stricter session timeout, and avoid touching other apps. The team also worries about a script failure widening access.
What should the engineer implement?
- A . Shared key tied to multiple services
- B . Global admin token with broad write scope
- C . Long-lived read/write key for reuse
- D . Scoped, time-bound API client
A sanctioned SaaS application shows shadow upload paths through unmanaged sessions.
Which preventive containment aligns to least-privilege access?
- A . Deny subnets upstream
- B . Enforce tenant restrictions
- C . Block SaaS categories
- D . Proxy bypass growth
A media firm hires contractors on unmanaged laptops. No client install is allowed. They need ZIA inspection for SaaS over HTTP/HTTPS. Some tools use custom ports that the firm cannot change.
What should the team do to send traffic to Zscaler?
- A . Force GRE sessions from each host using dynamic DNS names
- B . Require IPSec tunnels from home routers at contractor sites today
- C . Deploy PAC to steer web to ZIA
- D . Instruct contractors to add the client using mailed links now