Zscaler Interview Questions – Pushti Networking Academy
Pushti Networking Academy is a Cisco Networking Academy authorized training center in Noida, Uttar Pradesh. They offer a variety of Cisco certified courses, including CCNA, CCNP, and CCIE. They also offer courses on other IT topics, such as Python, Linux, and Ethical Hacking.
In addition to their training courses, Pushti Networking Academy also offers placement assistance to their students. They have a network of partners in the IT industry who are always looking for qualified candidates.
Q1 – What is Zscaler?
Ans – Zscaler provides the technology and expertise to guide and secure organizations on their digital transformation journeys. It helps them move away from appliance-based network and security infrastructure models, replacing traditional inbound and outbound gateways with modern cloud-delivered services built for today’s business.
Q2 – How many deployment models are available?
Ans – We can deploy Zscaler using two methods –
1- IPSEC VPN
2- GRE Tunnel
1- IPSEC VPN – A VPN connection is configured to the “Zscaler Cloud Security Platform”. Using IPSec allows dynamic WAN addresses on the client side.
2- GRE Tunnel – You can self-provision your GRE tunnels to connect to the Zscaler service via the ZIA Admin Portal.
Q3 – What is the difference between Tunnel 1.0 and Tunnel 2.0?
Ans –
Tunnel 1.0 – Z-Tunnel 1.0 forwards traffic to the Zscaler cloud via CONNECT requests, much like a traditional proxy. Version 1.0 sends all proxy-aware traffic or port 80/443 traffic to the Zscaler service, depending on the forwarding profile configuration.
Tunnel 2.0 – Z-Tunnel 2.0 has a tunneling architecture that uses DTLS or TLS to send packets to the Zscaler service. Because of this, Z-Tunnel 2.0 is capable of sending all ports and protocols.
To use Tunnel 2.0 –
1. Deploy Zscaler Client Connector 2.0.1 (and later) to your users.
2. Select Z-Tunnel 2.0 when configuring a forwarding profile with Tunnel mode and the packet filter driver enabled.
3. Configure bypasses for Z-Tunnel 2.0 in the Zscaler Client Connector profile.
To learn more, see Best Practices for Adding Bypasses for Z-Tunnel 2.0.
Q4 – What is the CA in Zscaler?
Ans –
The Zscaler Internet Access (ZIA) Central Authority (CA) is the brain and
nervous system of a Zscaler cloud. It monitors the cloud and provides a
central location for software and database updates, policy and configuration
settings, and threat intelligence. The CA consists of one active server and two
servers in passive standby mode. The active CA replicates data in real time to
the two standby CAs, so any of them can become active at any time. Each
server is hosted in a separate location to ensure fault tolerance.
Q5 – What is a forwarding profile in Zscaler?
Ans – The forwarding profile tells Zscaler Client Connector how to treat traffic from
your users’ systems in different network environments for the Zscaler
Internet Access (ZIA) and Zscaler Private Access (ZPA) services.
For the ZIA service, you define how Zscaler Client Connector treats traffic from
your users’ systems for the On Trusted Network, VPN Trusted Network, Off
Trusted Network, or Split VPN Trusted Network types, using one of these options:
–>> Tunnel
–>> Tunnel with Local Proxy
–>> Enforce Proxy
–>> None
Tunnel – In Tunnel mode, the app tunnels traffic at the network (IP) layer. It captures user traffic by setting IP routes on user devices. The app forwards all port 80/443 traffic to the Zscaler service through a routing mode tunnel called the Zscaler Tunnel (Z-tunnel).
Tunnel with Local Proxy —
In Tunnel with Local Proxy mode, Zscaler Client Connector sets proxy
settings on user devices so that all proxy-aware traffic is tunneled to Zscaler.
The app does this by automatically installing a PAC file on the system to force
all traffic to go to the local host.
Enforce Proxy —
The Enforce option is selected by default and cannot be changed. This
option allows Zscaler Client Connector to enforce your proxy settings by
monitoring for network changes and reapplying settings. Zscaler Client
Connector also ensures that users cannot tamper with their proxy settings.
• Automatically Detect Settings
• Use Automatic Configuration Script
• Use Proxy Server for Your LAN
Q6 – What is a PAC file in Zscaler?
Ans – A proxy auto-configuration (PAC) file is a text file that instructs a browser to
forward traffic to a proxy server, instead of directly to the destination server.
It contains JavaScript that specifies the proxy server and optionally, additional
parameters that specify when and under what circumstances a browser
forwards traffic to the proxy server. For example, a PAC file can specify on
what days of the week or what hours of the day traffic is sent to a proxy, or
for which domains and URLs traffic is not sent to a proxy.
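A PAC file of the kind described above, as an added example (not Zscaler's or the academy's own file): it bypasses internal destinations, applies a day/hour condition, and sends everything else to a proxy. The proxy address `proxy.example.net:8080` and the domain `corp.example.com` are placeholders, and the shim block at the top stands in for the browser's built-in PAC helpers so the file also runs under Node.

```javascript
// Added example, not Zscaler's PAC file. proxy.example.net:8080 and
// corp.example.com are placeholders. Browsers supply the PAC helpers natively;
// the simplified shims below exist only for Node. Delete them before deploying.
let pacNow = () => new Date();            // clock read by the shims (test hook)
if (typeof isPlainHostName === "undefined") {
  const DAYS = ["SUN", "MON", "TUE", "WED", "THU", "FRI", "SAT"];
  globalThis.isPlainHostName = (h) => !h.includes(".");
  globalThis.dnsDomainIs = (h, d) => h.endsWith(d);
  globalThis.weekdayRange = (from, to) => {
    const d = pacNow().getDay(), a = DAYS.indexOf(from), b = DAYS.indexOf(to);
    return a <= b ? d >= a && d <= b : d >= a || d <= b;
  };
  globalThis.timeRange = (h1, h2) => {
    const h = pacNow().getHours();
    return h >= h1 && h < h2;
  };
}

// True only for a literal private or loopback IPv4 address. A glob such as
// "10.*" would also match a hostname like "10.example.org" and bypass the proxy.
function isPrivateV4Literal(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  if (a > 255 || b > 255 || Number(m[3]) > 255 || Number(m[4]) > 255) return false;
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Bypass: unqualified names, private/loopback literals, the internal domain.
  // The leading dot stops "notcorp.example.com" from matching the suffix.
  if (isPlainHostName(host) || isPrivateV4Literal(host) ||
      host === "corp.example.com" || dnsDomainIs(host, ".corp.example.com")) {
    return "DIRECT";
  }
  // Day/hour condition: outside Mon-Fri 08:00-18:00 traffic is not proxied.
  if (!(weekdayRange("MON", "FRI") && timeRange(8, 18))) {
    return "DIRECT";
  }
  // No "; DIRECT" fallback: if the proxy is unreachable the request fails
  // instead of silently leaving uninspected.
  return "PROXY proxy.example.net:8080";
}
```

Every `DIRECT` branch is traffic the proxy never inspects, so bypass rules and time windows in a PAC file deserve the same review as firewall exceptions.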
Q7 – What is Surrogate IP in Zscaler?
Ans – In some deployments from known locations, you can enable the Zscaler
surrogate IP service to map a user to a private IP address so it applies the
user’s policies, instead of the location’s policies, to traffic that it cannot
authenticate.
Surrogate IP is used in the cases below –
• Applications that do not support cookies, such as Google Earth and Skydrive
• HTTPS transactions that are not decrypted
• Transactions that use unknown user agents
Q8 – What is the architecture of Zscaler?
Ans – Zscaler operates the world’s largest security-as-a-service (SaaS) cloud
platform to provide the industry’s only 100% cloud-delivered web and mobile
security solution. The highly scalable, global, multi-cloud infrastructure
features three key components: the Zscaler Central Authority, ZIA Public
Service Edges (formerly Zscaler Enforcement Nodes or ZENs), and Nanolog
clusters.
Q9 – What are ZIA Public Service Edges?
Ans –
ZIA Public Service Edges are full-featured, inline internet security gateways
that inspect all internet traffic bi-directionally for malware, and enforce
security and compliance policies. An organization can forward its traffic to
any ZIA Public Service Edge in the world or use the advanced geo-IP
resolution capability of Zscaler to direct its users’ traffic to the nearest ZIA
Public Service Edge.
Q10 – What are Nanolog clusters?
Ans – Nanolog clusters store transaction logs and provide reports. Each cluster
consists of one active server and two servers in passive standby mode. The
active Nanolog immediately replicates data to the other two servers, so any
of them can become active at any time, with no data loss.
Q11 – What is Zscaler Private Access (ZPA)?
Ans – The Zscaler Private Access (ZPA) service enables organizations to provide
access to internal applications and services while ensuring the security of
their networks. ZPA is an easier to deploy, more cost-effective, and more
secure alternative to VPNs. Unlike VPNs, which require users to connect to
your network to access your enterprise applications, ZPA allows you to give
users policy-based secure access only to the internal apps they need to get
their work done. With ZPA, application access does not require network
access.
Q12 – What is an App Connector?
Ans – App Connectors are lightweight virtual machines (VMs) that are installed in the data centers that
host your servers and applications. They connect to ZPA Public Service Edges
or ZPA Private Service Edges only to provide users access to applications in
your data center, and do not accept inbound connections.
Q13 – What is ZIA?
Ans – Zscaler Internet Access (ZIA) helps secure your internet and SaaS connections by delivering a complete secure stack as a service from the cloud. By moving security to a globally distributed cloud, Zscaler brings the Internet gateway closer to the user for a faster, more secure experience.
Q14 – What is Zscaler Client Connector?
Ans – Installed on your users’ devices, the Zscaler Client Connector connects to the ZPA cloud to enable granular, policy-based access to your organization’s internal resources. Zscaler Client Connector can also forward your users’ traffic to the Zscaler cloud to secure their internet traffic.
Q15 – How many authentication methods are available in Zscaler?
Ans – There are seven supported authentication methods:
• Identity Federation Using SAML
• Kerberos Authentication
• Directory Server Synchronization
• Zscaler Authentication Bridge
• One-Time Link
• One-Time Token
• Passwords
Q16 – Which is applied first, URL Filtering or Cloud App Control?
Ans – By default, the Cloud App Control policy takes precedence over the URL
Filtering policy.
Q17 – What is Admin Rank in URL filtering?
Ans – Admin rank is a value from 0-7 (0 is the highest rank). Your assigned admin
rank determines the values you can select. You cannot select a rank that is
higher than your own.
Q18 – What are Known and Unknown locations in Zscaler?
Ans – When an organization forwards its traffic to the Zscaler service through
a GRE or IPSec tunnel, Zscaler provisions your organization’s IP addresses; this is called a known location. The rest of the traffic is treated as coming from an unknown location.
When the Zscaler service receives traffic, it checks whether the traffic is from a known location (a location that is configured on the ZIA Admin Portal), or from an unknown location (remote user traffic). If the traffic is from a known location, the service processes the traffic based on the location settings.
Example: the service checks whether the location has authentication enabled and proceeds accordingly. It also applies any location policies that you configure and logs Internet activity by location.