Zscaler Interview questions and answers

 Zscaler Interview questions and answers --

Q1- What is Zscaler 

Ans - 

Zscaler provides the technology and expertise to guide and secure organizations on their digital transformation journeys. It help them move away from appliance-based network and security infrastructure models, replacing traditional inbound and outbound gateways with modern cloud-delivered services built for today’s business

Q2 - How many deployment models available -

Ans - We can deploy Zscaler using two methods -

1- IPSEC VPN 

2- GRE Tunnel

1- IPSEC VPN -

The configuration of a VPN connection to the “Zscaler Cloud Security Platform”. The use of IPSec allows the use of dynamic WAN addresses on the client side

2- GRE Tunnel-

You can self provision your GRE tunnels to connect to the Zscaler service via the ZIA Admin Portal

Q3 - Difference between Tunnel 1.0 and Tunnel 2.0

Ans -

Tunnel 1.0 - 

Z-Tunnel 1.0 forwards traffic to the Zscaler cloud via CONNECT requests, much like a traditional proxy. Version 1.0 sends all proxy-aware traffic or port 80/443 traffic to the Zscaler service, depending the forwarding profile configuration

Tunnel 2.0 -

Z-Tunnel 2.0 has a tunneling architecture that uses DTLS or TLS to send packets to the Zscaler service. Because of this, Z-Tunnel 2.0 is capable of sending all ports and protocols.

Use Tunnel 2.0 with below points-

1. Deploy Zscaler Client Connector 2.0.1 (and later) to your users.
2. Select Z-Tunnel 2.0 when configuring a forwarding profile with Tunnel mode and the packet filter driver is enabled.
3. Configure bypasses for Z-Tunnel 2.0 in Zscaler Client Connector profile. To learn more, see Best Practices for Adding Bypasses for Z-Tunnel 2.0.

Q4- what is CA in Zscaler 

Ans -

The Zscaler Internet Access (ZIA) Central Authority (CA) is the brain and nervous system of a Zscaler cloud. It monitors the cloud and provides a central location for software and database updates, policy and configuration settings, and threat intelligence. The CA consists of one active server and two servers in passive standby mode. The active CA replicates data in real time to the two standby CAs, so any of them can become active at any time. Each server is hosted in a separate location to ensure fault tolerance.

Q5 - What is forwarding profile in Zscaler 

Ans - 

The forwarding profile tells Zscaler Client Connector how to treat traffic from your users' systems in different network environments for the Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services

Define how Zscaler Client Connector treats traffic from your users' systems for the ZIA service for On Trusted Network, VPN Trusted Network, Off Trusted Network, or Split VPN Trusted Network types

-->> Tunnel

-->> Tunnel with Local Proxy

-->> Enforce Proxy

-->> None

Tunnel -

In Tunnel mode, the app tunnels traffic at the network (IP) layer. It captures user traffic by setting IP routes on user devices. The app forwards all port 80/443 traffic to the Zscaler service through a routing mode tunnel called the Zscaler Tunnel (Z-tunnel)

Tunnel with Local Proxy  --

In Tunnel with Local Proxy mode, Zscaler Client Connector sets proxy settings on user devices so that all proxy-aware traffic is tunneled to Zscaler. The app does this by automatically installing a PAC file on the system to force all traffic to go to the local host.

Enforce Proxy --

The Enforce option is selected by default and cannot be changed. This option allows Zscaler Client Connector to enforce your proxy settings by monitoring for network changes and reapplying settings. Zscaler Client Connector also ensures that users cannot tamper with their proxy settings

• Automatically Detect Settings
• Use Automatic Configuration Scrips

• Use Proxy Server for Your LAN

Q6-  What is PAC file in Zscaler 

Ans -

A proxy auto-configuration (PAC) file is a text file that instructs a browser to forward traffic to a proxy server, instead of directly to the destination server. It contains JavaScript that specifies the proxy server and optionally, additional parameters that specify when and under what circumstances a browser forwards traffic to the proxy server. For example, a PAC file can specify on what days of the week or what hours of the day traffic is sent to a proxy, or for which domains and URLs traffic is not sent to a proxy.

Q6 - What is Suggragate IP in Zscaler -

Ans - 

in some deployments from known locations, you can enable the Zscaler surrogate IP service to map a user to a private IP address so it applies the user's policies, instead of the location's policies, to traffic that it cannot authenticate

Below is the point to use Suggragate IP -

• Applications that do not support cookies, such as Google Earth and Skydrive
• HTTPS transactions that are not decrypted
• Transactions that use unknown user agents

Q 7 - What is Architecture of Zscaler 

Ans -

Zscaler operates the world's largest security-as-a-service (SaaS) cloud platform to provide the industry's only 100% cloud-delivered web and mobile security solution. The highly scalable, global, multi-cloud infrastructure features three key components: the Zscaler Central Authority, ZIA Public Service Edges (formerly Zscaler Enforcement Nodes or ZENs), and Nanolog clusters.

Q 8 - What is ZIA Public Service Edges

Ans - 

ZIA Public Service Edges are full-featured, inline internet security gateways that inspect all internet traffic bi-directionally for malware, and enforce security and compliance policies. An organization can forward its traffic to any ZIA Public Service Edge in the world or use the advanced geo-IP resolution capability of Zscaler to direct its users' traffic to the nearest ZIA Public Service Edge

Q9 - What is Nanolog clusters

Ans -

Nanolog clusters store transaction logs and provide reports. Each cluster consists of one active server and two servers in passive standby mode. The active Nanolog immediately replicates data to the other two servers, so any of them can become active at any time, with no data loss.

Q10 -  What is Zscaler Private Access (ZPA)

Ans -

The Zscaler Private Access (ZPA) service enables organizations to provide access to internal applications and services while ensuring the security of their networks. ZPA is an easier to deploy, more cost-effective, and more secure alternative to VPNs. Unlike VPNs, which require users to connect to your network to access your enterprise applications, ZPA allows you to give users policy-based secure access only to the internal apps they need to get their work done. With ZPA, application access does not require network access.

Q 11 - What is App connector

Ans -

Lightweight virtual machines (VM) that are installed in the data centers that host your servers and applications. They connect to ZPA Public Service Edges or ZPA Private Service Edges only to provide users access to applications in your data center, and do not accept inbound connections

Q 12 - What is ZIA 

Ans -

Zscaler Internet Access (ZIA) helps secure your internet and SaaS connections by delivering a complete secure stack as a service from the cloud. By moving security to a globally distributed cloud, Zscaler brings the Internet gateway closer to the user for a faster more secure experience

Q 13- What is Zscaler Client Connector -

Ans -

Installed on your users' devices, the Zscaler Client Connector connects to the ZPA cloud to enable granular, policy-based access to your organization’s internal resource

Zscaler Client Connector can also forward your users' traffic to the Zscaler cloud to secure their internet traffic

Q 14- How many authentication methods available in Zscaler.

The following table lists the benefits and requirements for the seven supported authentication methods

• Identity Federation Using SAML
• Kerberos Authentication
• Directory Server Synchronization
• Zscaler Authentication Bridge
• One-Time Link
• One-Time Token
• Passwords

Q15 -  which one first look URL filtering or Cloud App.

Ans -

By default, the Cloud App Control policy takes precedence over the URL Filtering policy

Q16 - What is Admin Rank in URL filtering

Ans -

Enter a value from 0-7 (0 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own.

Q17- What is the Know and Unknow location in Zscaler.

Ans-

When an organization forwards its traffic to the Zscaler service through a GRE or IPSec tunnel, Zscaler provisions your organization's IP addresses, its called know location.

rest of traffic treated as Uknow location.

When the Zscaler service receives traffic, it checks whether the traffic is from a known location (a location that is configured on the ZIA Admin Portal), or from an unknown location (remote user traffic). If the traffic is from a known location, the service processes the traffic based on the location settings. 

Example:-

 the service checks whether the location has authentication enabled and proceeds accordingly. It also applies any location policies that you configure and logs Internet activity by location

We will add more questions later