Zscaler interview questions and answers

Ram Dixit
Jan 24, 2023


Interview questions and Answers of Zscaler

Q1- What is Zscaler?

Ans -

Zscaler provides the technology and expertise to guide and secure organizations on their digital transformation journeys. It helps them move away from appliance-based network and security infrastructure models, replacing traditional inbound and outbound gateways with modern cloud-delivered services built for today’s business.

Q2- How many deployment models are available?

Ans - We can deploy Zscaler using two methods:

1- IPSEC VPN

2- GRE Tunnel

1- IPSEC VPN -

An IPSec VPN connection is configured to the “Zscaler Cloud Security Platform”. Using IPSec allows dynamic WAN addresses on the client side.

2- GRE Tunnel-

You can self-provision your GRE tunnels to connect to the Zscaler service via the ZIA Admin Portal.

Q3 — Difference between Tunnel 1.0 and Tunnel 2.0

Ans -

Tunnel 1.0 -

Z-Tunnel 1.0 forwards traffic to the Zscaler cloud via CONNECT requests, much like a traditional proxy. Version 1.0 sends all proxy-aware traffic or port 80/443 traffic to the Zscaler service, depending on the forwarding profile configuration.

Tunnel 2.0 -

Z-Tunnel 2.0 has a tunneling architecture that uses DTLS or TLS to send packets to the Zscaler service. Because of this, Z-Tunnel 2.0 is capable of sending all ports and protocols.

To use Z-Tunnel 2.0, follow the points below:

1. Deploy Zscaler Client Connector 2.0.1 (and later) to your users.

2. Select Z-Tunnel 2.0 when configuring a forwarding profile that uses Tunnel mode with the packet filter driver enabled.

3. Configure bypasses for Z-Tunnel 2.0 in Zscaler Client Connector profile. To learn more, see Best Practices for Adding Bypasses for Z-Tunnel 2.0.

Q4- What is the CA in Zscaler?

Ans -

The Zscaler Internet Access (ZIA) Central Authority (CA) is the brain and nervous system of a Zscaler cloud. It monitors the cloud and provides a central location for software and database updates, policy and configuration settings, and threat intelligence. The CA consists of one active server and two servers in passive standby mode. The active CA replicates data in real time to the two standby CAs, so any of them can become active at any time. Each server is hosted in a separate location to ensure fault tolerance.

Q5- What is a forwarding profile in Zscaler?

Ans -

The forwarding profile tells Zscaler Client Connector how to treat traffic from your users’ systems in different network environments for the Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services.

For each network type (On Trusted Network, VPN Trusted Network, Off Trusted Network, or Split VPN Trusted Network), you define how Zscaler Client Connector treats traffic from your users’ systems for the ZIA service by choosing one of these modes:

  • Tunnel
  • Tunnel with Local Proxy
  • Enforce Proxy
  • None

Tunnel -

In Tunnel mode, the app tunnels traffic at the network (IP) layer. It captures user traffic by setting IP routes on user devices. The app forwards all port 80/443 traffic to the Zscaler service through a routing mode tunnel called the Zscaler Tunnel (Z-Tunnel).

Tunnel with Local Proxy —

In Tunnel with Local Proxy mode, Zscaler Client Connector sets proxy settings on user devices so that all proxy-aware traffic is tunneled to Zscaler. The app does this by automatically installing a PAC file on the system to force all traffic to go to the local host.

Enforce Proxy —

The Enforce option is selected by default and cannot be changed. This option allows Zscaler Client Connector to enforce your proxy settings by monitoring for network changes and reapplying settings. Zscaler Client Connector also ensures that users cannot tamper with their proxy settings.

  • Automatically Detect Settings
  • Use Automatic Configuration Script
  • Use Proxy Server for Your LAN

Q6- What is a PAC file in Zscaler?

Ans -

A proxy auto-configuration (PAC) file is a text file that instructs a browser to forward traffic to a proxy server, instead of directly to the destination server. It contains JavaScript that specifies the proxy server and optionally, additional parameters that specify when and under what circumstances a browser forwards traffic to the proxy server. For example, a PAC file can specify on what days of the week or what hours of the day traffic is sent to a proxy, or for which domains and URLs traffic is not sent to a proxy.
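A PAC file of the kind described above, as an added example that is not part of the original article: it keeps one domain off the proxy and sends everything else to the proxy only during a weekday window. The proxy address, the bypassed domain and the hours are constructed placeholders, and `decide` is a hypothetical helper that takes the clock as a parameter so the time rule can be checked.

```javascript
// Added example PAC file. The proxy address, bypassed domain and hours are
// constructed placeholders, not values from Zscaler or from the article.
var PROXY = "PROXY proxy.example.com:8080";
var BYPASS_DOMAINS = ["intranet.example.com"];

// True for the domain itself or any subdomain. Matching on the ".domain"
// boundary keeps a lookalike such as evilintranet.example.com proxied.
function inDomain(host, domain) {
  var tail = "." + domain;
  host = host.toLowerCase();
  return host === domain || host.slice(-tail.length) === tail;
}

// Hypothetical helper: the decision with the clock passed in, so the
// time-based rule can be checked against fixed dates.
function decide(url, host, now) {
  // Domains for which traffic is not sent to the proxy.
  if (host.indexOf(".") === -1) return "DIRECT";   // plain hostnames
  for (var i = 0; i < BYPASS_DOMAINS.length; i++) {
    if (inDomain(host, BYPASS_DOMAINS[i])) return "DIRECT";
  }
  // Days and hours during which traffic is sent to the proxy:
  // Monday to Friday, 08:00 to 17:59 local time.
  var day = now.getDay();                           // 0 = Sunday
  var hour = now.getHours();
  if (day >= 1 && day <= 5 && hour >= 8 && hour < 18) {
    // No "; DIRECT" entry is returned here, so the PAC file itself never
    // offers an uninspected direct path as a fallback for this traffic.
    return PROXY;
  }
  return "DIRECT";
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  return decide(url, host, new Date());
}
```

Every `DIRECT` result is traffic the proxy never sees, so the bypass list and the time window are the parts of a PAC file worth reviewing most closely.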

Q- Difference between Private Service Edges and Virtual Service Edges in Zscaler

Ans- Zscaler can extend its patented cloud architecture to an organization’s premises by providing ZIA Private Service Edge (formerly Private ZEN or PZEN) and Virtual Service Edge (formerly Virtual ZEN or VZEN). These platforms are part of the Zscaler cloud and perform the same service as the ZIA Public Service Edge.

You can deploy Private Service Edges and Virtual Service Edges in locations that meet the following technical requirements:

  • Locations with certain geopolitical requirements and regulations
  • Locations that experience high latency when connecting to Public Service Edges
  • Applications that require an organization’s IP address as the source IP address
  • Users who need to see localized content

Q- What is Surrogate IP?

Ans -

With Surrogate IP, a user can authenticate to the service in one web browser and will not have to authenticate again if they open another web browser or use non-browser applications.

In certain deployments from known locations, you can enable the Zscaler surrogate IP service to map a user to a private IP address so it applies the user’s policies, instead of the location’s policies, to traffic that it cannot authenticate, which includes:

  • Applications that do not support cookies, such as Google Earth and Skydrive
  • HTTPS transactions that are not decrypted
  • Transactions that use unknown user agents

If a user browses the internet from multiple private IP addresses, the surrogate IP service maps all the private IP addresses to the user. The service also associates the transactions with the user in the logs.

The surrogate IP service maps a private IP address to only one user at a time and retains the mapping until:

  • The configured idle time ends
  • The user logs out of a session or logs out of the Zscaler service
  • Another user sends authenticated transactions from the same private IP address
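The mapping rules above as a small model, added here as an illustration and not Zscaler's implementation. `SurrogateIpTable` and its methods are hypothetical names, times are plain seconds, and the model assumes that any transaction from the IP restarts the idle timer.

```javascript
// Simplified model of the surrogate IP rules described above (added example).
// idleTimeout stands in for the configured idle time, in seconds.
function SurrogateIpTable(idleTimeout) {
  this.idleTimeout = idleTimeout;
  this.byIp = {};                      // private IP -> { user, lastSeen }
}

// An authenticated transaction binds the private IP to that user. A second
// user authenticating from the same IP replaces the first: one user per IP.
SurrogateIpTable.prototype.authenticated = function (ip, user, now) {
  this.byIp[ip] = { user: user, lastSeen: now };
};

// Logging out drops every private IP currently mapped to the user.
SurrogateIpTable.prototype.logout = function (user) {
  for (var ip in this.byIp) {
    if (this.byIp[ip].user === user) delete this.byIp[ip];
  }
};

// Traffic that cannot be authenticated (no cookies, undecrypted HTTPS,
// unknown user agent): decide whose policy applies and who is logged.
SurrogateIpTable.prototype.resolve = function (ip, now) {
  var m = this.byIp[ip];
  if (m && now - m.lastSeen > this.idleTimeout) {
    delete this.byIp[ip];              // configured idle time ended
    m = undefined;
  }
  if (!m) return { policy: "location", user: null };
  m.lastSeen = now;                    // assumption: activity restarts the timer
  return { policy: "user", user: m.user };
};

// Constructed scenario: two users share 10.0.0.5 one after the other.
function demo() {
  var t = new SurrogateIpTable(600);
  t.authenticated("10.0.0.5", "alice", 0);
  var first = t.resolve("10.0.0.5", 100).user;    // logged as alice
  t.authenticated("10.0.0.5", "bob", 200);
  var second = t.resolve("10.0.0.5", 300).user;   // now logged as bob
  var later = t.resolve("10.0.0.5", 901).policy;  // idle for 601 s
  return [first, second, later];
}
```

Because the private IP is the only key, unauthenticated traffic from an address shared by several people is logged against whoever authenticated from it last.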

Q- What is Source IP Anchoring in Zscaler?

Ans -

Forwarding policies for Source IP Anchoring allow organizations to steer selective traffic processed by ZIA to the internal or external destination servers of their choice. This ensures that Zscaler secures the traffic and that the source IP address is the organization’s choice. The application traffic is forwarded through the intranet to the internal destination servers and through the internet to the external destination servers.

The points below describe Source IP Anchoring in detail:

1- Source IP Anchoring:

  • Forwarding policies for Source IP Anchoring allow organizations to control the routing of specific traffic processed by Zscaler to internal or external destination servers based on their preferences.
  • This ensures that Zscaler is responsible for securing the traffic, and organizations can choose the source IP address for the traffic.

2- Routing Traffic:

  • Application traffic is selectively forwarded through the intranet to internal destination servers and through the internet to external destination servers.
  • This flexibility in routing is crucial when dealing with cloud applications or web services that have restrictions based on the source IP address of the traffic.

3- Access Restrictions:

  • Some applications or services restrict access based on the source IP address, requiring traffic to originate from a pre-registered unique IP address associated with the organization.
  • Examples include applications that deny access to traffic from unspecified IP addresses, including those from Zscaler data centers.

4- Challenges with Cloud Applications:

  • Certain cloud applications or web services may have access restrictions based on geographic location (e.g., allowing access only from specific countries).
  • Zscaler, in some cases, may not have a data center within the required geographic location, leading to potential access issues for users in that region.

5- Security Gap and Solutions:

  • Bypassing traffic from the Zscaler service to meet specific requirements can create security gaps.
  • Alternatively, organizations can use Private Service Edge or Virtual Service Edge to address these challenges. These solutions likely involve leveraging Zscaler’s capabilities to overcome access restrictions and maintain security without compromising on compliance or application requirements.

Note: The Source IP Anchoring feature is not supported with Virtual Service Edges.

For more questions and answers, visit our website: https://techclick.in


Ram Dixit

Ethical hacker || Follow on LinkedIn - https://www.linkedin.com/in/ram-dixit || If anyone is interested in learning more, go to our website - https://www.techclick.in/