Zscaler ZDTA Questions Answers

Device posture must be re-evaluated regularly because endpoint state can change after access is granted. The maximum default frequency tested here is fifteen minutes, which gives Zscaler a relatively current view of compliance conditions. Option A (15 minutes) is correct because posture profile evaluation can occur every fifteen minutes by default.

Why the other options are incorrect:

B. 2 minutes: Two minutes would create much more frequent posture evaluation than the default maximum cadence. The tested default maximum frequency is fifteen minutes.

C. 5 minutes: Five minutes is more frequent than the default maximum posture-profile evaluation cadence. The tested value is fifteen minutes.

D. 10 minutes: Ten minutes is still shorter than the default maximum posture-profile evaluation cadence. The correct default maximum is fifteen minutes.

Posture Profiles provide the richest device-trust signal for sensitive private application access. They can evaluate checks such as certificate trust, domain join, process/file presence, encryption, OS characteristics, and other endpoint-security conditions. Option D (Posture Profiles) is correct because a posture profile measures device trust more completely than a single client type, group attribute, or trusted-network flag.

Why the other options are incorrect:

A. Client Type: Client Type tells ZPA what kind of client is connecting; it is much less complete than a posture profile for device trust.

B. SCIM User Attributes: SCIM provisions and synchronizes users, groups, and attributes between an identity provider and Zscaler.

C. Trusted Network: Trusted Network detection decides whether the device is on a known corporate network using signals such as DNS servers, search domains, gateways, or hostname resolution.

The requirement is tenant-aware SaaS enforcement. ZIA Cloud Application Control can distinguish between the approved corporate instance of an application and a user's personal or unauthorized instance. This is stronger than simple URL filtering because the domain may be the same while the tenant, account, or application activity differs. Option B (Cloud application control) is correct because Cloud App Control is the ZIA control plane used to apply SaaS-specific rules, including tenant restrictions and sanctioned-versus-unsanctioned application decisions.

Why the other options are incorrect:

A. Out-of-band CASB: Out-of-band CASB works through SaaS APIs to inspect or remediate content already sitting inside cloud applications.

C. URL filtering with SSL inspection: URL Filtering controls web destinations by category, URL, risk, and action such as allow, block, caution, or isolate.

D. Endpoint DLP: Endpoint DLP governs local device channels such as USB, print, clipboard, and files in use.

Intermediate CA rotation reduces exposure if a certificate were mishandled and keeps the inspection trust chain short-lived. Zscaler's rotation model for intermediate CA certificates uses a short validity window rather than long-lived static certificates. Option C (Certificates are rotated every seven days and have a 14-day expiration) is correct because the tested rotation policy is seven-day rotation with a fourteen-day expiration.

Why the other options are incorrect:

A. Certificates are rotated every 90 days and have a 180-day expiration: Ninety-day rotation and 180-day expiration would leave intermediate certificates active much longer than the Zscaler inspection model described here.

B. Lifetime certificates have no expiration date: Lifetime certificates would never expire, which is the opposite of good inspection-certificate hygiene. Zscaler uses short-lived intermediate certificates.

D. Certificates are issued dynamically and expire in 24 hours: A 24-hour expiration would be unnecessarily short and is not the documented intermediate CA timing in this exam item.