TTechclick ⚡ XP 0% All lessons
Zscaler · ZIA · TroubleshootingInteractive · L1 / L2 / L3

Troubleshooting Zscaler ZIA — Watch the Break, Find the Fix in 12 Minutes

A user pings you: "internet slow", "this site is blocked", "I keep getting certificate errors". Skip the four-hour ticket. Pick the symptom below, watch the request fail at the exact stage, then run the diagnose → fix → verify playbook a senior engineer would.

📅 2026-05-30 · ⏱ 12 min · 4 live demos · 14 scenarios · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

ZIA troubleshooting the AI-era way — pick a symptom, watch the broken request light up the exact failure stage, and get the diagnose-fix-verify playbook for traffic forwarding, SSL inspection, policy and tunnels in 12 minutes instead of a 4-hour ticket.

🎯 By the end you will be able to

Read as:

Pick the symptom — jump straight to it

1

Not Protected

ip.zscaler.com says unprotected. PAC / forwarding-profile / tunnel issues.

 2

SSL & Cert Errors

"Your connection is not private" after inspection. Root cert + pinned apps.

 3

Blocked / Auth

Legit site blocked, SAML login looping, DNS resolving wrong.

 4

Tunnels & Speed

GRE / IPSec down, wrong data center, bandwidth throttling.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. A user's ip.zscaler.com shows their ISP's IP, not Zscaler's. Where do you look first?

Answered in Path 1 — Not Protected. (Spoiler: forwarding, not policy.)

2. After turning on SSL inspection, a banking app stops working but the browser is fine. Why?

Answered in Path 2 — SSL & Cert Errors.

3. A Cloud App Control rule allows Facebook; a URL Filtering rule blocks it. What does the user see?

Answered in Path 3 — Blocked / Auth. Precedence trips up everyone once.

Most engineers think…

"If a site is broken behind Zscaler, it's a policy problem — go open URL Filtering."

Wrong, and that wrong instinct is exactly why ZIA tickets drag on. The real first question is always: is the traffic even reaching Zscaler? A huge share of "Zscaler broke it" tickets are forwarding, certificate, or tunnel problems — the policy is innocent. This lesson rewires that instinct: follow the request, find where it dies, fix that stage.

The one mental model that solves 90% of ZIA tickets

Every user request walks the same path. Memorise the order and you can place any symptom on it:

Device → traffic forwarding (PAC / ZCC / GRE / IPSec) → ZIA Service Edge → authentication → SSL inspection → policy (Firewall, DNS, URL & Cloud App) → internet.

When something breaks, the request died at exactly one of these stages. Your whole job is to find which one. The biggest mistake is jumping to the last stage (policy) when the request never got past the first (forwarding).

👉 So far: requests flow through forwarding → edge → auth → inspection → policy. Next, the architecture diagram so you can point at the stage a ticket is stuck on.
Figure 1 — The ZIA request path (where each failure lives)
A left-to-right architecture diagram. A user device forwards traffic by PAC, ZCC, GRE or IPSec to a ZIA Service Edge, which runs authentication, then SSL inspection, then the policy stack of Cloud Firewall, DNS Control and URL and Cloud App Control, before reaching the internet. Red labels mark the typical failure at each stage. Follow the request — find where it dies User device laptop / mobile Forwarding PAC · ZCC · GRE · IPSec ✗ "Not protected" Authentication SAML · Kerberos ✗ Login loop SSL inspection decrypt · re-sign ✗ Cert error / pinning Policy stack — Cloud Firewall → DNS Control → URL & Cloud App Control ✗ Legit site blocked · precedence confusion · DNS resolves wrong 🌐 Internet (protected) Underlay also matters: a wrong data center / sub-cloud or a saturated bandwidth class adds latency without "breaking" anything.
Print this path. When a ticket lands, ask "which box did the request die in?" before touching any policy.

The four ways traffic reaches ZIA

A forwarding problem is the #1 cause of "not protected". You can only fix it if you know which method this user is on. Tap each card.

📄
PAC file
tap to flip

Browser/ZCC reads a JS file that says which requests go to a Zscaler edge. Typos or proxyPort 0 silently bypass it. So what: test the PAC URL first.

💻
ZCC
tap to flip

Zscaler Client Connector — the agent. Tunnels traffic per the forwarding + app profile. So what: most roaming-user issues are a ZCC state, not a policy.

🛣
GRE
tap to flip

Router-based tunnel from a branch edge to the nearest ZIA VIP. No encryption. So what: needs a registered public IP + L7 health check, or the location goes dark.

🔐
IPSec
tap to flip

Encrypted IKEv2 tunnel using VPN credentials (FQDN + PSK). So what: a wrong PSK or unmapped VPN credential = tunnel never establishes for that location.

① "I'm not protected" — traffic isn't reaching ZIA

This is where every ZIA shift starts. The single source of truth is ip.zscaler.com — it tells the user whether their traffic is going through Zscaler at all. Healthy traffic lands on a Public Service Edge; broken forwarding never gets there.

▶ Watch forwarding work — then break

Sneha at a Bengaluru branch opens a website. Press Play for the healthy path, then Break it to see the PAC proxyPort 0 trap.

① DEVICE10.20.30.45 opens portal.example.com:443
② PAC EVALPAC returns PROXY gateway.zscaler.net:443 — a Zscaler edge on an accepted port
③ ZIA EDGERequest lands on the nearest Public Service Edge → location recognised
④ VERIFYip.zscaler.com shows company name + "You are protected"
Press Play to step through the healthy forwarding path. Then press Break it.

Symptom

Sneha at Infosys reports "Zscaler isn't applying my policies". ip.zscaler.com shows her ISP's public IP, not Zscaler's, and no company name.

Likely cause

Traffic isn't being forwarded. A PAC typo, a return "DIRECT" for her destination, a proxy port set to 0 (ZIA only accepts web requests on 80, 443, 9400, 9480, 9443), or ZCC is paused/in a captive-portal state.

Diagnosis

Open the PAC URL directly in the browser and read the return statement. Confirm a Zscaler edge + an accepted port. Then check ZCC.

ZCC tray → Notifications → "Service Status: ON" + "Internet Security: ON"
Fix

Correct the PAC return (no proxyPort 0, no stray DIRECT for her host). If ZCC is paused or stuck behind a captive portal, restart the service / re-authenticate.

Verify

Reload ip.zscaler.com — it must show your company name and a Zscaler data-center IP.

CLI — test the PAC return on the user's machine (macOS/Linux)
curl -s "https://pac..net//pac" | grep -i "PROXY\|DIRECT"
Expected output
return "PROXY gateway.zscaler.net:443; PROXY gateway.zscaler.net:80";
# BAD: a line like  return "PROXY gateway.zscaler.net:0"  → port 0 = traffic NOT accepted
# BAD: a blanket    return "DIRECT"                       → bypasses Zscaler entirely

Symptom

Whole branch in Pune shows "Try Again" at ip.zscaler.com — traffic reaches Zscaler but no user identity is attached.

Likely cause

The "Try Again" message means authentication is disabled for the registered Location — common on GRE/IPSec branches where the location was created with auth off.

DiagnosisAdministration → Locations → [branch] → Enable Authentication

Cross-check the egress IP is registered to this Location (sub-location ranges included), or users hit the default un-authenticated location.

Fix

Enable Authentication on the Location (and Surrogate IP if you want IP-to-user mapping for non-browser apps).

Verify

ip.zscaler.com now shows the authenticated user; Web Insights logs carry the username instead of "unauthenticated".

ZIA Troubleshooting Simulator PAC / Forwarding Lab
Quick check · Q1 of 10

A user's PAC file returns PROXY gateway.zscaler.net:0. Their ip.zscaler.com shows the ISP IP. What's happening?

Correct: a. ZIA Public Service Edges accept web requests only on 80, 443, 9400, 9480 and 9443. Port 0 in a PAC return means the proxy never accepts the traffic, so it leaks out direct. This is a top PAC typo — always test the PAC URL before touching any policy.

Pause & Predict

SSL inspection is about to enter the picture. Before you read on: when ZIA decrypts HTTPS, what does the user's browser actually receive instead of the website's real certificate? Type your guess.

Answer: ZIA acts as a forward proxy and generates a certificate on the fly, signed by Zscaler's intermediate/root CA. The browser must trust that root — if it doesn't, you get "Your connection is not private". That's the whole basis of Path 2.

② SSL inspection breaks a site — cert errors & pinning

To inspect HTTPS, ZIA decrypts the traffic, then re-signs it with the Zscaler CA and re-encrypts to the client. Two things break this: the device doesn't trust the Zscaler root, or the app refuses any cert but the real one (certificate pinning).

▶ Watch SSL inspection — and the cert break

Rahul at TCS opens his bank. Play the working flow, then Break it to see what a missing root cert does.

① CLIENT HELLOBrowser → ZIA: "I want bank.example.com"
② ZIA ↔ SERVERZIA opens its own TLS to the bank, validates the bank's real cert
③ RE-SIGNZIA mints a cert for bank.example.com signed by the Zscaler root CA
④ CLIENT TRUSTBrowser trusts the Zscaler root → 🔒 padlock, no warning
Press Play for the healthy inspection flow. Then press Break it.

Symptom

Random users at Wipro get "Your connection is not private / NET::ERR_CERT_AUTHORITY_INVALID" on many HTTPS sites after SSL inspection was enabled.

Likely cause

The Zscaler root certificate isn't installed/trusted on those devices (missing from the OS/browser trust store, or a browser using its own store like Firefox).

Diagnosis

Click the cert in the browser — issuer reads "Zscaler". Then check the machine's trust store for the Zscaler root.

Administration → SSL Inspection → download the Zscaler Root Certificate
Fix

Push the Zscaler root to all device trust stores via MDM/GPO. For Firefox/Java apps that use their own store, import it there too (or set Firefox security.enterprise_roots.enabled = true).

Verify

Reload an inspected site — padlock is clean and the issuer shows the Zscaler CA, no warning.

Symptom

Browser sites are fine, but the bank's desktop app, MS Teams, Dropbox, or a remote-support agent fails to connect only when on Zscaler.

Likely cause

Certificate pinning. The app ships its expected server cert and rejects Zscaler's re-signed cert — so inspection breaks it even though the root is trusted.

Diagnosis

The break happens only for that app, only with inspection on. Web Insights shows the app's domains with TLS handshake failures.

Analytics → Web Insights → Logs → filter on the app domain
Fix

Add the app's domains to the SSL Inspection bypass (Do Not Inspect) list. Zscaler maintains recommended bypass categories for known pinned apps — start there before bypassing manually.

Policy → SSL Inspection → Do Not Inspect rules
Verify

App reconnects; the bypassed domains appear in logs as "SSL not inspected" rather than handshake-failed.

The trap behind a "fix"

Don't reflexively bypass huge URL categories to make a pinned app work — you carve a hole where malware can ride in un-inspected. Bypass the specific app domains (or use Zscaler's curated pinned-app list), keep everything else inspected. A wide bypass is how a "quick fix" becomes next quarter's incident.

Quick check · Q2 of 10

A banking desktop app fails only with SSL inspection on, but every browser site works fine and the Zscaler root is trusted. Best fix?

Correct: b. The clean root + browser-works-but-app-fails pattern is classic certificate pinning. Bypass only the app's domains. Disabling inspection globally (c) blinds you everywhere; reinstalling the root (a) wouldn't matter since browsers already work.

③ Site blocked, DNS wrong, or login looping

Traffic reaches ZIA and inspects fine, but a legit site is blocked or the user can't log in. Now — and only now — you look at policy and auth.

Pause & Predict

A user says "Facebook is blocked but my URL rule says block it — wait, it's actually open". Before reading the scenario: which policy family decided this, and does URL Filtering even get a vote? Type your guess.

Answer: Cloud App Control decided it. It runs before URL Filtering — so an allow there means URL Filtering never gets to apply its block. The log's "Reason" column will name the Cloud App rule, not your URL rule.
Figure 2 — Symptom → first-check decision tree
A decision tree. Start: site or app not working. First branch on whether ip.zscaler.com shows protected. If not protected, check forwarding. If protected, branch on the symptom: certificate error goes to root cert or pinning; site blocked goes to policy and precedence; login looping goes to authentication and IdP bypass; slow goes to data center or bandwidth. "It's broken behind Zscaler" — start here ip.zscaler.com → protected? NO YES FORWARDING PAC port · ZCC state · tunnel · location auth What's the symptom? 🔒 Cert error All sites → root cert missing One app → pinning → bypass 🚫 Legit site blocked Check Web Insights "Reason" Cloud App Control beats URL Filtering 🔑 Login loop IdP traffic inspected by mistake Exempt IdP URL from inspection 😴 Just slow (not broken)? → wrong data center / sub-cloud · bandwidth class throttle Golden rule: never debug policy until ip.zscaler.com confirms the traffic is actually protected.
Walk it top-down. The first branch — protected or not — saves you from debugging the wrong half of the stack.

Symptom

Priya can reach Facebook even though there's a URL Filtering rule that blocks it. The block "isn't working".

Likely cause

Precedence. By default Cloud App Control runs before URL Filtering. A Cloud App rule that allows Facebook stops ZIA from ever applying the URL Filtering block.

DiagnosisAnalytics → Web Insights → Logs → "Policy Action" + "Reason" column shows which policy decided
Fix

Either block Facebook in the Cloud App Control rule, or enable Allow Cascading to URL Filtering in Advanced Settings so URL Filtering still applies after a Cloud App allow.

Verify

Re-request the site; the log "Reason" now shows the URL Filtering block rule by name.

Symptom

Aditya is stuck in a SAML login loop — he authenticates, gets bounced back to the IdP, never lands. Started after SSL inspection went enterprise-wide.

Likely cause

The IdP authentication traffic is being inspected/forwarded into Zscaler instead of going direct, breaking the SAML assertion round-trip.

Diagnosis

Confirm the IdP host appears in Web Insights — it shouldn't be inspected at all.

Analytics → Web Insights → filter on the IdP host (e.g. *.okta.com)
Fix

Create a custom URL category for the IdP host and add it to the SSL Inspection exemption so authentication goes direct, un-inspected.

Verify

SAML completes in one round-trip; the IdP domains show as "not inspected" in logs.

Symptom

An internal site resolves to the wrong IP (or fails to resolve) only when users are on Zscaler.

Likely cause

A DNS Control rule is sending the query to Zscaler's Trusted Resolver instead of the enterprise resolver, so internal/split-horizon names don't resolve.

DiagnosisPolicy → DNS Control → check the resolver/DNS Gateway in the matching rule
Fix

Route internal domains to your enterprise resolver (or a custom DNS Gateway) via a higher-priority DNS Control rule. Keep external lookups on the Trusted Resolver.

Verify

nslookup intranet.example.com returns the correct internal IP; DNS Insights shows the right resolver used.

Symptom

Meena can browse fine but every file upload to a partner portal fails or hangs only on Zscaler.

Likely cause

File Type Control or a DLP rule is blocking the upload by true file type (MIME sniff), or the file exceeds the inspected-size limit, so it's quarantined/blocked.

DiagnosisAnalytics → Web Insights → filter the user → Reason = "File Type Blocked" / "DLP"
Fix

Allow that file type for the destination, or add a scoped DLP/File-Type exception for the trusted partner domain. Don't blanket-allow the type for everyone.

Verify

Upload completes; the log Reason flips from "File Type Blocked" to "Allowed".

Symptom

A user sees a Zscaler "caution" / "you've used your time quota" page on a site that worked this morning.

Likely cause

A URL Filtering rule with a Caution action (user must acknowledge) or a time-quota / bandwidth-quota on the category they've now exhausted.

DiagnosisPolicy → URL & Cloud App Control → find the matching rule → check Action + Quota
Fix

If the caution/quota is unintended, change the action to Allow or raise/remove the quota for that group. If intended, it's working as designed — explain it to the user.

Verify

Re-request the site — no caution page; log Reason shows the Allow rule.

Verify it worked — the log that ends the argument

Whatever you changed, the truth is in the logs. Open Analytics → Web Insights → Logs, filter on the user + last hour, and read the Reason column — it names the exact rule that allowed or blocked the flow. If "Reason" disagrees with what you expected, your mental model of the policy order is wrong, not the firewall.

CLI — confirm DNS resolves through the right resolver from the user box
nslookup intranet.example.com
dig +short portal.example.com
Expected output
Server:   100.64.x.x        # enterprise/Trusted Resolver, NOT a random public one
Address:  100.64.x.x#53
Name:     intranet.example.com
Address:  172.16.40.12       # correct internal IP — split-horizon resolved right
Quick check · Q3 of 10

A Cloud App Control rule allows LinkedIn; a URL Filtering rule blocks it. Default ZIA behaviour: what does the user get, and why?

Correct: b. Cloud App Control evaluates first. An allow there means URL Filtering is skipped — so the user reaches LinkedIn. To make the block stick, either block in Cloud App Control or enable "Allow Cascading to URL Filtering" in Advanced Settings.

Pause & Predict

A whole branch on a GRE tunnel suddenly loses internet, but ZCC roaming users in the same city are fine. Where is the break — device, policy, or underlay? Predict before you read Path 4.

Answer: The underlay/transport — the GRE tunnel for that location. ZCC users tunnel independently, so they're unaffected. A location-wide outage that spares roaming users almost always means the tunnel (GRE/IPSec) for that location is down, not a policy.

④ Tunnels down & everything slow

Branch offices forward via GRE or IPSec tunnels from their edge router/firewall. When a tunnel drops, the whole location loses protected internet. A L7 health check keeps the path verified. "Slow" is different — usually a wrong data center or a saturated bandwidth class.

▶ Watch a GRE tunnel health-check — then fail

A Hyderabad branch edge keeps the tunnel alive with an L7 health check. Play healthy, then Break it.

① REGISTERBranch public IP is registered to the ZIA Location
② TUNNEL UPGRE/IPSec built to the nearest ZIA VIP
③ HEALTH CHECKL7 probe keeps the path verified, auto-fails over if a VIP dies
④ PROTECTEDAll branch users egress through ZIA
Press Play for a healthy tunnel. Then press Break it to see the failure mode.

Symptom

A whole branch loses internet. The GRE/IPSec tunnel for that location shows down.

Likely cause

For IPSec: wrong/expired VPN credential (FQDN + PSK) or the credential isn't mapped to the Location. For GRE: the branch public egress IP isn't registered, or the upstream ISP dropped the path / MTU fragmentation.

DiagnosisAdministration → VPN Credentials & Locations → confirm credential ↔ location mapping

On the branch edge, check IKE/SA state and the tunnel keepalive; verify the registered IP matches the actual egress IP.

Fix

Re-enter the correct PSK / map the VPN credential to the Location; register the real public IP; lower the tunnel MTU to avoid fragmentation. Let the L7 health check re-establish.

Verify

Tunnel state shows up/established on both the edge and ZIA; branch users pass ip.zscaler.com again.

CLI — check IPSec tunnel state on the branch edge (vendor-neutral pattern)
show vpn ike-sa gateway ZIA-PRIMARY
show vpn ipsec-sa tunnel ZIA-PRIMARY
Expected output
IKE-SA  ZIA-PRIMARY   state: established   role: initiator   auth: PSK
IPSec-SA ZIA-PRIMARY  state: active        bytes-in: 482M   bytes-out: 511M
# DOWN signs: state "init"/"down", repeated rekey, or bytes stuck at 0 = PSK / mapping / MTU

Symptom

A Mumbai office complains everything is slow on Zscaler. Nothing is "blocked" — it just lags.

Likely cause

Users are landing on a distant data center / wrong sub-cloud, adding round-trip latency, or a bandwidth class is throttling.

Diagnosis

Check which data center the user lands on at ip.zscaler.com; compare to the nearest one. Review the bandwidth class limits.

Policy → Bandwidth Control + the ZIA Performance Troubleshooting Runbook
Fix

Correct the sub-cloud/data-center selection (geolocation of the egress IP, or sub-cloud mapping) so users hit the nearest edge; raise or re-scope the bandwidth class limit for the throttled app.

Verify

Latency drops; the user now lands on the nearby data center, and the bandwidth class no longer caps the priority app.

Symptom

Only one floor / VLAN of an office is unprotected; the rest of the same location is fine.

Likely cause

That subnet's egress IP isn't covered by a sub-location range, so those users fall through to the default un-authenticated location.

DiagnosisAdministration → Locations → [office] → Sub-Locations → check the IP range covers that VLAN
Fix

Add/extend the sub-location range to include the floor's egress IPs, mapped to the right policy and auth settings.

Verify

Those users now pass ip.zscaler.com with the correct location + identity.

Symptom

An app gets ERR_CONNECTION_RESET / a sudden 4xx only on Zscaler — intermittent, no clean cert error.

Likely cause

The flow is hitting a policy reset (firewall/IPS block returning RST) or it expects a dedicated proxy port / transparent path the device isn't using.

DiagnosisAnalytics → Web Insights / Firewall Insights → Reason for the reset (IPS, Firewall, or SSL handshake)
Fix

If IPS/firewall reset is a false positive, scope an exception for that app. If it needs a dedicated proxy port vs transparent forwarding, align the forwarding profile to the documented port.

Verify

Resets stop; the log Reason no longer shows an IPS/firewall block on the app's flows.

Cheat-sheet flips — symptom → first check

These four cover the bulk of your tickets. Tap to reveal the first thing to look at.

🛡
"Not protected"
tap

First check: ip.zscaler.com → then the PAC return + ZCC state. "Try Again" = location auth off. So what: it's forwarding, not policy.

🔒
Cert error
tap

All sites → Zscaler root not trusted. One app → pinning → bypass that app's domains. So what: read the issuer first.

🚫
Legit site blocked
tap

First check: Web Insights "Reason" column. Remember Cloud App Control beats URL Filtering by default. So what: the log names the deciding rule.

🐢
Just slow
tap

Check the data center at ip.zscaler.com + bandwidth class. So what: "slow" is underlay, not a broken policy.

Figure 3 — The inspection pipeline & where it fails
A linear pipeline left to right: forwarding, authentication, SSL inspection, Cloud Firewall, DNS Control, URL and Cloud App Control, then internet. Under each stage a red note states the typical failure that happens there. Each stage has one classic failure — learn the pairing Forwarding PAC/ZCC/tunnel port 0 / DIRECT Auth SAML/Kerberos IdP inspected SSL inspect decrypt/re-sign root / pinning Firewall 5-tuple + app port blocked DNS Control resolver pick wrong resolver URL & App category + app precedence: Cloud App beats URL Filtering 🌐 Internet A block at any stage ends the flow. Map the symptom to the stage, fix that stage, re-test.
The red note under each box is its signature failure. Match a ticket's symptom to the stage, and you've already narrowed the cause.
Quick check · Q4 of 10

An entire IPSec-tunnel branch loses internet at 2pm. ZCC roaming users in the same city are unaffected. Where do you look first?

Correct: c. A location-wide outage that spares roaming ZCC users points squarely at the branch transport — the tunnel and its VPN-credential/location mapping. Policy and inspection would hit roaming users too.
Figure 4 — ZIA first-check cheat-sheet (screenshot this)
A grid of six cheat-sheet tiles. Each tile pairs a symptom with the very first thing to check: not protected to ip.zscaler.com and PAC/ZCC; certificate error to the cert issuer; site blocked to Web Insights Reason; login loop to IdP inspection exemption; tunnel down to VPN credential and health check; slow to data center and bandwidth. A footer states the golden rule. Symptom → first check (the one card to keep) 🛡 "Not protected" → ip.zscaler.com first → PAC port (no :0) + ZCC state "Try Again" = location auth off 🔒 Certificate error All sites → Zscaler root not trusted One app → pinning → bypass it read the cert issuer first 🚫 Legit site blocked → Web Insights "Reason" Cloud App Control beats URL Filtering by default 🔑 Login loop IdP traffic getting inspected → exempt IdP host from SSL inspection (go direct) 🛣 Tunnel / location down → VPN credential ↔ location → registered IP + health check roaming users fine = transport 🐢 "Slow", not broken → data center @ ip.zscaler.com → bandwidth class throttle it's underlay, not policy GOLDEN RULE Confirm "protected" at ip.zscaler.com BEFORE you debug any policy. Then map symptom → stage → fix that stage. ZIA web ports: 80 · 443 · 9400 · 9480 · 9443 | log of truth: Analytics → Web Insights → "Reason" column
Six symptoms, six first-checks, one golden rule. Screenshot this — it's the card you'll glance at mid-ticket.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from Zscaler Help docs + community Q&A, scoped to ZIA troubleshooting. For a live prod issue, paste your Web Insights export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which ports does a ZIA Public Service Edge accept web requests on?

Correct: a. ZIA edges accept web traffic on 80, 443, 9400, 9480 and 9443. A PAC return pointing at any other port (e.g. :0) means the traffic isn't accepted and effectively bypasses Zscaler.
Q6 · Apply

Karthik's whole location shows "Try Again" at ip.zscaler.com — traffic reaches Zscaler but no user identity is attached. What do you enable?

Correct: a. "Try Again" at ip.zscaler.com is the documented signal that authentication is disabled for the registered Location. Enable it (and Surrogate IP for non-browser apps) so user identity attaches to the flow.
Q7 · Apply

After enterprise-wide SSL inspection, users hit a SAML login loop. What's the correct change?

Correct: b. Authentication traffic to the IdP must go direct, un-inspected. Create a custom URL category for the IdP host and add it to the SSL inspection exemption. Disabling inspection globally (a) is the over-correction everyone reaches for — don't.
Q8 · Analyze

Every browser HTTPS site shows a cert warning on a fleet of new laptops, issuer "Zscaler". Browsers on older laptops are fine. Root cause?

Correct: c. "All sites + issuer Zscaler + only the new build affected" is the missing-root-cert signature. Push the Zscaler root to those trust stores via MDM/GPO. Pinning (a) would break one app, not every site; a PAC typo (d) would mean "not protected", not a cert warning.
Q9 · Analyze

A URL Filtering rule blocks a SaaS app, yet users still reach it. Web Insights "Reason" names a Cloud App Control allow rule. What's going on?

Correct: d. By default Cloud App Control runs first; an allow there means URL Filtering is skipped. The "Reason" column is telling you the truth — fix the precedence, not the URL rule. Enable "Allow Cascading to URL Filtering" or move the block into Cloud App Control.
Q10 · Evaluate

An engineer proposes "fix the pinned-app failures by bypassing the whole Finance and Banking URL category from SSL inspection". Sound design for a 5,000-user bank?

Correct: a. Pinning is per-app, so the fix is per-domain — not a whole category. A category-wide bypass at a bank is exactly the un-inspected hole attackers want. Scope tightly; keep everything else decrypted and inspected.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: why must IdP authentication traffic go direct (un-inspected) through ZIA? Then compare to the expert version.

Expert version: SSL inspection sits in the middle of the TLS session and re-signs certs. SAML/OIDC assertions and the IdP's own TLS are sensitive to that interception — re-signing breaks the trust/round-trip, so the login bounces forever. Exempting the IdP host from inspection lets auth complete cleanly, then everything else stays inspected. If your answer mentioned "inspection breaks the auth handshake / assertion", you've got it.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

ZIA Service Edge
The Zscaler cloud node (Public Service Edge) that proxies and inspects a user's traffic.
ip.zscaler.com
Zscaler's "am I protected?" page — shows your egress IP, data center, and company name if traffic is going through ZIA.
PAC file
Proxy Auto-Config — a JavaScript file the browser/ZCC reads to decide which requests go to a Zscaler edge vs direct.
ZCC
Zscaler Client Connector — the endpoint agent that forwards and authenticates traffic per the forwarding + app profile.
SSL inspection
ZIA decrypts HTTPS, re-signs it with the Zscaler CA, re-encrypts to the client — required for payload-aware controls.
Certificate pinning
An app embedding its expected server cert and rejecting any other — including a proxy's re-signed cert.
Cloud App Control
The policy family that classifies SaaS apps; by default it is evaluated before URL Filtering.
VPN credential
The FQDN + pre-shared key that authenticates an IPSec tunnel and is mapped to a Location.
Surrogate IP
Maps an authenticated user to their device IP so non-browser apps inherit identity without re-auth.

📚 Sources

  1. Zscaler Help — PAC Files / Using PAC Files / Verifying a User's Traffic is Being Forwarded to the Zscaler Service. help.zscaler.com
  2. Zscaler Help — Recommended URL & Cloud App Control Policy (Cloud App Control precedence + Allow Cascading to URL Filtering). help.zscaler.com
  3. Zscaler Help — Configuring IPSec VPN Tunnel · Configuring GRE Tunnels · Best Practices for Deploying GRE Tunnels · About VPN Credentials. help.zscaler.com
  4. Zscaler Help — Bandwidth Control & Classes · ZIA Performance Troubleshooting Runbook · Policy Reasons. help.zscaler.com
  5. Zscaler Community (Zenith) — "Zscaler root certificate not installed" browser errors, SSL pinning bypass (ConnectWise / ChatGPT / Apple), Deny-All at end of URL/Cloud App policy. community.zscaler.com
  6. Zscaler ZIA & ZCC Deployment / Troubleshooting Guides — auth traffic must go direct to IdP; PAC proxyPort 0 trap; SSL exemption for IdP host.
  7. Zscaler Client Connector App Release Summary (2025/2026) — ZCC 4.6.x DNS-resolution + VPN-gateway-port retry fixes. help.zscaler.com
  8. Zscaler ZDTA Certification Exam Guide (2025/2026) — Connectivity & Platform Services (traffic forwarding, TLS inspection) objectives.

What's next?

You can now place any ZIA ticket on the request path and fix the stage that died. Next, go deeper on the policy stack itself — how Cloud Firewall, DNS Control, URL Filtering and IPS chain together inside one SSE hop.

Next · ZIA Security Controls Deep-Dive → Practice on exam.techclick.in →