Paloalto Networks SSE-Engineer Palo Alto Networks Security Service Edge Engineer Exam Practice Test

Prisma Access applies security rules in a hierarchical order, where rules at higher levels take precedence over those at lower levels. If a more permissive rule is placed higher in the hierarchy, it may allow traffic before the restrictive Web Security rule is evaluated. To resolve this, the engineer shouldreorder the rules to ensure the restrictive Web Security rule is positioned higher in the hierarchyso it is applied before any broader or conflicting rules.

When onboarding a discovered application forZTNA Connector, configuring aTCP pingallows Prisma Access to accurately report the application'savailability.TCP ping(also known as aTCP connection check) verifies whether the application's service port isopen and responsive, ensuring that the application is reachable before allowing user connections. This method is more reliable thanICMP ping, as many cloud and SaaS applicationsblock ICMP trafficfor security reasons.

When network routers appear multiple times with different IP addresses in IoT Security, it is likely because they have multiple interfaces with separate IPs. Merging these entries into a single device with multiple interfaces ensures that the system correctly identifies each router as a unique entity while maintaining visibility across all its interfaces. This approach prevents unnecessary duplicates, improves asset management, and enhances security monitoring.

Selecting the“Disable Server Response Inspection”checkbox means that traffic flowingfrom the server to the clientwillnot be inspectedfor threats, even if a threat protection profile is applied to the Security policy rule. This setting can reduce processing overhead but may expose the network to threats embedded in server responses, such as malware or exploits.

TheCommand CenterwithinStrata Cloud Manager (SCM)provides acentralized view of applications, threats, and user insightsacross bothNGFW (Next-Generation Firewall) and Prisma Accesssimultaneously. This feature enables theoperations teamto monitorbranch locations, analyzesecurity events, and detect anomalies in real time, offering acomprehensive visibility and threat intelligence interfacefor proactive network and security management.

TheStrata Logging Serviceallowslog replay, which enables resending logs that were not successfully forwarded to an external syslog server due to disruptions. By configuring areplay profilewith the affected time range and associating it with thesyslog server profile, Prisma Access will resend the missing logs, ensuring that all relevant data is restored in the external logging system. This approach is the most efficient and automated way to recover missing logs.

This option ensures thatSSL Decryptionchecks for mismatches between theServer Name Indication (SNI) fieldin the TLS handshake and theCommon Name (CN) or Subject Alternative Name (SAN) in the server certificate. If a malicious user tries to bypass content filtering by spoofing theSNI while using the real blocked website in the HTTP host header, this setting will detect the discrepancy andblock the session, preventing unauthorized access.

When onboarding a new branch office to anexisting IPSec termination nodeinPrisma Access, theQoS bandwidth is not automatically assigned. Instead, the newly added branchremains unallocateduntil the administratormanually assigns bandwidthwithin theQoS configuration settings. This ensures thatcustomized bandwidth per siteremains intact and allows forfine-tuned traffic managementbased on business needs.

When a large branch office experiences a high volume of employees logging in within a short time frame, the following apply:

Maximum pending TCP DNS requests is 64– This means that Prisma Access can queue up to 64 pending DNS requests over TCP before dropping additional requests. If more requests are received simultaneously, some may fail or experience delays.

Maximum number of TCP DNS retries is 3– If a DNS request fails over TCP, Prisma Access will attempt to retry the request up to three times before failing over to another method or returning an error.

SaaS Security Inline allows engineers to customize the risk scores assigned to different SaaS applications based on various factors. By manipulating these risk scores, you can influence how these applications are treated within Security policies.

To limit the use of unsanctioned SaaS applications:

Lower the risk score of sanctioned applications:This makes them less likely to trigger policies designed to restrict high-risk activities.

Increase the risk score of unsanctioned applications:This elevates their perceived risk, making them more likely to be caught by Security policies configured to block or limit access based on risk score thresholds.

Then, you would create Security policies that take action (e.g., block access, restrict features) based on these adjusted risk scores. For example, a policy could be configured to block access to any SaaS application with a risk score above a certain threshold, which would primarily target the unsanctioned applications with their inflated scores.

Let's analyze why the other options are incorrect based on official documentation:

B. Increase the risk score for all SaaS applications to automatically block unwanted applications.Increasing the risk score forallSaaS applications, including sanctioned ones, would lead to unintended blocking and disruption of legitimate business activities. Risk score customization is intended for differentiation, not a blanket increase.

C. Build an application filter using unsanctioned SaaS as the category.While creating an application filter based on the "unsanctioned SaaS" category is a valid way to identify these applications, it directly filters based on the category itself, not the risk score. Risk score customization provides a more nuanced approach where you can define thresholds and potentially allow some low-risk activities within unsanctioned applications while blocking higher-risk ones.

D. Build an application filter using unsanctioned SaaS as the characteristic.Similar to option C, using "unsanctioned SaaS" as a characteristic in an application filter allows you to directly target these applications. However, it doesn't leverage the risk score customization feature to control access based on a graduated level of risk.

Therefore, the most effective way to use risk score customization to limit unsanctioned SaaS application usage is by lowering the risk scores of sanctioned applications and increasing the risk scores of unsanctioned ones, and then building Security policies that act upon these adjusted risk scores.

The error messages indicate that Prisma Access is encountering certificate issues while attempting to decrypt traffic to "google.com." This suggests that theserver has pinned certificates, meaning it does not allow man-in-the-middle (MITM) decryption by Prisma Access. Since pinned certificates prevent traffic decryption, a solution is tocreate a "do not decrypt" rule for the hostname "google.com."This will allow traffic to flow without triggering certificate errors while maintaining secure communication with Google's servers.

Palo Alto Networks best practices and the behavior of Strata Cloud Manager (SCM) dictate thatpredefined or default objects, including profile groups like "Default Prisma Profile," cannot be directly modified.These default objects serve as baseline configurations and are often locked to prevent accidental or unintended changes that could impact the overall security posture.

The intern's experience of the options being greyed out when selecting "Default Prisma Profile" is a direct indication of this immutability of default objects.

Therefore, the correct action is to:

Create a new Profile Group:The intern should create a new profile group within the appropriate configuration scope (likely GlobalProtect, given the task).

Configure the new Profile Group:In this new profile group, the intern can select the desired Anti-Spyware Profile (which might be an existing custom profile or a new one they create).

Modify Security Rules:The security rules currently using the "Default Prisma Profile" in the GlobalProtect folder need to be modified to use this newly created profile group.

Let's analyze why the other options are incorrect based on official documentation:

A. Request edit access for the GlobalProtect scope.While having the correct scope permissions is necessary for makinganychanges within GlobalProtect, it will not override the inherent immutability of default objects like "Default Prisma Profile." Edit access will allow the intern to create new objects and modify rules, but not directly edit the default profile group.

B. Change the configuration scope to Prisma Access and modify the profile group.The image shows that "Default Prisma Profile" has a "Location" of "Prisma Access." However, even within the Prisma Access scope, default profile groups are generally not directly editable. The issue is not the scope but the fact that it's a default object.

D. Modify the existing anti-spyware profile, because best-practice profiles cannot be removed from a group.The question is about changing theprofile group, not the individual Anti-Spyware Profile. While "best-practice" profiles might be part of default groups, the core issue is the inability to modify thedefault groupitself. Creating a new group allows the intern to choose which Anti-Spyware Profile to include.

In summary, the fundamental principle in Palo Alto Networks management is that default objects are typically read-only to ensure a consistent and predictable baseline. To make changes, you need to create custom objects.

The"400 Bad Request"error when attemptingSAML authenticationthrough theCloud Identity Engine (CIE)suggests amisconfiguration in the SAML metadata. This typically occurs when theendpoint URLs, certificates, or entity IDsdo not match betweenCloud Identity Engine and the IdP portal. To resolve this, verify that:

TheSAML metadatauploaded toCloud Identity Enginematches theconfiguration from the IdP.

TheACS (Assertion Consumer Service) URL, Entity ID, and certificateare correctly set.

There are no incorrect or expired certificates in theCloud Identity Engine and IdP configuration.

By ensuring theSAML metadatais properly configured inboth systems, authentication should proceed without errors.

When configuringRemote Browser Isolation (RBI)inPrisma Access (Managed by Strata Cloud Manager)for mobile users, aURL access management profilemust be created with thesite access action set to "Isolate". This profile is thenapplied to a Security policyto enforce isolation for specific URLs. This ensures thatweb traffic to designated high-risk or untrusted sitesisredirected to a remote, secure browser instance, protecting endpoints from potential web-based threats.

To enable App Acceleration for SaaS applications in Prisma Access, the following configurations must be enabled:

Trusted Root CA for the CA certificate ensures that Prisma Access can validate and trust the SaaS application's certificates, allowing seamless inspection and acceleration of traffic without security warnings.

Forward Trust Certificate for the CA certificate enables SSL decryption for SaaS applications, allowing Prisma Access to optimize traffic and apply acceleration techniques while maintaining security policies.