Paloalto Networks SSE-Engineer Palo Alto Networks Security Service Edge Engineer Exam Practice Test

When a large branch office experiences a high volume of employees logging in within a short time frame, the following apply:

Maximum pending TCP DNS requests is 64– This means that Prisma Access can queue up to 64 pending DNS requests over TCP before dropping additional requests. If more requests are received simultaneously, some may fail or experience delays.

Maximum number of TCP DNS retries is 3– If a DNS request fails over TCP, Prisma Access will attempt to retry the request up to three times before failing over to another method or returning an error.

To enable App Acceleration for SaaS applications in Prisma Access, the following configurations must be enabled:

Trusted Root CA for the CA certificate ensures that Prisma Access can validate and trust the SaaS application's certificates, allowing seamless inspection and acceleration of traffic without security warnings.

Forward Trust Certificate for the CA certificate enables SSL decryption for SaaS applications, allowing Prisma Access to optimize traffic and apply acceleration techniques while maintaining security policies.

To meet the customer’s requirements, two separate Prisma Access instances should be deployed:

Instance 1should includemobile users, remote networks, and private accessfor internal connectivity. This ensures that mobile users can access the internet, data centers, and remote branch locations while enforcing security policies.

Instance 2should be configured withremote networks and private application accessfor B2B connections. This instance will restrict access to only the required internally developed applications using non-standard ports, ensuring that partners cannot access other corporate resources.

By usingspecific configuration scopes for different connection types, the security team can manage access to mobile users and branch locations, while the network team can manage B2B partner connections. This ensuresproper segmentation of management responsibilitieswhile maintaining security and compliance.

After configuringdomain-based split tunnelingforzoom.us, the expected behavior can be confirmed by checking therouting table on the client machine. If split tunneling is correctly configured, the traffic forzoom.usshould be routedoutsidethe GlobalProtect VPN tunnel, while other traffic follows the tunnel path. Reviewing the routing table ensures thatonly the intended traffic is excluded from the tunnel, confirming that the split tunnel configuration is working as expected.

When implementingAI Access Security,tagsare applied toGenerative AI applicationsto classify them assanctioned, tolerated, or unsanctioned. This allows organizations to enforcepolicy-based access controlover AI tools, ensuring that onlyapproved applicationsare accessible while restricting or monitoring usage ofuntrusted or high-risk AI platforms. This classification helps security teamsmanage AI-related risks and complianceeffectively.

SincePhase 1 of the IPSec tunnel is establishedbutPhase 2 traffic is not being received, theTunnel logsinStrata Logging Serviceshould be reviewed.Tunnel logsprovide visibility into IPSec tunnel establishment,Phase 2 negotiation, and any errors or dropped packets related to encrypted traffic. This will help identify whetherESP (Encapsulating Security Payload) traffic is being blocked, mismatched security associations (SAs) exist, or if there are other issues with Prisma Access responding to Phase 2-encrypted packets.

Ensuring that theRemote_Network_Templateis selected when adding the User-ID Agent in Panorama is crucial because User-ID information must be associated with the correctRemote Networkconfiguration for policies to apply properly. Additionally, theService_Conn_Templatemust be selected when adding the User-ID Agent in Panorama, as theservice connectionis responsible for distributing User-ID mappings between theon-premises firewall and Prisma Access. If either of these configurations is incorrect, the user information will not be properly mapped, and traffic will not match user-based policies.

By usingsecurity checks under posture settingsinStrata Cloud Manager (SCM), the senior engineer can enforcepolicy compliance standardsbyautomatically denyingany security policy that does notalign with best practices. This ensures that junior engineers can create policies while preventing configurations that might introduce security gaps. This proactive approacheliminates manual oversightand enforces compliance at the time of policy creation, reducing risk and ensuring consistent security enforcement.

Embargo rules inPrisma Accessare designed toblock traffic from specific countriesthat are subject to regulatory or policy-based restrictions. These rules help organizations enforce compliance bypreventing inbound and outbound connectionsto or from regions that may pose security risks or arerestricted due to legal or geopolitical reasons. They are commonly used toalign with government sanctions and corporate security policies.

After successfully creating aSAML authentication type and authentication profileinCloud Identity Engine, the next step is toconfigure a corresponding SAML authentication profile in Strata Cloud Managerand link it to theCloud Identity Engine profile. This ensures thatPrisma Access (Managed by Strata Cloud Manager)can authenticate mobile users using the configured SAML identity provider (IdP), enabling seamless user authentication and access control.

InPrisma Access Browser (PAB), allowing access to applications while enforcingdata masking or watermarkingprovides security forBYOD (Bring Your Own Device)users without heavily impacting the user experience.Data maskingensures that sensitive information isobscured, reducing the risk of data leakage, whilewatermarkingcan deter unauthorized screenshots or data exfiltration. This approachbalances security and usability, allowing users to work efficiently while protecting corporate data.

InPrisma Access, security policies are evaluated based on theirconfiguration scope. If the engineer configured aSecurity policyunder theRemote Networks scope, but traffic from the branch locations is instead matching aSecurity policy under the Prisma Access configuration scope, the intended policy will not take effect. This happens becausePrisma Access evaluates security rules based on the highest-level applicable configuration first, which can override more specific Remote Networks policies.

In aPanorama Managed Prisma Access multitenant environment,Access Domainsprovide granularrole-based access control (RBAC). By defining anAccess Domain, the network security team can be granted full administrative privileges for aspecific tenant's configurationwhile ensuring theycannot access or modify other tenants. This method enforces proper segmentation andensures compliance with multitenant security policies.

When configuringRemote Browser Isolation (RBI)inPrisma Access (Managed by Strata Cloud Manager)for mobile users, aURL access management profilemust be created with thesite access action set to "Isolate". This profile is thenapplied to a Security policyto enforce isolation for specific URLs. This ensures thatweb traffic to designated high-risk or untrusted sitesisredirected to a remote, secure browser instance, protecting endpoints from potential web-based threats.

SaaS Security Inline allows engineers to customize the risk scores assigned to different SaaS applications based on various factors. By manipulating these risk scores, you can influence how these applications are treated within Security policies.

To limit the use of unsanctioned SaaS applications:

Lower the risk score of sanctioned applications:This makes them less likely to trigger policies designed to restrict high-risk activities.

Increase the risk score of unsanctioned applications:This elevates their perceived risk, making them more likely to be caught by Security policies configured to block or limit access based on risk score thresholds.

Then, you would create Security policies that take action (e.g., block access, restrict features) based on these adjusted risk scores. For example, a policy could be configured to block access to any SaaS application with a risk score above a certain threshold, which would primarily target the unsanctioned applications with their inflated scores.

Let's analyze why the other options are incorrect based on official documentation:

B. Increase the risk score for all SaaS applications to automatically block unwanted applications.Increasing the risk score forallSaaS applications, including sanctioned ones, would lead to unintended blocking and disruption of legitimate business activities. Risk score customization is intended for differentiation, not a blanket increase.

C. Build an application filter using unsanctioned SaaS as the category.While creating an application filter based on the "unsanctioned SaaS" category is a valid way to identify these applications, it directly filters based on the category itself, not the risk score. Risk score customization provides a more nuanced approach where you can define thresholds and potentially allow some low-risk activities within unsanctioned applications while blocking higher-risk ones.

D. Build an application filter using unsanctioned SaaS as the characteristic.Similar to option C, using "unsanctioned SaaS" as a characteristic in an application filter allows you to directly target these applications. However, it doesn't leverage the risk score customization feature to control access based on a graduated level of risk.

Therefore, the most effective way to use risk score customization to limit unsanctioned SaaS application usage is by lowering the risk scores of sanctioned applications and increasing the risk scores of unsanctioned ones, and then building Security policies that act upon these adjusted risk scores.