Palo Alto Networks SSE-Engineer Exam Practice Test Instant Access

Question 1

Where are tags applied to control access to Generative AI when implementing AI Access Security?

ATo Generative AI applications for identifying sanctioned, tolerated, or unsanctioned applications

BTo security rules for defining which types of Generative AI applications are allowed or blocked

CTo user devices for identifying and controlling which Generative AI applications they can access

DTo Generative AI URL categories for classifying trusted and untrusted Generative AI websites

Answer : A

When implementing AI Access Security, tags are applied to Generative AI applications to classify them as sanctioned, tolerated, or unsanctioned. This allows organizations to enforce policy-based access control over AI tools, ensuring that only approved applications are accessible while restricting or monitoring usage of untrusted or high-risk AI platforms. This classification helps security teams manage AI-related risks and compliance effectively.

Question 2

Based on the image below, which two statements describe the reason and action required to resolve the errors? (Choose two.)

AThe client is misconfigured.

BCreate a do not decrypt rule for the hostname ''google.com.''

CThe server has pinned certificates.

DCreate a do not decrypt rule for the hostname ''certificates.godaddy.com.''

Answer : B, C

The error messages indicate that Prisma Access is encountering certificate issues while attempting to decrypt traffic to 'google.com.' This suggests that the server has pinned certificates, meaning it does not allow man-in-the-middle (MITM) decryption by Prisma Access. Since pinned certificates prevent traffic decryption, a solution is to create a 'do not decrypt' rule for the hostname 'google.com.' This will allow traffic to flow without triggering certificate errors while maintaining secure communication with Google's servers.

Question 3

Which two configurations must be enabled to allow App Acceleration for SaaS applications? (Choose two.)

AAcceleration agent for the client machines

BQoS for user traffic

CTrusted Root CA for the CA certificate

DForward Trust Certificate for the CA certificate

Answer : C, D

To enable App Acceleration for SaaS applications in Prisma Access, the following configurations must be enabled:

Trusted Root CA for the CA certificate ensures that Prisma Access can validate and trust the SaaS application's certificates, allowing seamless inspection and acceleration of traffic without security warnings.

Forward Trust Certificate for the CA certificate enables SSL decryption for SaaS applications, allowing Prisma Access to optimize traffic and apply acceleration techniques while maintaining security policies.

Question 4

A malicious user is attempting to connect to a blocked website by crafting a packet using a fake SNI and the correct website in the HTTP host header.

Which option will prevent this form of attack?

AAdvanced Threat Prevention option to block ''Domain Fronting''

BAdvanced URL Filtering and block the ''Malicious Behavior'' category

CAdvanced URL Filtering and block ''SNI mismatch with Server Certificate (SAN/CN)''

DSSL Decryption to ''Block sessions on SNI mismatch with Server Certificate (SAN/CN)''

Answer : D

This option ensures that SSL Decryption checks for mismatches between the Server Name Indication (SNI) field in the TLS handshake and the Common Name (CN) or Subject Alternative Name (SAN) in the server certificate. If a malicious user tries to bypass content filtering by spoofing the SNI while using the real blocked website in the HTTP host header, this setting will detect the discrepancy and block the session, preventing unauthorized access.

Question 5

How can a senior engineer use Strata Cloud Manager (SCM) to ensure that junior engineers are able to create compliant policies while preventing the creation of policies that may result in security gaps?

AUse security checks under posture settings and set the action to ''deny'' for all checks that do not meet the compliance standards.

BConfigure role-based access controls (RBACs) for all junior engineers to limit them to creating policies in a disabled state, manually review the policies, and enable them using a senior engineer role.

CConfigure an auto tagging rule in SCM to trigger a Security policy review workflow based on a security rule tag, then instruct junior engineers to use this tag for all new Security policies.

DRun a Best Practice Assessment (BPA) at regular intervals and manually revert any policies not meeting company compliance standards.

Answer : A

By using security checks under posture settings in Strata Cloud Manager (SCM), the senior engineer can enforce policy compliance standards by automatically denying any security policy that does not align with best practices. This ensures that junior engineers can create policies while preventing configurations that might introduce security gaps. This proactive approach eliminates manual oversight and enforces compliance at the time of policy creation, reducing risk and ensuring consistent security enforcement.

Question 6

An engineer configures a Security policy for traffic originating at branch locations in the Remote Networks configuration scope. After committing the configuration and reviewing the logs, the branch traffic is not matching the Security policy.

Which statement explains the branch traffic behavior?

AThe source address was configured with an address object including the branch location prefixes.

BThe source zone was configured as ''Trust.''

CThe Security policy did not meet best practice standards and was automatically removed.

DThe traffic is matching a Security policy in the Prisma Access configuration scope.

Answer : D

In Prisma Access, security policies are evaluated based on their configuration scope. If the engineer configured a Security policy under the Remote Networks scope, but traffic from the branch locations is instead matching a Security policy under the Prisma Access configuration scope, the intended policy will not take effect. This happens because Prisma Access evaluates security rules based on the highest-level applicable configuration first, which can override more specific Remote Networks policies.

Question 7

A customer using Prisma Access (Managed by Panorama) wants to monitor traffic patterns across all remote networks and use Strata Logging Service to gather insights on network usage. An engineer notices that some network data is missing from the Application Command Center (ACC).

What should the engineer do to ensure complete data visibility?

AReconfigure the Prisma Access remote networks to log directly to Panorama instead of using Strata Logging Service.

BVerify that the Panorama web interface has been configured to aggregate logs from both the Panorama data and RN-SPNs.

CEnable the Use Data for Pre-Defined Reports' setting in the Logging and Reporting configuration on Panorama.

DEnsure that log forwarding profiles are applied to all Prisma Access policies and directed to Strata Logging Service.

Answer : D

For complete data visibility in Prisma Access (Managed by Panorama), log forwarding profiles must be applied to all security policies to ensure that traffic logs are correctly sent to Strata Logging Service. If log forwarding is missing or misconfigured, some traffic data may not appear in the Application Command Center (ACC), leading to incomplete insights. Verifying and correctly assigning log forwarding ensures that all relevant network activity is captured and available for analysis.

Palo Alto Networks Security Service Edge Engineer SSE-Engineer Exam Practice Test