Palo Alto Networks SSE-Engineer Exam Practice Test Instant Access

Question 1

A company has four branch offices between Canada Central and Canada East which use the same IPSec termination node and have QoS configured with customized bandwidth per site. An engineer wants to onboard a new branch office on the same IPSec termination node.

What is the QoS behavior for the new branch office?

AAutomatically distributed to 25% for each site

BUnallocated until manually assigned

CAutomatically distributed to 20% for each site

DCannot be added to existing QoS configuration

Answer : B

When onboarding a new branch office to an existing IPSec termination node in Prisma Access, the QoS bandwidth is not automatically assigned. Instead, the newly added branch remains unallocated until the administrator manually assigns bandwidth within the QoS configuration settings. This ensures that customized bandwidth per site remains intact and allows for fine-tuned traffic management based on business needs.

Question 2

Which two actions can a company with Prisma Access deployed take to use the Egress IP API to automate policy rule updates when the IP addresses used by Prisma Access change? (Choose two.)

AConfigure a webhook to receive notifications of IP address changes.

BCopy the Egress IP API Key in the service infrastructure settings.

CEnable the Egress IP API endpoint in Prisma Access.

DDownload a client certificate to authenticate to the Egress IP API.

Answer : A, D

Configuring a webhook allows the company to receive real-time notifications when Prisma Access changes its egress IP addresses, ensuring that policy rules are updated automatically. Downloading a client certificate is necessary for authentication to the Egress IP API, allowing secure API access for retrieving updated IP addresses. These actions ensure that security policies remain effective without manual intervention.

Question 3

Which advanced AI-powered functionality does Strata Copilot provide to enhance the capabilities of Prisma Access security teams?

AReal-time traffic analysis for automated threat prevention

BInitial configuration of Prisma Access using a natural language interface

CCustomized guidance for resolving issues through recommended next steps

DAutomated remediation of misconfigured security policies

Answer : C

Strata Copilot enhances the capabilities of Prisma Access security teams by providing AI-powered insights and recommendations to help resolve security issues efficiently. It analyzes security events, misconfigurations, and alerts and offers contextual guidance with recommended next steps for troubleshooting and improving security posture. This assists teams in quickly identifying and addressing security challenges without requiring deep manual investigation.

Question 4

How can role-based access control (RBAC) for Prisma Access (Managed by Strata Cloud Manager) be used to grant each member of a security team full administrative access to manage the Security policy in a single tenant while restricting access to other tenants in a multitenant deployment?

AAdd the team to the Parent Tenant, select the Prisma Access Configuration Scope, and set the role to Security Administrator.

BAdd the team to the Child Tenant, select All Apps & Services, and set the role to Security Administrator.

CAdd the team to the Parent Tenant, select Prisma Access & NGFW Configuration, and set the role to Security Administrator.

DAdd the team to the Child Tenant, select Prisma Access & NGFW Configuration, and set the role to Security Administrator.

Answer : D

In a multitenant deployment, access control must be configured at the Child Tenant level to ensure that security administrators have full control over Security policy only within their assigned tenant while restricting access to other tenants. By selecting Prisma Access & NGFW Configuration, the assigned users gain full administrative access only for security policy management within the designated tenant, aligning with RBAC best practices for controlled access in Prisma Access Managed by Strata Cloud Manager.

Question 5

What is the impact of selecting the ''Disable Server Response Inspection'' checkbox after confirming that a Security policy rule has a threat protection profile configured?

AOnly HTTP traffic from the server to the client will bypass threat inspection.

BThe threat protection profile will override the 'Disable Server Response Inspection1 only for HTTP traffic from the server to the client.

CAll traffic from the server to the client will bypass threat inspection.

DThe threat protection profile will override the 'Disable Server Response Inspection1 for all traffic from the server to the client.

Answer : C

Selecting the ''Disable Server Response Inspection'' checkbox means that traffic flowing from the server to the client will not be inspected for threats, even if a threat protection profile is applied to the Security policy rule. This setting can reduce processing overhead but may expose the network to threats embedded in server responses, such as malware or exploits.

Question 6

A user connected to Prisma Access reports that traffic intermittently is denied after matching a Catch-All Deny rule at the bottom and bypassing HIP-based policies. Refreshing VPN connection restores the access.

What are two reasons for this behavior? (Choose two.)

A'Collect HIP data' needs to be enabled in the configuration.

BUser mapping is learned from sources other than gateway authentication.

CFirewall loses user mapping due to missed HIP report checks.

DHIP-enforced policy is scheduled for certain hours of the day.

Answer : B, C

User mapping learned from sources other than gateway authentication can cause intermittent access issues if it conflicts with the expected user identity used in HIP-based policies. If the firewall is associating the user with an outdated or incorrect mapping, traffic may not match the intended security policies, leading to denials by the Catch-All Deny rule.

If the firewall loses user mapping due to missed HIP report checks, the user may temporarily lose access to policies that require a valid Host Information Profile (HIP) match. When the VPN connection is refreshed, the HIP check is re-initiated, restoring access until the issue repeats.

Question 7

When a review of devices discovered by IoT Security reveals network routers appearing multiple times with different IP addresses, which configuration will address the issue by showing only unique devices?

AAdd the duplicate entries to the ignore list in IoT Security.

BMerge individual devices into a single device with multiple interfaces.

CCreate a custom role to merge devices with the same hostname and operating system.

DDelete all duplicate devices, keeping only those discovered using their management IP addresses.

Answer : B

When network routers appear multiple times with different IP addresses in IoT Security, it is likely because they have multiple interfaces with separate IPs. Merging these entries into a single device with multiple interfaces ensures that the system correctly identifies each router as a unique entity while maintaining visibility across all its interfaces. This approach prevents unnecessary duplicates, improves asset management, and enhances security monitoring.

Palo Alto Networks Security Service Edge Engineer SSE-Engineer Exam Practice Test