Palo Alto Networks SSE-Engineer Exam Practice Test Instant Access

Question 1

What is the impact of selecting the ''Disable Server Response Inspection'' checkbox after confirming that a Security policy rule has a threat protection profile configured?

AOnly HTTP traffic from the server to the client will bypass threat inspection.

BThe threat protection profile will override the 'Disable Server Response Inspection1 only for HTTP traffic from the server to the client.

CAll traffic from the server to the client will bypass threat inspection.

DThe threat protection profile will override the 'Disable Server Response Inspection1 for all traffic from the server to the client.

Answer : C

Selecting the ''Disable Server Response Inspection'' checkbox means that traffic flowing from the server to the client will not be inspected for threats, even if a threat protection profile is applied to the Security policy rule. This setting can reduce processing overhead but may expose the network to threats embedded in server responses, such as malware or exploits.

Question 2

A customer is implementing Prisma Access (Managed by Strata Cloud Manager) to connect mobile users, branch locations, and business-to- business (B2B) partners to their data centers.

The solution must meet these requirements:

The mobile users must have internet filtering, data center connectivity, and remote site connectivity to the branch locations.

The branch locations must have internet filtering and data center connectivity.

The B2B partner connections must only have access to specific data center internally developed applications running on non-standard ports.

The security team must have access to manage the mobile user and access to branch locations.

The network team must have access to manage only the partner access.

Which two options will allow the engineer to support the requirements? (Choose two.)

AConfigure the CPE with Static Routes pointing to Prisma Access Infrastructure and Mobile User routes.

BEnable eBGP for dynamic routing and configure RemoteNetworks.

CConfigure Remote Networks and define the branch IP subnets using Static Routes.

DEnable Remote Networks Advertise Default Route.

Answer : B, C

Enabling eBGP for dynamic routing and configuring Remote Networks ensures seamless connectivity between branch locations, mobile users, and the data center. eBGP allows Prisma Access to dynamically exchange routes with the Customer Premises Equipment (CPE), optimizing path selection without requiring manual updates. Configuring Remote Networks and defining branch IP subnets using static routes ensures controlled and segmented routing, aligning with security policies. This setup provides proper internet filtering, data center connectivity, and restricted access for B2B partners while keeping management responsibilities aligned.

Question 3

A company has four branch offices between Canada Central and Canada East which use the same IPSec termination node and have QoS configured with customized bandwidth per site. An engineer wants to onboard a new branch office on the same IPSec termination node.

What is the QoS behavior for the new branch office?

AAutomatically distributed to 25% for each site

BUnallocated until manually assigned

CAutomatically distributed to 20% for each site

DCannot be added to existing QoS configuration

Answer : B

When onboarding a new branch office to an existing IPSec termination node in Prisma Access, the QoS bandwidth is not automatically assigned. Instead, the newly added branch remains unallocated until the administrator manually assigns bandwidth within the QoS configuration settings. This ensures that customized bandwidth per site remains intact and allows for fine-tuned traffic management based on business needs.

Question 4

An engineer has configured a Web Security rule that restricts access to certain web applications for a specific user group. During testing, the rule does not take effect as expected, and the users can still access blocked web applications.

What is a reason for this issue?

AThe rule was created with improper threat management settings.

BThe rule was created in the wrong scope, affecting only GlobalProtect users instead of all users.

CThe rule was created at a higher level in the rule hierarchy, giving priority to a lower-level rule.

DThe rule was created at a lower level in the rule hierarchy, giving priority to a higher-level rule.

Answer : D

Prisma Access applies security rules in a hierarchical order, where rules at higher levels take precedence over those at lower levels. If a more permissive rule is placed higher in the hierarchy, it may allow traffic before the restrictive Web Security rule is evaluated. To resolve this, the engineer should reorder the rules to ensure the restrictive Web Security rule is positioned higher in the hierarchy so it is applied before any broader or conflicting rules.

Question 5

After configuring domain-based split tunnel for zoom.us, how is expected behavior on the client machine confirmed?

AVerify from the routing table.

BEnable dump level logs on GlobalProtect Application.

CVerify zoom.us is resolved by the tunnel assigned DNS server.

DPing zoom.us from the CLI.

Answer : A

After configuring domain-based split tunneling for zoom.us, the expected behavior can be confirmed by checking the routing table on the client machine. If split tunneling is correctly configured, the traffic for zoom.us should be routed outside the GlobalProtect VPN tunnel, while other traffic follows the tunnel path. Reviewing the routing table ensures that only the intended traffic is excluded from the tunnel, confirming that the split tunnel configuration is working as expected.

Question 6

When a review of devices discovered by IoT Security reveals network routers appearing multiple times with different IP addresses, which configuration will address the issue by showing only unique devices?

AAdd the duplicate entries to the ignore list in IoT Security.

BMerge individual devices into a single device with multiple interfaces.

CCreate a custom role to merge devices with the same hostname and operating system.

DDelete all duplicate devices, keeping only those discovered using their management IP addresses.

Answer : B

When network routers appear multiple times with different IP addresses in IoT Security, it is likely because they have multiple interfaces with separate IPs. Merging these entries into a single device with multiple interfaces ensures that the system correctly identifies each router as a unique entity while maintaining visibility across all its interfaces. This approach prevents unnecessary duplicates, improves asset management, and enhances security monitoring.

Question 7

What is the flow impact of updating the Cloud Services plugin on existing traffic flows in Prisma Access?

AThey will experience latency during the plugin upgrade process.

BThey will automatically terminate when the upgrade begins.

CThey will be unaffected because the plugin upgrade is transparent to users.

DThey will be unaffected only if Panorama is deployed in high availability (HA) mode.

Answer : C

Updating the Cloud Services plugin in Prisma Access does not disrupt existing traffic flows because the upgrade process is designed to be seamless and transparent. Prisma Access ensures high availability by maintaining active sessions and policies while applying the update in the background. This allows ongoing connections to continue without interruptions, minimizing impact on user experience.

Palo Alto Networks Security Service Edge Engineer SSE-Engineer Exam Practice Test