Palo Alto Networks SSE-Engineer Exam Questions Instant Access

Question 1

Which feature within Strata Cloud Manager (SCM) allows an operations team to view applications, threats, and user insights for branch locations for both NGFW and Prisma Access simultaneously?

ACommand Center

BLog Viewer

CBranch Site Monitor

DSASE Health Dashboard

Answer : A

The Command Center within Strata Cloud Manager (SCM) provides a centralized view of applications, threats, and user insights across both NGFW (Next-Generation Firewall) and Prisma Access simultaneously. This feature enables the operations team to monitor branch locations, analyze security events, and detect anomalies in real time, offering a comprehensive visibility and threat intelligence interface for proactive network and security management.

Question 2

Strata Logging Service is configured to forward logs to an external syslog server; however, a month later, there is a disruption on the syslog server.

Which action will send the missing logs to the external syslog server?

AConfigure a replay profile with the affected time range and associate it with the affected syslog server profile.

BDelete the affected syslog server profile and create a new one.

CExport the logs from Strata Logging Service, and then manually import them to the syslog server.

DConfigure a log filter under the syslog server profile with the affected time range.

Answer : A

The Strata Logging Service allows log replay, which enables resending logs that were not successfully forwarded to an external syslog server due to disruptions. By configuring a replay profile with the affected time range and associating it with the syslog server profile, Prisma Access will resend the missing logs, ensuring that all relevant data is restored in the external logging system. This approach is the most efficient and automated way to recover missing logs.

Question 3

A customer is implementing Prisma Access (Managed by Strata Cloud Manager) to connect mobile users, branch locations, and business-to- business (B2B) partners to their data centers.

The solution must meet these requirements:

The mobile users must have internet filtering, data center connectivity, and remote site connectivity to the branch locations.

The branch locations must have internet filtering and data center connectivity.

The B2B partner connections must only have access to specific data center internally developed applications running on non-standard ports.

The security team must have access to manage the mobile user and access to branch locations.

The network team must have access to manage only the partner access.

How can the engineer configure mobile users and branch locations to meet the requirements?

AUse GlobalProtect and Remote Networks to filter internet traffic and provide access to data center resources using service connections.

BUse Explicit Proxy to filter internet traffic and provide access to data center resources using service connections.

CUse GlobalProtect to filter internet traffic and provide access to data center resources using service connections.

DUse Explicit Proxy and Remote Networks to filter internet traffic and provide access to data center resources using service connections.

Answer : A

To meet the customer's requirements, GlobalProtect and Remote Networks should be used as follows:

GlobalProtect: This enables secure access for mobile users, ensuring internet filtering, data center connectivity, and access to branch locations.

Remote Networks: This is used to provide security and connectivity for branch locations, ensuring internet filtering and data center access.

Service Connections: These allow both mobile users and branch locations to securely connect to the data center for internal resources.

This configuration ensures that mobile users and branch locations can securely access the internet while maintaining a segregated and secure connection to internal resources. It also aligns with Prisma Access's best practices for security enforcement, traffic filtering, and centralized management.

Question 4

Which two statements apply when a customer has a large branch office with employees who all arrive and log in within a five-minute time period? (Choose two.)

ADNS results are only cached for frequently used hostnames.

BMaximum pending TCP DNS requests is 64.

CMaximum number of TCP DNS retries is 3.

DDNS results are cached for 300 seconds.

Answer : B, C

When a large branch office experiences a high volume of employees logging in within a short time frame, the following apply:

Maximum pending TCP DNS requests is 64 -- This means that Prisma Access can queue up to 64 pending DNS requests over TCP before dropping additional requests. If more requests are received simultaneously, some may fail or experience delays.

Maximum number of TCP DNS retries is 3 -- If a DNS request fails over TCP, Prisma Access will attempt to retry the request up to three times before failing over to another method or returning an error.

Question 5

An engineer has configured a Web Security rule that restricts access to certain web applications for a specific user group. During testing, the rule does not take effect as expected, and the users can still access blocked web applications.

What is a reason for this issue?

AThe rule was created with improper threat management settings.

BThe rule was created in the wrong scope, affecting only GlobalProtect users instead of all users.

CThe rule was created at a higher level in the rule hierarchy, giving priority to a lower-level rule.

DThe rule was created at a lower level in the rule hierarchy, giving priority to a higher-level rule.

Answer : D

Prisma Access applies security rules in a hierarchical order, where rules at higher levels take precedence over those at lower levels. If a more permissive rule is placed higher in the hierarchy, it may allow traffic before the restrictive Web Security rule is evaluated. To resolve this, the engineer should reorder the rules to ensure the restrictive Web Security rule is positioned higher in the hierarchy so it is applied before any broader or conflicting rules.

Question 6

How can a network security team be granted full administrative access to a tenant's configuration while restricting access to other tenants by using role-based access control (RBAC) for Panorama Managed Prisma Access in a multitenant environment?

ACreate an Access Domain and restrict access to only the Device Groups and Templates for the Target Tenant.

BCreate a custom role enabling all privileges within the specific tenant's scope and assign it to the security team's user accounts.

CCreate a custom role with Device Group and Template privileges and assign it to the security team's user accounts.

DSet the administrative accounts for the security team to the 'Superuser' role.

Answer : A

In a Panorama Managed Prisma Access multitenant environment, Access Domains provide granular role-based access control (RBAC). By defining an Access Domain, the network security team can be granted full administrative privileges for a specific tenant's configuration while ensuring they cannot access or modify other tenants. This method enforces proper segmentation and ensures compliance with multitenant security policies.

Question 7

An engineer deploys a new branch connected to Prisma Access. From the customer premises equipment (CPE) device at the branch, Phase 1 on the tunnel is established, but Phase 2-encrypted packets are not coming back from Prisma Access.

Which Strata Logging Service log facility should the engineer review to determine why Phase 2-encrypted traffic is not being received?

ADecrypt logs

BSystem logs

CTraffic logs

DTunnel logs

Answer : D

Since Phase 1 of the IPSec tunnel is established but Phase 2 traffic is not being received, the Tunnel logs in Strata Logging Service should be reviewed. Tunnel logs provide visibility into IPSec tunnel establishment, Phase 2 negotiation, and any errors or dropped packets related to encrypted traffic. This will help identify whether ESP (Encapsulating Security Payload) traffic is being blocked, mismatched security associations (SAs) exist, or if there are other issues with Prisma Access responding to Phase 2-encrypted packets.

Palo Alto Networks Security Service Edge Engineer SSE-Engineer Exam Questions