Palo Alto Networks SSE-Engineer Exam Questions - Real Practice Questions for Guaranteed Success

Question 1

How can a network security team be granted full administrative access to a tenant's configuration while restricting access to other tenants by using role-based access control (RBAC) for Panorama Managed Prisma Access in a multitenant environment?

ACreate an Access Domain and restrict access to only the Device Groups and Templates for the Target Tenant.

BCreate a custom role enabling all privileges within the specific tenant's scope and assign it to the security team's user accounts.

CCreate a custom role with Device Group and Template privileges and assign it to the security team's user accounts.

DSet the administrative accounts for the security team to the 'Superuser' role.

Correct : A

In a Panorama Managed Prisma Access multitenant environment, Access Domains provide granular role-based access control (RBAC). By defining an Access Domain, the network security team can be granted full administrative privileges for a specific tenant's configuration while ensuring they cannot access or modify other tenants. This method enforces proper segmentation and ensures compliance with multitenant security policies.

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

ACreate an Access Domain and restrict access to only the Device Groups and Templates for the Target Tenant.

BCreate a custom role enabling all privileges within the specific tenant's scope and assign it to the security team's user accounts.

CCreate a custom role with Device Group and Template privileges and assign it to the security team's user accounts.

DSet the administrative accounts for the security team to the 'Superuser' role.

0 / 1500

Question 2

An engineer has configured a Web Security rule that restricts access to certain web applications for a specific user group. During testing, the rule does not take effect as expected, and the users can still access blocked web applications.

What is a reason for this issue?

AThe rule was created with improper threat management settings.

BThe rule was created in the wrong scope, affecting only GlobalProtect users instead of all users.

CThe rule was created at a higher level in the rule hierarchy, giving priority to a lower-level rule.

DThe rule was created at a lower level in the rule hierarchy, giving priority to a higher-level rule.

Correct : D

Prisma Access applies security rules in a hierarchical order, where rules at higher levels take precedence over those at lower levels. If a more permissive rule is placed higher in the hierarchy, it may allow traffic before the restrictive Web Security rule is evaluated. To resolve this, the engineer should reorder the rules to ensure the restrictive Web Security rule is positioned higher in the hierarchy so it is applied before any broader or conflicting rules.

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

AThe rule was created with improper threat management settings.

BThe rule was created in the wrong scope, affecting only GlobalProtect users instead of all users.

CThe rule was created at a higher level in the rule hierarchy, giving priority to a lower-level rule.

DThe rule was created at a lower level in the rule hierarchy, giving priority to a higher-level rule.

0 / 1500

Question 3

A large retailer has deployed all of its stores with the same IP address subnet. An engineer is onboarding these stores as Remote Networks in Prisma Access. While onboarding each store, the engineer selects the ''Overlapping Subnets'' checkbox.

Which Remote Network flow is supported after onboarding in this scenario?

ATo private applications

BTo the internet

CTo remote network

DTo mobile users

Correct : A

When the 'Overlapping Subnets' checkbox is selected during the Remote Network onboarding process in Prisma Access, the deployment enables Private Application access using Prisma Access for Users (ZTNA or Private Access). This feature is designed to handle scenarios where multiple sites use the same IP subnet by leveraging NAT (Network Address Translation) and segmentation to avoid conflicts.

Since overlapping subnets can create routing challenges for direct remote network-to-remote network communication, Prisma Access does not support Remote Network-to-Remote Network or Mobile User communication in this case. Private application access is supported as Prisma Access correctly routes requests based on application-layer intelligence rather than IP-based routing.

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

ATo private applications

BTo the internet

CTo remote network

DTo mobile users

0 / 1500

Question 4

An engineer has configured a new Remote Networks connection using BGP for route advertisements. The IPSec tunnel has been established, but the BGP peer is not up.

Which two elements must the engineer validate to solve the issue? (Choose two.)

ASecret

BMRAI Timers

CPeer AS Number

DAdvertise Default Route Checkbox

Correct : A, C

The BGP peer not coming up despite an established IPSec tunnel indicates a potential BGP configuration issue.

Secret -- If MD5 authentication is configured for BGP, both Prisma Access and the Customer Premises Equipment (CPE) must have the same secret (authentication key). A mismatch will prevent BGP from establishing a session.

Peer AS Number -- The Autonomous System (AS) number of the BGP peer must match what is expected on both sides of the connection. If the AS number is incorrect, the BGP session will fail to establish.

By verifying these elements, the engineer can troubleshoot and establish a successful BGP peering session over the IPSec tunnel.

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

ASecret

BMRAI Timers

CPeer AS Number

DAdvertise Default Route Checkbox

0 / 1500

Question 5

Which statement is valid in relation to certificates used for GlobalProtect and pre-logon?

AA public certificate authority (CA) must sign and validate all certificates used.

BThe certificate used for pre-logon must include both Subject and Subject-Alt fields.

CCertificates must be deployed in the Machine Certificate Store.

DThe GlobalProtect agent may be used to distribute pre-logon certificates.

Correct : C

For GlobalProtect with pre-logon, certificates must be installed in the Machine Certificate Store to ensure that authentication occurs before user login. This allows the GlobalProtect client to establish a VPN connection before the user logs in, enabling access to corporate resources such as domain controllers and authentication services. Using machine certificates ensures secure authentication and eliminates dependency on user credentials at the pre-logon stage.

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

AA public certificate authority (CA) must sign and validate all certificates used.

BThe certificate used for pre-logon must include both Subject and Subject-Alt fields.

CCertificates must be deployed in the Machine Certificate Store.

DThe GlobalProtect agent may be used to distribute pre-logon certificates.

0 / 1500

Master Palo Alto Networks SSE-Engineer Exam with Reliable Practice Questions

Options Selected by Other Users:

Options Selected by Other Users:

Options Selected by Other Users:

Options Selected by Other Users:

Options Selected by Other Users: