Palo Alto Networks Security Service Edge Engineer v1.0

Page:    1 / 4   
Exam contains 50 questions

How can a senior engineer use Strata Cloud Manager (SCM) to ensure that junior engineers are able to create compliant policies while preventing the creation of policies that may result in security gaps?

  • A. Use security checks under posture settings and set the action to “deny” for all checks that do not meet the compliance standards.
  • B. Configure role-based access controls (RBACs) for all junior engineers to limit them to creating policies in a disabled state, manually review the policies, and enable them using a senior engineer role.
  • C. Configure an auto tagging rule in SCM to trigger a Security policy review workflow based on a security rule tag, then instruct junior engineers to use this tag for all new Security policies.
  • D. Run a Best Practice Assessment (BPA) at regular intervals and manually revert any policies not meeting company compliance standards.


Answer : A

Which policy configuration in Prisma Access Browser (PAB) will protect an organization from malicious BYOD and minimize the impact on the user experience?

  • A. One that blocks file exchange
  • B. One for session recording
  • C. One that blocks elements such as screen scrapers
  • D. One that allows access to applications with data masking or watermarking


Answer : D

During a deployment of Prisma Access (Managed by Strata Cloud Manager) for mobile users, a SAML authentication type and authentication profile in the Cloud Identity Engine application is successfully created.
Using this SAML authentication, what is a valid next step to configure authentication for mobile users?

  • A. Perform a full commit to Strata Cloud Manager so the Cloud Identity Engine profiles get synchronized from the application.
  • B. Permit the Cloud Identity Engine service account RBAC access to the mobile user folder in Strata Cloud Manager.
  • C. In Strata Cloud Manager, create a new authentication type of “Cloud Identity Engine.”
  • D. Create a SAML authentication profile in Strata Cloud Manager and link it to the Cloud Identity Engine profile.


Answer : D

After configuring a domain-based split tunnel for zoom.us, how is the expected behavior on the client machine confirmed?

  • A. Verify from the routing table.
  • B. Enable dump level logs on GlobalProtect Application.
  • C. Verify zoom.us is resolved by the tunnel assigned DNS server.
  • D. Ping zoom.us from the CLI.


Answer : A
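Checking the routing table means more than eyeballing it: a domain-based split tunnel shows up as more-specific routes for the addresses the domain resolves to, and the client picks the egress interface by longest-prefix match. The following is an added example, not code from the exam page or from Palo Alto Networks. The routing-table snapshot and resolver answers are constructed, and the interface names gpd0 (tunnel) and eth0 (physical NIC) are hypothetical; it also assumes, as the answer implies, that the split-tunnel decision is visible as per-address routes on the client.

```python
import ipaddress

# Constructed routing-table snapshot for the example (not captured from a real client).
# Interface names are hypothetical: "gpd0" stands for the GlobalProtect tunnel,
# "eth0" for the physical NIC. Addresses are taken from the TEST-NET ranges.
ROUTES = [
    ("0.0.0.0/0",        "eth0"),  # default route via the physical interface
    ("0.0.0.0/1",        "gpd0"),  # two /1 routes pull all traffic into the tunnel...
    ("128.0.0.0/1",      "gpd0"),
    ("198.51.100.10/32", "eth0"),  # ...except host routes for the excluded domain's IPs
    ("198.51.100.11/32", "eth0"),
]

# Constructed resolver output. The third zoom.us address is a fresh DNS answer for
# which no host route exists yet, so it would still ride the tunnel.
RESOLVED = {
    "zoom.us": ["198.51.100.10", "198.51.100.11", "198.51.100.99"],
    "intranet.example.com": ["203.0.113.25"],
}


def egress_interface(ip: str, routes=ROUTES):
    """Longest-prefix match: the most specific route containing ip decides the interface."""
    addr = ipaddress.ip_address(ip)
    best_net, best_iface = None, None
    for dest, iface in routes:
        net = ipaddress.ip_network(dest, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def verify_split_tunnel(domain, resolved=RESOLVED, routes=ROUTES,
                        tunnel_iface="gpd0", mode="exclude"):
    """For each address the domain resolved to, report the egress interface and whether
    it matches the configured split-tunnel mode ('exclude' = must bypass the tunnel,
    'include' = must traverse it). Returns {ip: (iface, ok)}."""
    want_tunnel = (mode == "include")
    result = {}
    for ip in resolved.get(domain, []):
        iface = egress_interface(ip, routes)
        result[ip] = (iface, (iface == tunnel_iface) == want_tunnel)
    return result


if __name__ == "__main__":
    for ip, (iface, ok) in verify_split_tunnel("zoom.us").items():
        print(f"{ip:16} via {iface:5} {'OK' if ok else 'NOT EXCLUDED'}")
```

The two /1 routes are why a plain "is there a default route on the tunnel?" glance misleads: the tunnel wins over the physical default route not because it is the default but because /1 is longer than /0, and only a /32 host route beats it. An address the domain resolved to after the agent installed its routes is exactly the case the check flags.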

Which Cloud Identity Engine capability will create a Security policy that uses Entra ID attributes as the source identification?

  • A. Entra ID Group Attribute
  • B. Attribute Group Mapping
  • C. Entra ID Cloud Group
  • D. Cloud Dynamic User Group


Answer : D

An engineer deploys a new branch connected to Prisma Access. From the customer premises equipment (CPE) device at the branch, Phase 1 of the tunnel is established, but Phase 2-encrypted packets are not coming back from Prisma Access.
Which Strata Logging Service log facility should the engineer review to determine why Phase 2-encrypted traffic is not being received?

  • A. Decrypt logs
  • B. System logs
  • C. Traffic logs
  • D. Tunnel logs


Answer : D

When configuring Remote Browser Isolation (RBI) with Prisma Access (Managed by Strata Cloud Manager), which element is required to define the protected URLs for mobile users?

  • A. A URL access management profile with site access set to “Isolate” applied to a Security policy
  • B. A DNS Security profile applied to a Security policy with the action of “Isolate” for the target remote browser DNS categories
  • C. An RBI profile applied to the URL access management profile
  • D. A Security policy with the target URL categories and set the action to “Isolate”


Answer : A

A malicious user is attempting to connect to a blocked website by crafting a packet using a fake SNI and the correct website in the HTTP host header.
Which option will prevent this form of attack?

  • A. Advanced Threat Prevention option to block “Domain Fronting”
  • B. Advanced URL Filtering and block the “Malicious Behavior” category
  • C. Advanced URL Filtering and block “SNI mismatch with Server Certificate (SAN/CN)”
  • D. SSL Decryption to “Block sessions on SNI mismatch with Server Certificate (SAN/CN)”


Answer : D
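The attack in this question works because the SNI is sent in the clear in the ClientHello while the Host header is only visible after decryption. The following is an added example, not code from the exam page or from Palo Alto Networks, showing what the two relevant comparisons actually are: SNI against the server certificate's SAN/CN entries (the check the answer names, which needs no decrypted payload) and HTTP Host against SNI (which does). The ClientHello bytes, certificate SAN lists and hostnames are constructed for the example; the TLS parsing covers only what a ClientHello with a server_name extension needs.

```python
# Added example: the checks behind "block on SNI mismatch". All inputs are constructed.

def build_client_hello(sni: str) -> bytes:
    """Build a minimal ClientHello record carrying one server_name entry.
    Random, session id and cipher suite are dummy values for the example."""
    name = sni.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name            # name_type host_name(0)
    sni_list = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # extension server_name(0)
    exts = len(ext).to_bytes(2, "big") + ext
    body = (b"\x03\x03"            # client_version
            + b"\x11" * 32         # random (dummy)
            + b"\x00"              # session_id length 0
            + b"\x00\x02\x13\x01"  # one cipher suite
            + b"\x01\x00"          # one compression method (null)
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension, or None."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    try:
        p = 4 + 2 + 32                                  # handshake header, version, random
        p += 1 + hs[p]                                  # session_id
        p += 2 + int.from_bytes(hs[p:p + 2], "big")     # cipher_suites
        p += 1 + hs[p]                                  # compression_methods
        end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
        p += 2
        while p + 4 <= end:                             # walk the extension list
            etype = int.from_bytes(hs[p:p + 2], "big")
            elen = int.from_bytes(hs[p + 2:p + 4], "big")
            data = hs[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype != 0:
                continue
            q = 2                                       # skip server_name_list length
            while q + 3 <= len(data):
                ntype, nlen = data[q], int.from_bytes(data[q + 1:q + 3], "big")
                q += 3
                if ntype == 0:
                    return data[q:q + nlen].decode("ascii", "replace")
                q += nlen
    except IndexError:
        return None
    return None


def san_matches(name: str, sans) -> bool:
    """Does a dNSName SAN cover name? Wildcards follow RFC 6125: a lone '*' as the whole
    leftmost label matching exactly one label, so '*.example.com' covers 'a.example.com'
    but not 'a.b.example.com' or 'example.com'."""
    name = name.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == name:
            return True
        if san.startswith("*.") and name.endswith(san[1:]):
            prefix = name[:-len(san[1:])]
            if prefix and "." not in prefix:
                return True
    return False


def classify_session(record: bytes, host_header: str, cert_sans) -> str:
    """Run the checks in the order a decrypting proxy can: SNI vs certificate SAN/CN at the
    handshake, then HTTP Host vs SNI once the request is readable."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"
    if not san_matches(sni, cert_sans):
        return "block: sni-cert-mismatch"
    host = host_header.split(":")[0].lower().rstrip(".")
    if host != sni.lower().rstrip("."):
        return "block: host-sni-mismatch"
    return "allow"
```

The practitioner's caveat is the second branch: when the fake SNI is a name the real server's certificate also covers (a multi-SAN CDN certificate, say), the certificate check passes and only the Host-versus-SNI comparison, which requires decryption, exposes the mismatch. Either way the session must be decrypted for the proxy to see the Host header at all, which is why the answer is a decryption setting rather than a URL category.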

A user connected to Prisma Access reports that traffic is intermittently denied after matching the catch-all deny rule at the bottom of the rulebase, bypassing the HIP-based policies. Refreshing the VPN connection restores access.
What are two reasons for this behavior? (Choose two.)

  • A. “Collect HIP data” needs to be enabled in the configuration.
  • B. User mapping is learned from sources other than gateway authentication.
  • C. Firewall loses user mapping due to missed HIP report checks.
  • D. HIP-enforced policy is scheduled for certain hours of the day.


Answer : BC

Which feature can help address a customer concern about the length of time it takes to update their SaaS-allowed IP addresses while onboarding to Prisma Access?

  • A. Dynamic IP pooling
  • B. DNS-based load balancing
  • C. Traffic steering
  • D. Dedicated IP addresses


Answer : D

Which feature within Strata Cloud Manager (SCM) allows an operations team to view applications, threats, and user insights for branch locations for both NGFW and Prisma Access simultaneously?

  • A. Command Center
  • B. Log Viewer
  • C. Branch Site Monitor
  • D. SASE Health Dashboard


Answer : A

In addition to creating a Security policy, how can AI Access Security be used to prevent users from uploading financial information to ChatGPT?

  • A. Apply File Blocking to stop file uploads containing financial information.
  • B. Configure an Enterprise DLP rule to block uploads containing financial information.
  • C. Add the ChatGPT domains using URL Filtering to block uploads containing financial information.
  • D. Apply a vulnerability profile to stop attempts to exploit system flaws or gain unauthorized access to financial systems.


Answer : B

Which statement is valid in relation to certificates used for GlobalProtect and pre-logon?

  • A. A public certificate authority (CA) must sign and validate all certificates used.
  • B. The certificate used for pre-logon must include both Subject and Subject-Alt fields.
  • C. Certificates must be deployed in the Machine Certificate Store.
  • D. The GlobalProtect agent may be used to distribute pre-logon certificates.


Answer : C

What must be configured to accurately report an application's availability when onboarding a discovered application for ZTNA Connector?

  • A. icmp ping
  • B. https ping
  • C. tcp ping
  • D. udp ping


Answer : C

All mobile users are unable to authenticate to Prisma Access (Managed by Strata Cloud Manager) using SAML authentication through the Cloud Identity Engine. Users report that after entering their credentials on the Identity Provider (IdP) login page, they are redirected to the Prisma Access portal without successful authentication, and they receive this error message:
Error: Prisma Access Portal Authentication Failed using CIE-SAML with message “400 Bad Request”
Which action will identify the root cause of this error?

  • A. Verify the SAML metadata configuration in both Strata Cloud Manager and the IdP portal to confirm that the endpoint URLs and certificates are correctly configured.
  • B. Examine the Security policy rules in Prisma Access to ensure that traffic from the IdP is allowed and not blocked.
  • C. Verify the SAML metadata configuration in both the Cloud Identity Engine and the IdP portal to confirm that the endpoint URLs and certificates are correctly configured.
  • D. Review the Authentication logs in Strata Cloud Manager to check for any SAML error messages or authentication failures.


Answer : C
