SSE-Engineer Palo Alto Networks Security Service Edge Engineer Questions and Answers

When implementingAI Access Security,tagsare applied toGenerative AI applicationsto classify them assanctioned, tolerated, or unsanctioned. This allows organizations to enforcepolicy-based access controlover AI tools, ensuring that onlyapproved applicationsare accessible while restricting or monitoring usage ofuntrusted or high-risk AI platforms. This classification helps security teamsmanage AI-related risks and complianceeffectively.

SincePhase 1 of the IPSec tunnel is establishedbutPhase 2 traffic is not being received, theTunnel logsinStrata Logging Serviceshould be reviewed.Tunnel logsprovide visibility into IPSec tunnel establishment,Phase 2 negotiation, and any errors or dropped packets related to encrypted traffic. This will help identify whetherESP (Encapsulating Security Payload) traffic is being blocked, mismatched security associations (SAs) exist, or if there are other issues with Prisma Access responding to Phase 2-encrypted packets.

In Prisma Access's default routing mode, the service connections establish BGP sessions with the customer premises equipment (CPE) in the data centers. To ensure traffic destined for mobile users in a specific region (e.g., North America) traverses the service connection in that same region, you need to control the route advertisements.

Filtering out the mobile user pool prefixes from the other region on each service connection achieves this by:

Preventing the data center in one region from learning the specific mobile user prefixes of the other region.For example, the North American service connection would filter out the mobile user pool prefixes allocated to European users.

Ensuring that when a data center needs to send traffic to a mobile user, it will only see and use the route advertised by the service connection in the appropriate geographical region.This forces the traffic to enter the Prisma Access infrastructure through the intended regional service connection.

Let's analyze why the other options are incorrect based on official documentation regarding default routing mode:

A. Configure BGP on the customer premises equipment (CPE) to prefer the assigned community string attribute on the mobile user prefixes in its respective Prisma Access region.While BGP communities can be used for influencing routing decisions, in the context ofdefault routing modeand ensuring regional traffic flow, relying solely on the CPE to prefer community strings might not be the most robust or direct method to guarantee traffic traverses the correct regional service connection. The service connection itself needs to control the advertisement of prefixes.

C. Configure BGP on the customer premises equipment (CPE) to prefer the MED attribute on the mobile user prefixes in its respective Prisma Access region.The BGP MED (Multi-Exit Discriminator) attribute is primarily used to influence the path selectionbetweenautonomous systems (AS) or within the same AS at different entry points. In this scenario, where serviceconnections are advertising prefixes, filtering at the source (service connection) is a more direct and reliable way to ensure regional traffic flow than relying on the MED attribute on the CPE.

D. Configure each service connection to prepend the BGP ASN five times for mobile user pool prefixes originating from the other region.BGP AS path prepending is a mechanism to make a path less desirable. While this could influence routing, it doesn't guarantee that traffic will always take the intended regional path. Filtering provides a more definitive control over which routes are advertised and learned.

Therefore, configuring each service connection to filter out the mobile user pool prefixes from the other region in the advertisements to the data center is the verified method to ensure traffic destined for mobile users traverses the service connection in the appropriate region when using Prisma Access in default routing mode.

InPrisma Access, configuring anotification profileallows engineers to receive alerts when IPSec tunnels experience downtime or instability. By definingspecific conditions for remote network IPSec tunnels, the notification profile ensures that the engineer is proactively informed abouttunnel failures, flapping, or degraded performance. This approach enables timely troubleshooting and minimizes disruptions for users relying on the IPSec tunnels.

When network routers appear multiple times with different IP addresses in IoT Security, it is likely because they have multiple interfaces with separate IPs. Merging these entries into a single device with multiple interfaces ensures that the system correctly identifies each router as a unique entity while maintaining visibility across all its interfaces. This approach prevents unnecessary duplicates, improves asset management, and enhances security monitoring.

Strata Copilotenhances the capabilities ofPrisma Access security teamsby providingAI-powered insights and recommendationsto help resolve security issues efficiently. It analyzessecurity events, misconfigurations, and alertsand offerscontextual guidancewithrecommended next stepsfor troubleshooting and improving security posture. This assists teams inquickly identifying and addressing security challengeswithout requiring deep manual investigation.

To meet the customer’s requirements, two separate Prisma Access instances should be deployed:

Instance 1should includemobile users, remote networks, and private accessfor internal connectivity. This ensures that mobile users can access the internet, data centers, and remote branch locations while enforcing security policies.

Instance 2should be configured withremote networks and private application accessfor B2B connections. This instance will restrict access to only the required internally developed applications using non-standard ports, ensuring that partners cannot access other corporate resources.

By usingspecific configuration scopes for different connection types, the security team can manage access to mobile users and branch locations, while the network team can manage B2B partner connections. This ensuresproper segmentation of management responsibilitieswhile maintaining security and compliance.

When the "Overlapping Subnets" checkbox is selected during the Remote Network onboarding process in Prisma Access, the deployment enables Private Application access using Prisma Access for Users(ZTNA or Private Access). This feature is designed to handle scenarios where multiple sites use the same IP subnet by leveraging NAT (Network Address Translation) and segmentation to avoid conflicts.

Since overlapping subnets can create routing challenges for direct remote network-to-remote network communication, Prisma Access does not support Remote Network-to-Remote Network or Mobile User communication in this case. Private application access is supported as Prisma Access correctly routes requests based on application-layer intelligence rather than IP-based routing.

TheBGP peernot coming up despite anestablished IPSec tunnelindicates a potentialBGP configuration issue.

Secret– IfMD5 authenticationis configured for BGP, both Prisma Access and theCustomer Premises Equipment (CPE)must have thesame secret (authentication key). A mismatch will prevent BGP from establishing a session.

Peer AS Number– TheAutonomous System (AS) numberof the BGP peer must match what is expected on both sides of the connection. If the AS number is incorrect, the BGP session will fail to establish.

By verifying these elements, the engineer can troubleshoot and establish a successfulBGP peering sessionover theIPSec tunnel.

Palo Alto Networks best practices and the behavior of Strata Cloud Manager (SCM) dictate thatpredefined or default objects, including profile groups like "Default Prisma Profile," cannot be directly modified.These default objects serve as baseline configurations and are often locked to prevent accidental or unintended changes that could impact the overall security posture.

The intern's experience of the options being greyed out when selecting "Default Prisma Profile" is a direct indication of this immutability of default objects.

Therefore, the correct action is to:

Create a new Profile Group:The intern should create a new profile group within the appropriate configuration scope (likely GlobalProtect, given the task).

Configure the new Profile Group:In this new profile group, the intern can select the desired Anti-Spyware Profile (which might be an existing custom profile or a new one they create).

Modify Security Rules:The security rules currently using the "Default Prisma Profile" in the GlobalProtect folder need to be modified to use this newly created profile group.

Let's analyze why the other options are incorrect based on official documentation:

A. Request edit access for the GlobalProtect scope.While having the correct scope permissions is necessary for makinganychanges within GlobalProtect, it will not override the inherent immutability of default objects like "Default Prisma Profile." Edit access will allow the intern to create new objects and modify rules, but not directly edit the default profile group.

B. Change the configuration scope to Prisma Access and modify the profile group.The image shows that "Default Prisma Profile" has a "Location" of "Prisma Access." However, even within the Prisma Access scope, default profile groups are generally not directly editable. The issue is not the scope but the fact that it's a default object.

D. Modify the existing anti-spyware profile, because best-practice profiles cannot be removed from a group.The question is about changing theprofile group, not the individual Anti-Spyware Profile. While "best-practice" profiles might be part of default groups, the core issue is the inability to modify thedefault groupitself. Creating a new group allows the intern to choose which Anti-Spyware Profile to include.

In summary, the fundamental principle in Palo Alto Networks management is that default objects are typically read-only to ensure a consistent and predictable baseline. To make changes, you need to create custom objects.

When the "Overlapping Subnets" checkbox is selected during the Remote Network onboarding process in Prisma Access, the deployment enables Private Application access using Prisma Access for Users(ZTNA or Private Access). This feature is designed to handle scenarios where multiple sites use the same IP subnet by leveraging NAT (Network Address Translation) and segmentation to avoid conflicts.

Since overlapping subnets can create routing challenges for direct remote network-to-remote network communication, Prisma Access does not support Remote Network-to-Remote Network or Mobile User communication in this case. Private application access is supported as Prisma Access correctly routes requests based on application-layer intelligence rather than IP-based routing.

SaaS Security Inline allows engineers to customize the risk scores assigned to different SaaS applications based on various factors. By manipulating these risk scores, you can influence how these applications are treated within Security policies.

To limit the use of unsanctioned SaaS applications:

Lower the risk score of sanctioned applications:This makes them less likely to trigger policies designed to restrict high-risk activities.

Increase the risk score of unsanctioned applications:This elevates their perceived risk, making them more likely to be caught by Security policies configured to block or limit access based on risk score thresholds.

Then, you would create Security policies that take action (e.g., block access, restrict features) based on these adjusted risk scores. For example, a policy could be configured to block access to any SaaS application with a risk score above a certain threshold, which would primarily target the unsanctioned applications with their inflated scores.

Let's analyze why the other options are incorrect based on official documentation:

B. Increase the risk score for all SaaS applications to automatically block unwanted applications.Increasing the risk score forallSaaS applications, including sanctioned ones, would lead to unintended blocking and disruption of legitimate business activities. Risk score customization is intended for differentiation, not a blanket increase.

C. Build an application filter using unsanctioned SaaS as the category.While creating an application filter based on the "unsanctioned SaaS" category is a valid way to identify these applications, it directly filters based on the category itself, not the risk score. Risk score customization provides a more nuanced approach where you can define thresholds and potentially allow some low-risk activities within unsanctioned applications while blocking higher-risk ones.

D. Build an application filter using unsanctioned SaaS as the characteristic.Similar to option C, using "unsanctioned SaaS" as a characteristic in an application filter allows you to directly target these applications. However, it doesn't leverage the risk score customization feature to control access based on a graduated level of risk.

Therefore, the most effective way to use risk score customization to limit unsanctioned SaaS application usage is by lowering the risk scores of sanctioned applications and increasing the risk scores of unsanctioned ones, and then building Security policies that act upon these adjusted risk scores.