Free SSE-Engineer Exam Braindumps (page: 4)


What is the impact of selecting the "Disable Server Response Inspection" checkbox after confirming that a Security policy rule has a threat protection profile configured?

  A. Only HTTP traffic from the server to the client will bypass threat inspection.
  B. The threat protection profile will override the 'Disable Server Response Inspection' only for HTTP traffic from the server to the client.
  C. All traffic from the server to the client will bypass threat inspection.
  D. The threat protection profile will override the 'Disable Server Response Inspection' for all traffic from the server to the client.

Answer(s): C

Explanation:

Selecting the "Disable Server Response Inspection" checkbox means that traffic flowing from the server to the client will not be inspected for threats, even if a threat protection profile is applied to the Security policy rule. This setting can reduce processing overhead but may expose the network to threats embedded in server responses, such as malware or exploits.



A company has a Prisma Access deployment for mobile users in North America and Europe. Service connections are deployed to the data centers on these continents, and the data centers are connected by private links.
With default routing mode, which action will verify that traffic being delivered to mobile users traverses the service connection in the appropriate regions?

  A. Configure BGP on the customer premises equipment (CPE) to prefer the assigned community string attribute on the mobile user prefixes in its respective Prisma Access region.
  B. Configure each service connection to filter out the mobile user pool prefixes from the other region in the advertisements to the data center.
  C. Configure BGP on the customer premises equipment (CPE) to prefer the MED attribute on the mobile user prefixes in its respective Prisma Access region.
  D. Configure each service connection to prepend the BGP ASN five times for mobile user pool prefixes originating from the other region.

Answer(s): B

Explanation:

In Prisma Access's default routing mode, the service connections establish BGP sessions with the customer premises equipment (CPE) in the data centers. To ensure traffic destined for mobile users in a specific region (e.g., North America) traverses the service connection in that same region, you need to control the route advertisements.
Filtering out the mobile user pool prefixes from the other region on each service connection achieves this by:

  1. Preventing the data center in one region from learning the specific mobile user prefixes of the other region. For example, the North American service connection would filter out the mobile user pool prefixes allocated to European users.
  2. Ensuring that when a data center needs to send traffic to a mobile user, it will only see and use the route advertised by the service connection in the appropriate geographical region. This forces the traffic to enter the Prisma Access infrastructure through the intended regional service connection.

Let's analyze why the other options are incorrect based on official documentation regarding default routing mode:

A. Configure BGP on the customer premises equipment (CPE) to prefer the assigned community string attribute on the mobile user prefixes in its respective Prisma Access region.
While BGP communities can be used for influencing routing decisions, in the context of default routing mode and ensuring regional traffic flow, relying solely on the CPE to prefer community strings might not be the most robust or direct method to guarantee traffic traverses the correct regional service connection. The service connection itself needs to control the advertisement of prefixes.

C. Configure BGP on the customer premises equipment (CPE) to prefer the MED attribute on the mobile user prefixes in its respective Prisma Access region.
The BGP MED (Multi-Exit Discriminator) attribute is primarily used to influence the path selection between autonomous systems (AS) or within the same AS at different entry points. In this scenario, where service connections are advertising prefixes, filtering at the source (service connection) is a more direct and reliable way to ensure regional traffic flow than relying on the MED attribute on the CPE.

D. Configure each service connection to prepend the BGP ASN five times for mobile user pool prefixes originating from the other region.
BGP AS path prepending is a mechanism to make a path less desirable. While this could influence routing, it doesn't guarantee that traffic will always take the intended regional path. Filtering provides a more definitive control over which routes are advertised and learned.

Therefore, configuring each service connection to filter out the mobile user pool prefixes from the other region in the advertisements to the data center is the verified method to ensure traffic destined for mobile users traverses the service connection in the appropriate region when using Prisma Access in default routing mode.



Based on the image below, which two statements describe the reason and action required to resolve the errors? (Choose two.)

  A. The client is misconfigured.
  B. Create a do not decrypt rule for the hostname "google.com."
  C. The server has pinned certificates.
  D. Create a do not decrypt rule for the hostname "certificates.godaddy.com."

Answer(s): B,C

Explanation:

The error messages indicate that Prisma Access is encountering certificate issues while attempting to decrypt traffic to "google.com." This suggests that the server has pinned certificates, meaning it does not allow man-in-the-middle (MITM) decryption by Prisma Access. Since pinned certificates prevent traffic decryption, a solution is to create a "do not decrypt" rule for the hostname "google.com." This will allow traffic to flow without triggering certificate errors while maintaining secure communication with Google's servers.



How can a network security team be granted full administrative access to a tenant's configuration while restricting access to other tenants by using role-based access control (RBAC) for Panorama Managed Prisma Access in a multitenant environment?

  A. Create an Access Domain and restrict access to only the Device Groups and Templates for the Target Tenant.
  B. Create a custom role enabling all privileges within the specific tenant's scope and assign it to the security team's user accounts.
  C. Create a custom role with Device Group and Template privileges and assign it to the security team's user accounts.
  D. Set the administrative accounts for the security team to the "Superuser" role.

Answer(s): A

Explanation:

In a Panorama Managed Prisma Access multitenant environment, Access Domains provide granular role-based access control (RBAC). By defining an Access Domain, the network security team can be granted full administrative privileges for a specific tenant's configuration while ensuring they cannot access or modify other tenants. This method enforces proper segmentation and ensures compliance with multitenant security policies.





