When a large branch office experiences a high volume of employees logging in within a short time

frame, the following apply:

Maximum pending TCP DNS requests is 64 – This means that Prisma Access can queue up to 64

pending DNS requests over TCP before dropping additional requests. If more requests are received

simultaneously, some may fail or experience delays.

Maximum number of TCP DNS retries is 3 – If a DNS request fails over TCP, Prisma Access will

attempt to retry the request up to three times before failing over to another method or returning an

error.

User mapping learned from sources other than gateway authentication can cause intermittent access

issues if it conflicts with the expected user identity used in HIP-based policies. If the firewall is

associating the user with an outdated or incorrect mapping, traffic may not match the intended

security policies, leading to denials by the Catch-All Deny rule.

If the firewall loses user mapping due to missed HIP report checks, the user may temporarily lose

access to policies that require a valid Host Information Profile (HIP) match. When the VPN connection

is refreshed, the HIP check is re-initiated, restoring access until the issue repeats.

In Prisma Access's default routing mode, the service connections establish BGP sessions with the

customer premises equipment (CPE) in the data centers. To ensure traffic destined for mobile users

in a specific region (e.g., North America) traverses the service connection in that same region, you

need to control the route advertisements.

Filtering out the mobile user pool prefixes from the other region on each service connection achieves

this by:

Preventing the data center in one region from learning the specific mobile user prefixes of the other

region. For example, the North American service connection would filter out the mobile user pool

prefixes allocated to European users.

Ensuring that when a data center needs to send traffic to a mobile user, it will only see and use the

route advertised by the service connection in the appropriate geographical region. This forces the

traffic to enter the Prisma Access infrastructure through the intended regional service connection.

Let's analyze why the other options are incorrect based on official documentation regarding default

routing mode:

A . Configure BGP on the customer premises equipment (CPE) to prefer the assigned community

string attribute on the mobile user prefixes in its respective Prisma Access region. While BGP

communities can be used for influencing routing decisions, in the context of default routing mode

and ensuring regional traffic flow, relying solely on the CPE to prefer community strings might not be

the most robust or direct method to guarantee traffic traverses the correct regional service

connection. The service connection itself needs to control the advertisement of prefixes.

C . Configure BGP on the customer premises equipment (CPE) to prefer the MED attribute on the

mobile user prefixes in its respective Prisma Access region. The BGP MED (Multi-Exit Discriminator)

attribute is primarily used to influence the path selection between autonomous systems (AS) or

within the same AS at different entry points. In this scenario, where service connections are

advertising prefixes, filtering at the source (service connection) is a more direct and reliable way to

ensure regional traffic flow than relying on the MED attribute on the CPE.

D . Configure each service connection to prepend the BGP ASN five times for mobile user pool

prefixes originating from the other region. BGP AS path prepending is a mechanism to make a path

less desirable. While this could influence routing, it doesn't guarantee that traffic will always take the

intended regional path. Filtering provides a more definitive control over which routes are advertised

and learned.

Therefore, configuring each service connection to filter out the mobile user pool prefixes from the

other region in the advertisements to the data center is the verified method to ensure traffic

destined for mobile users traverses the service connection in the appropriate region when using

Prisma Access in default routing mode.

When configuring Remote Browser Isolation (RBI) in Prisma Access (Managed by Strata Cloud

Manager) for mobile users, a URL access management profile must be created with the site access

action set to "Isolate". This profile is then applied to a Security policy to enforce isolation for specific

URLs. This ensures that web traffic to designated high-risk or untrusted sites is redirected to a

remote, secure browser instance, protecting endpoints from potential web-based threats.

The Cloud Dynamic User Group capability in Cloud Identity Engine enables the creation of Security

policies that use Entra ID (formerly Azure AD) attributes for user identification. This allows Prisma

Access to dynamically apply user-based security rules based on real-time Entra ID attributes,

ensuring that access policies adapt to user changes such as group membership, device compliance,

or role updates.

Palo Alto Networks documentation clearly states that when configuring the traffic replication feature

in Prisma Access, you must specify an internal security appliance as the destination for the mirrored

traffic. This appliance, typically a Palo Alto Networks next-generation firewall or a third-party security

tool, is responsible for receiving and analyzing the replicated traffic for various purposes like threat

analysis, troubleshooting, or compliance monitoring.

Let's analyze why the other options are incorrect based on official documentation:

B . Dedicated cloud storage location: While Prisma Access logs and other data might be stored in the

cloud, the mirrored traffic for real-time analysis is directly streamed to a designated security

appliance, not a passive storage location.

C . Panorama: Panorama is the centralized management system for Palo Alto Networks firewalls.

While Panorama can receive logs and manage the configuration of Prisma Access, it is not the direct

destination for real-time mirrored traffic intended for immediate analysis.

D . Strata Cloud Manager (SCM): Strata Cloud Manager is the platform used to configure and manage

Prisma Access. It facilitates the setup of traffic replication, including specifying the destination

appliance, but it does not directly receive or analyze the mirrored traffic itself.

Therefore, the mirrored traffic from the traffic replication feature in Prisma Access is directed to a

specified internal security appliance for analysis.

Selecting the “Disable Server Response Inspection” checkbox means that traffic flowing from the

server to the client will not be inspected for threats, even if a threat protection profile is applied to

the Security policy rule. This setting can reduce processing overhead but may expose the network to

threats embedded in server responses, such as malware or exploits.

A ZTNA Connector requires a stable and direct connection to the cloud gateway. When the connector

is deployed behind a double NAT (Network Address Translation), it can cause issues with reachability

and session establishment because the cloud gateway may not be able to properly identify and

communicate with the connector. Double NAT can interfere with secure tunneling, IP address

resolution, and authentication mechanisms, leading to connection failures. To resolve this, the

connector should be placed in a network segment with a single NAT or a public IP assignment.

When the "Overlapping Subnets" checkbox is selected during the Remote Network onboarding

process in Prisma Access, the deployment enables Private Application access using Prisma Access for

Users (ZTNA or Private Access). This feature is designed to handle scenarios where multiple sites use

the same IP subnet by leveraging NAT (Network Address Translation) and segmentation to avoid

conflicts.

Since overlapping subnets can create routing challenges for direct remote network-to-remote

network communication, Prisma Access does not support Remote Network-to-Remote Network or

Mobile User communication in this case. Private application access is supported as Prisma Access

correctly routes requests based on application-layer intelligence rather than IP-based routing.

This option ensures that SSL Decryption checks for mismatches between the Server Name Indication

(SNI) field in the TLS handshake and the Common Name (CN) or Subject Alternative Name (SAN) in

the server certificate. If a malicious user tries to bypass content filtering by spoofing the SNI while

using the real blocked website in the HTTP host header, this setting will detect the discrepancy and

block the session, preventing unauthorized access.