Palo Alto Networks SSE Engineer
Q: 1
Which two statements apply when a customer has a large branch office with employees who all
arrive and log in within a five-minute time period? (Choose two.)
Options
Q: 2
A user connected to Prisma Access reports that traffic intermittently is denied after matching a
Catch-All Deny rule at the bottom and bypassing HIP-based policies. Refreshing VPN connection
restores the access.
What are two reasons for this behavior? (Choose two.)
Options
Q: 3
A company has a Prisma Access deployment for mobile users in North America and Europe. Service
connections are deployed to the data centers on these continents, and the data centers are
connected by private links.
With default routing mode, which action will verify that traffic being delivered to mobile users
traverses the service connection in the appropriate regions?
Options
Q: 4
When configuring Remote Browser Isolation (RBI) with Prisma Access (Managed by Strata Cloud
Manager), which element is required to define the protected URLs for mobile users?
Options
Q: 5
Which Cloud Identity Engine capability will create a Security policy that uses Entra ID attributes as
the source identification?
Options
Q: 6
When using the traffic replication feature in Prisma Access, where is the mirrored traffic directed for
analysis?
Options
Q: 7
What is the impact of selecting the “Disable Server Response Inspection” checkbox after confirming
that a Security policy rule has a threat protection profile configured?
Options
Q: 8
What will cause a connector to fail to establish a connection with the cloud gateway during the
deployment of a new ZTNA Connector in a data center?
Options
Q: 9
A large retailer has deployed all of its stores with the same IP address subnet. An engineer is
onboarding these stores as Remote Networks in Prisma Access. While onboarding each store, the
engineer selects the “Overlapping Subnets” checkbox.
Which Remote Network flow is supported after onboarding in this scenario?
Options
Q: 10
A malicious user is attempting to connect to a blocked website by crafting a packet using a fake SNI
and the correct website in the HTTP host header.
Which option will prevent this form of attack?
Options
Question 1 of 10
