Free SSE-Engineer Sample Questions — Palo Alto Networks Security Service Edge Engineer

A company has a Prisma Access deployment for mobile users in North America and Europe. Service connections are deployed to the data centers on these continents, and the data centers are connected by private links. With default routing mode, which action will verify that traffic being delivered to mobile users traverses the service connection in the appropriate regions?

• A. Configure BGP on the customer premises equipment (CPE) to prefer the assigned community string attribute on the mobile user prefixes in its respective Prisma Access region
• B. Configure each service connection to filter out the mobile user pool prefixes from the other region in the advertisements to the data center
• C. Configure BGP on the customer premises equipment (CPE) to prefer the MED attribute on the mobile user prefixes in its respective Prisma Access region
• D. Configure each service connection to prepend the BGP ASN five times for mobile user pool prefixes originating from the other region

Which statement applies when enabling multitenancy in Prisma Access (Managed by Panorama)?

• A. Service connection licenses will be assigned only to the first tenant, and these service connections can be shared with the other tenants
• B. single tenant cannot consist solely of mobile users or solely of remote networks
• C. Each tenant is allocated its own dedicated Prisma Access instances, with compute resources that are not shared across tenants
• D. There is flexibility to manage different tenants using separate Panoramas, which allows for better organization and management of the multiple tenants

How can an engineer use risk score customization in SaaS Security Inline to limit the use of unsanctioned SaaS applications by employees within a Security policy?

• A. Lower the risk score of sanctioned applications and increase the risk score for unsanctioned applications
• B. Increase the risk score for all SaaS applications to automatically block unwanted applications
• C. Build an application filter using unsanctioned SaaS as the category
• D. Build an application filter using unsanctioned SaaS as the characteristic

An engineer configures a Security policy for traffic originating at branch locations in the Remote Networks configuration scope. After committing the configuration and reviewing the logs, the branch traffic is not matching the Security policy. Which statement explains the branch traffic behavior?

• A. The source address was configured with an address object including the branch location prefixes
• B. The source zone was configured as “Trust.”
• C. The Security policy did not meet best practice standards and was automatically removed
• D. The traffic is matching a Security policy in the Prisma Access configuration scope

What must be configured to accurately report an application's availability when onboarding a discovered application for ZTNA Connector?

• A. icmp ping
• B. https ping
• C. tcp ping
• D. udp ping

What will cause a connector to fail to establish a connection with the cloud gateway during the deployment of a new ZTNA Connector in a data center?

• A. There is a misconfiguration in the DNS settings on the connector
• B. The connector is deployed behind a double NAT
• C. The connector is using a dynamic IP address
• D. There is a high latency in the network connection

All mobile users are unable to authenticate to Prisma Access (Managed by Strata Cloud Manager) using SAML authentication through the Cloud Identity Engine. Users report that after entering their credentials on the Identity Provider (IdP) login page, they are redirected to the Prisma Access portal without successful authentication, and they receive this error message: Error: Prisma Access Portal Authentication Failed using CIE-SAML with message “400 Bad Request” Which action will identify the root cause of this error?

• A. Verify the SAML metadata configuration in both Strata Cloud Manager and the IdP portal to confirm that the endpoint URLs and certificates are correctly configured
• B. Examine the Security policy rules in Prisma Access to ensure that traffic from the IdP is allowed and not blocked
• C. Verify the SAML metadata configuration in both the Cloud Identity Engine and the IdP portal to confirm that the endpoint URLs and certificates are correctly configured
• D. Review the Authentication logs in Strata Cloud Manager to check for any SAML error messages or authentication failures

What is the flow impact of updating the Cloud Services plugin on existing traffic flows in Prisma Access?

• A. They will experience latency during the plugin upgrade process
• B. They will automatically terminate when the upgrade begins
• C. They will be unaffected because the plugin upgrade is transparent to users
• D. They will be unaffected only if Panorama is deployed in high availability (HA) mode

Which Cloud Identity Engine capability will create a Security policy that uses Entra ID attributes as the source identification?

• A. Entra ID Group Attribute
• B. Attribute Group Mapping
• C. Entra ID Cloud Group
• D. Cloud Dynamic User Group

An engineer has configured a new Remote Networks connection using BGP for route advertisements. The IPSec tunnel has been established, but the BGP peer is not up. Which two elements must the engineer validate to solve the issue? (Choose two.)

• A. Secret
• B. MRAI Timers
• C. Peer AS Number
• D. Advertise Default Route Checkbox