Weekend Sale 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: exams65

ExamsBrite Dumps

Palo Alto Networks Security Service Edge Engineer Question and Answers

Palo Alto Networks Security Service Edge Engineer

Last Update Sep 20, 2025
Total Questions : 50

We are offering FREE SSE-Engineer Paloalto Networks exam questions. All you do is to just go and sign up. Give your details, prepare SSE-Engineer free exam questions and then go for complete pool of Palo Alto Networks Security Service Edge Engineer test questions that will help you more.

SSE-Engineer pdf

SSE-Engineer PDF

$36.75  $104.99
 Add to Cart
SSE-Engineer Engine

SSE-Engineer Testing Engine

$43.75  $124.99
 Add to Cart
SSE-Engineer PDF + Engine

SSE-Engineer PDF + Testing Engine

$57.75  $164.99
 Add to Cart
Questions 1

An engineer configures User-ID redistribution from an on-premises firewall connected to Prisma Access (Managed by Panorama) using a service connection. After committing the configuration, traffic from remote network connections is still not matching the correct user-based policies.

Which two configurations need to be validated? (Choose two.)

Options:

A.  

Ensure the Remote_Network_Template is selected when adding the User-ID Agent in Panorama.

B.  

Confirm there is a Security policy configured in Prisma Access to allow the communication on port 5007.

C.  

Confirm the Collector Pre-Shared Keys match between Prisma Access and the on-premises firewall.

D.  

Ensure the Service_Conn_Template is selected when adding the User-ID Agent in Panorama.

Discussion 0
Questions 2

Which feature within Strata Cloud Manager (SCM) allows an operations team to view applications, threats, and user insights for branch locations for both NGFW and Prisma Access simultaneously?

Options:

A.  

Command Center

B.  

Log Viewer

C.  

Branch Site Monitor

D.  

SASE Health Dashboard

Discussion 0
Questions 3

A malicious user is attempting to connect to a blocked website by crafting a packet using a fake SNI and the correct website in the HTTP host header.

Which option will prevent this form of attack?

Options:

A.  

Advanced Threat Prevention option to block “Domain Fronting”

B.  

Advanced URL Filtering and block the “Malicious Behavior” category

C.  

Advanced URL Filtering and block “SNI mismatch with Server Certificate (SAN/CN)”

D.  

SSL Decryption to “Block sessions on SNI mismatch with Server Certificate (SAN/CN)”

Discussion 0
Questions 4

A customer is implementing Prisma Access (Managed by Strata Cloud Manager) to connect mobile users, branch locations, and business-to- business (B2B) partners to their data centers.

The solution must meet these requirements:

The mobile users must have internet filtering, data center connectivity, and remote site connectivity to the branch locations.

The branch locations must have internet filtering and data center connectivity.

The B2B partner connections must only have access to specific data center internally developed applications running on non-standard ports.

The security team must have access to manage the mobile user and access to branch locations.

The network team must have access to manage only the partner access.

Which two options will allow the engineer to support the requirements? (Choose two.)

Options:

A.  

Configure the CPE with Static Routes pointing to Prisma Access Infrastructure and Mobile User routes.

B.  

Enable eBGP for dynamic routing and configure RemoteNetworks.

C.  

Configure Remote Networks and define the branch IP subnets using Static Routes.

D.  

Enable Remote Networks Advertise Default Route.

Discussion 0
Questions 5

An intern is tasked with changing the Anti-Spyware Profile used for security rules defined in the GlobalProtect folder. All security rules are using the Default Prisma Profile. The intern reports that the options are greyed out and cannot be modified when selecting the Default Prisma Profile.

Based on the image below, which action will allow the intern to make the required modifications?

Options:

A.  

Request edit access for the GlobalProtect scope.

B.  

Change the configuration scope to Prisma Access and modify the profile group.

C.  

Create a new profile, because default profile groups cannot be modified.

D.  

Modify the existing anti-spyware profile, because best-practice profiles cannot be removed from a group.

Discussion 0
Questions 6

What is the impact of selecting the “Disable Server Response Inspection” checkbox after confirming that a Security policy rule has a threat protection profile configured?

Options:

A.  

Only HTTP traffic from the server to the client will bypass threat inspection.

B.  

The threat protection profile will override the 'Disable Server Response Inspection1 only for HTTP traffic from the server to the client.

C.  

All traffic from the server to the client will bypass threat inspection.

D.  

The threat protection profile will override the 'Disable Server Response Inspection1 for all traffic from the server to the client.

Discussion 0
Questions 7

A user connected to Prisma Access reports that traffic intermittently is denied after matching a Catch-All Deny rule at the bottom and bypassing HIP-based policies. Refreshing VPN connection restores the access.

What are two reasons for this behavior? (Choose two.)

Options:

A.  

"Collect HIP data' needs to be enabled in the configuration.

B.  

User mapping is learned from sources other than gateway authentication.

C.  

Firewall loses user mapping due to missed HIP report checks.

D.  

HIP-enforced policy is scheduled for certain hours of the day.

Discussion 0
Questions 8

When a review of devices discovered by IoT Security reveals network routers appearing multiple times with different IP addresses, which configuration will address the issue by showing only unique devices?

Options:

A.  

Add the duplicate entries to the ignore list in IoT Security.

B.  

Merge individual devices into a single device with multiple interfaces.

C.  

Create a custom role to merge devices with the same hostname and operating system.

D.  

Delete all duplicate devices, keeping only those discovered using their management IP addresses.

Discussion 0
Questions 9

Which overlay protocol must a customer premises equipment (CPE) device support when terminating a Partner Interconnect-based Colo-Connect in Prisma Access?

Options:

A.  

Geneve

B.  

IPSec

C.  

GRE

D.  

DTLS

Discussion 0
Questions 10

An engineer configures a Security policy for traffic originating at branch locations in the Remote Networks configuration scope. After committing the configuration and reviewing the logs, the branch traffic is not matching the Security policy.

Which statement explains the branch traffic behavior?

Options:

A.  

The source address was configured with an address object including the branch location prefixes.

B.  

The source zone was configured as “Trust.”

C.  

The Security policy did not meet best practice standards and was automatically removed.

D.  

The traffic is matching a Security policy in the Prisma Access configuration scope.

Discussion 0
Questions 11

How can an engineer use risk score customization in SaaS Security Inline to limit the use of unsanctioned SaaS applications by employees within a Security policy?

Options:

A.  

Lower the risk score of sanctioned applications and increase the risk score for unsanctioned applications.

B.  

Increase the risk score for all SaaS applications to automatically block unwanted applications.

C.  

Build an application filter using unsanctioned SaaS as the category.

D.  

Build an application filter using unsanctioned SaaS as the characteristic.

Discussion 0
Questions 12

Which statement is valid in relation to certificates used for GlobalProtect and pre-logon?

Options:

A.  

A public certificate authority (CA) must sign and validate all certificates used.

B.  

The certificate used for pre-logon must include both Subject and Subject-Alt fields.

C.  

Certificates must be deployed in the Machine Certificate Store.

D.  

The GlobalProtect agent may be used to distribute pre-logon certificates.

Discussion 0
Questions 13

In an Explicit Proxy deployment where no agent can be used on the endpoint, which authentication method is supported with mobile users?

Options:

A.  

LDAP

B.  

Kerberos

C.  

SAML

D.  

SSO

Discussion 0
Questions 14

A company has a Prisma Access deployment for mobile users in North America and Europe. Service connections are deployed to the data centers on these continents, and the data centers are connected by private links.

With default routing mode, which action will verify that traffic being delivered to mobile users traverses the service connection in the appropriate regions?

Options:

A.  

Configure BGP on the customer premises equipment (CPE) to prefer the assigned community string attribute on the mobile user prefixes in its respective Prisma Access region.

B.  

Configure each service connection to filter out the mobile user pool prefixes from the other region in the advertisements to the data center.

C.  

Configure BGP on the customer premises equipment (CPE) to prefer the MED attribute on the mobile user prefixes in its respective Prisma Access region.

D.  

Configure each service connection to prepend the BGP ASN five times for mobile user pool prefixes originating from the other region.

Discussion 0
Questions 15

Which feature can help address a customer concern about the length of time it takes to update their SaaS-allowed IP addresses while onboarding to Prisma Access?

Options:

A.  

Dynamic IP pooling

B.  

DNS-based load balancing

C.  

Traffic steering

D.  

Dedicated IP addresses

Discussion 0