Summer Sale 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: exams65

ExamsBrite Dumps

Palo Alto Networks Security Service Edge Engineer Question and Answers

Palo Alto Networks Security Service Edge Engineer

Last Update Jul 14, 2026
Total Questions : 68

We are offering FREE SSE-Engineer Paloalto Networks exam questions. All you do is to just go and sign up. Give your details, prepare SSE-Engineer free exam questions and then go for complete pool of Palo Alto Networks Security Service Edge Engineer test questions that will help you more.

SSE-Engineer pdf

SSE-Engineer PDF

$36.75  $104.99
SSE-Engineer Engine

SSE-Engineer Testing Engine

$43.75  $124.99
SSE-Engineer PDF + Engine

SSE-Engineer PDF + Testing Engine

$57.75  $164.99
Questions 1

Which feature within Strata Cloud Manager (SCM) allows an operations team to view applications, threats, and user insights for branch locations for both NGFW and Prisma Access simultaneously?

Options:

A.  

Command Center

B.  

Log Viewer

C.  

Branch Site Monitor

D.  

SASE Health Dashboard

Discussion 0
Questions 2

Which two actions can a company with Prisma Access deployed take to use the Egress IP API to automate policy rule updates when the IP addresses used by Prisma Access change? (Choose two.)

Options:

A.  

Configure a webhook to receive notifications of IP address changes.

B.  

Copy the Egress IP API Key in the service infrastructure settings.

C.  

Enable the Egress IP API endpoint in Prisma Access.

D.  

Download a client certificate to authenticate to the Egress IP API.

Discussion 0
Questions 3

An administrator needs to enforce access to all applications via Prisma Access Browser (PAB) for unmanaged or non-compliant devices. Configuration of which two enforcement actions will ensure all access to applications only happens through PAB? (Choose two.)

Options:

A.  

For SSO-enabled applications, configure Enforce SSO.

B.  

Use Account Protection for non SSO-enabled applications.

C.  

Use the PAB Extension to redirect traffic through Prisma Access.

D.  

Use Device Posture to allow or block traffic.

Discussion 0
Questions 4

A financial institution needs to prevent employees from easily moving textual information from secure financial portals accessed using Prisma Access Browser (PAB) directly into other applications on their workstations. The goal is to stop the practice of selecting data within the browser and then inserting that selected content into external documents or programs. Which PAB control should be configured to disable this particular method of data transference?

Options:

A.  

Data loss prevention (DLP)

B.  

Data Transfer

C.  

Clipboard

D.  

Webpage Data Masking

Discussion 0
Questions 5

How can an engineer use risk score customization in SaaS Security Inline to limit the use of unsanctioned SaaS applications by employees within a Security policy?

Options:

A.  

Lower the risk score of sanctioned applications and increase the risk score for unsanctioned applications.

B.  

Increase the risk score for all SaaS applications to automatically block unwanted applications.

C.  

Build an application filter using unsanctioned SaaS as the category.

D.  

Build an application filter using unsanctioned SaaS as the characteristic.

Discussion 0
Questions 6

Based on the image below, which two statements describe the reason and action required to resolve the errors? (Choose two.)

Options:

A.  

The client is misconfigured.

B.  

Create a do not decrypt rule for the hostname " google.com. "

C.  

The server has pinned certificates.

D.  

Create a do not decrypt rule for the hostname " certificates.godaddy.com. "

Discussion 0
Questions 7

Which two statements apply when a customer has a large branch office with employees who all arrive and log in within a five-minute time period? (Choose two.)

Options:

A.  

DNS results are only cached for frequently used hostnames.

B.  

Maximum pending TCP DNS requests is 64.

C.  

Maximum number of TCP DNS retries is 3.

D.  

DNS results are cached for 300 seconds.

Discussion 0
Questions 8

A large retailer has deployed all of its stores with the same IP address subnet. An engineer is onboarding these stores as Remote Networks in Prisma Access. While onboarding each store, the engineer selects the " Overlapping Subnets " checkbox. Which Remote Network flow is supported after onboarding in this scenario?

Options:

A.  

To private applications

B.  

To the internet

C.  

To remote network

D.  

To mobile users

Discussion 0
Questions 9

An engineer has configured a Web Security rule that restricts access to certain web applications for a specific user group. During testing, the rule does not take effect as expected, and the users can still access blocked web applications. What is a reason for this issue?

Options:

A.  

The rule was created with improper threat management settings.

B.  

The rule was created in the wrong scope, affecting only GlobalProtect users instead of all users.

C.  

The rule was created at a higher level in the rule hierarchy, giving priority to a lower-level rule.

D.  

The rule was created at a lower level in the rule hierarchy, giving priority to a higher-level rule.

Discussion 0
Questions 10

Which two configurations must be enabled to allow App Acceleration for SaaS applications? (Choose two.)

Options:

A.  

Acceleration agent for the client machines

B.  

QoS for user traffic

C.  

Trusted Root CA for the CA certificate

D.  

Forward Trust Certificate for the CA certificate

Discussion 0
Questions 11

What is the flow impact of updating the Cloud Services plugin on existing traffic flows in Prisma Access?

Options:

A.  

They will experience latency during the plugin upgrade process.

B.  

They will automatically terminate when the upgrade begins.

C.  

They will be unaffected because the plugin upgrade is transparent to users.

D.  

They will be unaffected only if Panorama is deployed in high availability (HA) mode.

Discussion 0
Questions 12

A customer is implementing Prisma Access (Managed by Strata Cloud Manager) to connect mobile users, branch locations, and business-to-business (B2B) partners to their data centers. [Same scenario as above.] Which two options will allow the engineer to support the requirements? (Choose two.)

Options:

A.  

Configure the CPE with Static Routes pointing to Prisma Access Infrastructure and Mobile User routes.

B.  

Enable eBGP for dynamic routing and configure Remote Networks.

C.  

Configure Remote Networks and define the branch IP subnets using Static Routes.

D.  

Enable Remote Networks Advertise Default Route.

Discussion 0
Questions 13

In an Explicit Proxy deployment where no agent can be used on the endpoint, which authentication method is supported with mobile users?

Options:

A.  

LDAP

B.  

Kerberos

C.  

SAML

D.  

SSO

Discussion 0
Questions 14

A user connected to Prisma Access reports that traffic intermittently is denied after matching a Catch-All Deny rule at the bottom and bypassing HIP-based policies. Refreshing VPN connection restores the access. What are two reasons for this behavior? (Choose two.)

Options:

A.  

" Collect HIP data " needs to be enabled in the configuration.

B.  

User mapping is learned from sources other than gateway authentication.

C.  

Firewall loses user mapping due to missed HIP report checks.

D.  

HIP-enforced policy is scheduled for certain hours of the day.

Discussion 0
Questions 15

Which Cloud Identity Engine capability will create a Security policy that uses Entra ID attributes as the source identification?

Options:

A.  

Entra ID Group Attribute

B.  

Attribute Group Mapping

C.  

Entra ID Cloud Group

D.  

Cloud Dynamic User Group

Discussion 0
Questions 16

During a deployment of Prisma Access (Managed by Strata Cloud Manager) for mobile users, a SAML authentication type and authentication profile in the Cloud Identity Engine application is successfully created. Using this SAML authentication, what is a valid next step to configure authentication for mobile users?

Options:

A.  

Perform a full commit to Strata Cloud Manager so the Cloud Identity Engine profiles get synchronized from the application.

B.  

Permit the Cloud Identity Engine service account RBAC access to the mobile user folder in Strata Cloud Manager.

C.  

In Strata Cloud Manager, create a new authentication type of " Cloud Identity Engine. "

D.  

Create a SAML authentication profile in Strata Cloud Manager and link it to the Cloud Identity Engine profile.

Discussion 0
Questions 17

Secure Inbound Access has been configured to allow access to an RDP application at a branch location, as shown in the image below. After a successful commit, return traffic from the application is not reaching the internet user. What is causing the return traffic to fail?

Options:

A.  

The Remote Network Security policy source zone is configured as " Untrust. "

B.  

Source NAT is enabled, but the branch location ' s CPE does not have a route back to the Service Endpoint Address of the Inbound Access Remote Network Node.

C.  

The " Allow inbound flows to other Remote Networks over the Prisma Access backbone " checkbox is selected.

D.  

Source NAT is enabled, but the branch location ' s CPE does not have a route back to the eBGP Router ID of the Inbound Access Remote Network Node.

Discussion 0
Questions 18

A customer using Prisma Access (Managed by Panorama) wants to monitor traffic patterns across all remote networks and use Strata Logging Service to gather insights on network usage. An engineer notices that some network data is missing from the Application Command Center (ACC). What should the engineer do to ensure complete data visibility?

Options:

A.  

Reconfigure the Prisma Access remote networks to log directly to Panorama instead of using Strata Logging Service.

B.  

Verify that the Panorama web interface has been configured to aggregate logs from both the Panorama data and RN-SPNs.

C.  

Enable the " Use Data for Pre-Defined Reports " setting in the Logging and Reporting configuration on Panorama.

D.  

Ensure that log forwarding profiles are applied to all Prisma Access policies and directed to Strata Logging Service.

Discussion 0
Questions 19

A company is migrating from NGFW-hosted Global Protect to Prisma Access Mobile Users. The authentication method will change from LDAP with Windows Active Directory Domain Controllers to SAML with Microsoft Entra ID. After configuring and applying the SAML Authentication Profile to the Mobile Users configuration, the migrated group-based Security policies are no longer functioning. Which User-ID setting must be updated for the group-based Security policies to begin functioning?

Options:

A.  

Configure a redistribution profile to send user-to-group mapping from the Global Protect firewalls to Prisma Access.

B.  

Migrate group mapping to Cloud Identity Engine using an agent to query the Windows Active Directory Domain Controllers.

C.  

Modify the group mapping settings by updating the User Attributes to include " userPrincipalName. "

D.  

Change the SAML Authentication profile Username Modifier to %USERDOMAIN%\%USERINPUT%.

Discussion 0
Questions 20

A company has a Prisma Access deployment for mobile users in North America and Europe. Service connections are deployed to the data centers on these continents, and the data centers are connected by private links. With default routing mode, which action will verify that traffic being delivered to mobile users traverses the service connection in the appropriate regions?

Options:

A.  

Configure BGP on the customer premises equipment (CPE) to prefer the assigned community string attribute on the mobile user prefixes in its respective Prisma Access region.

B.  

Configure each service connection to filter out the mobile user pool prefixes from the other region in the advertisements to the data center.

C.  

Configure BGP on the customer premises equipment (CPE) to prefer the MED attribute on the mobile user prefixes in its respective Prisma Access region.

D.  

Configure each service connection to prepend the BGP ASN five times for mobile user pool prefixes originating from the other region.

Discussion 0