SSE sebandra
Test title: SSE sebandra. Description: SSE tests



A customer is implementing Prisma Access (SCM managed) to connect MUs, Branches, and B2B partners to their DCs. The solution must meet the following requirements:

1. The MUs must have internet filtering, DC connectivity, and RN connectivity to the branch locations.
2. The branches must have internet filtering and DC connectivity.
3. The B2B partner must only have access to specific data center internally developed apps running on non-standard ports.
4. The sec team must have access to manage the MU and access to branches.
5. The network team must have access to manage only the partner access.

How should PA be implemented to meet the customer reqs?

- Deploy Two Prisma Access instances - the first with MUs, RNs, and private access for all internal connection types, and the second with RNs and Private access app for B2B connections - and use Strata Multitenant Cloud Manager PA config scope to manage access.
- Deploy a PA instance with MUs, RNs, and private access for all connection types, and use the PA config scope to manage all access.
- Deploy two PA instances - the first with MUs, RNs, and private access for all internal connection types and the second with RNs and private app access for B2B connections - and use the specific config scope for the connection type to manage access.
- Deploy a PA instance with MUs, RNs, and Private access for all connection types, and use the specific config scope for the connection type to manage access.

A customer is implementing PA managed by SCM to connect MUs, branches, B2B partners to their data centers. The solution must meet these requirements:

1. The MUs must have internet filtering, DC connectivity, and remote site connectivity to the branch locations.
2. The branch locations must have internet filtering and DC connectivity.
3. The B2B partner connections must only have access to specific DC internally developed applications running on non-standard ports.
4. The sec team must have access to manage the MU and access to branch locations.
5. The network team must have access to manage only the partner access.

How can the engineer configure MU and Branches to meet the requirements?

- Use GP and RN to filter internet traffic and provide access to DC resources using SCs.
- Use EP to filter internet traffic and provide access to DC resources using SCs.
- Use GP to filter internet traffic and provide access to DC resources using SCs.
- Use EP and RNs to filter internet traffic and provide access to DC resources using SCs.

A customer is implementing PA managed by SCM to connect MUs, branches, and B2B partners to their DCs. The solution must meet these requirements:

1. The MUs must have internet filtering, DC connectivity, and RN connectivity to the branch locations.
2. The branch locations must have internet filtering and DC connectivity.
3. The B2B partner connections must only have access to specific DC internally developed apps running on non-standard ports.
4. The sec team must have access to manage the MU and access to branch locations.
5. The network team must have access to manage only the partner access.

Which two options will allow the engineer to support the reqs?

- Configure the CPE with Static Routes pointing to Prisma Access Infrastructure and MU routes.
- Enable eBGP for dynamic routing and configure RNs.
- Configure RNs and define the branch IP subnets using Static Routes.
- Enable Remote Networks Advertise Default Route.

A customer is implementing PA managed by SCM to connect MUs, branches, and B2B partners to their DCs. The solution must meet these requirements:

1. The MUs must have internet filtering, DC connectivity, and RN connectivity to the branch locations.
2. The branch locations must have internet filtering and DC connectivity.
3. The B2B partner connections must only have access to specific DC internally developed apps running on non-standard ports.
4. The sec team must have access to manage the MU and access to branch locations.
5. The network team must have access to manage only the partner access.

Which two components can be provisioned to enable DC connectivity over the internet?

- ZTNA Connector.
- SD-WAN Connector.
- Service Connections.
- Colo-Connect.

Which two actions can a company with Prisma Access deployed take to use the Egress IP API to automate policy rule updates when the IP addresses used by Prisma Access change? (Choose two.)

- Configure a webhook to receive notifications of IP address changes.
- Copy the Egress IP API Key in the service infrastructure settings.
- Enable the Egress IP API endpoint in Prisma Access.
- Download a client certificate to authenticate to the Egress IP API.

How can an engineer verify that only the intended changes will be applied when modifying Prisma Access policy configuration in Strata Cloud Manager (SCM)?

- Review the SCM portal for blue circular indicators next to each configuration menu item and ensure only the intended areas of configuration have this indicator.
- Compare the candidate configuration and the most recent version under "Config Version Snapshots".
- Select the most recent job under Operations > Push Status to view the pending changes that would apply to Prisma Access.
- Open the push dialogue in SCM to preview all changes which would be pushed to Prisma Access.

When using the traffic replication feature in Prisma Access, where is the mirrored traffic directed for analysis?

- Specified internal security appliance.
- Dedicated cloud storage location.
- Panorama.
- SCM.

When a review of devices discovered by IoT Security reveals network routers appearing multiple times with different IP addresses, which configuration will address the issue by showing only unique devices?

- Add the duplicate entries to the ignore list in IoT Security.
- Merge individual devices into a single device with multiple interfaces.
- Create a custom role to merge devices with the same hostname and operating system.
- Delete all duplicate devices, keeping only those discovered using their management IP addresses.

What is the impact of selecting the "Disable Server Response Inspection" checkbox after confirming that a Security policy rule has a threat protection profile configured?

- Only HTTP traffic from the server to the client will bypass threat detection.
- The threat protection profile will override the "Disable Server Response Inspection" only for HTTP traffic from the server to the client.
- All traffic from the server to the client will bypass threat inspection.
- The threat protection profile will override the "Disable Server Response Inspection" for all traffic from the server to the client.

A company has a Prisma Access deployment for mobile users in North America and Europe. Service connections are deployed to the data centers on these continents, and the data centers are connected by private links. With default routing mode, which action will verify that traffic being delivered to mobile users traverses the service connection in the appropriate regions?

- Configure BGP on the customer premises equipment (CPE) to prefer the assigned community string attribute on the mobile user prefixes in its respective Prisma Access region.
- Configure each service connection to filter out the mobile user pool prefixes from the other region in the advertisements to the data center.
- Configure BGP on the customer premises equipment (CPE) to prefer the MED attribute on the mobile user prefixes in its respective Prisma Access region.
- Configure each service connection to prepend the BGP ASN five times for mobile user pool.

Based on the image below: (Log viewer with Server Name Indication google.com and showing Received fatal alert BadCertificate from Client) Which two.

- The client is misconfigured.
- Create a do not decrypt rule for the hostname "google.com".
- The server has pinned certificates.
- Create a do not decrypt rule for the hostname "certificate.godaddy.com".

How can a network sec team be granted full admin access to a tenant's config while restricting access to other tenants by using role-based access control for Panorama Managed Prisma Access in a multitenant environment?

- Create an access Domain and restrict access to only the DGs and templates for the Target Tenant.
- Create a custom role enabling all privileges within the specific tenant’s scope and assign it to the security team’s user accounts.
- Create a custom role with Device Group and Template privileges and assign it to the security team’s user accounts.
- Set the administrative accounts for the security team to the “Superuser” role.

An engineer has configured a Web Security rule that restricts access to certain web applications for a specific user group. During testing, the rule does not take effect as expected, and the users can still access blocked web applications. What is a reason for this issue?

- The rule was created with improper threat management settings.
- The rule was created in the wrong scope, affecting only GlobalProtect users instead of all users.
- The rule was created at a higher level in the rule hierarchy, giving priority to a lower-level rule.
- The rule was created at a lower level in the rule hierarchy, giving priority to a higher-level rule.

What will cause a connector to fail to establish a connection with the cloud gateway during the deployment of a new ZTNA Connector in a data center?

- There is a misconfiguration in the DNS settings on the connector.
- The connector is deployed behind a double NAT.
- The connector is using a dynamic IP address.
- There is a high latency in the network connection.

Which feature will fetch user and group information to verify whether a group from the Cloud Identity Engine is present on a security processing node (SPN)?

- SASE Health Dashboard.
- User Activity Insights.
- Prisma Access Locations.
- Region Activity Insights.

An engineer configures User-ID redistribution from an on-premises firewall connected to Prisma Access (Managed by Panorama) using a service connection. After committing the configuration, traffic from remote network connections is still not matching the correct user-based policies. Which two configurations need to be validated? (Choose two.)

- Ensure the Remote_Network_Template is selected when adding the User-ID Agent in Panorama.
- Confirm there is a Security policy configured in Prisma Access to allow the communication on port 5007.
- Confirm the Collector Pre-Shared Keys match between Prisma Access and the on-premises firewall.
- Ensure the Service_Conn_Template is selected when adding the User-ID Agent in Panorama.

What is the purpose of embargo rules in Prisma Access?

- Rate-limiting connections originating from specific countries.
- Allowing traffic only from specific countries.
- Blocking connections from specific countries.
- Blocking traffic from Russia, China, and North Korea.

Strata Logging Service is configured to forward logs to an external syslog server; however, a month later, there is a disruption on the syslog server. Which action will send the missing logs to the external syslog server?

- Configure a replay profile with the affected time range and associate it with the affected syslog server profile.
- Delete the affected syslog server profile and create a new one.
- Export the logs from Strata Logging Service, and then manually import them to the syslog server.
- Configure a log filter under the syslog server profile with the affected time range.

A large retailer has deployed all of its stores with the same IP address subnet. An engineer is onboarding these stores as Remote Networks in Prisma Access. While onboarding each store, the engineer selects the “Overlapping Subnets” checkbox. Which Remote Network flow is supported after onboarding in this scenario?

- To private apps.
- To the internet.
- To remote networks.
- To mobile users.

An intern is tasked with changing the Anti-Spyware Profile used for security rules defined in the GlobalProtect folder. All security rules are using the Default Prisma Profile. The intern reports that the options are greyed out and cannot be modified when selecting the Default Prisma Profile. Based on the image below, which action will allow the intern to make the required modifications? (Image shows Config Scope: GP, Security Services Profile Groups, 3 default DPs and one called IT Group Profiles created under the GP scope, the Default Prisma Profile has a green circle with 1 Days Unused counting)

- Request edit access for the GP Scope.
- Change the config scope to Prisma Access and modify the profile group.
- Create a new profile, because default profile groups cannot be modified.
- Modify the existing anti-spyware profile, because best-practice profiles cannot be removed from a group.

How can role-based access control (RBAC) for Prisma Access (Managed by Strata Cloud Manager) be used to grant each member of a security team full administrative access to manage the Security policy in a single tenant while restricting access to other tenants in a multitenant deployment?

- Add the team to the Parent Tenant, select the Prisma Access Configuration Scope, and set the role to Security Administrator.
- Add the team to the Child Tenant, select All Apps & Services, and set the role to Security Administrator.
- Add the team to the Parent Tenant, select Prisma Access & NGFW Configuration, and set the role to Security Administrator.
- Add the team to the Child Tenant, select Prisma Access & NGFW Configuration, and set the role to Security Administrator.

An engineer configures a Security policy for traffic originating at branch locations in the Remote Networks configuration scope. After committing the configuration and reviewing the logs, the branch traffic is not matching the Security policy. Which statement explains the branch traffic behavior?

- The source address was configured with an address object including the branch location prefixes.
- The source zone was configured as “Trust.”
- The Security policy did not meet best practice standards and was automatically removed.
- The traffic is matching a Security policy in the Prisma Access configuration scope.

What is the flow impact of updating the Cloud Services plugin on existing traffic flows in Prisma Access?

- They will experience latency during the plugin upgrade process.
- They will automatically terminate when the upgrade begins.
- They will be unaffected because the plugin upgrade is transparent to users.
- They will be unaffected only if Panorama is deployed in high availability (HA) mode.

Which overlay protocol must a customer premises equipment (CPE) device support when terminating a Partner Interconnect-based Colo-Connect in Prisma Access?

- Geneve.
- IPSec.
- GRE.
- DTLS.

An engineer has configured IPSec tunnels for two remote network locations; however, users are experiencing intermittent connectivity issues across the tunnels. What action will allow the engineer to receive notifications when the IPSec tunnels are down or experiencing instability?

- Create a new notification profile specifying conditions for remote network IPSec tunnels.
- Create a tunnel log notification rule to alert on specified remote network IPSec tunnel conditions.
- Set up the operational health dashboard to email alerts for remote Network IPSec tunnel issues.
- Select the IPSec tunnel monitoring and notifications checkbox when configuring the remote network IPSec tunnels.

Which two configurations must be enabled to allow App Acceleration for SaaS applications? (Choose two.)

- Acceleration agent for the client machines.
- QoS for user traffic.
- Trusted Root CA for the CA certificate.
- Forward Trust Certificate for the CA certificate.

Which two statements apply when a customer has a large branch office with employees who all arrive and log in within a five-minute time period? (Choose two.)

- DNS results are only cached for frequently used hostnames.
- Maximum pending TCP DNS requests is 64.
- Maximum number of TCP DNS retries is 3.
- DNS Results are cached for 300 seconds.

Which statement applies when enabling multitenancy in Prisma Access (Managed by Panorama)?

- Service connection licenses will be assigned only to the first tenant, and these service connections can be shared with the other tenants.
- A single tenant cannot consist solely of mobile users or solely of remote networks.
- Each tenant is allocated its own dedicated Prisma Access instances, with compute resources that are not shared across tenants.
- There is flexibility to manage different tenants using separate Panoramas, which allows for better organization and management of the multiple tenants.

A company has four branch offices between Canada Central and Canada East which use the same IPSec termination node and have QoS configured with customized bandwidth per site. An engineer wants to onboard a new branch office on the same IPSec termination node. What is the QoS behavior for the new branch office?

- Automatically distributed to 25% for each site.
- Unallocated until manually assigned.
- Automatically distributed to 20% for each site.
- Cannot be added to existing QoS configuration.

A customer using Prisma Access (Managed by Panorama) wants to monitor traffic patterns across all remote networks and use Strata Logging Service to gather insights on network usage. An engineer notices that some network data is missing from the Application Command Center (ACC). What should the engineer do to ensure complete data visibility?

- Reconfigure the Prisma Access remote networks to log directly to Panorama instead of using Strata Logging Service.
- Verify that the Panorama web interface has been configured to aggregate logs from both the Panorama data and RN-SPNs.
- Enable the “Use Data for Pre-Defined Reports” setting in the Logging and Reporting configuration on Panorama.
- Ensure that log forwarding profiles are applied to all Prisma Access policies and directed to Strata Logging Service.

How can a senior engineer use Strata Cloud Manager (SCM) to ensure that junior engineers are able to create compliant policies while preventing the creation of policies that may result in security gaps?

- Use security checks under posture settings and set the action to “deny” for all checks that do not meet the compliance standards.
- Configure role-based access controls (RBACs) for all junior engineers to limit them to creating policies in a disabled state, manually review the policies, and enable them using a senior engineer role.
- Configure an auto tagging rule in SCM to trigger a Security policy review workflow based on a security rule tag, then instruct junior engineers to use this tag for all new Security policies.
- Run a Best Practice Assessment (BPA) at regular intervals and manually revert any policies not meeting company compliance standards.

Which policy configuration in Prisma Access Browser (PAB) will protect an organization from malicious BYOD and minimize the impact on the user experience?

- One that blocks file exchange.
- One for session recording.
- One that blocks elements such as screen scrapers.
- One that allows access to applications with data masking or watermarking.

During a deployment of Prisma Access (Managed by Strata Cloud Manager) for mobile users, a SAML authentication type and authentication profile in the Cloud Identity Engine application is successfully created. Using this SAML authentication, what is a valid next step to configure authentication for mobile users?

- Perform a full commit to Strata Cloud Manager so the Cloud Identity Engine profiles get synchronized from the application.
- Permit the Cloud Identity Engine service account RBAC access to the mobile user folder in Strata Cloud Manager.
- In Strata Cloud Manager, create a new authentication type of “Cloud Identity Engine.”
- Create a SAML authentication profile in Strata Cloud Manager and link it to the Cloud Identity Engine profile.

After configuring domain-based split tunnel for zoom.us, how is expected behavior on the client machine confirmed?

- Verify from the routing table.
- Enable dump level logs on GlobalProtect application.
- Verify zoom.us is resolved by the tunnel assigned DNS server.
- Ping zoom.us from the CLI.

Which Cloud Identity Engine capability will create a Security policy that uses Entra ID attributes as the source identification?

- Entra ID Group Attribute.
- Attribute Group Mapping.
- Entra ID Cloud Group.
- Cloud Dynamic User Group.

An engineer deploys a new branch connected to Prisma Access. From the customer premises equipment (CPE) device at the branch, Phase 1 on the tunnel is established, but Phase 2-encrypted packets are not coming back from Prisma Access. Which Strata Logging Service log facility should the engineer review to determine why Phase 2-encrypted traffic is not being received?

- Decrypt logs.
- System logs.
- Traffic logs.
- Tunnel logs.

When configuring Remote Browser Isolation (RBI) with Prisma Access (Managed by Strata Cloud Manager), which element is required to define the protected URLs for mobile users?

- A URL access management profile with site access set to “Isolate” applied to a Security policy.
- A DNS Security profile applied to a Security policy with the action of “Isolate” for the target remote browser DNS categories.
- An RBI profile applied to the URL access management profile.
- A Security policy with the target URL categories and set the action to “Isolate”.

A malicious user is attempting to connect to a blocked website by crafting a packet using a fake SNI and the correct website in the HTTP host header. Which option will prevent this form of attack?

- Advanced Threat Prevention option to block “Domain Fronting”.
- Advanced URL Filtering and block the “Malicious Behavior” category.
- Advanced URL Filtering and block “SNI mismatch with Server Certificate (SAN/CN)”.
- SSL Decryption to “Block sessions on SNI mismatch with Server Certificate (SAN/CN)”.

A user connected to Prisma Access reports that traffic intermittently is denied after matching a Catch-All Deny rule at the bottom and bypassing HIP-based policies. Refreshing VPN connection restores the access. What are two reasons for this behavior? (Choose two.)

- “Collect HIP data” needs to be enabled in the configuration.
- User mapping is learned from sources other than gateway authentication.
- Firewall loses user mapping due to missed HIP report checks.
- HIP-enforced policy is scheduled for certain hours of the day.

Which feature can help address a customer concern about the length of time it takes to update their SaaS-allowed IP addresses while onboarding to Prisma Access?

- Dynamic IP pooling.
- DNS-based load balancing.
- Traffic steering.
- Dedicated IP addresses.

Which feature within Strata Cloud Manager (SCM) allows an operations team to view applications, threats, and user insights for branch locations for both NGFW and Prisma Access simultaneously?

- Command Center.
- Log Viewer.
- Branch Site Monitor.
- SASE Health Dashboard.

In addition to creating a Security policy, how can AI Access Security be used to prevent users from uploading financial information to ChatGPT?

- Apply File Blocking to stop file uploads containing financial information.
- Configure an Enterprise DLP rule to block uploads containing financial information.
- Add the ChatGPT domains using URL Filtering to block uploads containing financial information.
- Apply a vulnerability profile to stop attempts to exploit system flaws or gain unauthorized.

Which statement is valid in relation to certificates used for GlobalProtect and pre-logon?

- A public certificate authority (CA) must sign and validate all certificates used.
- The certificate used for pre-logon must include both Subject and Subject-Alt fields.
- Certificates must be deployed in the Machine Certificate Store.
- The GlobalProtect agent may be used to distribute pre-logon certificates.

What must be configured to accurately report an application's availability when onboarding a discovered application for ZTNA Connector?

- icmp ping.
- https ping.
- tcp ping.
- udp ping.

All mobile users are unable to authenticate to Prisma Access (Managed by Strata Cloud Manager) using SAML authentication through the Cloud Identity Engine. Users report that after entering their credentials on the Identity Provider (IdP) login page, they are redirected to the Prisma Access portal without successful authentication, and they receive this error message: Error: Prisma Access Portal Authentication Failed using CIE-SAML with message “400 Bad Request”. Which action will identify the root cause of this error?

- Verify the SAML metadata configuration in both Strata Cloud Manager and the IdP portal to confirm that the endpoint URLs and certificates are correctly configured.
- Examine the Security policy rules in Prisma Access to ensure that traffic from the IdP is allowed and not blocked.
- Verify the SAML metadata configuration in both the Cloud Identity Engine and the IdP portal to confirm that the endpoint URLs and certificates are correctly configured.
- Review the Authentication logs in Strata Cloud Manager to check for any SAML error messages or authentication failures.

An engineer has configured a new Remote Networks connection using BGP for route advertisements. The IPSec tunnel has been established, but the BGP peer is not up. Which two elements must the engineer validate to solve the issue? (Choose two.)

- Secret.
- MRAI Timers.
- Peer AS Number.
- Advertise Default Route Checkbox.

In an Explicit Proxy deployment where no agent can be used on the endpoint, which authentication method is supported with mobile users?

- LDAP.
- Kerberos.
- SAMLD, SSO.

Which advanced AI-powered functionality does Strata Copilot provide to enhance the capabilities of Prisma Access security teams?

- Real-time traffic analysis for automated threat prevention.
- Initial configuration of Prisma Access using a natural language interface.
- Customized guidance for resolving issues through recommended next steps.
- Automated remediation of misconfigured security policies.

Where are tags applied to control access to Generative AI when implementing AI Access Security?

- To Generative AI applications for identifying sanctioned, tolerated, or unsanctioned applications.
- To security rules for defining which types of Generative AI applications are allowed or blocked.
- To user devices for identifying and controlling which Generative AI applications they can access.
- To Generative AI URL categories for classifying trusted and untrusted Generative AI websites.

How can an engineer use risk score customization in SaaS Security Inline to limit the use of unsanctioned SaaS applications by employees within a Security policy?

- Lower the risk score of sanctioned applications and increase the risk score for unsanctioned applications.
- Increase the risk score for all SaaS applications to automatically block unwanted applications.
- Build an application filter using unsanctioned SaaS as the category.
- Build an application filter using unsanctioned SaaS as the characteristic.





