Palo Alto Networks SSE-ENGINEER Exam Questions

Questions for the SSE-ENGINEER were updated on: Dec 01, 2025

Page 1 out of 4. Viewing questions 1-15 out of 50

Question 1

How can an engineer use risk score customization in SaaS Security Inline to limit the use of
unsanctioned SaaS applications by employees within a Security policy?

  • A. Lower the risk score of sanctioned applications and increase the risk score for unsanctioned applications.
  • B. Increase the risk score for all SaaS applications to automatically block unwanted applications.
  • C. Build an application filter using unsanctioned SaaS as the category.
  • D. Build an application filter using unsanctioned SaaS as the characteristic.
Answer:

A

Explanation:
SaaS Security Inline allows engineers to customize the risk scores assigned to different SaaS
applications based on various factors. By manipulating these risk scores, you can influence how these
applications are treated within Security policies.
To limit the use of unsanctioned SaaS applications:
  • Lower the risk score of sanctioned applications: This makes them less likely to trigger policies designed to restrict high-risk activities.
  • Increase the risk score of unsanctioned applications: This elevates their perceived risk, making them more likely to be caught by Security policies configured to block or limit access based on risk score thresholds.
Then, you would create Security policies that take action (e.g., block access, restrict features) based
on these adjusted risk scores. For example, a policy could be configured to block access to any SaaS
application with a risk score above a certain threshold, which would primarily target the
unsanctioned applications with their inflated scores.
Let's analyze why the other options are incorrect based on official documentation:
B. Increase the risk score for all SaaS applications to automatically block unwanted applications.
Increasing the risk score for all SaaS applications, including sanctioned ones, would lead to
unintended blocking and disruption of legitimate business activities. Risk score customization is
intended for differentiation, not a blanket increase.
C. Build an application filter using unsanctioned SaaS as the category. While creating an application
filter based on the "unsanctioned SaaS" category is a valid way to identify these applications, it
directly filters based on the category itself, not the risk score. Risk score customization provides a
more nuanced approach where you can define thresholds and potentially allow some low-risk
activities within unsanctioned applications while blocking higher-risk ones.
D. Build an application filter using unsanctioned SaaS as the characteristic. Similar to option C, using
"unsanctioned SaaS" as a characteristic in an application filter allows you to directly target these
applications. However, it doesn't leverage the risk score customization feature to control access
based on a graduated level of risk.
Therefore, the most effective way to use risk score customization to limit unsanctioned SaaS
application usage is by lowering the risk scores of sanctioned applications and increasing the risk
scores of unsanctioned ones, and then building Security policies that act upon these adjusted risk
scores.

Question 2

Where are tags applied to control access to Generative AI when implementing AI Access Security?

  • A. To Generative AI applications for identifying sanctioned, tolerated, or unsanctioned applications
  • B. To security rules for defining which types of Generative AI applications are allowed or blocked
  • C. To user devices for identifying and controlling which Generative AI applications they can access
  • D. To Generative AI URL categories for classifying trusted and untrusted Generative AI websites
Answer:

A

Explanation:
When implementing AI Access Security, tags are applied to Generative AI applications to classify
them as sanctioned, tolerated, or unsanctioned. This allows organizations to enforce policy-based
access control over AI tools, ensuring that only approved applications are accessible while restricting
or monitoring usage of untrusted or high-risk AI platforms. This classification helps security teams
manage AI-related risks and compliance effectively.

Question 3

Which advanced AI-powered functionality does Strata Copilot provide to enhance the capabilities of
Prisma Access security teams?

  • A. Real-time traffic analysis for automated threat prevention
  • B. Initial configuration of Prisma Access using a natural language interface
  • C. Customized guidance for resolving issues through recommended next steps
  • D. Automated remediation of misconfigured security policies
Answer:

C

Explanation:
Strata Copilot enhances the capabilities of Prisma Access security teams by providing AI-powered
insights and recommendations to help resolve security issues efficiently. It analyzes security events,
misconfigurations, and alerts and offers contextual guidance with recommended next steps for
troubleshooting and improving security posture. This assists teams in quickly identifying and
addressing security challenges without requiring deep manual investigation.

Question 4

In an Explicit Proxy deployment where no agent can be used on the endpoint, which authentication
method is supported with mobile users?

  • A. LDAP
  • B. Kerberos
  • C. SAML
  • D. SSO
Answer:

C

Explanation:
In an Explicit Proxy deployment where no agent can be used on the endpoint, SAML (Security
Assertion Markup Language) is the supported authentication method for mobile users. SAML allows
authentication via an Identity Provider (IdP) without requiring an agent on the endpoint, making it
ideal for web-based authentication in cloud and remote access environments. It enables Single Sign-
On (SSO) and secure authentication without direct integration with LDAP or Kerberos, which typically
require an agent or local network presence.

Question 5

An engineer has configured a new Remote Networks connection using BGP for route advertisements.
The IPSec tunnel has been established, but the BGP peer is not up.
Which two elements must the engineer validate to solve the issue? (Choose two.)

  • A. Secret
  • B. MRAI Timers
  • C. Peer AS Number
  • D. Advertise Default Route Checkbox
Answer:

A, C

Explanation:
The BGP peer not coming up despite an established IPSec tunnel indicates a potential BGP
configuration issue.
  • Secret – If MD5 authentication is configured for BGP, both Prisma Access and the Customer Premises Equipment (CPE) must have the same secret (authentication key). A mismatch will prevent BGP from establishing a session.
  • Peer AS Number – The Autonomous System (AS) number of the BGP peer must match what is expected on both sides of the connection. If the AS number is incorrect, the BGP session will fail to establish.
By verifying these elements, the engineer can troubleshoot and establish a successful BGP peering
session over the IPSec tunnel.

Question 6

All mobile users are unable to authenticate to Prisma Access (Managed by Strata Cloud Manager)
using SAML authentication through the Cloud Identity Engine. Users report that after entering their
credentials on the Identity Provider (IdP) login page, they are redirected to the Prisma Access portal
without successful authentication, and they receive this error message:
Error: Prisma Access Portal Authentication Failed using CIE-SAML with message “400 Bad Request”
Which action will identify the root cause of this error?

  • A. Verify the SAML metadata configuration in both Strata Cloud Manager and the IdP portal to confirm that the endpoint URLs and certificates are correctly configured.
  • B. Examine the Security policy rules in Prisma Access to ensure that traffic from the IdP is allowed and not blocked.
  • C. Verify the SAML metadata configuration in both the Cloud Identity Engine and the IdP portal to confirm that the endpoint URLs and certificates are correctly configured.
  • D. Review the Authentication logs in Strata Cloud Manager to check for any SAML error messages or authentication failures.
Answer:

C

Explanation:
The "400 Bad Request" error when attempting SAML authentication through the Cloud Identity
Engine (CIE) suggests a misconfiguration in the SAML metadata. This typically occurs when the
endpoint URLs, certificates, or entity IDs do not match between Cloud Identity Engine and the IdP
portal. To resolve this, verify that:
  • The SAML metadata uploaded to Cloud Identity Engine matches the configuration from the IdP.
  • The ACS (Assertion Consumer Service) URL, Entity ID, and certificate are correctly set.
  • There are no incorrect or expired certificates in the Cloud Identity Engine and IdP configuration.

By ensuring the SAML metadata is properly configured in both systems, authentication should
proceed without errors.

Question 7

What must be configured to accurately report an application's availability when onboarding a
discovered application for ZTNA Connector?

  • A. icmp ping
  • B. https ping
  • C. tcp ping
  • D. udp ping
Answer:

C

Explanation:
When onboarding a discovered application for ZTNA Connector, configuring a TCP ping allows Prisma
Access to accurately report the application's availability. TCP ping (also known as a TCP connection
check) verifies whether the application's service port is open and responsive, ensuring that the
application is reachable before allowing user connections. This method is more reliable than ICMP
ping, as many cloud and SaaS applications block ICMP traffic for security reasons.

Question 8

Which statement is valid in relation to certificates used for GlobalProtect and pre-logon?

  • A. A public certificate authority (CA) must sign and validate all certificates used.
  • B. The certificate used for pre-logon must include both Subject and Subject-Alt fields.
  • C. Certificates must be deployed in the Machine Certificate Store.
  • D. The GlobalProtect agent may be used to distribute pre-logon certificates.
Answer:

C

Explanation:
For GlobalProtect with pre-logon, certificates must be installed in the Machine Certificate Store to
ensure that authentication occurs before user login. This allows the GlobalProtect client to establish
a VPN connection before the user logs in, enabling access to corporate resources such as domain
controllers and authentication services. Using machine certificates ensures secure authentication
and eliminates dependency on user credentials at the pre-logon stage.

Question 9

In addition to creating a Security policy, how can AI Access Security be used to prevent users from
uploading financial information to ChatGPT?

  • A. Apply File Blocking to stop file uploads containing financial information.
  • B. Configure an Enterprise DLP rule to block uploads containing financial information.
  • C. Add the ChatGPT domains using URL Filtering to block uploads containing financial information.
  • D. Apply a vulnerability profile to stop attempts to exploit system flaws or gain unauthorized access to financial systems.
Answer:

B

Explanation:
Palo Alto Networks AI Access Security integrates with Enterprise Data Loss Prevention (DLP)
capabilities to control sensitive data within AI applications like ChatGPT. The most effective way to
prevent users from uploading financial information is to:
  • Define an Enterprise DLP rule: This rule would be configured to identify content that matches patterns or keywords associated with financial information (e.g., credit card numbers, bank account details, tax identifiers, financial statements).
  • Apply the DLP rule to the AI Access Security policy: This policy would be specifically configured to inspect traffic to and from ChatGPT. When the DLP rule detects a user attempting to upload content containing financial information, it can take a defined action, such as blocking the upload.
Let's analyze why the other options are incorrect based on official documentation:
A. Apply File Blocking to stop file uploads containing financial information. While File Blocking can
prevent the upload of certain file types, it is not content-aware. It cannot inspect the content of a file
to determine if it contains financial information. Therefore, it's not a granular or effective solution for
this specific requirement.
C. Add the ChatGPT domains using URL Filtering to block uploads containing financial information.
URL Filtering controls access to specific websites or categories of websites. While you could
potentially block access to ChatGPT entirely, it does not provide the capability to inspect the content
being uploaded to a permitted domain and prevent the transfer of sensitive financial data.
D. Apply a vulnerability profile to stop attempts to exploit system flaws or gain unauthorized access
to financial systems. Vulnerability profiles are designed to detect and prevent attempts to exploit
known security vulnerabilities in systems. They are not designed to inspect the content of user
uploads for sensitive data like financial information. While important for overall security, they do not
directly address the requirement of preventing financial data uploads to ChatGPT.
Therefore, configuring an Enterprise DLP rule within AI Access Security is the correct and most
effective method to prevent users from uploading financial information to ChatGPT by inspecting the
content of the uploads.

Question 10

Which feature within Strata Cloud Manager (SCM) allows an operations team to view applications,
threats, and user insights for branch locations for both NGFW and Prisma Access simultaneously?

  • A. Command Center
  • B. Log Viewer
  • C. Branch Site Monitor
  • D. SASE Health Dashboard
Answer:

A

Explanation:
The Command Center within Strata Cloud Manager (SCM) provides a centralized view of
applications, threats, and user insights across both NGFW (Next-Generation Firewall) and Prisma
Access simultaneously. This feature enables the operations team to monitor branch locations,
analyze security events, and detect anomalies in real time, offering a comprehensive visibility and
threat intelligence interface for proactive network and security management.

Question 11

Which feature can help address a customer concern about the length of time it takes to update their
SaaS-allowed IP addresses while onboarding to Prisma Access?

  • A. Dynamic IP pooling
  • B. DNS-based load balancing
  • C. Traffic steering
  • D. Dedicated IP addresses
Answer:

C

Explanation:
When onboarding to Prisma Access, using Dedicated IP addresses helps address concerns about the
time required to update SaaS-allowed IP lists. With dedicated egress IPs, the customer receives fixed,
predictable IP addresses that do not change dynamically. This eliminates the need to frequently
update SaaS providers' allowlists, ensuring seamless access to cloud applications without
interruptions due to IP address changes.

Question 12

A user connected to Prisma Access reports that traffic is intermittently denied after matching a
Catch-All Deny rule at the bottom and bypassing HIP-based policies. Refreshing the VPN connection
restores access.
What are two reasons for this behavior? (Choose two.)

  • A. "Collect HIP data" needs to be enabled in the configuration.
  • B. User mapping is learned from sources other than gateway authentication.
  • C. Firewall loses user mapping due to missed HIP report checks.
  • D. HIP-enforced policy is scheduled for certain hours of the day.
Answer:

B, C

Explanation:
User mapping learned from sources other than gateway authentication can cause intermittent access
issues if it conflicts with the expected user identity used in HIP-based policies. If the firewall is
associating the user with an outdated or incorrect mapping, traffic may not match the intended
security policies, leading to denials by the Catch-All Deny rule.
If the firewall loses user mapping due to missed HIP report checks, the user may temporarily lose
access to policies that require a valid Host Information Profile (HIP) match. When the VPN connection
is refreshed, the HIP check is re-initiated, restoring access until the issue repeats.

Question 13

A malicious user is attempting to connect to a blocked website by crafting a packet using a fake SNI
and the correct website in the HTTP host header.
Which option will prevent this form of attack?

  • A. Advanced Threat Prevention option to block “Domain Fronting”
  • B. Advanced URL Filtering and block the “Malicious Behavior” category
  • C. Advanced URL Filtering and block “SNI mismatch with Server Certificate (SAN/CN)”
  • D. SSL Decryption to “Block sessions on SNI mismatch with Server Certificate (SAN/CN)”
Answer:

D

Explanation:
This option ensures that SSL Decryption checks for mismatches between the Server Name Indication
(SNI) field in the TLS handshake and the Common Name (CN) or Subject Alternative Name (SAN) in
the server certificate. If a malicious user tries to bypass content filtering by spoofing the SNI while
using the real blocked website in the HTTP host header, this setting will detect the discrepancy and
block the session, preventing unauthorized access.

Question 14

When configuring Remote Browser Isolation (RBI) with Prisma Access (Managed by Strata Cloud
Manager), which element is required to define the protected URLs for mobile users?

  • A. A URL access management profile with site access set to “Isolate” applied to a Security policy
  • B. A DNS Security profile applied to a Security policy with the action of “Isolate” for the target remote browser DNS categories
  • C. An RBI profile applied to the URL access management profile
  • D. A Security policy with the target URL categories and set the action to “Isolate”
Answer:

A

Explanation:
When configuring Remote Browser Isolation (RBI) in Prisma Access (Managed by Strata Cloud
Manager) for mobile users, a URL access management profile must be created with the site access
action set to "Isolate". This profile is then applied to a Security policy to enforce isolation for specific
URLs. This ensures that web traffic to designated high-risk or untrusted sites is redirected to a
remote, secure browser instance, protecting endpoints from potential web-based threats.

Question 15

An engineer deploys a new branch connected to Prisma Access. From the customer premises
equipment (CPE) device at the branch, Phase 1 on the tunnel is established, but Phase 2-encrypted
packets are not coming back from Prisma Access.
Which Strata Logging Service log facility should the engineer review to determine why Phase 2-
encrypted traffic is not being received?

  • A. Decrypt logs
  • B. System logs
  • C. Traffic logs
  • D. Tunnel logs
Answer:

D

Explanation:
Since Phase 1 of the IPSec tunnel is established but Phase 2 traffic is not being received, the Tunnel
logs in Strata Logging Service should be reviewed. Tunnel logs provide visibility into IPSec tunnel
establishment, Phase 2 negotiation, and any errors or dropped packets related to encrypted traffic.
This will help identify whether ESP (Encapsulating Security Payload) traffic is being blocked,
mismatched security associations (SAs) exist, or if there are other issues with Prisma Access
responding to Phase 2-encrypted packets.
