PSE-SASE-Topic-2
Question #: 36
Topic #: 1
How does the Palo Alto Networks secure access service edge (SASE) solution enable Zero Trust in a customer environment?
A. It stops attacks that use DNS for command and control or data theft.
B. It feeds threat intelligence into an automation engine for rapid and consistent protections.
C. It classifies sites based on content, features, and safety.
D. It continuously validates every stage of a digital interaction.
Selected Answer: D
Question #: 52
Topic #: 1
Which product allows advanced Layer 7 inspection, access control, threat detection and prevention?
A. Infrastructure as a Service (IaaS)
B. remote browser isolation
C. network sandbox
D. Firewall as a Service (FWaaS)
Selected Answer: D
Question #: 50
Topic #: 1
In which step of the Five-Step Methodology for implementing the Zero Trust model is the Kipling Method relevant?
A. Step 3: Architect a Zero Trust network
B. Step 5: Monitor and maintain the network
C. Step 4: Create the Zero Trust policy
D. Step 2: Map the transaction flows
Selected Answer: C
Question #: 37
Topic #: 1
Which two services are provided by Prisma Access Insights? (Choose two.)
A. summary overview screen of the health and performance of an organization’s entire Prisma Access environment
B. configuration of the on-premises firewall located behind the service-connection termination
C. detection of hard-to-find security issues via AI-based innovations to normalize, analyze, and stitch together an enterprise’s data
D. multiple dashboards for focused views of different deployments, the corresponding alerts, and the health status of the infrastructure
Selected Answer: AD
Question #: 33
Topic #: 1
Which element of a secure access service edge (SASE)-enabled network provides true integration of services, not service chains, with combined services and visibility for all locations, mobile users, and the cloud?
A. identity and network location
B. broad network-edge support
C. converged WAN edge and network security
D. cloud-native, cloud-based delivery
Selected Answer: C
Question #: 30
Topic #: 1
Which CLI command allows visibility into SD-WAN events such as path selection and path quality measurements?
A. >show sdwan connection all |
B. >show sdwan session distribution policy-name
C. >show sdwan path-monitor stats vif
D. >show sdwan event
Selected Answer: D
Question #: 28
Topic #: 1
Which connection method allows secure web gateway (SWG) access to internet-based SaaS applications using HTTP and HTTPS protocols?
A. GlobalProtect
B. Broker VM
C. explicit proxy
D. system-wide proxy
Selected Answer: C
Question #: 22
Topic #: 1
What can prevent users from unknowingly downloading potentially malicious file types from the internet?
A. Apply a File Blocking profile to Security policy rules that allow general web access.
B. Apply a Zone Protection profile to the untrust zone.
C. Assign an Antivirus profile to Security policy rules that deny general web access.
D. Assign a Vulnerability profile to Security policy rules that deny general web access.
Selected Answer: A
Question #: 15
Topic #: 1
How does SaaS Security Inline help prevent the data security risks of unsanctioned security-as-a-service (SaaS) application usage on a network?
A. It provides mobility solutions and/or large-scale virtual private network (VPN) capabilities.
B. It offers risk scoring, analytics, reporting, and Security policy rule authoring.
C. It provides built-in external dynamic lists (EDLs) that secure the network against malicious hosts.
D. It prevents credential theft by controlling sites to which users can submit their corporate credentials.
Selected Answer: B
Question #: 14
Topic #: 1
Which two prerequisites must an environment meet to onboard Prisma Access mobile users? (Choose two.)
A. Zoning must be configured to require a user ID for the mobile users trust zone.
B. Mapping of trust and untrust zones must be configured.
C. BGP must be configured so that service connection networks can be advertised to the mobile gateways.
D. Mobile user subnet and DNS portal name must be configured.
Selected Answer: BD
Question #: 9
Topic #: 1
Which component of the secure access service edge (SASE) solution provides complete session protection, regardless of whether a user is on or off the corporate network?
A. Zero Trust
B. threat prevention
C. single-pass architecture (SPA)
D. DNS Security
Selected Answer: A
Question #: 5
Topic #: 1
Which application gathers health telemetry about a device and its WiFi connectivity in order to help determine whether the device or the WiFi is the cause of any performance issues?
A. data loss prevention (DLP)
B. remote browser isolation (RBI)
C. Cortex Data Lake
D. GlobalProtect
Selected Answer: D
Question #: 11
Topic #: 1
In the aggregate model, how are bandwidth allocations and interface tags applied beginning in Prisma Access 1.8?
A. License bandwidth is allocated to a CloudGenix controller; interface tags are set with a compute region.
B. License bandwidth is allocated to a compute region; interface tags are set with a CloudGenix controller.
C. License bandwidth is allocated to a compute region; interface tags are set with a Prisma Access location.
D. License bandwidth is allocated to a Prisma Access location; interface tags are set with a compute region.
Selected Answer: C
Question #: 1
Topic #: 1
A customer currently uses a third-party proxy solution for client endpoints and would like to migrate to Prisma Access to secure mobile user internet-bound traffic.
Which recommendation should the Systems Engineer make to this customer?
A. With the explicit proxy license add-on, set up GlobalProtect.
B. With the mobile user license, set up explicit proxy.
C. With the explicit proxy license, set up a service connection.
D. With the mobile user license, set up a corporate access node.
Selected Answer: B
Question #: 65
Topic #: 1
What are two benefits provided to an organization using a secure web gateway (SWG)? (Choose two.)
A. VPNs remain connected, reducing user risk exposure.
B. Security policies for making internet access safer are enforced.
C. Access to inappropriate websites or content is blocked based on acceptable use policies.
D. An encrypted challenge-response mechanism obtains user credentials from the browser.
Selected Answer: BC
Question #: 64
Topic #: 1
Which product enables organizations to open unknown files in a sandbox environment and scan them for malware or other threats?
A. network sandbox
B. SD-WAN
C. cloud access security broker (CASB)
D. remote browser isolation
Selected Answer: A
Question #: 59
Topic #: 1
In an SD-WAN deployment, what allows customers to modify resources in an automated fashion instead of logging on to a central controller or using command-line interface (CLI) to manage all their configurations?
A. dynamic user group (DUG)
B. DNS server
C. application programming interface (API)
D. WildFire
Selected Answer: C
Question #: 57
Topic #: 1
Which statement describes the data loss prevention (DLP) add-on?
A. It prevents phishing attacks by controlling the sites to which users can submit valid corporate credentials.
B. It employs automated policy enforcement to allow trusted behavior with a new Device-ID policy construct.
C. It is a centrally delivered cloud service with unified detection policies that can be embedded in existing control points.
D. It enables data sharing with third-party tools such as security information and event management (SIEM) systems.
Selected Answer: C
Question #: 55
Topic #: 1
What allows enforcement of policies based on business intent, enables dynamic path selection, and provides visibility into performance and availability for applications and networks?
A. Identity Access Management (IAM) methods
B. Firewall as a Service (FWaaS)
C. Instant-On Network (ION) devices
D. Cloud Access Security Broker (CASB)
Selected Answer: C
Question #: 53
Topic #: 1
What is a key benefit of CloudBlades?
A. automation of UI workflow without any code development and deployment of Prisma SD-WAN ION devices
B. utilization of near real-time analysis to detect previously unseen, targeted malware and advanced persistent threats
C. identification of port-based rules so they can be converted to application-based rules without compromising application availability
D. configuration of the authentication source once instead of for each authentication method used
Selected Answer: A
Question #: 49
Topic #: 1
Which type of access allows unmanaged endpoints to access secured on-premises applications?
A. manual external gateway
B. secure web gateway (SWG)
C. GlobalProtect VPN for remote access
D. Prisma Access Clientless VPN
Selected Answer: D
Question #: 47
Topic #: 1
How does the secure access service edge (SASE) security model provide cost savings to organizations?
A. The single platform reduces costs compared to buying and managing multiple point products.
B. The compact size of the components involved reduces overhead costs, as less physical space is needed.
C. The content inspection integration allows third-party assessment, which reduces the cost of contract services.
D. The increased complexity of the model over previous products reduces IT team staffing costs.
Selected Answer: A
Question #: 46
Topic #: 1
In which step of the Five-Step Methodology for implementing the Zero Trust model are the services most valuable to the company defined?
A. Step 2: Map the transaction flows
B. Step 4: Create the Zero Trust policy
C. Step 5: Monitor and maintain the network
D. Step 1: Define the protect surface
Selected Answer: D
Question #: 45
Topic #: 1
The Cortex Data Lake sizing calculator for Prisma Access requires which three values as inputs? (Choose three.)
A. throughput of remote networks purchased
B. cloud-managed or Panorama-managed deployment
C. retention period for the logs to be stored
D. number of log-forwarding destinations
E. number of mobile users purchased
Selected Answer: ACE
Question #: 34
Topic #: 1
How does a secure web gateway (SWG) protect users from web-based threats while still enforcing corporate acceptable use policies?
A. Users are mapped via server logs for login events and syslog messages from authenticating services.
B. It uses a cloud-based machine learning (ML)-powered web security engine to perform ML-based inspection of web traffic in real-time.
C. It prompts the browser to present a valid client certificate to authenticate the user.
D. Users access the SWG, which then connects the user to the website while still performing security measures.
Selected Answer: D
Question #: 6
Topic #: 1
What is a differentiator between the Palo Alto Networks secure access service edge (SASE) solution and competitor solutions?
A. path analysis
B. playbooks
C. ticketing systems
D. inspections
Selected Answer: A
Question #: 4
Topic #: 1
Which product continuously monitors each segment from the endpoint to the application and identifies baseline metrics for each application?
A. App-ID Cloud Engine (ACE)
B. Autonomous Digital Experience Management (ADEM)
C. CloudBlades
D. WildFire
Selected Answer: B
Question #: 2
Topic #: 1
What is a benefit of deploying secure access service edge (SASE) with a secure web gateway (SWG) over a SASE solution without a SWG?
A. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down.
B. It prepares the keys and certificates required for decryption, creating decryption profiles and policies, and configuring decryption port mirroring.
C. Protection is offered in the cloud through a unified platform for complete visibility and precise control over web access while enforcing security policies that protect users from hostile websites.
D. It creates tunnels that allow users and systems to connect securely over a public network as if they were connecting over a local area network (LAN).
Selected Answer: C
Question #: 60
Topic #: 1
Which App Response Time metric is the measure of network latency?
A. Round Trip Time (RTT)
B. Server Response Time (SRT)
C. Network Transfer Time (NTTn)
D. UDP Response Time (UDP-TRT)
Selected Answer: A
Question #: 23
Topic #: 1
Text of question will be provided later…
A. It applies configuration changes and provides credential management, role-based controls, and a playbook repository.
B. It provides customized forms to collect and validate necessary parameters from the requester.
C. It natively ingests, normalizes, and integrates granular data across the security infrastructure at nearly half the cost of legacy security products attempting to solve the problem.
D. It provides IT teams with single-pane visibility that leverages endpoint, simulated, and real-time user traffic data to provide the most complete picture of user traffic flows possible.
Selected Answer: D
Question #: 35
Topic #: 1
Which two services are part of the Palo Alto Networks cloud-delivered security services (CDSS) package? (Choose two.)
A. virtual desktop infrastructure (VDI)
B. Internet of Things (IoT) Security
C. Advanced URL Filtering (AURLF)
D. security information and event management (SIEM)
Selected Answer: BC
Question #: 58
Topic #: 1
In which step of the Five-Step Methodology for implementing the Zero Trust model does inspection and logging of all traffic take place?
A. Step 4: Create the Zero Trust policy
B. Step 3: Architect a Zero Trust network
C. Step 1: Define the protect surface
D. Step 5: Monitor and maintain the network
Selected Answer: D
Question #: 32
Topic #: 1
What are three ways the secure access service edge (SASE) model can help an organization? (Choose three.)
A. cost savings
B. data protection
C. increased licensing requirements
D. increased performance
E. decreased reliance on best practices
Selected Answer: ABD
Question #: 24
Topic #: 1
How can a network engineer export all flow logs and security actions to a security information and event management (SIEM) system?
A. Enable syslog on the Instant-On Network (ION) device.
B. Use a zone-based firewall to export directly through application program interface (API) to the SIEM.
C. Enable Simple Network Management Protocol (SNMP) on the Instant-On Network (ION) device.
D. Use the centralized flow data-export tool built into the controller.
Selected Answer: A