SSE-Engineer Questions and Answers

By usingsecurity checks under posture settingsinStrata Cloud Manager (SCM), the senior engineer can enforcepolicy compliance standardsbyautomatically denyingany security policy that does notalign with best practices. This ensures that junior engineers can create policies while preventing configurations that might introduce security gaps. This proactive approacheliminates manual oversightand enforces compliance at the time of policy creation, reducing risk and ensuring consistent security enforcement.

The error messages indicate that Prisma Access is encountering certificate issues while attempting to decrypt traffic to "google.com." This suggests that theserver has pinned certificates, meaning it does not allow man-in-the-middle (MITM) decryption by Prisma Access. Since pinned certificates prevent traffic decryption, a solution is tocreate a "do not decrypt" rule for the hostname "google.com."This will allow traffic to flow without triggering certificate errors while maintaining secure communication with Google's servers.

In Prisma Access's default routing mode, the service connections establish BGP sessions with the customer premises equipment (CPE) in the data centers. To ensure traffic destined for mobile users in a specific region (e.g., North America) traverses the service connection in that same region, you need to control the route advertisements.

Filtering out the mobile user pool prefixes from the other region on each service connection achieves this by:

Preventing the data center in one region from learning the specific mobile user prefixes of the other region.For example, the North American service connection would filter out the mobile user pool prefixes allocated to European users.

Ensuring that when a data center needs to send traffic to a mobile user, it will only see and use the route advertised by the service connection in the appropriate geographical region.This forces the traffic to enter the Prisma Access infrastructure through the intended regional service connection.

Let's analyze why the other options are incorrect based on official documentation regarding default routing mode:

A. Configure BGP on the customer premises equipment (CPE) to prefer the assigned community string attribute on the mobile user prefixes in its respective Prisma Access region.While BGP communities can be used for influencing routing decisions, in the context ofdefault routing modeand ensuring regional traffic flow, relying solely on the CPE to prefer community strings might not be the most robust or direct method to guarantee traffic traverses the correct regional service connection. The service connection itself needs to control the advertisement of prefixes.

C. Configure BGP on the customer premises equipment (CPE) to prefer the MED attribute on the mobile user prefixes in its respective Prisma Access region.The BGP MED (Multi-Exit Discriminator) attribute is primarily used to influence the path selectionbetweenautonomous systems (AS) or within the same AS at different entry points. In this scenario, where serviceconnections are advertising prefixes, filtering at the source (service connection) is a more direct and reliable way to ensure regional traffic flow than relying on the MED attribute on the CPE.

D. Configure each service connection to prepend the BGP ASN five times for mobile user pool prefixes originating from the other region.BGP AS path prepending is a mechanism to make a path less desirable. While this could influence routing, it doesn't guarantee that traffic will always take the intended regional path. Filtering provides a more definitive control over which routes are advertised and learned.

Therefore, configuring each service connection to filter out the mobile user pool prefixes from the other region in the advertisements to the data center is the verified method to ensure traffic destined for mobile users traverses the service connection in the appropriate region when using Prisma Access in default routing mode.

SincePhase 1 of the IPSec tunnel is establishedbutPhase 2 traffic is not being received, theTunnel logsinStrata Logging Serviceshould be reviewed.Tunnel logsprovide visibility into IPSec tunnel establishment,Phase 2 negotiation, and any errors or dropped packets related to encrypted traffic. This will help identify whetherESP (Encapsulating Security Payload) traffic is being blocked, mismatched security associations (SAs) exist, or if there are other issues with Prisma Access responding to Phase 2-encrypted packets.

Palo Alto Networks documentation clearly states that when configuring the traffic replication feature in Prisma Access, you mustspecify an internal security applianceas the destination for the mirrored traffic. This appliance, typically a Palo Alto Networks next-generation firewall or a third-party security tool, is responsible for receiving and analyzing the replicated traffic for various purposes like threat analysis, troubleshooting, or compliance monitoring.

Let's analyze why the other options are incorrect based on official documentation:

B. Dedicated cloud storage location:While Prisma Access logs and other data might be stored in the cloud, themirrored trafficfor real-time analysis is directly streamed to a designated security appliance, not a passive storage location.

C. Panorama:Panorama is the centralized management system for Palo Alto Networks firewalls. While Panorama can receive logs and manage the configuration of Prisma Access, it is not the direct destination for real-time mirrored traffic intended for immediate analysis.  

D. Strata Cloud Manager (SCM):Strata Cloud Manager is the platform used to configure and manage Prisma Access. It facilitates the setup of traffic replication, including specifying the destination appliance, but it does not directly receive or analyze the mirrored traffic itself.  

Therefore, the mirrored traffic from the traffic replication feature in Prisma Access is directed to a specified internal security appliance for analysis.

When the "Overlapping Subnets" checkbox is selected during the Remote Network onboarding process in Prisma Access, the deployment enables Private Application access using Prisma Access for Users(ZTNA or Private Access). This feature is designed to handle scenarios where multiple sites use the same IP subnet by leveraging NAT (Network Address Translation) and segmentation to avoid conflicts.

Since overlapping subnets can create routing challenges for direct remote network-to-remote network communication, Prisma Access does not support Remote Network-to-Remote Network or Mobile User communication in this case. Private application access is supported as Prisma Access correctly routes requests based on application-layer intelligence rather than IP-based routing.

TheSASE Health Dashboardprovides visibility intouser and group synchronizationbetween theCloud Identity Engine and the Security Processing Nodes (SPNs). It allows administrators to verifywhether a group from the Cloud Identity Engine is properly fetched and available on the SPN for policy enforcement. This feature helps in troubleshooting identity-based access control issues and ensures thatuser group mappings are correctly applied within Prisma Access.

Strata Copilotenhances the capabilities ofPrisma Access security teamsby providingAI-powered insights and recommendationsto help resolve security issues efficiently. It analyzessecurity events, misconfigurations, and alertsand offerscontextual guidancewithrecommended next stepsfor troubleshooting and improving security posture. This assists teams inquickly identifying and addressing security challengeswithout requiring deep manual investigation.

InPrisma Access, configuring anotification profileallows engineers to receive alerts when IPSec tunnels experience downtime or instability. By definingspecific conditions for remote network IPSec tunnels, the notification profile ensures that the engineer is proactively informed abouttunnel failures, flapping, or degraded performance. This approach enables timely troubleshooting and minimizes disruptions for users relying on the IPSec tunnels.

ForGlobalProtect with pre-logon, certificates must beinstalled in the Machine Certificate Storeto ensure that authentication occursbefore user login. This allows the GlobalProtect client to establish aVPN connection before the user logs in, enabling access to corporate resources such as domain controllers and authentication services. Usingmachine certificatesensures secure authentication and eliminates dependency on user credentials at the pre-logon stage.