
PSE SASE Professional

Study Guide
MAY 2022

PSE SASE Professional by Palo Alto Networks


Table of Contents
How to Use This Study Guide 6
What Has Changed in This Study Guide 6
About the SASE Exam 6
Exam Format 6
How to Take This Exam 7
Disclaimer 7
Audience and Qualifications 7
Skills Required 7
Recommended Training 7

Domain 1: Business Value 8
1.1 Describe the complete secure access service edge (SASE) model 8
1.1.1 Defining SASE 8
1.1.2 Establish how the SASE model helps enable Zero Trust in a customer environment 9
1.1.3 References 10
1.2 Define the technical business value of SASE 10
1.2.1 Describe the agility, availability and scalability of SASE 10
1.2.2 Explain the value of SASE as a shared-ownership model 11
1.2.3 Compare and contrast Prisma SASE solutions with point products 12
1.2.4 References 12
1.3 Define the technical business value of Autonomous Digital Experience Management (ADEM) within the SASE model 12
1.3.1 Define end-to-end visibility across the entire SASE service delivery path 12
1.3.2 Explain the business value of ADEM as it pertains to the simplification of troubleshooting 14
1.3.3 References 16
1.4 Sample Questions 17

Domain 2: Competitive Differentiators 18
2.1 Explain the value Palo Alto Networks SASE architecture provides in contrast to its competitors 18
2.1.1 Describe the advantages an inline SASE solution has over a proxy SASE solution 18
2.1.2 Describe the advantages a unified approach has over multiple point products 19
2.1.3 Describe the advantages a dedicated cloud infrastructure has over a shared cloud infrastructure 19
2.1.4 Describe the advantages next-generation SD-WAN has over legacy SD-WAN solutions 21
2.1.5 References 22
2.2 Explain how Palo Alto Networks SASE metrics autonomously drive network and security behaviors 23
2.2.1 Explain improved user experience based on actionable, end-to-end, real-time analytics 23
2.2.2 Explain how the SASE solution uses network and application metrics to enhance the user experience 23
2.2.3 Explain how connection visibility using path analysis differentiates the Palo Alto Networks SASE solution from its competitors 26
2.2.4 References 26
2.3 Sample Questions 27

Domain 3: Architecture and Planning 28
3.1 The Palo Alto Networks SASE Architecture 28
3.1.1 Demonstrate understanding of the components of the Palo Alto Networks Prisma SASE solution 28
3.1.2 How the Palo Alto Networks Prisma SASE solution enables Zero Trust in a customer environment 28
3.1.3 References 29
3.2 Demonstrate understanding of Prisma Access architecture 29
3.2.1 Define Prisma Access architecture for service connections 29
3.2.2 Define Prisma Access architecture for remote networks 30
3.2.3 Define Prisma Access architecture for mobile users 32
3.2.4 Explain the consistency of cloud-delivered security services (CDSS) across the platform 35
3.2.5 References 37
3.3 Demonstrate understanding of Prisma SD-WAN architecture 37
3.3.1 How the network delivers performance and reliability at scale 37
3.3.2 How CloudBlades provide integration into the application ecosystem 38
3.3.3 Key components of Prisma SD-WAN 39
3.3.4 How Prisma SD-WAN delivers resiliency across all paths and network configurations 40
3.3.5 References 41
3.4 Demonstrate understanding of software as a service (SaaS) security architecture 41
3.4.1 Explain how Palo Alto Networks SaaS Inline Security and App-ID cloud engine (ACE) are key components in any SASE architecture 41
3.4.2 Define Palo Alto Networks SaaS API Security architecture in a SASE solution 43
3.4.3 Explain how SaaS Security integrates with the rest of the SASE architecture 45
3.4.4 References 46
3.5 Identify appropriate methods for sizing and licensing a Palo Alto Networks SASE solution 46
3.5.1 Identify appropriate methods for sizing and licensing a Palo Alto Networks SASE solution for mobile users 46
3.5.2 Identify appropriate methods for sizing and licensing a Palo Alto Networks SASE solution for networks 47
3.5.3 Identify appropriate methods for sizing and licensing a Palo Alto Networks SASE solution for SD-WAN 48
3.5.4 Identify appropriate methods for sizing and licensing a Palo Alto Networks SASE solution for SaaS 48
3.5.5 References 49
3.6 Sample Questions 50

Domain 4: Demonstration and Evaluation 52
4.1 Demonstrate use cases for mobile users and remote networks 52
4.1.1 Demonstrate use cases for mobile users 52
4.1.2 Demonstrate use cases for remote networks 52
4.1.3 Describe a secure web gateway (SWG) 52
4.1.4 Explain how App-ID and User-ID are used to create policy 53
4.1.5 Explain how ADEM and device insights are applied 57
4.1.6 References 60
4.2 Demonstrate use cases for SD-WAN 61
4.2.1 Describe the value of the application-based metrics 61
4.2.2 Explain how application metrics are used in path selection 65
4.2.3 Demonstrate how to onboard a Prisma SD-WAN site to interact with Prisma Access 67
4.2.4 Describe how to use, map, and understand the SD-WAN topology 70
4.2.5 Explain the value of WAN Clarity Reports 72
4.2.6 References 73
4.3 Sample Questions 73

Domain 5: Network Security Best Practices 75
5.1 Define the Palo Alto Networks best practice methodology for using a Zero Trust approach to network security 75
5.1.1 Identify best practice for eliminating implicit user trust, regardless of user location 75
5.1.2 Identify best practice for eliminating implicit trust within applications 75
5.1.3 Identify best practice for eliminating implicit trust of infrastructure 76
5.1.4 References 76
5.2 Execute a Proof of Concept (POC) for remote networks use cases 76
5.2.1 Explain customer sensitive data discovery as defined in the Zero Trust model 76
5.2.2 Define which users, applications and infrastructure are accessing data 78
5.2.3 Define a customer's architecture in a Zero Trust network 78
5.2.4 Define Zero Trust policies and controls 78
5.2.5 Explain how Palo Alto Networks validates each transaction in a Zero Trust model 79
5.2.6 References 79
5.3 Identify best practices for implementing Secure Sockets Layer (SSL) decryption 79
5.3.1 Explain customer sensitive data discovery as defined in the Zero Trust model 79
5.3.2 Explain the value of SSL default decryption exclusion lists 82
5.3.3 Identify the decryption deployment methods 83
5.3.4 References 86
5.4 Sample Questions 86

Appendix A: Answers to Sample Questions 88

Appendix B: What’s Different in This Study Guide 93

Continuing Your Learning Journey with Palo Alto Networks 94



How to Use This Study Guide
Welcome to the Palo Alto Networks® PSE: SASE Professional Study Guide. The purpose
of this guide is to help you prepare for your Palo Alto Networks Systems Engineer: Secure Access
Service Edge (SASE) Professional exam, abbreviated as PSE: SASE Professional.

You can read through this study guide from start to finish, or you may jump straight to topics you
would like to study. Hyperlinked cross-references will help you locate important definitions and
background information from earlier sections.

About the PSE: SASE Professional Exam


The PSE: SASE Professional certification validates the knowledge, skills, and abilities required of an
individual who helps organizations embrace cloud and mobility by providing network and network
security services from the cloud. PSE: SASE Professional certified individuals have learned how
Prisma Access and Prisma SD-WAN provide a complete cloud-delivered solution to fit the needs of
an evolved organization.

More information is available from the Palo Alto Networks Loop page at:
https://theloop.paloaltonetworks.com/loop/se-pse-certifications-page-for-se-leaders?contentV1Fallback=true

PSE: SASE technical documentation for partners is located at:
https://beacon.paloaltonetworks.com/student/path/1028979-palo-alto-networks-systems-engineer-pse-sase-professional?sid=d30ad317-c1aa-4793-bfa4-504b4f2abd33&sid_i=0

For employees, technical documentation can be found here:
https://paloaltonetworks.exceedlms.com/student/path/1031599-palo-alto-networks-systems-engineer-pse-sase-professional?sid=bb6820d6-2814-4a09-ab65-8e043da0e0b7&sid_i=10

Exam Format

The exam format is 60 multiple-choice questions. Candidates will have five minutes to complete
the Non-Disclosure Agreement, 80 minutes (1 hour, 20 minutes) to complete the exam questions,
and five minutes to complete an exit survey.

The approximate distribution of items by topic (Exam Domain) and topic weightings are shown in
the following table.

Exam Domain                        Weight (%)
Business Value                     12%
Competitive Differentiators        15%
Architecture and Planning          30%
Demonstration and Evaluation       21%
Network Security Best Practices    22%
TOTAL                              100%

How to Take This Exam

The exam is available through the third-party Pearson VUE testing platform.
To register for the exam, visit: https://home.pearsonvue.com/paloaltonetworks.

To register for the PSE Professional exams on the Pearson VUE website, candidates need to add one
of the following private access codes:
1. PSE-PAC (if you are taking the exam at a testing center)
2. PSE-OP (if you are taking the exam at home or in the office)

Full instructions on how to schedule the exam can be found at:
https://www.paloaltonetworks.com/content/dam/pan/en_US/partners/marketing/docs/pse-exam-instructions.pdf

Disclaimer

This study guide is intended to provide information about the objectives covered by this exam,
related resources, and recommended courses. The material contained within this study guide is not
intended to guarantee that a passing score will be achieved on the exam. Palo Alto Networks
recommends that candidates thoroughly understand the objectives indicated in this guide and use
the resources and courses recommended in this guide where needed to gain that understanding.

Audience and Qualifications


This exam is designed for individuals with the following job roles:
● Pre-sales Engineers
● Systems Engineers / Solutions Architects
● Global System Integrator Engineers
● Customer Success Engineers
● Consulting / Specialist Systems Engineers

Skills Required

● You can effectively and independently position the Palo Alto Networks SASE solution.
● You can match common SASE use cases to customer requirements.
● You can overcome customer technical objections, up to and including showcasing feature
functionality.
● You can communicate the security and networking leverage provided by combining the
Strata platform with the Palo Alto Networks SASE solution.

● You have six months Palo Alto Networks SE field experience with mentoring.
● You have five years of experience with Network Security in a Pre-Sales or Post-Sales Engineer
role.
● You have experience with cybersecurity products.
● You have experience with cloud platforms and SaaS applications.
● You have passed the PSE: SASE Associate exam (strongly recommended).

Recommended Training
Palo Alto Networks strongly recommends that you attend the following instructor-led training
courses or equivalent digital-learning courses:
● PSE Foundation
● PSE SASE Associate
● SE Boot Camp (internal only)

Domain 1: Business Value
1.1 Describe the complete secure access service edge (SASE) model

1.1.1 Defining SASE

Secure access service edge, or SASE (pronounced “sassy”), is an emerging cybersecurity concept
that Gartner, a leading research and advisory firm, first described in their August 2019 report The
Future of Network Security in the Cloud and expanded upon in their 2021 Strategic Roadmap for
SASE Convergence.

Before diving into the specifics of SASE, it’s important to understand a bit of background on this
new term. Existing network approaches and technologies simply no longer provide the levels of
security and access control that digital organizations need. These organizations demand
immediate, uninterrupted access for their users no matter where they are located. With an increase
in remote users and software-as-a-service (SaaS) applications, data moving from the data center to
cloud services, and more traffic going to public cloud services and branch offices than back to the
data center, the need for a new approach to network security has risen.

SASE is the convergence of wide area networking, or WAN, and network security services like CASB,
FWaaS and Zero Trust, into a single, cloud-delivered service model. According to Gartner, “SASE
capabilities are delivered as a service based upon the identity of the entity, real-time context,
enterprise security/compliance policies and continuous assessment of risk/trust throughout the
sessions. Identities of entities can be associated with people, groups of people (branch offices),
devices, applications, services, IoT systems or edge computing locations.”

Gartner expects that, “by 2024, at least 40% of enterprises will have explicit strategies to adopt SASE,
up from less than 1% at year-end 2018.” A SASE architecture identifies users and devices, applies
policy-based security, and delivers secure access to the appropriate application or data. This
approach allows organizations to apply secure access no matter where their users, applications or
devices are located.

The SASE security model can help your organization in several ways:

● Flexibility: With a cloud-based infrastructure, you can implement and deliver security
services such as threat prevention, web filtering, sandboxing, DNS security, credential theft
prevention, data loss prevention and next-generation firewall policies.
● Cost savings: Instead of buying and managing multiple point products, utilizing a single
platform will dramatically reduce your costs and IT resources.
● Reduced complexity: You can simplify your IT infrastructure by minimizing the number of
security products your IT team has to manage, update and maintain, thereby consolidating
your security stack into a cloud-based network security service model.
● Increased performance: With a cloud infrastructure, you can easily connect to wherever
resources are located. Access to apps, the internet and corporate data is available globally.
● Zero Trust: A Zero Trust approach to the cloud removes trust assumptions when users,
devices and applications connect. A SASE solution will provide complete session protection,
regardless of whether a user is on or off the corporate network.
● Threat prevention: With full content inspection integrated into a SASE solution, you benefit
from more security and visibility into your network.
● Data protection: Implementing data protection policies within a SASE framework helps
prevent unauthorized access and abuse of sensitive data.

1.1.2 Establish how the SASE model helps enable Zero Trust in a customer environment

Zero Trust is a security strategy that completely eliminates the concept of trust from a network and
requires content inspection before granting access to a company’s network and data. Forrester
Research, a leading industry research firm, says that a Zero Trust solution must:

● Ensure all resources can be securely accessed, regardless of their location
● Leverage a least-privileged access strategy and strictly enforce access control
● Inspect and log all traffic

As organizations adopt cloud-based software, the way they apply security needs to adapt. Zero
Trust Network Access (ZTNA) is a model that emphasizes adherence to the principles of Zero Trust
for applications, wherever they may be, including the cloud.

Cloud and Mobility Challenges


Today, applications, data and users are everywhere – in data centers, in the cloud, in multiple
software-as-a-service (SaaS) apps, on mobile devices and so on. Consequently, companies struggle
to gain complete visibility into their applications and data, let alone control and manage who has
access to those assets.

Many companies have tried to overcome these issues by using multiple point products, such as
secure web gateways, firewalls and remote access VPNs. However, with applications moving to the
cloud, the traffic no longer needs to go through a VPN, which creates a paradox because proxies
and secure web gateways cannot tunnel traffic to private applications. As a result, organizations
have been looking for an alternative to remote access VPN that can accommodate both cloud and
data center applications.

In light of these requirements, ZTNA has led to the development of software-defined perimeter
point products that complement proxies. These address private application access use cases, but
they also drive up the number of deployed point products. Some also bypass the enforcement of
security policies because they circumvent the inspection normally applied to internet-bound traffic.

Benefits of SASE and Zero Trust Network Access


The SASE model combines networking and network security services, such as ZTNA, cloud access
security broker (CASB), firewall as a service (FWaaS), data loss protection (DLP) and more, into a
single comprehensive, integrated solution that supports all traffic, applications and users. The
model also allows companies to rapidly authenticate users, identify and mitigate potential security
threats, and fully inspect content. SASE means organizations do not have to stand up a separate
infrastructure to address both internet and private applications, as was once the case with
conventional proxy- and software-defined perimeter products.

In other words, by combining SASE and Zero Trust principles, companies can achieve ZTNA with a
single solution to consistently apply and enforce security policies across their entire network.

Benefits of this approach include:

● Stronger network security
● Streamlined network management
● Significantly reduced costs associated with deploying security at scale
● A single, holistic view of the entire network

1.1.3 References
● SASE,
https://www.paloaltonetworks.com/cyberpedia/what-is-sase
● Zero Trust and SASE,
https://www.paloaltonetworks.com/cyberpedia/zero-trust-and-sase

1.2 Define the technical business value of SASE

1.2.1 Describe the agility, availability and scalability of SASE

At Palo Alto Networks, we believe that an effective SASE solution must converge SD-WAN and
security into a single, integrated offering that delivers consistent protection with a
high-performance experience for all users without compromising security effectiveness or network
functionality.

Prisma SASE is the industry’s most complete SASE solution, converging security, SD-WAN and
Autonomous Digital Experience Management into a single cloud-delivered service. Only Prisma
SASE uniquely provides:

● Convergence without compromise: best-of-breed security and SD-WAN, natively integrated
without trade-offs.
● Complete, best-in-class security: consistently secures all apps used by your hybrid workforce,
regardless of location.
● Exceptional user experience: integrated Autonomous Digital Experience Management
backed by industry-leading SLAs.

Prisma SASE represents the combined functionality of Prisma Access and Prisma SD-WAN with
robust capabilities across Zero Trust Network Access (ZTNA), Cloud Secure Web Gateway (SWG),
Cloud Access Security Broker (CASB), Firewall-as-a-Service (FWaaS) and SD-WAN. This makes it easy
for customers to purchase and deploy SASE from a single offering.

1.2.2 Explain the value of SASE as a shared-ownership model

Data protection must be taken into account when developing an enterprise security strategy for
the cloud-enabled enterprise because sensitive data leaves the corporate premises and is
exponentially exposed in the cloud. An effective data protection approach must encompass every
environment and every possible egress point for data including SaaS applications, IaaS, data
centers, branches and remote workers. SWGs don’t provide native integration with enterprise data
loss prevention and basically only look for threats, letting confidential data flow unsupervised in and
out the network. Integration with third party enterprise DLP solutions is complex, costly to
implement, and doesn’t come without limitations. Traditional CASBs only provide cloud data
protection but have similar challenges when it comes to integration with enterprise DLP solutions.

Cloud access security brokers surely offer a more comprehensive approach to cloud application
security than SWG, as they take into account both inline traffic and what lives already across SaaS
applications and other public cloud services. The SWG use case is naturally part of a multimode
CASB, and not the other way around. CASB solutions, however, present their own challenges. Most
of all, they are disjointed from the rest of the infrastructure and rely on on-prem components that
create deployment and integration complexity.

As global cybersecurity leaders, at Palo Alto Networks we strongly believe in security consolidation
and integration rather than piecemeal approaches. Modern organizations can fight adversaries
more effectively through a comprehensive security strategy built on interconnected components.
Control points on premises, in the cloud or for the cloud should share threat intelligence and offer
cloud scalability, ease of integration and unified consoles. As adoption of cloud services grows,
this approach must extend further into the cloud. Traditional CASB needs to evolve into
next-generation CASB: an integrated rather than disjointed solution that needs no extra
components to gather traffic logs from the network and from user devices, that extends highly
reliable threat prevention and data security capabilities into SaaS applications, and that ensures
consistency across the entire enterprise.

For those looking to secure the internet edge at large traditional sites such as a campus or data
center, the NGFW is still your only real option, offering all the capabilities of SWG but with much
higher security efficacy and no limitations. At the branch and for remote workers, it is SASE that
offers the broadest coverage and is superseding SWG. For cloud-native environments, Cloud
Security Posture Management offers consistent, vendor-neutral security across all cloud providers.
And to secure applications, it is CASB.

Security is what ties all these things together. All locations should be able to block the same threats
everywhere and to protect data consistently anywhere it flows and is stored so users are not left
gap-filling security policy, console-hopping to assess risk and manage day-to-day, or creating an
inconsistent poor user experience that leads to a higher and invisible attack surface.

1.2.3 Compare and contrast Prisma SASE solutions with point products

At Palo Alto Networks, we believe that SASE must converge best-of-breed security and SD-WAN
capabilities within the cloud to deliver exceptional user experiences while reducing security risk.

Prisma SASE is the industry’s most complete SASE solution, converging security, SD-WAN and
Autonomous Digital Experience Management into a single cloud-delivered service. Only Prisma
SASE uniquely provides:

● Convergence without compromise: best-of-breed security and SD-WAN, natively integrated
without trade-offs.
● Complete, best-in-class security: consistently secures all apps used by your hybrid workforce,
regardless of location.
● Exceptional user experience: with integrated Autonomous Digital Experience Management,
backed by industry-leading SLAs.

1.2.4 References
● Prisma SASE,
https://www.paloaltonetworks.com/blog/2021/09/the-industrys-most-complete-sase-solution/
● SASE,
https://www.paloaltonetworks.com/cyberpedia/what-is-sase

1.3 Define the technical business value of Autonomous Digital Experience Management
(ADEM) within the SASE model

1.3.1 Define end-to-end visibility across the entire SASE service delivery path

A secure access service edge (SASE) brings together networking and network security services in a
single cloud-based platform. This way, organizations can embrace cloud and mobility while
reducing the complexity of dealing with multiple point products as well as saving IT, financial and
human resources. As you look for vendors to help you on your cloud journey, it is important to
understand what a SASE solution encompasses.

The first part of a SASE solution includes networking capabilities an organization already uses. SASE
integrates the following networking features into a cloud-based infrastructure:

● Software-defined wide area network (SD-WAN) edge devices provide easier connectivity for
branch offices. With SASE, these devices are connected to a cloud-based infrastructure
rather than to physical SD-WAN hubs located in other locations. By moving to the cloud, you
can eliminate the complexity of managing physical SD-WAN hubs and promote
interconnectivity between branch offices.

● Virtual private network (VPN) services incorporated by a SASE solution enable you to route
traffic through a VPN to the SASE solution, and then on to any application in the public or
private cloud, delivered via Software as a Service (SaaS) or on the internet. Traditional VPN
was used for remote access to the internal data center, but it is not optimized for the cloud.

● Web proxying provides an alternate means of securely connecting users to applications by
inspecting web-based protocols and traffic. Proxies were historically used for web security
enforcement, but due to their inherent security limitations, they are now seen as an
architectural alternative for device traffic that cannot be fully inspected (e.g., personal
devices that cannot accept an endpoint agent to force all web and non-web traffic through
security inspection). When implemented as part of a SASE solution, proxies can offer
organizations with legacy architectures an easier way of adopting the more robust security
capabilities SASE has to offer.

● Digital experience monitoring (DEM) provides insight into the entire service delivery path
between users and applications. These technologies synthesize real-time and simulated
user traffic data to enable IT administrators to identify and remediate connectivity failures
that may negatively impact a user’s remote work experience.

The second part of SASE incorporates the network security service tools organizations rely on. In a
comprehensive SASE solution, the following security services are delivered through a cloud-based
infrastructure:

● Zero Trust Network Access (ZTNA) applies the Zero Trust philosophy—never trust, always
verify—to the cloud, requiring every user to authenticate to access the cloud, restricting
access and minimizing the risk of data loss. However, ZTNA products based on a
software-defined perimeter (SDP) model can lack content inspection capabilities necessary
for consistent protection. Moving to a cloud-based SASE infrastructure eliminates the
complexity of connecting to a gateway. Users, devices and apps are identified no matter
where they connect from, and the ZTNA concept of protecting applications can be applied
across all services, including data loss prevention (DLP) and threat prevention.

● Firewall as a service (FWaaS) provides next-generation firewall features in the cloud, which
removes the need for physical hardware at branch and retail locations. SASE integrates
FWaaS into its cloud-based platform, allowing for simplified management and deployment.

● Secure web gateways (SWG) prevent employees and devices from accessing malicious
websites, enforce acceptable use policies before users can access the internet, and block
inappropriate content. A SASE solution includes SWG to protect users no matter their
location.

● Data loss prevention (DLP) protects sensitive data from being shared or misused by
authorized users and alerts key stakeholders when policies are violated. DLP is useful for
organizations that need to maintain compliance with regulations such as HIPAA, PCI DSS
and GDPR. With a SASE solution, DLP tools are integrated into the cloud platform,
eliminating the need for a separate DLP gateway. DLP should be applied inline and should
also scan data at rest, whether in cloud- or SaaS-based data storage.

● Cloud access security broker (CASB) technology gives organizations visibility into where their
data resides, enforces company policies for user access and protects data against
unauthorized access. CASBs act as a gateway between your SaaS providers and your
employees, enforcing cloud-based security policies. SASE integrates CASB services into a single
cloud-based platform so stakeholders can easily manage access to apps and data.

A SASE solution combines these networking solutions and security services into a unified,
cloud-based platform. As your organization grows and adds more security products in the mix,
consider consolidating to a comprehensive SASE solution to benefit from:

● Greater business agility and speed
● Reduced complexity
● Consistent security designed to stop cyberattacks

1.3.2 Explain the business value of ADEM as it pertains to the simplification of troubleshooting

IT teams are challenged to ensure an exceptional user experience for branch and mobile users.
Current monitoring tools lack visibility into every network segment in the service delivery path and
require additional agents or appliances to be deployed in the infrastructure. Additionally,
responding to digital experience problems requires operations teams to manually troubleshoot and
remediate, increasing support efforts and cost.

Palo Alto Networks Autonomous Digital Experience Management (ADEM) was introduced in 2021 to
manage the digital experience for mobile users. We have now integrated ADEM directly into all
Prisma SD-WAN appliances, which has extended ADEM to all users, including those in the branch.
This enables organizations to gain end-to-end visibility from a single management console without
the need to deploy additional agents or appliances. ADEM with Prisma SD-WAN ensures the best
digital experience for branch users by providing observability in the cloud and across the entire
service delivery path, including all WAN links. In addition, organizations can leverage real and
synthetic traffic analysis for both user endpoints and IoT devices to pinpoint issues easily.

The hybrid work model—one that allows employees to move fluidly among corporate offices,
branch offices, home offices, or on the road—has emerged as the new norm, and it is forcing
organizations to think critically about the future of branch and mobile networking for their hybrid
workforces.

PSE SASE Professional by Palo Alto Networks 14


The shift to hybrid work means IT administrators have become responsible for network
performance that includes network segments managed by internet service providers (ISPs) or
facilitated by consumer-grade routers and home wifi connections. Corporate IT teams don’t
maintain the ISP networks or an individual’s home wifi router, which means they usually can’t see if
something is wrong with those networks or devices.

This lack of visibility makes it difficult for IT teams to quickly solve connectivity or access issues for
their employees working outside of the office. However, IT teams remain the first point of contact
when someone can’t access the applications or data they need to do their jobs, whether they are
home, in a coffee shop, or somewhere else. As a result, both the IT team member and employee get
to embark on the inevitable troubleshooting journey that begins with everyone’s favorite question:
“Have you tried rebooting your machine?”

Organizations can reduce the need for this common troubleshooting scenario with Prisma SASE
and its inclusion of autonomous digital experience management (ADEM) for mobile, branch and
remote offices.

ADEM simplifies IT troubleshooting for the hybrid workforce


We have designed ADEM from the ground up as a core component of Prisma Access, the
security-as-a-service layer of our Prisma SASE solution, to monitor and manage user experience. IT
and security teams have the advantage of centrally implementing and monitoring remote access
security policies and user experience for their hybrid workforces through a single pane of glass. And
because ADEM is natively integrated with Prisma SASE, no additional agents are required and no
additional burden is placed on the user.

ADEM monitors the experience of all applications irrespective of where they are hosted or who
owns the network infrastructure. It also continuously monitors the experience of every user as they
shift between working from home, over untrusted networks, and working from the office, over a
trusted corporate campus network.

ADEM provides deep insights and visibility into every part of the service delivery chain that affects
user experience: device issues such as an incompatible software version or high memory and CPU
utilization, home WiFi and network issues, internet path issues with hop-by-hop performance
visibility, overlay VPN tunnel issues, and issues with the application itself. This allows IT to quickly
isolate the problem domain and resolve issues.

IT teams have been able to take advantage of these ADEM capabilities since the launch of Prisma
Access 2.0. With Prisma Access 2.2 and Prisma SD-WAN 5.6, we have extended ADEM for all users
and branch offices, enabling organizations to gain end-to-end visibility from a single management
console without the need to deploy additional agents or appliances.

As a result, ADEM with Prisma SD-WAN ensures the best digital experience for branch users by
providing observability in the cloud and across the entire service delivery path. In addition, IT teams
can leverage real and synthetic traffic analysis for both user endpoints and IoT devices to pinpoint
issues easily.

With ADEM now across the entire Prisma SASE platform, organizations can gain:

● SASE-native visibility across the entire service delivery path. ADEM provides deep visibility
into SASE-based service delivery, from endpoint to WiFi, ISP, and all hops in between the
user and the application, while delivering operational simplicity.

● Segment-wise insights using real and synthetic traffic. ADEM provides distinct visibility per
segment across the entire service delivery path and expedites troubleshooting and
remediation. Monitoring data collection from endpoint devices, synthetic tests and real user
traffic provides the most comprehensive digital experience visibility in a single solution.

● Autonomous remediation of network and security issues, which enables customers to
quickly identify and automatically correct digital experience issues before or when they
arise. ADEM uplevels your IT teams with easy-to-use single-pane visibility that leverages
endpoint, simulated, and real-time user traffic data to provide the most complete picture of
user traffic flows possible.

Autonomous Digital Experience Management for SASE

The concept of the “corporate network” has greatly expanded in recent years,
providing more work for IT teams and increased opportunity for employees to become frustrated
because they cannot access the tools and information they need to do their jobs. Employees need
consistency in both security and user experience as they move among branch, home, and other
locations, and IT teams need complete visibility to support them wherever they are located. The
ADEM capabilities in Prisma SASE are here to help, empowering both IT teams and the hybrid
workforce to do their best work, wherever they are.

1.3.3 References

● SASE key requirements,
https://www.paloaltonetworks.com/cyberpedia/secure-access-service-edge-key-requirements

● Prisma SASE & ADEM simplify network troubleshooting,
https://www.paloaltonetworks.com/blog/sase/prisma-sase-adem-simplify-network-troubleshooting-for-the-hybrid-workforce/

1.4 Sample Questions

1. Secure access service edge, or SASE, is an emerging cybersecurity concept that Gartner first
described in _____?
a. October 2018
b. August 2019
c. March 2021
d. August 2020

2. Which of the following statements is incorrect about SASE?
a. With a cloud infrastructure, you can easily connect to wherever resources are located.
b. Access to apps, the internet and corporate data is available globally.
c. Security and network access are delivered based on IP address.
d. Implementing data protection policies within a SASE framework helps prevent
unauthorized access and abuse of sensitive data.

3. Which of the following is NOT an example of a security service edge in cloud infrastructure?
a. ZTNA/VPN
b. CASB
c. FWaaS
d. AIOps

4. Which of the following is not considered malware?
a. Cookies
b. Virus
c. Worms
d. Trojans

5. Which network infrastructure element provides next-generation firewall features in the
cloud, removing the need for physical hardware at branch and retail locations?
a. Zero Trust Network Access (ZTNA)
b. Firewall as a service (FWaaS)
c. Secure web gateways (SWG)
d. Data loss prevention (DLP)
e. Cloud access security broker (CASB)

6. Which infrastructure element prevents employees and devices from accessing malicious
websites, enforces acceptable use policies before users can access the internet, and blocks
inappropriate content?
a. Zero Trust Network Access (ZTNA)
b. Firewall as a service (FWaaS)
c. Secure web gateways (SWG)
d. Data loss prevention (DLP)
e. Cloud access security broker (CASB)

Domain 2: Competitive Differentiators
2.1 Explain the value Palo Alto Networks SASE architecture provides in contrast to its
competitors

2.1.1 Describe the advantages an inline SASE solution has over a proxy SASE solution

A proxy server is a dedicated computer or software system that sits between an end “client,” such as
a desktop computer or mobile device, and a desired destination, such as a website, server or web-
or cloud-based application. The proxy:

● Receives a web request from a client
● Terminates the connection
● Establishes a new connection with the desired destination
● Sends the data on the client’s behalf

By acting as an intermediary between the client and destination, proxies can shield the client’s IP
address from the destination, providing a layer of privacy. This helps prevent capture of users’
personally identifiable information.
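To make the four steps concrete, here is a minimal forward proxy written as an added example for this guide (it is not Palo Alto Networks code and is not how Prisma Access is implemented). It runs entirely on 127.0.0.1: the destination server is a constructed stand-in that reports the peer address it observed, and the proxy handles request heads only, not request bodies.

```python
import socket
import threading

# Added illustration of the four proxy steps. Everything runs on 127.0.0.1 and
# the "destination" is a constructed stand-in for a real web server.

def _recv_until_closed(sock):
    """Read until the peer closes its side of the connection."""
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)

def _read_request_head(sock):
    """Read an HTTP request head up to the blank line (request bodies are not handled)."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data

def _listener():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    srv.listen(5)
    return srv

def start_destination():
    """Constructed destination server: answers each request with the peer address
    it observed, which is what a real server would write to its access log."""
    srv = _listener()

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:  # listening socket was closed
                return
            with conn:
                _read_request_head(conn)
                body = f"peer={peer[0]}:{peer[1]}".encode()
                head = b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body)
                conn.sendall(head + body)

    threading.Thread(target=serve, daemon=True).start()
    return srv

def start_proxy(destination):
    """Forward proxy: receive the request, terminate the client's connection, open
    a fresh connection to the destination and send the data on the client's behalf."""
    srv = _listener()

    def handle(client):
        with client:
            request = _read_request_head(client)  # 1. receive the web request
            # 2. the client's TCP session ends here; the destination only ever sees
            #    the proxy's own socket, never the client's address
            with socket.create_connection(destination) as upstream:  # 3. new connection
                upstream.sendall(request)  # 4. send on the client's behalf
                response = _recv_until_closed(upstream)
            client.sendall(response)

    def serve():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(client,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv

def fetch_via_proxy(proxy):
    """Send one request through the proxy; return (client's source port, response body)."""
    with socket.create_connection(proxy) as s:
        client_port = s.getsockname()[1]
        s.sendall(b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n")
        response = _recv_until_closed(s)
    return client_port, response.split(b"\r\n\r\n", 1)[1].decode()

def demo():
    """Return (client's source port, port the destination saw). They differ because
    the destination was reached from the proxy's socket, not the client's."""
    dest = start_destination()
    proxy = start_proxy(dest.getsockname())
    try:
        client_port, body = fetch_via_proxy(proxy.getsockname())
    finally:
        proxy.close()
        dest.close()
    return client_port, int(body.rsplit(":", 1)[1])

if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the client's own source port and the port the destination logged; they differ because the destination's connection came from the proxy's socket. On a real network the destination's log would likewise show the proxy's IP address rather than the client's, which is the shielding the text describes. Note that this hides only the network address: a proxy that adds an `X-Forwarded-For` header re-exposes the client address to the destination.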

Proxies and Secure Web Gateways


Proxies are often implemented as part of a secure web gateway (SWG). This provides security
inspection of HTTP and HTTPS web protocols along with URL filtering and malware prevention.
Organizations may also use proxies instead of deploying agents on user devices. However, because
proxies can only inspect web-based traffic, they are typically used as part of a more comprehensive
security platform strategy or by organizations looking to gradually transition to a more secure
method of remote access. Alternative onboarding methods include IPsec or GRE tunneling and
firewall port forwarding.

While security inspection of all device traffic and protocols is ideal, organizations can achieve a
balance of architectural flexibility and security by implementing proxies as part of a secure access
service edge (SASE) approach. A SASE solution provides all the networking and security capabilities
an organization needs in a single cloud-delivered service. The benefits of this approach include:

● Protection of all application traffic: SASE provides remote users with secure access to all
applications and guards against much more than just web-based threats, reducing the risk
of a data breach.

● Consolidated capabilities for complete security: SASE combines the security capabilities
of SWG, firewall as a service (FWaaS), Zero Trust Network Access (ZTNA), cloud access
security broker (CASB) and much more.

● Exceptional user experience: Security doesn’t have to come at the cost of user experience.
Leading SASE solutions are built on massively scalable networks with ultra-low latency and
can include native digital experience monitoring (DEM) capabilities.

2.1.2 Describe the advantages a unified approach has over multiple point products

The SASE security model can help your organization in several ways:

● Flexibility: With a cloud-based infrastructure, you can implement and deliver security
services such as threat prevention, web filtering, sandboxing, DNS security, credential theft
prevention, data loss prevention and next-generation firewall policies.
● Cost savings: Instead of buying and managing multiple point products, utilizing a single
platform will dramatically reduce your costs and IT resources.
● Reduced complexity: You can simplify your IT infrastructure by minimizing the number of
security products your IT team has to manage, update and maintain, consolidating your
security stack into a cloud-based network security service model.
● Increased performance: With a cloud infrastructure, you can easily connect to wherever
resources are located. Access to apps, the internet and corporate data is available globally.
● Zero Trust: A Zero Trust approach to the cloud removes trust assumptions when users,
devices and applications connect. A SASE solution will provide complete session protection,
regardless of whether a user is on or off the corporate network.
● Threat prevention: With full content inspection integrated into a SASE solution, you benefit
from more security and visibility into your network.
● Data protection: Implementing data protection policies within a SASE framework helps
prevent unauthorized access and abuse of sensitive data.

2.1.3 Describe the advantages a dedicated cloud infrastructure has over a shared cloud
infrastructure

Companies are collecting massive amounts of data, ranging from highly confidential business,
financial and customer data to fairly unimportant information. They’re also moving more and more
of their data to the cloud and storing it in more places than ever – in public, private and hybrid
clouds, in cloud storage environments, in software-as-a-service applications, and so on.

As they do this, companies are discovering just how complicated protecting and securing all their
data across multiple environments can be. For example:

● They no longer know where all their applications and data are.
● With most of their applications and data housed on third-party infrastructure, companies no
longer have visibility into who is accessing and using their applications and data, which
devices are being used for access, or how their data is potentially being used or shared.
● They have no insight into how cloud providers are storing and securing their data.
● Even though most cloud providers have state-of-the-art security, this security is limited.
After all, companies and cloud providers share responsibilities for cloud security.
● Different cloud providers have varying capabilities, which can result in inconsistent cloud
data protection and security.

On top of this, companies face a host of security challenges, including the potential for:

● Security breaches
● Loss or theft of sensitive data
● Application vulnerabilities and malware propagation

Companies must also comply with data protection and privacy laws and regulations, such as the
General Data Protection Regulation, or GDPR, in the EU; the Health Insurance Portability and
Accountability Act of 1996, or HIPAA, in the U.S., and others. However, it can be incredibly difficult for
companies to consistently establish and enforce security policies across multiple cloud
environments, let alone prove compliance to auditors.

For these reasons, it’s no surprise that nine out of 10 cybersecurity professionals are concerned
about cloud security. According to the 2018 IDG Cloud Computing Survey, they say their biggest
challenges are protecting against data loss and leakage (67%), threats to data privacy (61%) and
breaches of confidentiality (53%).

Benefits of Cloud Data Protection


Among the benefits of cloud data protection, it enables companies to:

● Secure applications and data across multiple environments while maintaining complete
visibility into all user, folder and file activity.
● Proactively identify and mitigate risks, such as security threats, suspicious user behavior,
malware and others.
● Better govern access.
● Define policies.
● Prevent and detect data loss and disruption.

Infrastructure as a Service – The Public Cloud


IaaS, also called the public cloud, is the most impactful computing paradigm to emerge since the
internet boom of the early 2000s and the increase in software as a service, or SaaS, technology
resources. Just as the nascent days of the internet boom changed the way we do business, so too
has the public cloud. According to IDC® Research, of the more than 11,000 enterprises that
participated in the firm’s CloudView 2016 survey, 80 percent are embracing or moving toward
AWS®, Microsoft® Azure® or some other public cloud platform. The size and type of projects these
organizations are migrating are equally significant. This shows how the public cloud is no longer an
“exploration exercise.” Full production workloads are being moved, with some organizations stating
that more than 50 percent of their workloads will be public-cloud-based within the next five years.
Others are making bold statements that they will no longer have any data centers within five years.

The move to the public cloud is driven strongly by business groups, and the velocity is such that
security becomes a secondary consideration in some cases, solely because security moves in a
purposeful manner while cloud environments move at light speed. However, no one would dispute
the fact that applications and data in the private cloud, the public cloud or accessed through a
cloud storage service need to be protected with as much diligence as private networks and
on-premise software, hardware, applications, and data.

Comprehensive, Scalable Cloud Security with Flexible Licensing Options


In response to concerns about cloud security risks, including data loss and intrusion, Palo Alto
Networks® Prisma Access cloud service makes next-generation security infrastructure available to
customers in a cloud-based offering with cloud storage and preventive capabilities, including safe
enablement of applications, threat prevention, URL filtering, and WildFire® threat analysis service.
This complete cloud system delivers powerful security services that secure remote networks and
mobile users, helping widely distributed and global organizations reduce the management
complexity of costly, time-consuming cloud deployments.

Palo Alto Networks provides a multi-tenant, cloud-based security infrastructure at a predictable
cost, with a pay-as-you-go subscription model and pay-per-use licensing options. This allows
managers to quickly and easily add or remove remote locations and users, as well as create or
adjust security policies. With this flexible, on-demand cloud security service, data centers of any size
have scalable options to accommodate growth demands and achieve consistent security
throughout their computing environments, regardless of users’ locations or devices.

2.1.4 Describe the advantages next-generation SD-WAN has over legacy SD-WAN solutions

Since the 2000s, enterprises have deployed multiprotocol label switching (MPLS) networks to
connect branch offices to centralized data centers. MPLS is still a very common deployment of
enterprise WANs, requiring hardware routers and manual configuration. It is usually outsourced
and managed by service providers who guarantee network performance. However, it can be
expensive, and it is not designed to handle the increasingly high volumes of WAN traffic that result
from SaaS applications and cloud adoption.

The growing bandwidth requirements and restricted network budgets fueled by cloud adoption
have rendered traditional WAN architectures obsolete. Since 2013, organizations have started
migrating toward software-defined wide area networks (SD-WAN). Because it is typically a cheaper
and more scalable solution, SD-WAN resolves the issues of MPLS without sacrificing the quality of
service. However, as businesses leverage SD-WAN, they are discovering that their legacy solutions
still can’t scale at the rate required.

The Growing Need for a Better SD-WAN


As enterprise environments continue to evolve, three fundamental shifts are driving the need for a
new breed of SD-WAN:

● Cloud adoption
● Availability of cost-effective, high-performance broadband
● Need for infrastructure automation

In 2020, Palo Alto Networks debuted a next-generation SD-WAN solution that delivers essential
branch services, such as networking, security and more, from the cloud. Through machine learning
(ML), organizations can eliminate network trouble tickets and improve the end user experience by
enabling an increase in WAN bandwidth for a lower cost than legacy SD-WAN solutions.

Next-generation SD-WAN offers three clear benefits:

● Steers traffic and defines networking and security policies from an application-centric
perspective, rather than a packet-based approach.
● Minimizes manual operations and enables agile DevOps methods to be used via API
integrations.
● Supports the cloud-delivered branch architecture by enabling all branch services, such as
networking, security and more, to be delivered from the cloud.

Requirements of Next-Generation SD-WAN


Legacy SD-WAN approaches aren’t keeping up with the cloud-ready digital enterprise. A
next-generation solution should be:

● Application-defined: Provide deep application visibility, with Layer 7 intelligence for
network policy creation and traffic engineering, ensuring exceptional user experience by
enabling network teams to deliver SLAs for all apps, including cloud, SaaS and UCaaS.

● Autonomous: Automate operations and problem avoidance using ML and data science
methodologies to simplify network operations and reduce network trouble tickets.

● Cloud-delivered: Enable a cloud-delivered branch, where branch services such as
networking and security are delivered from the cloud, simplifying WAN management and
reducing total cost of ownership.

Palo Alto Networks Prisma SD-WAN reduces enterprise WAN costs by up to 82%, simplifies network
operations by leveraging ML to eliminate up to 99% of network trouble tickets, and improves the
end user experience by enabling a tenfold increase in WAN bandwidth for a lower cost than legacy
solutions.
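The application-defined requirement above can be shown with a small path-selection routine, added here as an illustration for this guide (it is not Prisma SD-WAN code and does not reproduce its algorithm). It assumes flows have already been identified at Layer 7; the applications, SLA thresholds, WAN paths and measured metrics are all constructed.

```python
# Added illustration of application-defined path selection. The apps, SLA
# thresholds, WAN paths and measured metrics below are constructed values.

# Per-application SLA: the worst latency/jitter/loss the app tolerates (assumed)
APP_SLA = {
    "voice": {"latency_ms": 150, "jitter_ms": 30, "loss_pct": 1.0},
    "video": {"latency_ms": 250, "jitter_ms": 50, "loss_pct": 2.0},
    "saas":  {"latency_ms": 400, "jitter_ms": 100, "loss_pct": 5.0},
}

# Currently measured metrics per WAN path, plus a relative cost (1 = cheapest)
PATHS = {
    "mpls":      {"latency_ms": 40,  "jitter_ms": 5,  "loss_pct": 0.1, "cost": 3},
    "broadband": {"latency_ms": 60,  "jitter_ms": 35, "loss_pct": 0.3, "cost": 1},
    "lte":       {"latency_ms": 120, "jitter_ms": 20, "loss_pct": 1.5, "cost": 2},
}

def meets_sla(metrics, sla):
    """True when every measured metric is within the application's SLA."""
    return all(metrics[k] <= limit for k, limit in sla.items())

def select_path(app, paths=PATHS, sla=APP_SLA):
    """Pick the cheapest path that meets the app's SLA. Returns (path, within_sla);
    when no path qualifies, fall back to the lowest-latency path and flag it so
    the operator (or an automated workflow) can see the SLA is not being met."""
    ok = [p for p, m in paths.items() if meets_sla(m, sla[app])]
    if ok:
        return min(ok, key=lambda p: paths[p]["cost"]), True
    return min(paths, key=lambda p: paths[p]["latency_ms"]), False

def steer_flows(flows, paths=PATHS, sla=APP_SLA):
    """Map each Layer 7-classified flow ({flow_id: app}) to a path. A packet-based
    approach would match ports or 5-tuples instead and could not tell two
    applications apart when they share a port."""
    return {flow_id: select_path(app, paths, sla) for flow_id, app in flows.items()}

def degrade(paths, path, **changes):
    """Copy of the path table with one path's metrics changed (e.g. a loss spike)."""
    updated = {p: dict(m) for p, m in paths.items()}
    updated[path].update(changes)
    return updated

if __name__ == "__main__":
    flows = {"flow-1": "voice", "flow-2": "video", "flow-3": "saas"}
    print(steer_flows(flows))
    # broadband loss spike: video is re-steered to LTE, saas stays on broadband
    print(steer_flows(flows, degrade(PATHS, "broadband", loss_pct=4.0)))
```

Re-running `steer_flows` on each new set of measurements is what makes the steering autonomous: when a path degrades, flows whose SLA it no longer meets move without a ticket, and the `False` flag marks the case where no path can satisfy an application, which is the condition worth alerting on.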

2.1.5 References
● Proxy server,
https://www.paloaltonetworks.com/cyberpedia/what-is-a-proxy-server
● Cloud security,
https://www.paloaltonetworks.com/cyberpedia/cloud-security-service-cloud-storage-and-cloud-technology
● Cloud data protection,
https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-data-protection
● Next-generation SD-WAN,
https://www.paloaltonetworks.com/cyberpedia/what-is-next-generation-sd-wan

2.2 Explain how Palo Alto Networks SASE metrics autonomously drive network and security
behaviors

2.2.1 Explain improved user experience based on actionable, end-to-end, real-time analytics

Autonomous Digital Experience Management (ADEM) provides native, end-to-end visibility and
performance metrics for real application traffic in your Secure Access Service Edge (SASE)
environment.

ADEM functionality is natively integrated into the GlobalProtect app, Prisma SD-WAN devices, and
Prisma Access and therefore does not require the deployment of any additional appliances or
agents. Because of this native integration, the ADEM service enables synthetic tests for applications
you specify from the endpoint, from the Prisma SD-WAN device and from deployed Prisma Access
locations in your environment. ADEM continuously monitors all the segments from the endpoint to
the application for GlobalProtect mobile users and monitors all segments on all WAN paths (active
and backup) for Prisma SD-WAN remote sites and identifies baseline metrics for each monitored
application. In addition, ADEM provides visibility into any deviations or events that degrade the user
experience across each segment between the end user and the application, whether that segment
is the endpoint, WiFi, LAN, ISP, Prisma Access or the application (SaaS, IaaS or data center). ADEM
continuously monitors every segment in the service delivery path and provides insights that help
you to quickly isolate the segment causing digital experience problems and to simplify
remediation.

2.2.2 Explain how the SASE solution uses network and application metrics to enhance the user
experience

Organizations are reconsidering how they invest in technology to support their hybrid workforce
long term. Security, networking and digital experience management are IT infrastructure
components evolving to support a new, hybrid workplace.

One of the key trends fueling this transition to hybrid work is increased reliance on the internet and
SD-WAN to securely connect users and locations to applications in the cloud. As the industry’s most
complete SASE solution, Prisma SASE converges best-of-breed security and SD-WAN into a single
cloud-delivered service without compromising on user experience.

Let’s dive deeper into user experience monitoring and the branch digital experience for your hybrid
workforce, and why it’s so important.

With autonomous digital experience management (ADEM), you have visibility into the entire
service delivery path from user and branch to an application that can impact your user experience.
This visibility level helps you to quickly isolate segments which may result in degraded user and
branch experience and to resolve problems proactively before users experience them. You can get
root-cause diagnostics of device, WiFi, internet, applications and network issues that commonly
impact user experience, with visibility down to the “where” and the “why” of network issues.

The native integration between ADEM and Prisma SASE gives you the most comprehensive
monitoring coverage across users, branches and applications. ADEM provides full visibility into all
active and backup WAN paths connecting branches to various applications hosted in SaaS, IaaS or
private data centers. This industry-first, SASE-native integration provides visibility that would be
otherwise unachievable.

ADEM proactively measures the end-user experience of monitored applications running in a branch
office so you can quickly isolate and resolve problems before they impact multiple users.

In the same dashboard visualizing your mobile or home user’s experience, you can also see users
connecting from branch locations. The dashboard provides an application experience score on a
per-path basis for both active and backup paths. The ability to run proactive synthetics on every
path lets you know the best path, per application, for all users in a branch office. Real-user
monitoring enhances real-time visibility and experience diagnostics.

Let’s walk through an example of ADEM capabilities integrated with Prisma Access and Prisma
SD-WAN for your branch locations.

Step 1
The remote sites dashboard, pictured below, shows the overall branch experience for all monitored
applications and provides visibility into active and backup path experience for individual monitored
applications. With this visibility, you can see that the active path for the Slack application is
performing “poor” and the backup path for the same application is performing “fair.” This indicates
something is impacting both the active and backup paths.

Step 2
Further drilling down to topology, you can see ADEM isolated the issue to the internet service
provider (ISP) segment. The icon turned red, giving the administrator quick visibility into which
segment impacted user experience.

Step 3
Clicking on the internet icon provides further visibility into network performance metrics trends like
latency, jitter and packet loss impacting ISP performance.

Step 4
The IT administrator can further navigate to path visualization where they receive visual clues of
hop-by-hop ISP node performance and they can isolate the internet node causing degraded user
and branch experience.

With ADEM, network operators have a full view of their end-user experience with visibility from
remote users and corporate site performance at the same time. In our recent release, ADEM
capabilities are natively integrated into Prisma Access and Prisma SD-WAN, without having to
install additional appliances or agents on user machines or in branch offices.
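The segment-wise isolation described in 2.2.1 and the four-step walkthrough above can be shown with a small analysis over synthetic-probe results. This is an added example for this guide, not ADEM's code or its scoring model; the segment names follow the text, while the baselines, grade thresholds, probe results and hop measurements are constructed.

```python
from statistics import mean

# Added illustration of segment-wise isolation. Segment names follow the text;
# baselines, thresholds, probe results and hop measurements are constructed.

# Service delivery path from the user to the application, in order
SEGMENTS = ("endpoint", "wifi", "lan", "isp", "prisma_access", "application")

# Constructed per-segment RTT baselines (ms), standing in for learned history
BASELINE_MS = {"endpoint": 1, "wifi": 4, "lan": 2, "isp": 25,
               "prisma_access": 6, "application": 12}

RANK = {"good": 0, "fair": 1, "poor": 2}

def segment_metrics(samples):
    """Latency, jitter and loss for one segment from its probe RTTs (None = lost probe)."""
    answered = [s for s in samples if s is not None]
    loss_pct = 100.0 * (len(samples) - len(answered)) / len(samples)
    latency = mean(answered) if answered else float("inf")
    jitter = (mean(abs(a - b) for a, b in zip(answered, answered[1:]))
              if len(answered) > 1 else 0.0)
    return {"latency_ms": latency, "jitter_ms": jitter, "loss_pct": loss_pct}

def grade_segment(name, m):
    """Grade a segment against its own baseline (the thresholds are assumptions)."""
    ratio = m["latency_ms"] / BASELINE_MS[name]
    if m["loss_pct"] >= 10 or ratio >= 4 or m["jitter_ms"] >= 50:
        return "poor"
    if m["loss_pct"] >= 2 or ratio >= 2 or m["jitter_ms"] >= 20:
        return "fair"
    return "good"

def analyse_path(path_samples):
    """path_samples: {segment: [rtt, ...]} for one WAN path.
    Returns (path grade, segment to blame, per-segment grades). The path is only
    as good as its worst segment; ties go to the segment nearest the user."""
    grades = {seg: grade_segment(seg, segment_metrics(path_samples[seg]))
              for seg in SEGMENTS}
    worst = max(SEGMENTS, key=lambda seg: RANK[grades[seg]])
    return grades[worst], worst, grades

def isolate_hop(hops):
    """hops: [(hop_number, rtt_ms)] measured along one segment. Returns the hop
    at which the round-trip time jumps the most, i.e. where degradation starts."""
    jumps = [(later[1] - earlier[1], later[0]) for earlier, later in zip(hops, hops[1:])]
    return max(jumps)[1]

# Constructed synthetic-probe results for one application over both WAN paths
_CLEAN = {"endpoint": [1] * 10, "wifi": [4, 5, 4, 4, 5, 4, 4, 5, 4, 4], "lan": [2] * 10,
          "prisma_access": [6, 6, 7, 6, 6, 6, 7, 6, 6, 6],
          "application": [12, 13, 12, 12, 13, 12, 12, 13, 12, 12]}
ACTIVE_PATH = dict(_CLEAN, isp=[120, None, 118, 125, None, 130, 122, None, 119, 124])
BACKUP_PATH = dict(_CLEAN, isp=[55, 52, 58, 54, 56, 53, 57, 55, 54, 56])
# Constructed hop-by-hop probes inside the ISP segment of the active path
ISP_HOPS = [(1, 2.0), (2, 3.1), (3, 4.0), (4, 96.5), (5, 98.0), (6, 99.2)]

if __name__ == "__main__":
    for label, path in (("active", ACTIVE_PATH), ("backup", BACKUP_PATH)):
        grade, segment, _ = analyse_path(path)
        print(f"{label} path: {grade}, degraded segment: {segment}")
    print("ISP degradation starts at hop", isolate_hop(ISP_HOPS))
```

With the constructed data the active path grades "poor" and the backup path "fair", both because of the ISP segment, which mirrors Steps 1 and 2 of the walkthrough; `isolate_hop` then does the Step 4 work of pointing at the hop where the ISP round-trip time jumps. Grading against a per-segment baseline rather than a global threshold matters: 55 ms is unremarkable for an ISP leg but would be a serious anomaly on the LAN.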

2.2.3 Explain how connection visibility using path analysis differentiates the Palo Alto Networks
SASE solution from its competitors

At Palo Alto Networks, we believe that SASE must converge best-of-breed security and SD-WAN
capabilities in the cloud to deliver exceptional user experiences while reducing security risk.

Prisma SASE is the industry’s most complete SASE solution, converging security, SD-WAN, and
Autonomous Digital Experience Management into a single cloud-delivered service. Only Prisma
SASE uniquely provides:

● Convergence without compromise: Best-of-breed security and SD-WAN, natively
integrated without trade-offs.
● Complete, best-in-class security: Consistently secures all apps used by your hybrid
workforce, regardless of location.
● Exceptional user experience: An integrated Autonomous Digital Experience Management,
backed by industry-leading SLAs.

2.2.4 References

● Autonomous DEM,
https://docs.paloaltonetworks.com/autonomous-dem/autonomous-dem-in-prisma-access/autonomous-dem.html#idd780580b-f8d7-4b2f-a1ca-76ec2d24b735
● SASE user experience monitoring,
https://www.paloaltonetworks.com/blog/sase/can-your-sase-do-user-experience-monitoring/

2.3 Sample Questions

1. What is a characteristic of next-generation SD-WAN solutions?
a. Detailed bandwidth reporting
b. Insights for SSL Decryption
c. Application-defined traffic steering
d. Establishment of secure fabric

2. Prisma SD-WAN utilizes machine learning (ML) for which of the following?
a. Threat prevention and security policy tuning
b. URL filtering and malware site identification
c. Management event correlation and reconciliation
d. Decryption tuning

3. What does ADEM give administrators visibility into?
a. The entire service delivery path
b. Container utilization
c. User traffic behaviors
d. Circuit bandwidth consumption

4. Which of the following is a true statement regarding Prisma Access?
a. The solution converges security features, SD-WAN, and advanced traffic synthesizers
b. The solution is unique in the industry due to the use of a secure fabric
c. The solution introduces proprietary routing protocols for superb performance
d. The solution applies machine learning to establish efficient routes

Domain 3: Architecture and Planning
3.1 The Palo Alto Networks SASE Architecture

3.1.1 Demonstrate understanding of the components of the Palo Alto Networks Prisma SASE
solution

Prisma Access
Prisma Access offers the industry’s most comprehensive secure access service edge (SASE),
enabling an organization to connect and secure any user, device or application. Prisma Access is
ideally suited for any remote site with one or multiple internet links and provides direct internet
access and the option to connect to other enterprise remote sites through Prisma Access.

The Prisma Access cloud management interface and Panorama provide different interfaces you can
use to interact with the same Prisma Access cloud infrastructure. However, Prisma Access feature
support can vary depending on the management interface as we work to provide you
management options in the Prisma Access app and Panorama. It’s important to consider that you
cannot switch management interfaces; so before you get started, you must decide how you want to
manage Prisma Access.

Cloud managed Prisma Access gives you:

● Secure connectivity to your corporate network for mobile users and remote networks.
● Secure internet traffic for mobile users and remote networks.
● Predefined best practice security profiles for internet traffic.
● Predefined SSL decryption policies (these are turned off by default).
● Secure access to SaaS applications.
● Simplified workflow to onboard mobile users and remote networks to Prisma Access.

Prisma SD-WAN
Prisma SD-WAN is a core component in delivering secure access service edge (SASE) for the
modern enterprise. At the core of the system is the application performance engine. Prisma
SD-WAN provides a software-defined wide area network (SD-WAN) solution that transforms legacy
wide area networks (WANs) into a radically simplified and secure application fabric (AppFabric),
virtualizing heterogeneous underlying transports into a unified hybrid WAN. Prisma SD-WAN
controls network application performance based on application-performance service level
agreements (SLAs) and business priorities.

Through Instant-On Network (ION) devices, Prisma SD-WAN simplifies how WANs are designed,
built and managed, securely extending data center-class security to the network edge. Prisma
SD-WAN leverages the x86 platform with a centralized controller-based model, enabling simple
deployments at remote offices and data centers. You can view granular application-driven analytics,
build a robust policy, and view performance-based traffic management of the WAN.

3.1.2 How the Palo Alto Networks Prisma SASE solution enables Zero Trust in a customer
environment

Zero Trust is a business-driven, strategic approach to securing your most critical data, applications,
assets, and services (DAAS), as well as your users, based on what is important to your particular
business, within a protect surface. Zero Trust strategy is infrastructure-neutral, so you can apply it to all
physical and virtual locations: network, public cloud, private cloud and endpoint. The concept
behind Zero Trust is simple: trust is a vulnerability. Trust nothing in the digital environment (packets,
identities, devices or services) and verify everything. There is no such thing as default trust.

The goal of Zero Trust strategy is to eliminate trust from the network. Eliminating trust helps
prevent successful data breaches, simplifies operations through automation and a reduced
rulebase, and simplifies regulatory compliance and audits because Zero Trust environments are
designed for compliance and easy auditing.

The five-step methodology works whether you’re implementing a Zero Trust strategy in the cloud,
on a private network, or on endpoints, regardless of infrastructure.

● Step 1: Define your protect surface
● Step 2: Map the protect surface transaction flows
● Step 3: Architect a Zero Trust network
● Step 4: Create the Zero Trust policy
● Step 5: Monitor and maintain the network

The five-step methodology for implementing a Zero Trust strategy presents a logical, clear path to
protecting your environment, data, applications, assets, services and users. The way you apply the
methodology depends on what you’re protecting and your business requirements—what’s critical
to your business—but the outcomes you’re working toward are always the same:

● Segment the network effectively and efficiently to prevent lateral movement.
● Protect business-critical data and systems from unauthorized applications and users.
● Protect business-critical applications from unauthorized access and usage.
● Enforce policy seamlessly across networks, cloud and endpoints to simplify management
and apply consistent policy everywhere.

3.1.3 References

● SASE,
https://docs.paloaltonetworks.com/sase
● Zero Trust,
https://docs.paloaltonetworks.com/best-practices/10-1/zero-trust-best-practices/zero-trust-best-practices/what-is-zero-trust-and-why-do-i-need-it.html

3.2 Demonstrate understanding of Prisma Access architecture

3.2.1 Define Prisma Access architecture for service connections

Service connections enable both mobile users and users at your branch networks to access
resources in your HQ or data center. Beyond providing access to corporate resources, service
connections allow your mobile users to reach branch locations.

Plan Service Connections
Create service connections to allow Prisma Access to perform the following tasks:

● Allow access to the resources in your HQ or data center.
● Allow remote networks and mobile users to communicate with each other.

If you have corporate resources that your remote networks and mobile users need to access, you
must enable Prisma Access to access the corresponding corporate network.

Even if you do not need your Prisma Access users to connect to your HQ or data center, you might
need to allow your mobile users to access your remote network sites. Service connections are
required for this use case because, while all remote network sites are fully meshed, the mobile user
infrastructure is not. Minimally configuring a service connection establishes the hub-and-spoke
network mobile users need to access a branch network.

To improve network efficiency, place service connections close to the remote network or networks
that mobile users access most frequently.

Before you begin to configure Prisma Access service connections, gather the following information
for each of the HQ or data centers to which you want Prisma Access to be able to connect.

● IPSec-capable firewall, router or SD-WAN device connection at your corporate site.
● IPSec settings for terminating the primary VPN tunnel from Prisma Access to the
IPSec-capable device on your corporate network.
● IPSec settings for terminating the secondary VPN tunnel from Prisma Access to the
IPSec-capable device on your corporate network.
● List of IP subnetworks at the site.
● List of internal domains that Prisma Access must be able to resolve.
● IP address of a corporate access node at your network’s site to which Prisma Access can
send ICMP ping requests for IPSec tunnel monitoring.
● Make sure that this address is reachable by ICMP from the entire Prisma Access
infrastructure subnet.
● Network reachability settings for the service infrastructure subnet.
● Make the entire service infrastructure subnet reachable from the HQ or data center. Prisma
Access uses IP addresses for all control plane traffic from this subnet.

3.2.2 Define Prisma Access architecture for remote networks

As your business scales, onboard geographically distributed sites — branch offices, retail stores, and
SD-WAN deployments — to Prisma Access and deliver best-in-breed security to your users. Prisma
Access for remote networks removes the complexity of configuring and managing endpoints at
every site. Add new sites and minimize operational challenges while ensuring that users at these
locations are always connected and secure.

To start securing a remote network site, onboard the site to Prisma Access so that you can start
sending site traffic to Prisma Access through an IPSec tunnel.

Plan Prisma Access Remote Network Deployment
Here’s what to consider or gather before onboarding a remote network to Prisma Access:

● Does the remote network require access to corporate resources?

If your remote network requires access to infrastructure or resources in your HQ or a data
center, create a Prisma Access service connection to the corporate site. If the remote
network location is autonomous and doesn’t need access to the infrastructure at other
locations, you don’t need to do this.

● Choose the right Prisma Access locations

When users at your branch office connect to Prisma Access, the Prisma Access location you
choose determines the language in which content from the internet is served. For the best
user experience, select the region and location in the same country as your branch office. If
a location is not available in the same country as your branch office, choose a location that
uses the same language as the majority of the users at the site.

● Have IP subnets ready

For Prisma Access to route traffic to your remote networks, you’ll need to provide routing
information for the subnetworks you want Prisma Access to secure. You can do this in
several ways: you can define a static route to each subnetwork at the remote network
location, configure BGP between your service connection locations and Prisma Access, or
use a combination of both methods. If you configure both static routes and enable BGP, the
static routes take precedence. While it might be convenient to use static routes if you have
just a few subnetworks at your remote network locations, in a large deployment with remote
networks with overlapping subnets, BGP will enable you to scale more easily.

● How to allocate bandwidth for remote networks

At least two (often more) Prisma Access locations that are geographically near each other
are grouped into compute locations. This is the level at which you allocate bandwidth,
instead of allocating bandwidth for individual Prisma Access locations or for specific remote
network sites.

For example, if you need to onboard four branch offices using remote networks in the
Singapore, Thailand, and Vietnam locations, all these locations map to the Asia Southeast
compute location. If you allocate 200 Mbps bandwidth to the Asia Southeast compute
location, Prisma Access divides the 200 Mbps of bandwidth between the four branch offices
you onboarded in that location. If you also add a location in Hong Kong, note that Hong
Kong maps to the Hong Kong compute location, so you would need to add bandwidth to
that compute location as well. Additionally, you must specify a minimum bandwidth of 50 Mbps
per compute location.

Prisma Access dynamically allocates the bandwidth based on load or demand per location.
Using the previous example where the four sites collectively use up to 200 Mbps, if one or
more sites are not using as much bandwidth as the other sites, Prisma Access provides more
bandwidth for the locations that are more in demand, giving you a more efficient use of
allocated bandwidth. In addition, if one of the sites goes down, Prisma Access reallocates the
bandwidth between the other sites that are still up in that compute location.

● Still consider how much bandwidth each site needs when allocating bandwidth based
on location
To help you determine how much bandwidth a specific site needs, consider the bandwidth
available from your ISP at each location. When calculating the amount of bandwidth you
need at a site, consider that the bandwidth usage includes both egress and ingress traffic
for the remote network connection.

● IPSec termination nodes

IPSec termination nodes allow you to associate remote networks with compute locations.
When you onboard a remote network, select an IPSec termination node for the remote
network that correlates to the compute location.

You can specify a maximum of 250 remote networks per IPSec termination node. After you
use 250 remote networks on an IPSec termination node in a compute location, you cannot
onboard additional remote networks in that IPSec termination node. You can have a
maximum of 200 IPSec termination nodes in a compute location.

● Overlapping subnets
As a general rule, you cannot have any overlapping subnets within a Prisma Access instance.
That is, the subnets for all remote network locations, your service connections, and your
Prisma Access for mobile users IP address pools cannot overlap. However, in some
circumstances you cannot avoid having overlapping subnets; for example, if you acquired a
company that uses subnets that overlap with your existing subnets. In some cases, you
might want to configure two regions with overlapping subnets by design; for example, if you
want to create a separate guest network at a retail store location with different policy rules.
Prisma Access does allow you to onboard remote network locations with overlapping
subnets, as long as the remote networks are in different regions. Keep in mind, however,
that the sites with overlapping subnets have the following limitations:

o There is no inbound remote network-to-remote network traffic. The other remote
network locations would not know where to route the traffic because multiple
remote network locations route to the same subnets. However, users and services at
any remote network location can access resources at other remote network
locations, provided there are no overlapping subnets at the site, and any site can
access the internet through the Prisma Access infrastructure.

o Traffic from your service connections cannot access resources at any remote network
location with overlapping subnets because it would not know which remote network
location to route the traffic. The remote network locations with overlapping subnets
can, however, access resources from service connections.

o Mobile users cannot access resources at the remote network locations with
overlapping subnets, again because of the inbound routing limitations.
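The planning checklists in 3.2.1 (service connection prerequisites) and 3.2.2 (overlapping subnets and IPSec termination node limits) can be turned into a pre-onboarding check that is run against the design before anything is configured. The script below is an added example written for this guide; it is not Palo Alto Networks code and does not call any Prisma Access API. The site model (kind, region, termination node, monitoring address) is an assumption made for illustration, and every site name, subnet, region and node name is constructed sample data. It reports overlapping subnets as errors, except between remote networks in different regions, which it reports as warnings carrying the routing limitations listed above.

```python
"""Pre-onboarding plan check for a Prisma Access deployment (added example for
this guide, not Palo Alto Networks code). It encodes rules stated in 3.2.1/3.2.2:
no overlapping subnets across service connections, remote networks and mobile
user pools (except remote networks in different regions, which carry routing
limitations); a tunnel-monitoring IP inside each service connection's subnets;
and at most 250 remote networks per IPSec termination node. All site names and
subnets below are constructed sample data."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import combinations

MAX_RN_PER_TERMINATION_NODE = 250  # limit stated in the guide


@dataclass
class Site:
    name: str
    kind: str                   # "service_connection", "remote_network" or "mobile_pool"
    subnets: list               # CIDR strings for the site
    region: str = ""            # Prisma Access region (remote networks only)
    termination_node: str = ""  # IPSec termination node chosen at onboarding
    monitor_ip: str = ""        # ICMP target for tunnel monitoring (service connections)


def _networks(site):
    return [ip_network(cidr, strict=False) for cidr in site.subnets]


def check_overlaps(sites):
    """Return (errors, warnings) for every overlapping pair of subnets."""
    errors, warnings = [], []
    for a, b in combinations(sites, 2):
        for na in _networks(a):
            for nb in _networks(b):
                if not na.overlaps(nb):
                    continue
                if a.kind == b.kind == "remote_network" and a.region != b.region:
                    # Allowed by design, but inbound traffic from other remote
                    # networks, service connections and mobile users cannot be routed.
                    warnings.append(f"{a.name}/{b.name}: {na} overlaps {nb} across regions; "
                                    "inbound traffic to these subnets is not routable")
                else:
                    errors.append(f"{a.name}/{b.name}: {na} overlaps {nb}")
    return errors, warnings


def check_monitor_ips(sites):
    """Each service connection needs a monitoring address inside its own subnets."""
    errors = []
    for s in (s for s in sites if s.kind == "service_connection"):
        if not s.monitor_ip:
            errors.append(f"{s.name}: no tunnel-monitoring IP address")
            continue
        ip = ip_address(s.monitor_ip)
        if not any(ip in net for net in _networks(s)):
            errors.append(f"{s.name}: monitor IP {ip} is not in the site's subnets")
    return errors


def check_termination_nodes(sites):
    """No IPSec termination node may carry more remote networks than the limit."""
    counts = Counter(s.termination_node for s in sites if s.kind == "remote_network")
    return [f"{node}: {n} remote networks exceeds {MAX_RN_PER_TERMINATION_NODE}"
            for node, n in counts.items() if n > MAX_RN_PER_TERMINATION_NODE]


def validate(sites):
    """Run all checks; returns (errors, warnings)."""
    errors, warnings = check_overlaps(sites)
    errors += check_monitor_ips(sites) + check_termination_nodes(sites)
    return errors, warnings


# Constructed sample plan: an HQ service connection, a branch, two guest networks
# that deliberately reuse 192.168.1.0/24 in different regions, and a mobile-user
# pool that mistakenly overlaps the HQ range.
SAMPLE_SITES = [
    Site("hq-dc", "service_connection", ["10.0.0.0/16"], monitor_ip="10.0.1.10"),
    Site("branch-sg", "remote_network", ["10.10.0.0/24"], region="asia-southeast",
         termination_node="asia-se-node-1"),
    Site("guest-eu", "remote_network", ["192.168.1.0/24"], region="europe",
         termination_node="eu-node-1"),
    Site("guest-us", "remote_network", ["192.168.1.0/24"], region="north-america",
         termination_node="us-node-1"),
    Site("mobile-pool", "mobile_pool", ["10.0.5.0/24"]),
]

if __name__ == "__main__":
    errs, warns = validate(SAMPLE_SITES)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

An empty error list means the plan satisfies the stated rules; a warning identifies remote networks whose overlapping subnets will onboard but only with the inbound-routing limitations described above, so the sites should be autonomous or reachable only outbound.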

3.2.3 Define Prisma Access architecture for mobile users

Securing mobile users from threats is often a complex mix of security and IT infrastructure
procurement and setup, and bandwidth and uptime requirements in multiple locations
throughout the world, all while staying within budget. With Prisma Access for users, the entire
infrastructure is deployed for you and scales based on the number of active users and their
locations. Users can then connect to Prisma Access for consistent security policy enforcement even
in locations where you do not have a network infrastructure and IT presence. You can use the
GlobalProtect app or an explicit proxy to direct user traffic to Prisma Access.

Here’s an overview of how to set up a mobile users location — and start onboarding mobile users to
Prisma Access — in just a few steps.

● Choose a connection type, or use both GlobalProtect and explicit proxy: First decide how
the mobile users in the location you’re setting up should connect to Prisma Access. You can
divide your mobile user license between GlobalProtect and explicit proxy connections; some
users can connect through GlobalProtect while others connect through Explicit Proxy.

● GlobalProtect connection: The GlobalProtect app installed on mobile user devices sends
traffic to Prisma Access.

● Explicit proxy connection: A proxy auto-config (PAC) file on mobile user devices redirects
browser traffic to Prisma Access.

● Set up basic infrastructure settings: Configure the infrastructure settings that are specific
to your connection type (GlobalProtect or explicit proxy). For both connection types, there
are only a few required settings that need to be filled out initially in order for Prisma Access
to provision your mobile users environment.

● Choose the Prisma Access location to which your mobile users will connect: Add the
Prisma Access locations where you want to support mobile users.

The map displays the global regions where you can deploy Prisma Access for users: North
America, South America, Europe, Africa, Middle East, Asia, Japan and ANZ (Australia and
New Zealand). In addition, Prisma Access provides multiple locations within each region to
ensure that your users can connect to a location that provides a user experience tailored to
the users’ locale. For the best performance, select “all.”

Alternatively, select the specific locations within each selected region where your users will
need access. By limiting your deployment to a single region, you have more granular
control over your deployed regions and can exclude regions that your policy or industry
regulations require you to exclude.

For the best user experience, if you are limiting the number of locations, choose locations
that are closest to your users or in the same country as your users. If a location is not
available in the country where your mobile users reside, choose a location that is closest to
your users for the best performance.

● Authenticate mobile users: Set up user authentication so that only legitimate users have
access to your services and applications. To test your setup, you can add users that Prisma
Access authenticates locally, or you can go straight to setting up enterprise-level
authentication.

● Prisma Access enforces best practice security policy rules by default. These rules allow
your users to securely browse to general internet sites. Users are:
o Blocked from visiting known bad websites based on URL
o Blocked from uploading or downloading files that are known to be malicious
o Protected from unknown, never-before-seen threats
o Protected from viruses, spyware (command and control attacks), and vulnerabilities

After going through the initial setup, you can review and update these default rules to meet
your enterprise needs.

● Verify that the mobile users location is active: After you push your initial configuration to
Prisma Access, Prisma Access begins provisioning your mobile user environment. This can
take up to 15 minutes. When your mobile user locations are up and running, you’ll be able to
verify them on the mobile users setup pages, the overview, and within “insights.”

3.2.4 Explain the consistency of cloud-delivered security services (CDSS) across the platform

DNS Security
Automatically secure your DNS traffic by using Palo Alto Networks DNS Security service, a
cloud-based analytics platform providing your firewall with access to DNS signatures generated
using advanced predictive analysis and machine learning. This predictive analysis and machine
learning uses malicious domain data collected from a growing threat intelligence sharing
community.

WildFire
The cloud-delivered WildFire® malware analysis service uses data and threat intelligence from the
industry’s largest global community and applies advanced analysis to automatically identify
unknown threats and stop attackers in their tracks.

Threat Prevention
Threat Prevention defends your network against both commodity threats — which are pervasive
but not sophisticated — and targeted, advanced threats perpetrated by organized cyber
adversaries. Threat Prevention includes comprehensive exploit, malware and
command-and-control protection. Palo Alto Networks frequently publishes updates that equip the
firewall with the very latest threat intelligence. You can use the Palo Alto Networks Threat Vault
(located at https://researchcenter.paloaltonetworks.com) to research the latest threats that Palo Alto
Networks next-generation firewalls can detect and prevent.

Advanced URL Filtering
Palo Alto Networks URL filtering solution, called Advanced URL Filtering, gives you a way to control
not only web access, but also how users interact with online content. PAN-DB — the Advanced URL
Filtering cloud — classifies sites based on content, features and safety, and you can enforce your
security policy based on these URL categories. You can also prevent credential theft through
phishing by tightly controlling the types of sites to which users can enter their corporate credentials.

Visit Palo Alto URL Testing (found at https://urlfiltering.paloaltonetworks.com) to see how PAN-DB
categorizes a URL and to learn about all available URL categories.

Review the Advanced URL filtering datasheet for a high-level summary of how Advanced URL
Filtering enables safe web access and protects your users from dangerous websites, malware sites,
credential-phishing pages and attacks attempting to leverage web browsing to deliver threats.

Enterprise Data Loss Prevention
Palo Alto Networks Enterprise DLP is the industry’s first cloud-delivered solution that
comprehensively protects sensitive data across all networks, clouds and users. It easily enables data
protection and compliance in minutes, eliminating deployment and ongoing management cycles
to ensure the most cost effective enterprise DLP on the market.

SaaS Security
SaaS security is an integrated CASB (cloud access security broker) solution that helps security teams
meet the challenges of protecting the growing availability of sanctioned and unsanctioned SaaS
applications and maintaining compliance consistently in the cloud while stopping threats to
sensitive information, users and resources. SaaS security options include SaaS API Security (formerly
Prisma SaaS) and the SaaS Security Inline add-on.

Use SaaS Security Inline to discover and manage risks posed by unsanctioned SaaS apps while you
rely on SaaS API Security to scan assets in the cloud space for at-rest detection, inspection and
remediation across all user, folder and file activity within sanctioned SaaS applications.

With both SaaS Security Inline and SaaS API Security, you have an integrated CASB that offers
better security outcomes without the complexity of third-party integrations and the overhead and
cost of managing the large number of vendors that legacy CASBs require.

Review the SaaS security privacy datasheet for details on the privacy of the data you store in SaaS
applications and how SaaS security handles that data.

IoT Security
The IoT Security solution works with next-generation firewalls to dynamically discover and maintain
a real-time inventory of the IoT devices on your network. Through AI and machine-learning
algorithms, the IoT Security solution achieves a high level of accuracy, and even classifies IoT device
types encountered for the first time. And because it is dynamic, your IoT device inventory is always
up to date. IoT Security also provides the automatic generation of policy recommendations to
control IoT device traffic, as well as the automatic creation of IoT device attributes for use in firewall
policies. You need an IoT Security subscription to access this solution.

3.2.5 References

● Prisma Access (Cloud Management),
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin.html
● Mobile users,
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access.html
● CDSS,
https://docs.paloaltonetworks.com/cdss

3.3 Demonstrate understanding of Prisma SD-WAN architecture

3.3.1 How the network delivers performance and reliability at scale

Prisma SD-WAN is a core component in delivering secure access service edge (SASE) for the
modern enterprise. At the core of the system is the application performance engine.

Prisma SD-WAN provides a software-defined, wide area network (SD-WAN) solution that transforms
legacy wide area networks (WANs) into a radically simplified and secure application fabric
(AppFabric), virtualizing heterogeneous underlying transports into a unified hybrid WAN.

Prisma SD-WAN controls network application performance based on application-performance
service level agreements (SLAs) and business priorities. Through instant-on network (ION)
devices, Prisma SD-WAN simplifies how WANs are designed, built and managed, securely
extending data center-class security to the network edge. Prisma SD-WAN utilizes a centralized
controller-based model, enabling simple deployments at remote offices and data centers. You can
view granular application-driven analytics, build a robust policy, and view performance-based traffic
management of the WAN.

3.3.2 How CloudBlades provide integration into the application ecosystem

Prisma Access offers the industry’s most comprehensive secure access service edge (SASE),
enabling an organization to connect and secure any user, device, or application. Prisma Access is
ideally suited for any remote site with one or multiple internet links and provides direct internet
access and the option to connect to other enterprise remote sites through Prisma Access. Prisma
Access for Networks CloudBlade enables remote networks to connect to Prisma Access via an
industry-standard IPSec VPN. Prisma Access for Networks (cloud managed) is the cloud based
management solution for Prisma Access.

To integrate Prisma SD-WAN and Prisma Access, refer to the following requirements for Prisma
Access for Networks (cloud managed).

PRODUCT: Prisma SD-WAN
REQUIREMENTS:
● Active Prisma SD-WAN subscription.
● Prisma SD-WAN AppFabric deployed at one or more locations.
● Physical and/or virtual ION devices running:
o Recommended version is 5.4.3 or higher.
o Minimum version supported is 5.1.9.

PRODUCT: Prisma Access for Networks (Cloud Managed)
REQUIREMENTS:
● Prisma Access for Networks version 2.1.1 or later.
● Aggregate bandwidth licensing must be enabled.
● The IPSec termination nodes within Prisma Access identified for connectivity.
● You must own a CSP (customer support portal) account with an app administrator or
higher role assigned. Prisma Access and Prisma SD-WAN apps must be available and
linked with each other on the HUB interface under that CSP account. To map both
the apps, click the gear icon, then “manage apps.” Once this is done, the mapping will
be visible under the Prisma SD-WAN instance.

3.3.3 Key components of Prisma SD-WAN
Prisma SD-WAN is a core component in delivering Secure Access Service Edge (SASE) for the
modern enterprise. At the core of the system is the application performance engine. Prisma
SD-WAN provides a software-defined, wide area network (SD-WAN) solution that transforms legacy
wide area networks (WANs) into a radically simplified, secure, application fabric (AppFabric),
virtualizing heterogeneous underlying transports into a unified hybrid WAN.

Prisma SD-WAN controls network application performance based on application-performance
service level agreements (SLAs) and business priorities.

Through Instant-On Network (ION) devices, Prisma SD-WAN simplifies how WANs are designed,
built, and managed, securely extending data center-class security to the network edge. Prisma
SD-WAN leverages a centralized controller-based model, enabling simple deployments at remote
offices and data centers. You can view granular application-driven analytics, build a robust policy,
and view performance-based traffic management of the WAN.

Prisma SD-WAN Key Components

SD-WAN Controller
Access the SD-WAN controller through an intuitive graphical user interface that helps you manage
your network. The SD-WAN web interface enables you to perform the following tasks:

● Centralize routing and build a network of private and public WAN paths.
● Push a WAN configuration to ION devices at a branch or data center using API calls.
● Utilize a centralized point of administration for security policy rules as well as application and
network analytics.
● Enable secure automated virtual private network (VPN) tunnels using a zero-touch
configuration process.

ION Devices
ION devices enable you to combine disparate WAN networks, such as MPLS, LTE, and internet links,
into a single, high-performance, hybrid wide area network (WAN).

ION 1000, ION 1200, ION 2000, and ION 3000
Physical or virtual devices that serve as a forwarding element at a branch.

● The Analytics mode provides detailed information on network and application traffic.
● The Control mode makes path selections and security decisions and prioritizes applications. It
also manages congestion based on controller-programmed policies and reports application and
network performance statistics to the controller.

ION 7000 and ION 9000
Physical or virtual devices that serve as a forwarding element at a branch or a data center. At a data
center, you can connect an ION 7000 or an ION 9000 to perform the following tasks:

● Connect to the data center core and WAN edge routers.
● Inject Prisma SD-WAN branch routes into the core router to become the preferred next hop
to guarantee path symmetry.

● Identify traffic sourced from or destined to Prisma SD-WAN branches, which ensures
seamless, non-disruptive integration between SD-WAN and non-SD-WAN branches.

3.3.4 How Prisma SD-WAN delivers resiliency across all paths and network configurations

Organizations have scaled their networks to span various countries, regions and continents. But as
organizations grow their business, especially through acquisitions and mergers, their networks
have become heterogeneous and complex. Traditional network technologies are costly and lack the
flexibility needed to scale and adjust to a cloud-first world. A software-defined wide area network
(SD-WAN) solution can provide clarity for these complex distributed networks.

Challenges for Large Distributed Networks

Expansive organizations leverage traditional WAN technologies that heavily depend on
multiprotocol label switching (MPLS) for accessing applications and workloads from on-premises
data centers. Modern branch offices have different scale and feature requirements than legacy
WAN architectures were designed to support. Multiple point products and solutions add to the
complexity of deploying, managing and troubleshooting these complex networks. In most cases,
organizations with these complex distributed networks struggle to ensure network uptime and also
significantly increase their costs to meet the demands of each office.

Unfortunately, legacy networking vendors have failed to address these challenges, and have instead
created a complex ecosystem that is hard to manage and troubleshoot, even with a large IT team.
As a result, organizations require a flexible and secure solution to improve performance, optimize
access to applications both on and off-premise, and offer the ability to scale to thousands of sites.
Additionally, organizations need a simplified onboarding process to top cloud providers, enabling
multi-cloud connectivity to deliver cloud applications. Finally, intelligent routing that can
dynamically learn and adapt at scale to remediate network issues is also necessary.

A Next-Generation SD-WAN Solution that Delivers

A next-generation SD-WAN solution is key to address the needs of those enterprises struggling with
their complex distributed networks. Palo Alto Networks Prisma SD-WAN enables cloud-delivered
networking and security to significantly improve user experience, provide application resiliency and
simplify operations. As the industry’s first next-generation SD-WAN solution, Prisma SD-WAN is
uniquely application-defined and autonomous, allowing large organizations with complex
networks to realize the following benefits.

Reduce operational complexity with network automation

Prisma SD-WAN offers a comprehensive WAN edge solution that:

● Automates advanced routing operations that ensure seamless integration with existing
legacy infrastructure to simplify the migration to SD-WAN.
● Provides a consistent and efficient end user experience with per-flow path symmetry and
application-defined, flow-based forwarding for traffic.
● Steers traffic intelligently with API programmable application flows to ensure the best path
selection without adding another layer of complexity of overlay routing protocols.

● Consolidates advanced networking technologies such as quality of service, load balancing
and application security in a single, powerful appliance, reducing infrastructure sprawl and
operational complexity.

Simplify WAN deployment at scale

With a cloud controller, Prisma SD-WAN provides fully automated and intuitive workflows that
simplify configuration, provisioning and management, allowing organizations to:

● Deploy new or replace existing WAN edge appliances in minutes with zero-touch.
● Automate redundant, secure overlays between sites that support load balancing and rapid
failover to deliver improved application performance and meet service level agreement
(SLA) objectives.
● Automate provisioning and operations across thousands of sites, leveraging
industry-standard devops via the robust API model.
● Simplify and further automate multi-cloud connectivity without service disruptions using
CloudBlades’ API-based architecture, eliminating data center backhaul for cloud application
delivery.

Speed up troubleshooting with improved network availability, machine learning and AIOps
Prisma SD-WAN offers deep application visibility and flexible deployment models that customers
can take advantage of to enable:

● High availability at the device, interface and WAN carrier levels, ensuring seamless failover to
remediate network, port and provider blackouts.
● Identification of network anomalies, event correlation, and root cause analysis.
● Seamless integration with third-party operational tools such as ServiceNow (which
automates support tickets and reduces IT staff efforts to track and resolve issues).

3.3.5 References
● Network delivery performance (Prisma SD-WAN),
https://docs.paloaltonetworks.com/prisma/prisma-sd-wan/prisma-sd-wan-admin/get-started-with-prisma-sd-wan.html
https://www.paloaltonetworks.com/network-security
● CloudBlades,
https://docs.paloaltonetworks.com/prisma/prisma-sd-wan/deployment-and-integrations/3-0-1/prisma-access-cloudblade-integration-guide/prisma-sd-wan-and-prisma-access-for-networks-cloud-managed-integration.html

3.4 Demonstrate understanding of software as a service (SaaS) security architecture

3.4.1 Explain how Palo Alto Networks SaaS Inline Security and App-ID cloud engine (ACE) are key
components in any SASE architecture

SaaS Inline Security

SaaS Inline Security is a security service that offers advanced risk scoring, analytics, reporting and
security policy rule authoring so that your organization has the SaaS visibility and security controls
to prevent data security risks of unsanctioned SaaS app usage on your network.
SaaS Inline Security natively integrates with your NGFW, Panorama-managed Prisma Access, and
cloud managed Prisma Access to provide granular SaaS application visibility and control of
unsanctioned SaaS apps through advanced analytics, reporting, visualization, categorizations and
security policy authoring so that you can minimize data security risks to your organization.
Employees inadvertently use SaaS apps that violate compliance agreements or that carry risks that
exceed your organization’s tolerance, but SaaS Inline Security discovers such risks so that you can
understand them and take action.

SaaS Inline Security provides easy deployment and inline policy enforcement. SaaS Inline Security
leverages ACE (App-ID cloud engine) technology and SaaS policy rule recommendations to provide
greater and faster SaaS app discovery and a seamless SaaS security workflow between your
organization’s administrators for improved security posture.

SaaS Inline Security provides:

● Shadow IT discovery: Using ACE (App-ID cloud engine) technology, shadow IT discovery
automatically finds new SaaS apps to keep pace with new and emerging SaaS apps, identifying
approximately 15,000 SaaS apps using machine-learning algorithms to achieve a high level of
accuracy and speed.

● Shadow IT control: Enables you to author SaaS policy rule recommendations based on a
combination of applications, users and groups, categories, activities, device posture
(personal vs. corporate) and Enterprise DLP data profiles, as well as collaborate with your
firewall administrator on SaaS security policy rules to control intentional and unintentional
risky SaaS apps and user activity, allowing access to corporate SaaS apps only for the
legitimate users.

● Shadow IT visibility and reporting: Delivers an up-to-date combined view of both
unsanctioned and sanctioned SaaS application usage across categories and subcategories,
including content marketing, collaboration and productivity, and ERP.

● Risk assessment: Exposes risky SaaS applications being used in your application ecosystem.
The risk score is between one (low risk) and 10 (high risk) and is based on over 32 compliance
attributes, including COPPA, CJIS and GDPR; vendor attributes, including founded, app
domains and employee count, as well as SaaS Security inline report with visibility data
aggregated across all SaaS apps; and risk score customizing tools that allow you to
manually change risk score for individual SaaS applications without changing the
underlying calculation method, or adjust the weights for the underlying attributes and allow
SaaS security inline to recalculate and apply the risk score automatically.

● Risk categorization: Identifies safer alternatives to risky SaaS applications with advanced
filters with drill-down views for granularity to locate the SaaS app that meets your
organization’s risk tolerance; NPS score metric to assess customer satisfaction with SaaS
applications; and tagging, both custom and default, to differentiate sanctioned SaaS apps
from unsanctioned SaaS apps that are being used by employees in your organization for
efficient monitoring and policy enforcement.

SaaS Inline Security includes SaaS visibility and advanced analytics to help you understand
cloud-based threats and provides SaaS policy rule recommendation authoring to protect against
those threats by blocking traffic for unsanctioned SaaS apps and risky user activity.

SaaS Inline Security offers the following capabilities:

● SaaS visibility
● SaaS policy rule recommendation authoring with policy synchronization
● ACE (App-ID cloud engine)

App-ID Cloud Engine (ACE)

App-ID cloud engine (ACE) is a service that enables the downloading of App-IDs for unknown SaaS
applications from the cloud. ACE converts unknown applications to known applications, vastly
increases the number of known App-IDs, speeds up the availability and delivery of new App-IDs,
and dramatically increases visibility into applications that previously did not have specific App-IDs.
App-IDs make it possible to take action on the SaaS Apps you define in your SaaS policy rule
recommendations.

The rapid proliferation of SaaS applications makes it difficult to assign all of them specific App-IDs,
gain visibility into those applications, and control them. Security policy rules that allow ssl,
web-browsing or “any” application may allow unsanctioned SaaS applications that can introduce
security risks to your network. To gain visibility into those applications and control them, SaaS
Security administrators can recommend Security policy rules for specific SaaS apps, as identified by
SaaS App-IDs provided by the App-ID cloud engine (ACE), to administrators who have the authority
to import and commit them to security policy.

Security policy rules detect and take action on specific application traffic on your network. SaaS
policy rule recommendations are based on a combination of applications, users and groups,
categories, activities, device posture, and data profiles. For example, you might create a policy rule
recommendation that blocks all HR and finance employees from uploading assets to risky file
sharing applications such as 4Shared and WeTransfer.

After you define these parameters and set the rule action, you then submit the rule for review. The
administrator with the authority to commit the rule evaluates the recommended rule and decides
whether or not to implement it. If that administrator chooses to implement the rule, the
administrator imports it and selects where to place the policy rule in the rulebase, creating all the
required HIP profiles, tags and application groups automatically.

The administrator with the authority to commit the rules is the same administrator who maintains
the rulebase. If you update a policy rule recommendation, that recommendation needs to be
reimported. If you delete a SaaS policy rule recommendation, the recommendation needs to be
deleted from the security policy rulebase.

3.4.2 Define Palo Alto Networks SaaS API Security architecture in a SASE solution

SaaS API Security (formerly Prisma SaaS) is a security solution that connects to your sanctioned
SaaS applications using each SaaS application’s API. This API integration enables the service to
discover and scan all assets retroactively when you first connect the SaaS application. SaaS API
Security scans and analyzes all your assets and applies policy to identify exposures, external
collaborators, risky user behavior and sensitive documents. It also identifies the potential risks
associated with each asset.

SaaS API Security also performs deep content inspection and protects both your historical assets
and new assets from malware, data exposure and data exfiltration. As SaaS API Security identifies
incidents, you can assess them and define automated actions to eliminate or close the incident.
After the initial scan of your historical assets, SaaS API Security continuously monitors each SaaS
application and applies policy against new or modified assets for ongoing incident assessment and
protection.

As you transition your sanctioned IT applications into the cloud, you increase the risk of
compromising sensitive data and propagating malware. SaaS API Security analyzes the data in your
sanctioned software-as-a-service (SaaS) applications and performs policy-driven analysis so you can
proactively detect issues and remediate them.

SaaS API Security is a cloud-based service you can connect directly to your sanctioned SaaS
applications using the cloud app’s API. It will then provide data classification, sharing/permission
visibility and threat detection within the application. It provides complete insight into all user, folder
and file activity to help you determine if you are at risk for any data exposure or compliance-related
policy violations.

SaaS API Security protects against cloud-based threats by scanning and analyzing all your assets
and applying security policy to identify exposures, external collaborators, risky user behavior and
sensitive documents and also identifying the potential risks associated with each asset.

The following workflow is designed to facilitate effective SaaS policy. Follow the tasks below in the
order that they are listed.

● Activate SaaS API Security.
● Configure basic settings on SaaS security, including language and time zone, if you haven’t
already.
● Set up SaaS API Security.
● Identify your sanctioned SaaS apps, then add them to SaaS API Security.
● Create SaaS policy.
● Monitor the results, then fine-tune your SaaS policy as needed.

To provide visibility into the security challenges with data classification and governance, security
gaps owing to non-compliance, sharing/permission violations and malware propagation within the
sanctioned cloud applications on your network, SaaS API Security focuses on the following key
areas:

● Content security: The content you store in each cloud application is an asset. SaaS API
Security provides visibility into your asset inventory to help you uncover accidental or
malicious data exposure. SaaS API Security discovers the assets residing in the cloud
application, assesses the shared or exposed data within and outside your organization, and
identifies the impact or risk to intellectual property and regulatory non-compliance. In
addition to creating an incident and alerting the administrator, the service provides
auto-remediation capabilities, including the option to quarantine, change sharing or notify
the owner.

● User activity monitoring: SaaS API Security uses a combination of tools, including machine
learning, predefined and user-defined data patterns, security configuration controls, and
access to event logs auditing user access and activity on each cloud application. With these
tools, it builds context on sensitive data within your environment, identifies thresholds for
expected and unexpected behavior, and uses this intelligence to log a violation or alert you to
risky user behavior and possible data leaks from accidental or malicious user activity.

● Security configuration controls: SaaS API Security provides policies allowing you to
manage and restrict privileged user activity, email forwarding, and retention rules, and
protects you from misconfigurations such as lack of storage volume encryption, lack of
enforcement for securing keys, credentials, and multi-factor authentication. When any of
these security issues occur, you can configure the service to generate an alert or log it as a
policy violation.

● Third-Party App Integrations: Threats from third-party apps are serious because these apps
have access to all or a large part of the data in the related cloud app. Protect your users and
network from misconfigurations and known and unknown malware arising from these app
integrations with a service that gives you the ability to approve, block or restrict third-party
app installation.

SaaS API Security complements SaaS Inline Security capabilities to provide an integrated CASB
(cloud access security broker) solution.

3.4.3 Explain how SaaS Security integrates with the rest of the SASE architecture

Security teams like yours are challenged with protecting the growing availability of sanctioned and
unsanctioned SaaS applications and maintaining compliance consistently in the cloud while
stopping threats to sensitive information, users and resources.

SaaS Security is an integrated CASB (cloud access security broker) solution that:

● Provides visibility and control over all your shadow IT risks.
● Secures SaaS applications from known and unknown cloud threats.
● Protects sensitive data and ensures compliance across all SaaS applications.
● Allows access to corporate apps only for legitimate users.

Use SaaS Inline Security to discover and manage risks posed by unsanctioned SaaS apps while you
rely on SaaS API Security to scan assets in the cloud space for at-rest detection, inspection and
remediation across all user, folder and file activity within sanctioned SaaS applications.

With SaaS security — both SaaS Inline Security and SaaS API Security (formerly Prisma SaaS)
combined — you have an integrated CASB solution that offers better security outcomes without the
complexity of third-party integrations and the overhead and cost of managing the large number of
vendors that legacy CASBs require.

3.4.4 References
● SaaS security,
https://docs.paloaltonetworks.com/saas-security/saas-security-admin/saas-security-api/get-started-with-saas-security-api/whats-saas-security-api.html

3.5 Identify appropriate methods for sizing and licensing a Palo Alto Networks SASE solution

3.5.1 Identify appropriate methods for sizing and licensing a Palo Alto Networks SASE solution for
mobile users

Prisma Access uses these enforcement policies for mobile user licenses:

● Though there is no strict policing of the mobile user count, the service does track the
number of unique users over the last 90 days to ensure that you have purchased the proper
license tier for your user base, and stricter policing of user count may be enforced if
continued overages occur.

● In addition, if you use Prisma Access for users, the GlobalProtect app is required on each
supported device. The GlobalProtect app is not required for mobile users who connect through
an Explicit Proxy deployment.

Use the following information when you license and assign mobile user units to your Explicit Proxy
deployment:

● Prisma Access Explicit Proxy requires that you have a Prisma Access license for mobile users.

● You can use mobile user units for either Prisma Access Explicit Proxy or Prisma Access
GlobalProtect deployments.
o If your deployment is Explicit Proxy only, then allocate all the mobile user units to
Explicit Proxy. Similarly, if your deployment is completely GlobalProtect, then allocate
all the mobile user units to GlobalProtect. You must allocate a minimum of 200 units
per deployment type.
o If your deployment requires some users to connect using Explicit Proxy and others
using GlobalProtect, split the mobile user units between Explicit Proxy and
GlobalProtect. You can change the number of units allocated to Explicit Proxy and
GlobalProtect at any time, giving you the flexibility to transition from Explicit Proxy
to GlobalProtect whenever you choose.
o If you want to use both GlobalProtect and Explicit Proxy for the same user, you must
allocate one unit each for Explicit Proxy and GlobalProtect.

If you want to add an explicit proxy to an existing mobile users deployment, you can divide your
mobile users license between the users you want to secure with GlobalProtect and the users you
want to secure with an explicit proxy. Explicit proxy uses your existing Mobile User license. Whether
you have a new deployment or if you upgrade, you can divide your mobile user license between
GlobalProtect and Explicit Proxy connections.
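Sizing the mobile user license along the lines described above, as an added example that is not part of the study guide or of Palo Alto Networks’ own tooling: it counts unique usernames over the trailing 90-day window the service uses to track consumption, then derives the unit split between GlobalProtect and Explicit Proxy under the 200-unit-per-type minimum and the one-unit-each rule for users who connect both ways. The login records, the `gp`/`ep` method labels and the function names are constructed for illustration.

```python
"""Prisma Access mobile-user license sizing (constructed example, not vendor code).

Encodes two rules stated in the study guide:
  * consumption is measured as unique usernames seen logging in over the
    trailing 90 days;
  * mobile user units are split between GlobalProtect (GP) and Explicit
    Proxy (EP), each deployment type in use needs at least 200 units, and a
    user who connects both ways consumes one unit of each.
"""
from datetime import datetime, timedelta

MIN_UNITS_PER_TYPE = 200   # minimum allocation per deployment type in use
WINDOW_DAYS = 90           # trailing window used for license consumption


def unique_users(logins, now, window_days=WINDOW_DAYS):
    """Map each username with a login inside the window to the set of
    connection methods ("gp" or "ep") it used. Logins older than the window
    are ignored, so stale accounts do not consume units."""
    cutoff = now - timedelta(days=window_days)
    seen = {}
    for user, when, method in logins:
        if cutoff <= when <= now:
            seen.setdefault(user, set()).add(method)
    return seen


def required_units(users_by_method):
    """Units each deployment type needs for the observed user base.
    A GP-only user needs one GP unit, an EP-only user one EP unit, and a
    user seen on both needs one of each; any type in use is raised to the
    200-unit minimum."""
    gp = sum(1 for methods in users_by_method.values() if "gp" in methods)
    ep = sum(1 for methods in users_by_method.values() if "ep" in methods)
    gp = max(gp, MIN_UNITS_PER_TYPE) if gp else 0
    ep = max(ep, MIN_UNITS_PER_TYPE) if ep else 0
    return {"globalprotect": gp, "explicit_proxy": ep, "total": gp + ep}


def check_allocation(licensed_units, gp_units, ep_units, needed):
    """Validate a proposed split of the licensed units against the
    requirement from required_units(); returns a list of problems
    (empty when the allocation is valid)."""
    problems = []
    if gp_units + ep_units > licensed_units:
        problems.append("allocation exceeds licensed units")
    for name, alloc in (("globalprotect", gp_units), ("explicit_proxy", ep_units)):
        if alloc and alloc < MIN_UNITS_PER_TYPE:
            problems.append(f"{name} below {MIN_UNITS_PER_TYPE}-unit minimum")
        if alloc < needed[name]:
            problems.append(f"{name} short by {needed[name] - alloc} units")
    return problems


NOW = datetime(2024, 6, 30)  # constructed "current" time for the sample


def sample_logins():
    """Constructed login records (not real data): 250 GP-only users,
    30 EP-only users, 10 users who use both, and 40 stale users whose last
    login is 120 days old and therefore must not count."""
    recent = NOW - timedelta(days=10)
    stale = NOW - timedelta(days=120)
    logins = [(f"gp{i}", recent, "gp") for i in range(250)]
    logins += [(f"ep{i}", recent, "ep") for i in range(30)]
    logins += [(f"both{i}", recent, "gp") for i in range(10)]
    logins += [(f"both{i}", recent - timedelta(days=1), "ep") for i in range(10)]
    logins += [(f"old{i}", stale, "gp") for i in range(40)]
    return logins


def size_sample(licensed_units=500, gp_units=260, ep_units=200):
    """Run the sizing over the constructed records and check one proposed
    split; returns (unique user count, required units, problems)."""
    users = unique_users(sample_logins(), NOW)
    needed = required_units(users)
    return len(users), needed, check_allocation(licensed_units, gp_units, ep_units, needed)


if __name__ == "__main__":
    count, needed, problems = size_sample()
    print(f"unique users in last {WINDOW_DAYS} days: {count}")
    print("required units:", needed)
    print("allocation problems:", problems or "none")
```

The 40 stale accounts drop out of the count, and the 40 Explicit Proxy users are still charged the 200-unit minimum because that deployment type is in use.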

3.5.2 Identify appropriate methods for sizing and licensing a Palo Alto Networks SASE solution
for networks

Prisma Access provides a flexible licensing scheme so that you can purchase just what you need to
secure your remote networks and mobile users. The instructions here are for activating Prisma
Access licenses if you’re using the Prisma Access app as your management interface. If you are
planning to use Panorama to manage Prisma Access, follow the instructions for licensing Panorama
Managed Prisma Access.

Prisma Access Licenses

Prisma Access offers a licensing model that allows you to implement and use the capabilities of
Prisma Access aligned to your business needs in a way that delivers the fastest return on
investment. Whether your applications are migrating to the cloud, your users are working from
anywhere, or if you are looking to gain operational efficiencies, Prisma Access offers the relevant
type of license for your deployment.
You can choose from the following license editions:

● Business
● Business Premium
● Zero Trust Network Access (ZTNA) Secure Internet Gateway (SIG)
● Enterprise

ZTNA SIG is available for Prisma Access for Mobile Users only; you can use all other editions with
Mobile Users, Remote Networks, or both mobile users and remote networks.
All license editions are available for Local and Worldwide Prisma Access locations. When you
purchase a license with Worldwide locations, you can deploy Prisma Access in all Prisma Access
locations. When you purchase a license with Local locations, you can select up to 5 Prisma Access
locations.

Other Licenses to Use With Prisma Access

Cloud services that you want to integrate with Prisma Access must be deployed in the same region
as Prisma Access. You can integrate these cloud services with Prisma Access when you first activate
Cloud Managed Prisma Access, or anytime afterward.

● Cortex Data Lake (Required)—Prisma Access logs are stored in Cortex Data Lake, and so
Prisma Access requires you to also have a Cortex Data Lake license. It’s a good idea to
activate Cortex Data Lake before you begin activating Prisma Access. If you try to activate
Prisma Access without first activating Cortex Data Lake, Prisma Access will guide you to
activate Cortex Data Lake before allowing you to continue Prisma Access activation. Your
Cortex Data Lake instance and Prisma Access instance must be deployed in the same
region.

● Cloud Identity Engine (Directory Sync)—Cloud Identity Engine gives Prisma Access
read-only access to your Active Directory information, so that you can easily set up and
manage security and decryption policies for users and groups. Cloud Identity Engine is free
and does not require a license to get started.

● SaaS Security API—Integrate SaaS Security API with Prisma Access for Clientless VPN and
authentication support.

Prisma Access protects all app traffic with the industry’s most complete cloud-delivered security
platform to enable a secure hybrid workforce with an exceptional user experience. Customers have
the flexibility to choose Panorama™ network security management or Cloud Management to
administer Prisma Access deployments.

Licensing Model
Our licensing model allows you to consume the capabilities of Prisma Access aligned to your
business needs in the manner that delivers the fastest return on investment (ROI). Whether your
applications are migrating to the cloud, your users are working remotely, or you are looking to gain
operational efficiencies, you have the flexibility to purchase the capabilities your organization needs.
Both Panorama-managed and Cloud Management options for Prisma Access support this licensing
model. You can choose your Prisma Access edition based on your access needs and security goals.

3.5.3 Identify appropriate methods for sizing and licensing a Palo Alto Networks SASE solution
for SD-WAN

Prisma SD-WAN has a new bandwidth on-demand licensing structure that enables organizations
to purchase SD-WAN based on the amount of bandwidth they are utilizing. This type of
pay-as-you-go, subscription-based consumption model allows consumers to optimize costs and
easily allocate bandwidth where it is needed. The subscription works by having the customer
purchase bandwidth by the megabit per second. The customer then allocates the purchased
allotment from their pool across sites, so the consumer pays only for the bandwidth they are
using.

3.5.4 Identify appropriate methods for sizing and licensing a Palo Alto Networks SASE solution
for SaaS

● SaaS API Security all apps: The “all apps” license is a user-based license that grants one
user the right to use SaaS API Security to secure sanctioned SaaS applications. A license is
term-based at one or three years and has the capabilities to protect your sanctioned SaaS
apps by unlocking the features outlined below.

● Automatic discovery: SaaS Security DLP (classic) automatically scans cloud resources for
over 20 SaaS apps using predefined data patterns, classifies all documents using machine
learning, and checks the hash of all Microsoft Office documents, PDF and portable executable
files against WildFire rules without requiring you to create any policy rules.

● Monitoring: You can review user activity logs enabling you to monitor and investigate the
actions of your end users on the data and assets stored in your apps, including risky or
suspicious user or administrator behavior. You can track events, such as file and folder
downloads and uploads as well as failed login attempts, or you can learn how a user shared
or collaborated on assets hosted in your SaaS applications.

● Advanced data classification: When you configure data classification labels for the files in
your third-party apps, you can control data sharing and prevent data exfiltration.

● Policy enforcement: Policy enables you to monitor and enforce responsible use of assets
and protect them from malware, malware propagation and data leaks.

● Malware detection: WildFire detects and protects against malware propagation by scanning
files using WildFire analysis and by matching known threats based on file hash (a unique
fingerprint of a file produced by running the file through a cryptographic hash function).

● Machine learning: SaaS Security DLP (classic) uses supervised machine learning algorithms
to sort sensitive documents into “financial,” “legal” and “healthcare” categories for document
classification to guard against exposures, data loss and data exfiltration. To improve
detection rates for the sensitive data in your organization, you can define the machine
learning data pattern match criteria to identify the sensitive information in your cloud apps
and protect them from exposure.

● SaaS API Security support: SaaS API Security licenses include a premium support
entitlement. No activation required.

● SaaS Inline Security: The SaaS Security solution works with Cortex Data Lake to discover all
the SaaS applications that are being used on your network. SaaS Inline Security discovers up
to thousands of shadow IT applications, along with their users and usage details. SaaS Inline
Security also enforces SaaS policy rule recommendations seamlessly across your existing
Palo Alto Networks firewalls.

● Public Cloud Storage: This volume-based license helps you gain bucket and blob visibility
and control for your AWS, Azure and Google Cloud Storage (GCP) and is term-based at one
or three years. You can identify and remove public buckets and blobs from inadvertent
exposure or use, prevent the propagation of malware and data exfiltration with advanced
machine learning and DLP, and view an audit trail for stored buckets and blobs to detect
anomalies.

● Enterprise DLP: This add-on provides greater protection against data loss. With SaaS
Security and the Enterprise DLP add-on, you have the complete set of DLP capabilities —
exclusive access to data patterns and data profiles that are not included with SaaS Security
DLP (classic).

3.5.5 References

● Licensing for network,
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-overview/prisma-access-licensing
● Licensing for SD-WAN,
https://www.paloaltonetworks.com/sase/sd-wan
● Licensing for SaaS,
https://docs.paloaltonetworks.com/saas-security/saas-security-admin/saas-security/license-types

3.6 Sample Questions

1. Which are two core components for delivering the Secure Access Service Edge (SASE)?
a. Prisma Access
b. Prisma SD-WAN
c. PAN-OS
d. Cortex

2. How many steps are in the methodology to implement a zero trust strategy?
a. Six-step methodology
b. Five-step methodology
c. Four-step methodology
d. Three-step methodology

3. Which of the following offers an integrated CASB solution?
a. Service Connection Security
b. DLP Security
c. SaaS Security Inline
d. IoT Security

4. What is Advanced URL Filtering?
a. A way to control web access and user interactions with online content
b. A threat intelligence service for dynamic security policy updates
c. Application-based URL inventories to account for non-HTTP sites
d. A collection of pinned certificate inventories to aid decryption

5. What enables both automation and integration?
a. ION Devices
b. VPN
c. API
d. URL

6. What connects remote networks to Prisma Access via an industry-standard IPSec VPN?
a. Rest API
b. CloudBlades
c. Wide area networks (WANs)
d. Application fabric (AppFabric)

7. Which feature is not provided by SaaS Inline Security?
a. Shadow IT control
b. Shadow IT discovery
c. Shadow IT visibility and reporting
d. Security configuration controls

8. Which of the following provides protection for cloud-based assets by providing at-rest
detection?
a. SaaS Security
b. SaaS API Security
c. SaaS Inline Security
d. App-ID cloud engine

9. What is the advantage of the new SD-WAN licensing model?
a. Consumers effectively get 4 days of bandwidth free every month.
b. Hardware costs are eliminated, resulting in reduced infrastructure costs.
c. Prisma Access licensing and Threat Prevention is rolled into the subscription for a
heavily discounted security package.
d. Consumers pay for bandwidth consumed, resulting in lower costs since unused
bandwidth costs nothing.

10. Which of the following is required to use Prisma Access for users?
a. GlobalProtect on the end-points
b. Cloud managed Prisma Access
c. Panorama managed Prisma Access
d. Explicit Proxy

Domain 4: Demonstration and Evaluation
4.1 Demonstrate use cases for mobile users and remote networks

4.1.1 Demonstrate use cases for mobile users

Securing mobile users from threats is often a complex mix of security and IT infrastructure
procurement and setup, bandwidth and uptime requirements in multiple locations throughout the
world, while staying within budget. With Prisma Access for users, the entire infrastructure is
deployed for you and scales based on the number of active users and their locations. For more
information about mobile users in cloud-managed Prisma Access, see Mobile Users in Prisma
Access (Cloud Management).

Use the Prisma Access > Insights > Mobile Users tab to view data related to your mobile users using
GlobalProtect, explicit proxy or both, such as Mobile Users Open Alerts, Prisma Access Location
Status, and user Login Count of Mobile Users. The data displayed throughout the Mobile Users tab
is based on the Time Range you select with the exception of the Mobile User License Consumption
widget, which always displays data based on the number of unique users logged in the last 90 days
relative to all licensed users. A unique user is a user with a unique username who has logged in to
Prisma Access at least once in a given period specified by Time Range.

4.1.2 Demonstrate use cases for remote networks

When building a remote-access solution with GlobalProtect, a firewall appliance is deployed with a
GlobalProtect subscription and depending on the volume and location of users, additional
GlobalProtect instances are deployed. Mobile users connecting to the Gateway are protected by the
corporate security policy and are granted secure access to network resources. Additional
components of a hardware-based GlobalProtect deployment may include co-location facilities and
associated services if a suitable company facility is unavailable. A hardware-based approach to a
GlobalProtect infrastructure is a common deployment option; you can now use the globally
available AWS infrastructure to eliminate some of the hardware-based dependencies and simplify
your GlobalProtect deployment. An added benefit to deploying the VM-Series with GlobalProtect in
AWS is that now you can leverage some of the scalability and automation features to build a
solution that can dynamically scale to better support any planned or unplanned traffic spikes.

4.1.3 Describe a secure web gateway (SWG)

A secure web gateway (SWG) protects users from web-based threats in addition to applying and
enforcing corporate acceptable use policies. Instead of connecting directly to a website, a user
accesses the SWG, which is then responsible for connecting the user to the desired website and
performing functions such as URL filtering, web visibility, malicious content inspection, web access
controls and other security measures.

SWGs enable companies to:

● Block access to inappropriate websites or content based on acceptable use policies
● Enforce their security policies to make internet access safer
● Help protect data against unauthorized transfer

Why Companies Need a Secure Web Gateway

As enterprises and their mobile workforces grow, it becomes increasingly difficult to protect mobile
users from threats. This is because organizations have a variety of applications, some located at
headquarters and some in the cloud.

Applications at headquarters are accessed through a remote access VPN. When users access cloud
applications, they are disconnected from the VPN and exposed to risk. This is why organizations use
SWGs: to provide secure internet access when users are disconnected from the VPN.

SASE: A More Advanced and Comprehensive Cloud-Delivered Security Solution

One of the challenges of deploying SWG functionality is that it is typically set up as a stand-alone
environment without coordinating workflows, reporting or logging with other security
infrastructure in the organization. This can lead to increased complexity over time as organizations
often have multiple security point products that make their security operations less efficient and
effective.

More recently, a new approach for security infrastructure emerged. As described by the research
and advisory firm Gartner, a secure access service edge (SASE) combines networking and network
security services into a single, cloud-delivered solution. This allows companies to deliver multiple
types of security services from the cloud, such as SWG, advanced threat prevention, firewall as a
service (FWaaS), domain name system (DNS) security, cloud access security brokers (CASB), data
loss prevention (DLP) and others. This way, companies are able to control web access; provide users
with secure connectivity; and protect all their traffic, users and applications from hostile websites
and content, all from one cloud-based platform.

A SASE solution that provides SWG can offer protection in the cloud through a unified platform for
complete visibility and precise control over web access while enforcing security policies that protect
users from hostile websites.

Benefits of Using a SASE Solution

SASE offerings provide multiple advantages for enterprises, such as:

● Protection from advanced security threats, data loss and data theft
● Greatly reduced cost of deploying security at scale
● Streamlined network management
● Complete visibility and precise control over their entire network

4.1.4 Explain how App-ID and User-ID are used to create policy

App-ID
App-ID™ is a patent-pending traffic classification technology that identifies applications traversing
the network, irrespective of port, protocol, evasive characteristic or encryption (SSL or SSH).

PSE SASE Professional by Palo Alto Networks 53


App-ID uses as many as four identification techniques to determine the exact identity of
applications traversing the network — again, irrespective of port, protocol, evasive tactic or SSL
encryption. Identifying the application is the very first task performed by App-ID, providing
administrators with the greatest amount of application knowledge and the most flexibility in terms
of safe application enablement. As the foundational element of the Palo Alto Networks next-generation firewall,
App-ID provides visibility and control over work-related and non-work-related applications that can
evade detection by masquerading as legitimate traffic, hopping ports or sneaking through the
firewall using encryption (SSL and SSH). In the past, unapproved or non-work-related applications
on the corporate network were summarily removed or blocked. However, in today’s business
environment, the response options are not nearly as clear because many of the same applications
are helping employees get their jobs done. App-ID enables administrators to see the applications
on the network, learn how they work, what their behavioral characteristics are, and their relative
risk. When used in conjunction with User-ID, administrators can see exactly who is using the
application based on their identity, not just an IP address. Armed with this information,
administrators can use positive security model rules to block unknown applications, while enabling,
inspecting and shaping those that are allowed.

User-ID
User-ID™ enables you to identify all users on your network using a variety of techniques to ensure
that you can identify users in all locations using a variety of access methods and operating systems,
including Microsoft Windows, Apple iOS, Mac OS, Android and Linux®/UNIX. Knowing who your
users are instead of just their IP addresses enables the following:

● Visibility: Improved visibility into application usage based on users gives you a more
relevant picture of network activity. The power of User-ID becomes evident when you notice
a strange or unfamiliar application on your network. Using either ACC or the log viewer, your
security team can discern what the application is, who the user is, the bandwidth and
session consumption, along with the source and destination of the application traffic, as well
as any associated threats.

● Policy control: Tying user information to security policy rules improves safe enablement of
applications traversing the network and ensures that only those users who have a business
need for an application have access. For example, some applications, such as SaaS
applications that enable access to Human Resources services (such as Workday or Service
Now) must be available to any known user on your network. However, for more sensitive
applications you can reduce your attack surface by ensuring that only users who need these
applications can access them. For example, while IT support personnel may legitimately
need access to remote desktop applications, the majority of your users do not.

● Logging, reporting, forensics: If a security incident occurs, forensics analysis and reporting
based on user information rather than just IP addresses provides a more complete picture of
the incident. For example, you can use the pre-defined “user/group activity” report to see a
summary of the web activity of individual users or user groups, or the SaaS application
usage report to see which users are transferring the most data over unsanctioned SaaS
applications.

To enforce user- and group-based policies, the firewall must be able to map the IP addresses to
usernames in the packets it receives. User-ID provides many mechanisms to collect this user
mapping information. For example, the User-ID agent monitors server logs for login events and
listens for syslog messages from authenticating services. To identify mappings for IP addresses that
the agent did not map, you can configure the authentication policy to redirect HTTP requests to a
“captive portal” login. You can tailor the user mapping mechanisms to suit your environment, and
even use different mechanisms at different sites to ensure that you are safely enabling access to
applications for all users, in all locations, all the time.

User-ID technology has four main components. The table lists each component’s name and
primary characteristics.

Component                          Characteristics
Palo Alto Networks firewall        ● Maps IP addresses to usernames
                                   ● Maps usernames to group names
PAN-OS integrated User-ID agent    ● Runs on the firewall
                                   ● Collects IP address-to-username information
Windows-based User-ID agent        ● Runs on a domain member
                                   ● Collects IP address-to-username information
                                   ● Sends information to the firewall
Palo Alto Networks Terminal        ● Runs on Windows terminal servers (or Citrix hosts), where
Services agent                       many users share one IP address
                                   ● Allocates a source port range to each user session so the
                                     firewall can map ports, not just IP addresses, to usernames

The User-ID agent comes in two forms: an integrated agent resident on the firewall and a Windows
based agent. These are detailed as follows:

● The PAN-OS integrated agent is included with PAN-OS software.
● The Windows-based agent is available for download from Palo Alto Networks and can be
installed on one or more Windows systems.
● A firewall can communicate with both agent types at the same time.
● Both agent types monitor up to 100 domain controllers or Exchange servers.
● Both agent types can monitor users and domain controllers only from a single Active
Directory (AD) domain.
● The integrated agent is designed for small and midsize deployments such as small remote
offices or lab environments.
● Multiple Windows-based agents can be deployed to handle larger environments or
multi-forest domains.

To enable user- and group-based policy enforcement, the firewall requires a list of all available users
and their corresponding group memberships so that you can select groups when defining your
policy rules. The firewall collects group mapping information by connecting directly to your LDAP
directory server or by using XML API integration with your directory server. The user identity, as
opposed to an IP address, is an integral component of an effective security infrastructure. Knowing
who is using each of the applications on your network and who may have transmitted a threat or is
transferring files can strengthen your security policy and reduce incident response times. User-ID
enables you to leverage user information stored in a wide range of repositories for visibility, user-
and group-based policy control, and improved logging, reporting and forensics, as follows:

● Enable User-ID on the source zones that contain the users who will send requests that
require user-based access controls.
Enable User-ID on trusted zones only. If you enable User-ID and client probing on an
external untrusted zone (such as the internet), probes could be sent outside your protected
network, resulting in an information disclosure of the User-ID agent service account name,
domain name, and encrypted password hash, which could allow an attacker to gain
unauthorized access to protected services and applications.

● Create a dedicated service account for the User-ID agent.
This is required if you plan to use the Windows-based User-ID agent or the PAN-OS
integrated User-ID agent to monitor domain controllers, Microsoft Exchange servers, or
Windows clients for user login and logout events.

● Map users to groups.
This enables the firewall to connect to your LDAP directory and retrieve group mapping
information so that you will be able to select usernames and group names when creating
policy.

● Map IP addresses to users.
How you do this depends on where your users are located, which types of systems they
are using, and which systems on your network are collecting login and logout events for
your users. You must configure one or more User-ID agents to enable user mapping.

4.1.5 Explain how ADEM and device insights are applied

After you’ve surveyed the applications running on your network and determined which applications
you want to monitor, you can create an app test and decide whether to run the test only for mobile
users, only for remote sites, or for both. As you create app tests, keep in mind that although you
can target an app test at multiple users or remote sites, license consumption is counted per user
running the test (for example, if you create an app test for Slack and target it at 1000 users, this
counts against your license as 1000 tests). Each remote site has its own test capacity, determined
by the ION device deployed there.

In order to run synthetic tests — to SaaS applications or applications in your data center through
Prisma Access, Secure Fabric, via split tunneling, or direct access — you must have security policy
rules that allow the synthetic test traffic over ICMP, TCP, HTTPS, and optionally HTTP (depending on
how you configure your app tests).

To create an app test:

Step 1: From the Prisma Access app on the hub, select Autonomous DEM > Applications.

Step 2: Click “add new app test,” or click the “monitor app” link that corresponds to a specific
application in the application list.

Step 3: Name the new app test.

Step 4: You have the option to run application tests only for Mobile Users or only for remote sites or
for both.
● Mobile users: Define the source users that you want to run this app test. By default,
all licensed ADEM users are assigned to run the test. If you want to limit this app test
to specific users, “add users” and then select the users you want to run the test.

● Remote networks: Select the remote sites. By default, all licensed remote sites are
selected; you can also choose to run the tests on all remote sites or only on particular
remote sites. Define Advanced Options as needed. By default, ADEM sets the network
test options and web test options based on the applications you selected; you can
customize these options if needed in your environment.

Step 5: Identify the application you want to test as the target. If you selected an application from
the applications list, the name is automatically populated. Otherwise, begin typing the application
name to see a list of applications from which to select. If you don’t see the application you want to
create a test for, you can create a custom application in your Prisma Access environment using
Panorama or the Cloud Management app. Once you have created the custom application and
successfully committed, you will see your app under the “applications” dropdown menu on
the “new app test” page in ADEM.

Step 6: Click “add/edit target” and add the domain URL or the IP address for the target and
click “save.” The test begins to run at this point.

Be sure to configure each test with one unique application for which you provide one domain
name.

Step 7: After you create the tests, you can view a summary of all the tests created in
the Applications > Application test tab.

The tests get a priority assigned to them in the order that they were created. For example, the first
test you create gets a priority order one. The next test created is assigned priority order two and so
on with subsequent tests. The tests are pushed to the mobile users and remote sites according to
the priority they are assigned. If the remote site devices have available capacity for the test, the test
will be enabled. Otherwise, the remote site gets moved to the “excluded remote sites” column for
the test.

Even though the tests are assigned to both mobile users and remote sites, the priority in which the
tests are pushed matters particularly for remote sites, because each device in a remote site can run
a different number of tests depending on the device size. For example, Test A is given a priority of
eight and is attached to multiple remote sites, all of which can run Test A. If one of those sites has
already reached its limit on how many tests it can run, Test A is not pushed to that remote site;
instead, the site is moved to the “excluded remote sites” column for the test. If you must run
Test A there, you can move it from priority eight to a higher position in the table. To move Test A
to the top of the list, click the dots to the left of its check box, then drag it to the top of the
list. Alternatively, select its check box and click the up arrow at the bottom of the page. The
priority change becomes visible only after you click “save.” Test A is then assigned a higher
priority and pushed to that remote site before the tests that follow it in the table. As a
consequence, the site that has exhausted its test capacity is now excluded from some other,
lower-priority test that would otherwise have been pushed to it.

For a list of devices and the maximum number of tests they are capable of running, refer to the
table in “get started” for remote networks.

Select the check box to the left of the test to delete, enable, or disable a test. Once you disable a
test, it will not be executed until it is enabled again.

The next time the selected users and remote sites connect to Prisma Access they will receive the
new app test settings and begin running the tests. After the app tests start running, the ADEM
service collects sample data from all assigned users every five minutes.
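The priority and capacity behaviour described above, as an added illustrative model rather than ADEM code: tests are walked in priority order, each remote site accepts tests until its device capacity is exhausted, later tests for that site land in the “excluded remote sites” column, and moving a test up the table changes which test gets excluded. The per-site capacities, site names and test names are constructed; the real per-device limits are the ones in the ADEM “get started” table for remote networks. The license-count helper models the per-user counting described at the start of this section.

```python
"""Model of ADEM app-test push by priority against per-site device capacity.
Added illustrative example, not ADEM code; capacities, site and test names are constructed."""
from collections import defaultdict


def license_usage(targets):
    """targets: {test_name: users targeted}. Each user running a test counts as one test."""
    return sum(targets.values())


def push_tests(tests, site_capacity):
    """tests: list of (test_name, [remote_sites]) in priority order (index 0 = priority 1).
    Returns (enabled, excluded): site -> tests enabled there, test -> sites with no capacity."""
    used = defaultdict(int)
    enabled = defaultdict(list)
    excluded = defaultdict(list)
    for name, sites in tests:
        for site in sites:
            if used[site] < site_capacity[site]:
                used[site] += 1
                enabled[site].append(name)
            else:
                excluded[name].append(site)   # "excluded remote sites" column for this test
    return dict(enabled), dict(excluded)


def reprioritize(tests, name, new_index):
    """Move one test to position new_index (0 = top), as dragging it in the table does."""
    moved = next(t for t in tests if t[0] == name)
    rest = [t for t in tests if t[0] != name]
    rest.insert(new_index, moved)
    return rest


if __name__ == "__main__":
    capacity = {"branch-a": 2, "branch-b": 3}            # constructed per-site limits
    tests = [("slack", ["branch-a", "branch-b"]),
             ("workday", ["branch-a", "branch-b"]),
             ("zoom", ["branch-a", "branch-b"])]
    print(push_tests(tests, capacity))                    # zoom excluded at branch-a
    print(push_tests(reprioritize(tests, "zoom", 0), capacity))  # now workday is excluded there
    print(license_usage({"slack": 1000, "zoom": 250}))    # 1250 licensed tests
```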

4.1.6 References

● Mobile User Dashboard,
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-insights/insights/mobile-users-dashboard
● Remote networks,
https://docs.paloaltonetworks.com/prisma/prisma-sd-wan/prisma-sd-wan-admin/prisma-sd-wan-sites-and-devices/use-external-services-for-monitoring/configure-dns-on-prisma-sd-wan/prisma-sd-wan-dns-use-cases
● Building a scalable remote access environment in AWS,
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/building-scalable-globalprotect-deployment-full
● ADEM,
https://docs.paloaltonetworks.com/autonomous-dem/autonomous-dem-in-prisma-access/set-up-an-autonomous-dem-application-test.html

4.2 Demonstrate use cases for SD-WAN

4.2.1 Describe the value of the application-based metrics

The site summary dashboard provides an information-rich display of branch-related metrics. These
include new metrics such as network health as well as existing network, device and application
metrics.

The “site health overview” widget contains the “current best health score” and the “overall site
consumed bandwidth” metrics. Each of these has a time series view that is displayed upon clicking.

The “current best health score” metric is determined by the “secure fabric link” with the current
highest score. In the time series chart, the score is determined in any given time sample by the
healthiest “secure fabric link” at the selected site. This value will fluctuate as the health of the
underlying network connectivity changes.

The “overall site consumed bandwidth” metric displays current total bandwidth consumption, and
ingress and egress bandwidth consumption, as a raw value and as a percentage of the total
available. Upon clicking the tab, a time series chart appears illustrating the ingress and egress
consumed bandwidth relative to the total configured bandwidth at that particular site.

The “circuit connectivity and health” widget displays the name of the circuit, its physical
connectivity, its tunnel connectivity, tunnel health, a time-series graph indicating the
best-performing tunnel's health score over a period of time, and current consumed bandwidth
both in egress/ingress direction.

Clicking a circuit displays several other widgets, including circuit metrics, insights and secure fabric
connectivity and health.

The “circuit metrics” widget displays time-series graphs illustrating the health score of the best
performing tunnel and the circuit bandwidth utilization between the configured ingress/egress and
the actual ingress/egress over time.

Insights are determined by the system using a suite of machine learning algorithms. These insights
identify conditions such as:

● Excessive packet loss detected
● Excessive latency detected
● Bandwidth upgrade recommended
● Configured vs. consumed bandwidth mismatch detected
● Low circuit throughput detected

The “secure fabric connectivity and health” widget displays each of the branch to DC secure fabric
links along with their respective connectivity status, health chart, and associated current link
metrics: packet loss, jitter, latency and link MOS.

Upon clicking a link labeled “secure fabric,” a comprehensive view of link metrics is displayed in a
time series chart. The time range can be changed, as well as the selected secure fabric and the
direction.

The “circuit health” widget displays the list of tunnels with their name, connectivity details and
health score. It also displays the packet loss, jitter, latency and MOS for the ingress or egress
connections.

The “consumed bandwidth” widget displays the circuit bandwidth utilization between the
configured ingress/egress and the actual ingress/egress over time.

The “devices” widget displays the device's name, its status, the software version installed, whether
the admin interface is up, as well as the device’s routing peers, its HA status, consumed CPU, and
consumed memory data.

Additional controller connectivity status for config and events, analytics and flows is available when
you hover over or click the status icon.

Possible device connection states include:

● Online: All three connections (config and events, analytics and flows) are online.
● Partially online: config and events are online and analytics and/or flows may be offline.
● Offline: All three connections (config and events, analytics and flows) are offline.

The “top events by priority” widget displays the list of the top events by priority. All events in the
selected time range are displayed regardless of status, including both the resolved and
acknowledged events. To view all current standing alarms select “view all site alarms and alerts.”
This will display the standing alarms regardless of time range.

The “application utilization” widget displays information about the application utilization at the site
during the selected time range. The total application ingress and egress traffic for the time range is
displayed. The top 10 applications by traffic volume are also displayed, along with the other traffic,
including the total bandwidth utilization, ingress, egress and percentage of total traffic based on
the bandwidth utilization. By clicking the ellipses, flow information or the time series utilization
data can be viewed.

The “recent site audit logs” widget displays the recent configuration changes made to the site
within the selected time range. To see the full list of changes, select “view all site audit logs.”

The TCP connection stats widget displays the data related to the TCP connection metrics in the
selected time range and includes four metrics:

● Init success: A successful TCP connection was established.
● Transaction success: After a successful TCP connection, a successful data transaction was
observed.
● Init failure: A failed attempt to establish a TCP connection.
● Transaction failure: After a successful TCP connection, a failed data transaction was
observed.

The metrics for all TCP applications are initially displayed; however, any one of the top 10 TCP
applications can be selected to focus more narrowly on a specific top application.

The “top media audio performance” widget displays statistical information regarding the observed
mean opinion score for a site’s audio traffic. The top audio application by traffic volume is
automatically selected, but other top 10 media audio applications may also be selected as needed.
The MOS score is measured in both the ingress and egress directions. The median value for the
selected time range is displayed along with a trend indicator to display any observed performance
changes from the previous time period. The box plot displays the low, 25th percentile, median, 75th
percentile and high observed MOS scores. The numeric values are displayed upon hovering over the
bar chart. Recent flows for the media traffic can be viewed by selecting “view flows.” Selecting “new
media activity” shows the detailed time series media performance metrics.

4.2.2 Explain how application metrics are used in path selection


Prisma SD-WAN allows network administrators to meet their application service level agreements
(SLAs) with its path, QoS, and security policies. Through the Prisma SD-WAN path policy, you can
define rules to express business intent for which paths are allowed per application. The ION devices
evaluate each application session against the defined path policy and select the WAN path that
meets the application-specific SLA. One of the many mechanisms used to determine if a path will
meet an application’s SLA is monitoring the link quality.

Prisma SD-WAN determines link quality by actively probing the secure fabric VPN paths over public
and private transports and the private WAN underlay paths. The probes provide a constant
measurement of network performance metrics, such as jitter, latency and packet loss. These
metrics, along with application-specific performance metrics and layer one through layer seven
reachability inform traffic forwarding decisions for new and existing application flows.
The dashboard on the Prisma SD-WAN web interface provides the aggregate link quality metrics of
all branch and data center sites at a glance. It includes information on the MOS, packet loss, jitter,
and latency of the links. Time frames for the viewable data include the last five minutes and the last
available one hour of any metric.

By default, link quality metrics influence path selection for all real-time voice and video
applications. If a link is considered acceptable, the real-time application will stay on the initially
selected path. When the link is degraded or considered inadequate, the ION device will seamlessly
move all existing and subsequent real-time application flows to a suitable alternate path as allowed
by policy, if available.

The interactive “monitoring summary” and “link quality details” dashboards provide visibility into
the device connectivity status and link quality metrics of all your links across sites.

The “monitoring summary” dashboard provides a summarized and graphical view of the data. The
following captures the dashboard widgets presenting the analytical data in a visual and graphical
format.

The link quality metrics dashboard provides a snapshot of the current state of the links that you are
monitoring. You gain insight into the link MOS (mean opinion score), link packet loss, link jitter and
link latency via the dashboard. Links are displayed by default for all your sites and for the most
recent time range (“last available five minutes” or “last available hour”). The interactive dashboard
provides filters to change the scope of data displayed and allows you to analyze information you
want to view in greater detail in the “link quality details” tab.

Based on the link quality metrics chosen, filter the data based on the interval, start time and/or
direction. The interactive dashboard allows you to change the metric to any other link quality
metrics to view the corresponding graphs. The last distribution range of the bar graphs is to the
90th percentile of the available data.

The links table enables you to view all secure fabric links between two sites along with the circuit
and WAN information. You can also view the link quality metrics and the type for each link. You can
sort the table information based on a particular link quality metric displaying the corresponding
worst value on top. Expand the site detail to view the link quality metrics for ingress and egress
flows. It enables you to view the link quality chart per site and path. The chosen site and path are
the pre-selected filter criteria for the “activity” chart that displays the corresponding information.

Policies > SD-WAN > Path Selection
Select the tab labeled “path selection” to define the paths that application or service traffic
swaps to when the primary path’s quality exceeds the thresholds configured in the path quality
profile.

FIELD: Traffic Distribution Profile
DESCRIPTION: From the drop-down menu, select a traffic distribution profile. This determines how
the firewall selects an alternate path for the application or service traffic when one of the path
health metrics (latency, jitter or packet loss) for the preferred path exceeds the threshold
configured in the path quality profile for the rule.
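The path-selection logic described in this subsection (a path quality profile with per-metric thresholds, a flow that stays on its preferred path while that path is acceptable and moves to a policy-allowed alternate once it degrades), as an added illustrative model. This is not Prisma SD-WAN or PAN-OS code: the thresholds, probe samples, path names and the scoring weights used to rank alternates are all constructed for the demonstration, and a real implementation would also factor in the application-specific metrics and layer 1 to 7 reachability the text mentions.

```python
"""Model of SLA-driven path selection against a path quality profile.
Added illustrative example, not Prisma SD-WAN code; thresholds, samples and weights are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PathQualityProfile:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass
class LinkSample:
    """One probe measurement for a path (what the link-quality probes report)."""
    path: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def within_sla(sample, profile):
    return (sample.latency_ms <= profile.max_latency_ms
            and sample.jitter_ms <= profile.max_jitter_ms
            and sample.loss_pct <= profile.max_loss_pct)


def score(sample):
    """Lower is better. The weights are an arbitrary constructed choice for ranking alternates."""
    return sample.latency_ms + 2 * sample.jitter_ms + 50 * sample.loss_pct


def select_path(current, allowed, samples, profile):
    """Return the path a flow should use.
    allowed: ordered path list from the path policy (preferred first).
    current: the path the flow is on now, or None for a new flow."""
    by_path = {s.path: s for s in samples}
    # Acceptable current path: leave the flow where it is.
    if current in allowed and current in by_path and within_sla(by_path[current], profile):
        return current
    # Degraded or inadequate: move to the best alternate that meets the SLA, if any.
    candidates = [by_path[p] for p in allowed if p in by_path and within_sla(by_path[p], profile)]
    if candidates:
        return min(candidates, key=score).path
    # No path meets the SLA: stay put if still allowed and up, else take the least-bad allowed path.
    if current in allowed and current in by_path:
        return current
    fallback = [by_path[p] for p in allowed if p in by_path]
    return min(fallback, key=score).path if fallback else None


if __name__ == "__main__":
    profile = PathQualityProfile(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
    policy = ["mpls", "inet1", "inet2"]                      # constructed path policy for voice
    healthy = [LinkSample("mpls", 40, 5, 0.0), LinkSample("inet1", 60, 10, 0.2),
               LinkSample("inet2", 120, 25, 0.5)]
    print(select_path("mpls", policy, healthy, profile))       # mpls: stays
    degraded = [LinkSample("mpls", 40, 5, 3.0)] + healthy[1:]  # loss on MPLS exceeds 1%
    print(select_path("mpls", policy, degraded, profile))      # inet1: moved
```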

4.2.3 Demonstrate how to onboard a Prisma SD-WAN site to interact with Prisma Access
Palo Alto Networks Prisma SD-WAN (formerly CloudGenix) is a cloud-delivered service that
implements app-defined, autonomous SD-WAN to help you secure and connect your branch
offices, data centers and large campus sites without increasing cost and complexity. The AppFabric
connects your sites securely with application awareness and gives you the freedom to use any
WAN, any cloud for a thin branch (security from the cloud) solution.

To integrate Prisma SD-WAN and Prisma Access for Networks (cloud managed), verify the following
requirements.

Prisma SD-WAN:
● Active Prisma SD-WAN subscription.
● Prisma SD-WAN AppFabric deployed at one or more locations.
● Physical and/or virtual ION devices running:
   o Recommended version 5.4.3 or higher.
   o Minimum supported version 5.1.9.

Prisma Access for Networks (Cloud Managed):
● Prisma Access for Networks version 2.1.1 or later.
● Aggregate bandwidth licensing must be enabled.
● Identification of the IPSec termination nodes within Prisma Access to be used for
connectivity.
● A CSP (customer support portal) account with the app administrator or higher role assigned.
The Prisma Access and Prisma SD-WAN apps must be available and linked with each other on
the hub interface under that CSP account. To map the two apps, click the gear icon > Manage
apps. Once done, the mapping is visible under the Prisma SD-WAN instance.

Configure the Prisma SD-WAN CloudBlade to prepare the Prisma SD-WAN Controller for
integration.

Step 1: In the Prisma SD-WAN web interface, select CloudBlades.

Step 2: In CloudBlades, locate the Prisma Access for Networks Integration (managed by Panorama)
CloudBlade and click “configure.” If this CloudBlade does not appear in the list, contact Prisma
SD-WAN Support.

Step 3: Click the Prisma Access for Networks (managed by Panorama) CloudBlade to view the
CloudBlade installation page. Enter the following information in the fields shown, changing it
where appropriate:

1. VERSION: Select the version of the CloudBlade to use (2.1.1).
2. ADMIN STATE: For the admin state, select or retain “enabled.”
3. PANORAMA HOSTNAME/IP: Enter the hostname and/or IP address of the Panorama XML
API Interface. This is typically the same hostname/IP address as the management web UI.
4. PANORAMA ADMIN USERNAME: Enter the admin username for Prisma SD-WAN to use for
Prisma Access related configuration changes and updates to Panorama.
5. ION PEERING DEFAULT LOCAL AS NUMBER: Starting with version 2.0.3 and higher, a BGP
Local AS number is defined to quickly onboard ECMP sites. This can be any 16-bit AS
number, but private BGP AS number(s) are recommended.
6. TUNNEL IDENTIFIER PRISMA ACCESS FOR NETWORKS SIDE: Enter an FQDN IKE identifier
in name@domain.com format. This identifier will be used by Prisma Access to identify
remote tunnel connections.
7. TUNNEL IDENTIFIER TEMPLATE, PRISMA SD-WAN SIDE: Enter an FQDN IKE identifier in
name@domain.com format. This identifier should be different from the Prisma Access
identifier. This identifier will be used as a template to generate a unique ID per tunnel.
8. TUNNEL INNER IP POOL: Specify an IP pool using IP/Mask notation. This IP pool should be
unused or unique across the entire network and should not be used by the Palo Alto Service
Infrastructure Subnet.
9. PRISMA MULTI-TENANT NAME: Specify the tenant name that will be used for remote
networks with the CloudBlade.
10. ENFORCE DEFAULT PRISMA SD-WAN LIVELINESS PROBES: For Prisma Access, the default
is to leverage an ICMP probe to the last Prisma Access infrastructure IP address.

Step 4: Click “install” after the settings are configured.
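Several of the CloudBlade fields above carry constraints that are easy to get wrong and that only surface after the install: the ION peering local AS must be a 16-bit (and preferably private) AS number, the two IKE identifiers must be FQDN-style name@domain values that differ from each other, and the tunnel inner IP pool must not overlap the Prisma Access infrastructure subnet. The following pre-flight check is an added example, not Palo Alto Networks code; the field names in the settings dictionary, the sample values and the infrastructure subnet are constructed, and the private ASN range is the 16-bit private range 64512 to 65534.

```python
"""Pre-flight validation of CloudBlade settings before clicking install.
Added example, not Palo Alto Networks code; field names and sample values are constructed."""
import ipaddress
import re

# FQDN-style IKE identifier in name@domain.com form.
FQDN_ID = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
PRIVATE_ASN_16 = range(64512, 65535)   # 64512-65534 inclusive


def check_cloudblade(settings):
    """settings keys (constructed names): local_as, pa_identifier, sdwan_identifier,
    inner_pool, infra_subnet. Returns a list of problems; an empty list means OK."""
    problems = []

    asn = settings.get("local_as")
    if not isinstance(asn, int) or not 1 <= asn <= 65535:
        problems.append("local_as must be a 16-bit AS number (1-65535)")
    elif asn not in PRIVATE_ASN_16:
        problems.append("local_as is not in the private 16-bit range 64512-65534 (recommended)")

    pa_id = settings.get("pa_identifier", "")
    sd_id = settings.get("sdwan_identifier", "")
    for label, value in (("pa_identifier", pa_id), ("sdwan_identifier", sd_id)):
        if not FQDN_ID.match(value):
            problems.append(f"{label} must be an FQDN identifier in name@domain form")
    if pa_id and pa_id == sd_id:
        problems.append("Prisma Access and Prisma SD-WAN tunnel identifiers must differ")

    try:
        pool = ipaddress.ip_network(settings["inner_pool"], strict=True)
        infra = ipaddress.ip_network(settings["infra_subnet"], strict=True)
        if pool.overlaps(infra):
            problems.append("inner_pool overlaps the Prisma Access infrastructure subnet")
    except (KeyError, ValueError) as exc:
        problems.append(f"inner_pool and infra_subnet must be valid IP/mask networks: {exc}")

    return problems


if __name__ == "__main__":
    settings = {                                   # constructed sample values
        "local_as": 65000,
        "pa_identifier": "prisma@example.com",
        "sdwan_identifier": "ion@example.com",
        "inner_pool": "172.16.100.0/24",
        "infra_subnet": "172.16.55.0/24",
    }
    print(check_cloudblade(settings) or "settings OK")
```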

4.2.4 Describe how to use, map, and understand the SD-WAN topology

You can configure static and dynamic routing in a branch for internet, private WAN underlays and
standard VPN tunnels.

Configure static routing on a branch ION device to support topologies with one or more LAN-side
Layer 3 devices to forward traffic destined for subnets that are more than one hop away. Use static
routes to configure next hops to subnets behind a Layer 3 switch on the LAN-side or destinations
reachable over a WAN network underlay or a standard VPN. You can add static routes on an ION
device that point to the standard VPN interface or the standard VPN peer IP address.

Configure dynamic Border Gateway Protocol (BGP) routing on a branch ION device for internet,
private WAN underlays and standard VPNs. The ION device learns routes dynamically over the
internet, private WAN and standard VPNs and advertises global branch prefixes on these routes.

By default, ION devices use a bypass pair for private WAN underlay traffic. If you use a Layer 3
interface, you must explicitly enable L3 Direct Private WAN Forwarding for the private WAN
underlay. The ION device uses the bypass pair only to bridge traffic. Starting with device software
version 5.2.1, ION devices support dynamic LAN routing in branch sites. To use LAN routing, you
must explicitly enable L3 Direct Private WAN Forwarding and L3 LAN forwarding. You can enable L3
LAN Forwarding only when there are no Private Layer 2 bypass pairs associated with any of the
interfaces on the device. Starting with device software version 5.2.3, if there are Private Layer 2
interfaces on the device, the device displays a message to first remove any Private Layer 2 interfaces
associated with the device and then enable L3 LAN Forwarding.

A branch ION device supports only classic peers. It can support multiple BGP peers and also peer
with multiple BGP peers on the same interface. The device treats each underlay and standard VPN
as a separate domain. The routes learned from one domain are not advertised to another domain,
thus preventing the branch ION device from dynamically becoming a transit point.

At a branch site, configure the routing for a link or a routing instance per link. The following
topologies illustrate private WAN and third-party routing in a branch:

● Private WAN dynamic border gateway protocol (BGP) routing: In this scenario, the branch
ION device participates in dynamic BGP routing by peering with a private WAN peer edge
router or an internet router, or standard VPNs. There may be more than one link; however,
dynamic routing may be enabled on each.
● Private WAN static routing: In this scenario, the branch ION device has a default static
route pointing to the peer edge router. On behalf of the ION device, the peer edge router
will advertise routes for branch prefixes. There may be more than one private WAN link.
● Standard VPNs to cloud security services or data centers: In this scenario, the branch ION
has a standard VPN connection to a cloud security service. This VPN has a static default
route, but a second option is to have a BGP adjacency configured with the standard
endpoint. You can deploy the ION at a branch site as follows:
o Layer 2-only deployment model: You do not need to configure routing when the
ION is deployed in-line between the switch and a branch router. In this deployment,
the internet links terminate on the branch ION device and the private wide area
network (WAN) link terminates on the WAN router.
The branch ION device dynamically steers traffic directly to the private WAN via the
WAN router it is connected to, or to a public WAN or VPN on public WAN for each
application based on path policies and network and application performance
characteristics.
o Layer 2/Layer 3 deployment model: Deploy the Prisma SD-WAN ION device in-line
between the switch and a branch router, with the added facility of routing via a
separate Layer 3 WAN interface on the ION device. In this deployment, you can
configure a Layer 3 WAN interface (WAN 2) as the source for a private WAN VPN to
another Prisma SD-WAN branch or data center site.
An example of this would be to configure LAN 1 and WAN 1 as a Layer 3 bypass pair,
but to configure WAN 2 to BGP peer with the router. The ION device then advertises
prefixes to the router and learns routes from the router.

● Router replacement model: In this model, the branch ION device terminates both private
WAN and internet links. When terminating the private WAN links, the branch ION device
participates in dynamic routing with the peer edge router. The device advertises prefixes
present in the branch and learns the prefixes reachable through the MPLS core.

● LAN-Side BGP Routing: On the LAN side, the ION device can be the default gateway for all
branch subnets or can participate in static or dynamic routing with a Layer 3 device. The
branch ION device in conjunction with the Layer 3 switch participates in routing as follows:
o Learns the prefixes behind the Layer 3 device and forwards traffic to those prefixes.
o Advertises BGP learned prefixes from the WAN side (e.g. MPLS peer edge router) or a
default route to the LAN Layer 3 device.
o Advertises prefixes learned from the Layer 3 device to other branches and data
centers.

4.2.5 Explain the value of WAN Clarity Reports


WAN Clarity Reports are auto-generated weekly and provide aggregate views of ingress and egress
traffic distribution, 90th percentile bandwidth utilization across circuits, WAN utilization over a
threshold, heatmaps, top applications, clients, servers, client and server pairs and undefined
domains for both the entire week and separately for periods of high utilization.

Download the entire reports package or view the reports from the Prisma SD-WAN controller for
week-over-week trend comparisons as well as comparisons across sites and circuits.

The WAN clarity report is available for immediate use as a licensed subscription service. Contact the
Prisma SD-WAN sales team to enable the subscription. The reports include:

● WAN clarity branch reports
● WAN clarity data center reports

WAN Clarity Branch Reports


The following are the descriptions of branch reports in the WAN clarity reports.
● Traffic distribution
● Utilization quadrant
● Utilization over threshold
● Heatmap
● Hotspots
● Top N
● Application volume per circuit

WAN Clarity Data Center Reports


The data center reports provide insights into utilization trends from a data center perspective.
Similar to the branch reports, these reports identify top applications, source IP addresses,
destination IP addresses, source-destination IP address pairs and undefined domains along with
top branches. You can generate this set of reports for hotspots observed in the data center.

It is important to note that a hotspot definition for a data center differs from that for a branch.
While utilization over 70% of configured bandwidth is considered a hotspot for branches, for a data
center, you may consider 90th percentile utilization as a hotspot. It therefore becomes imperative
to accurately set the data center’s circuit bandwidth allocations. These reports provide an
approximation of the utilization trends as the reports generated only consider overlay paths.
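The branch and data center hotspot rules described above, as an added example (not Prisma SD-WAN code): the utilization samples are constructed, and the nearest-rank percentile and the 90% data center threshold are assumptions.

```python
"""Hotspot detection in the spirit of WAN Clarity reports.

Added example, not Prisma SD-WAN code. The samples below are constructed; the
nearest-rank percentile and the 90% data center threshold are assumptions.
"""
import math
from typing import Sequence

# Constructed utilization samples in Mbps (e.g. one value per 5-minute interval).
BRANCH_SAMPLES = [120, 130, 125, 140, 600, 620, 610, 130, 125, 120]
DC_SAMPLES = [700, 880, 910, 920, 930, 890, 900, 950, 860, 500]


def percentile(values: Sequence[float], pct: float) -> float:
    """Nearest-rank percentile: the smallest sample at or below which pct percent
    of all samples fall. The reports' exact method is not documented on the page,
    so this choice is an assumption."""
    if not values:
        raise ValueError("no samples")
    if not 0 < pct <= 100:
        raise ValueError("pct must be in (0, 100]")
    ordered = sorted(values)
    rank = math.ceil(pct * len(ordered) / 100)  # 1-based rank
    return ordered[rank - 1]


def utilization_pct(samples_mbps: Sequence[float], bandwidth_mbps: float) -> list[float]:
    """Express each sample as a percentage of the circuit's configured bandwidth."""
    if bandwidth_mbps <= 0:
        raise ValueError("configured bandwidth must be positive")
    return [100.0 * s / bandwidth_mbps for s in samples_mbps]


def branch_hotspot_intervals(samples_mbps, bandwidth_mbps, threshold_pct=70.0) -> list[int]:
    """Branch rule: any interval above 70% of configured bandwidth is a hotspot.
    Returns the indices of those intervals."""
    util = utilization_pct(samples_mbps, bandwidth_mbps)
    return [i for i, u in enumerate(util) if u > threshold_pct]


def dc_p90_utilization(samples_mbps, bandwidth_mbps) -> float:
    """Data center rule: judge the circuit by its 90th percentile utilization."""
    return percentile(utilization_pct(samples_mbps, bandwidth_mbps), 90)


def dc_is_hotspot(samples_mbps, bandwidth_mbps, p90_threshold_pct=90.0) -> bool:
    """Assumption: a data center circuit is a hotspot when p90 reaches the threshold."""
    return dc_p90_utilization(samples_mbps, bandwidth_mbps) >= p90_threshold_pct


if __name__ == "__main__":
    # The same samples give different verdicts depending on the configured
    # bandwidth, which is why the allocation must be set accurately.
    for bw in (1000, 800):
        print(f"branch @ {bw} Mbps: hotspot intervals {branch_hotspot_intervals(BRANCH_SAMPLES, bw)}")
    for bw in (1000, 1200):
        p90 = dc_p90_utilization(DC_SAMPLES, bw)
        print(f"DC @ {bw} Mbps: p90={p90:.1f}% hotspot={dc_is_hotspot(DC_SAMPLES, bw)}")
```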

In summary, WAN Clarity Reports are generated every week to help you understand how the
circuits in the Prisma SD-WAN AppFabric can be utilized from an entire fabric, site, circuit,
application and user perspective. These reports provide actionable insights that you can use for
capacity planning, path policy adjustments, QoS policy adjustments and enforcement of proper use
of network resources by the end-user community.

The following sections describe the data center reports in the WAN clarity reports in more detail.

● Traffic distribution
● Circuit utilization
● Hotspot reports
● Top N reports

4.2.6 References
● Application-based metrics, https://docs.paloaltonetworks.com/prisma/prisma-sd-wan/prisma-sd-wan-admin/get-started-with-prisma-sd-wan/site-summary-dashboard.html#id679065f0-8077-4915-bba8-1b794e0e1a40
● Application metrics are used in path selection, https://docs.paloaltonetworks.com/prisma/prisma-sd-wan/prisma-sd-wan-admin/prisma-sd-wan-application-visibility-and-reporting/link-quality.html
● Onboard a Prisma SD-WAN site to Prisma Access, https://docs.paloaltonetworks.com/prisma/prisma-sd-wan/deployment-and-integrations/2-1-1/prisma-access-cloudblade-integration-guide/configure-and-install-prisma-access--cloudblade/configure-and-install-prisma-access-for-networks-managed-by-panorama-cloudblade.html#ida71b2bbf-bfd5-488b-be23-81e7010bb791
● WAN Clarity Reports, https://docs.paloaltonetworks.com/prisma/prisma-sd-wan/prisma-sd-wan-admin/prisma-sd-wan-application-visibility-and-reporting/prisma-sd-wan-clarity-reports

4.3 Sample Questions

1. Which of the following provides native, end-to-end visibility and performance metrics for
real application traffic in your secure access service edge (SASE) environment?
a. DNSSEC
b. App-ID
c. SWG
d. ADEM

2. Which serves to increase perceived application response and improve the overall user
experience?
a. DNS accounting
b. DNS caching
c. IoT DNS
d. Secure DNS

3. Which report provides aggregate views of ingress and egress traffic distribution?
a. Security policy
b. Deployment model
c. WAN static routing
d. WAN Clarity report

4. What do WAN Clarity reports provide?
a. CloudBlade status for a site
b. AppFabric utilization for a circuit
c. Route utilization for a device
d. Bandwidth utilization for a circuit category

Domain 5: Network Security Best Practices
5.1 Define the Palo Alto Networks best practice methodology for using a Zero Trust approach
to network security

Although Zero Trust is typically associated with securing users or use cases such as Zero Trust
Network Access (ZTNA), a comprehensive zero trust approach encompasses users, applications and
infrastructure.

● Users: Step one of any Zero Trust effort requires strong authentication of user identity,
application of “least access” policies, and verification of user device integrity.
● Applications: Applying Zero Trust to applications removes implicit trust with various
components of applications when they talk to each other. A fundamental concept of Zero
Trust is that applications cannot be trusted and continuous monitoring at runtime is
necessary to validate their behavior.
● Infrastructure: Everything infrastructure-related — including routers, switches, cloud, IoT
and supply chain — must be addressed with a Zero Trust approach.

5.1.1 Identify best practice for eliminating implicit user trust, regardless of user location

● Define your desired business outcomes before architecting your Zero Trust environment.
The Zero Trust model supports and enables secure business functions.
● Use Palo Alto Networks Next-Generation Firewalls as segmentation gateways to consolidate
security technologies on one platform and to apply consistent security policy in all locations
natively at Layer 7 using App-ID, User-ID and Content-ID. A segmentation gateway
segments and controls the network based on applications, users and data, and should
provide granular access control and secure all traffic as it crosses micro-perimeters and
gains access to a protected surface.
● Segment your network based on what is valuable to your business to prevent unauthorized
lateral movement.

5.1.2 Identify best practice for eliminating implicit trust within applications

● Use an integrated, centrally managed platform that reduces the total cost of ownership,
rather than a collection of point products that do not work well together. Palo Alto Networks
shares information among platform elements and enables centralized management and
simplified operation using Panorama, GlobalProtect and Prisma Access to provide consistent
policy, prevention and protection across all locations.

● Apply the principle of least-privileged access to your protected surfaces. Determine who
needs access to what resources, how they need access and when they need access. Allow
only the exact level of access required for each user and device, assert identity (including
proper authorization), and then map Layer 7 policy to identity.

● Decrypt, inspect and log every packet through Layer 7 that regulations, compliance and
your business practices allow you to inspect. You must inspect and log Layer 7 traffic.
Remember, every attacker knows how to bypass security controls at Layer 3 and Layer 4.

● Transition to a Zero Trust environment gradually, one segment at a time and beginning with
one or more non-critical segments from which you learn and gain experience. Zero Trust
segments coexist with legacy segments, so you can use a safe, iterative approach instead of
a risky rip-and-replace approach.

5.1.3 Identify best practice for eliminating implicit trust of infrastructure

● Design from the inside-out instead of from the outside-in to protect what’s most valuable to
your business first. Your most valuable assets are more likely to be in your data center than
at your perimeter.

● Create a strategy for tagging workloads to group objects and registering tags dynamically to
help automate security policy.

● Develop processes to operate, maintain and continually update prevention controls as you
develop your strategy and design the network. Document processes, educate and train
personnel, set baselines, and measure progress against the baselines.

5.1.4 References

● Architecting the Zero Trust enterprise, https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/architecting-zero-trust-enterprise

5.2 Execute a Proof of Concept (POC) for remote networks use cases

5.2.1 Explain customer sensitive data discovery as defined in the Zero Trust model

At its core, Zero Trust is about eliminating implicit trust across the organization. This means
eliminating implicit trust related to users, applications, and infrastructure.

Zero Trust for users: Step one of any Zero Trust effort requires strong authentication of user
identity, application of “least access” policies and verification of user device integrity.

Zero Trust for applications: Applying Zero Trust to applications removes implicit trust with various
components of applications when they talk to each other. A fundamental concept of Zero Trust is
that applications cannot be trusted and continuous monitoring at runtime is necessary to validate
their behavior.

Zero Trust for Infrastructure: Everything infrastructure-related — including routers, switches,
cloud, IoT and supply chain — must be addressed with a Zero Trust approach.

For each of the three pillars, it is critical to consistently:

● Establish identity using the strongest possible authentication. The request is
authenticated and authorized to verify identity before granting access. This identity is
continuously monitored and validated throughout the transaction.

● Verify the device/workload. Identifying the enterprise laptop, a server, a personal
smartphone or a mission-critical IoT device requesting access, then determining the device's
identity and verifying its integrity is integral to Zero Trust. The integrity of the device or host
requesting access must be verified. This integrity is continuously monitored and validated
for the lifetime of the transaction; or, in the case of applications and cloud infrastructure, the
requested device or microservices, storage or compute resources, partner and third-party
apps must be identified before granting access.

● Secure the access. Enterprises need to ensure users only have access to the minimal
amount of resources they need to conduct an activity. For example, users may be restricted
from accessing data and applications unless it is necessary for them to access that information.
Even after authentication and checking for a clean device, least privilege necessary must still
be ensured.

● Secure all transactions. To prevent malicious activity, all content exchanged must be
continuously inspected to verify that it is legitimate, safe and secure. Data transactions must
be fully examined to prevent enterprise data loss and attacks on the organization through
malicious activity.

5.2.2 Define which users, applications and infrastructure are accessing data

Working, however tirelessly, to reduce the attack surface is not viable in today’s evolving threat
landscape. The attack surface is continuously expanding, making it difficult to define, shrink or
defend against. However, with Zero Trust, rather than focusing on the macro level of the attack
surface, you determine your protect surface. The protect surface encompasses the critical data,
application, assets and services — DAAS — most valuable for your company to protect.

Here are some examples of DAAS you might include in your protect surface:

● Data: Credit card information (PCI), protected health information (PHI), personally
identifiable information (PII) and intellectual property (IP)
● Applications: Off-the-shelf or custom software
● Assets: Supervisory Control and Data Acquisition (SCADA) controls, point-of-sale terminals,
medical equipment, manufacturing assets and IoT devices
● Services: DNS, DHCP and Active Directory®

Once defined, you can move your controls as close as possible to that protected surface to create a
microperimeter with policy statements that are limited, precise and understandable.

5.2.3 Define a customer's architecture in a Zero Trust network

Zero Trust networks are completely customized rather than derived from a single, universal
design; the architecture is constructed around the protected surface. Once you’ve defined
the protected surface and mapped flows relative to the needs of your business, you can map out
the Zero Trust architecture, starting with a next-generation firewall. The next-generation firewall
acts as a segmentation gateway, creating a microperimeter around the protected surface. With a
segmentation gateway, you can enforce additional layers of inspection and access control, all the
way to Layer 7, for anything trying to access resources within the protected surface.

5.2.4 Define Zero Trust policies and controls

Once the network is architected, you will need to create Zero Trust policies using the “Kipling
Method” to whitelist which resources should have access to others. Kipling put forth the concept of
“who, what, when, where, why and how” in his poem “Six Serving Men.” Using this method, we are
able to define the following:

● Who should be accessing a resource?
● What application is being used to access a resource inside the protected surface?
● When is the resource being accessed?
● Where is the packet destination?
● Why is this packet trying to access this resource within the protected surface?
● How is the packet accessing the protected surface via a specific application?

This granular policy enforcement ensures that only known allowed traffic or legitimate application
communication is permitted.
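A Kipling-method rule set evaluated with default deny, as an added illustration that is not Palo Alto Networks code; the rule fields, the sample ERP rule and the requests are constructed, and mapping “how” onto the inspection profiles an allowed session must carry is an assumption.

```python
"""Kipling-method policy rules for a protect surface.

Added example, not Palo Alto Networks code. Rule fields, the sample rule and
the requests are constructed; the mapping of each Kipling question onto a rule
field is an assumption made for illustration.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class KiplingRule:
    who: frozenset      # user groups permitted (identity, never a source IP)
    what: frozenset     # application identifiers permitted
    when: tuple         # (start, end) time-of-day window, end exclusive
    where: str          # destination network inside the protect surface
    why: str            # documented business justification for the access
    how: frozenset      # inspection profiles the allowed session must carry


@dataclass(frozen=True)
class Request:
    user_groups: frozenset
    app: str
    at: time
    dst: str


def rule_matches(rule: KiplingRule, req: Request) -> bool:
    """Every Kipling dimension must match; a partial match is no match."""
    start, end = rule.when
    return (
        bool(rule.who & req.user_groups)
        and req.app in rule.what
        and start <= req.at < end
        and ip_address(req.dst) in ip_network(rule.where)
    )


def evaluate(rules, req: Request):
    """First matching rule wins; with no match the request is denied, so only
    known, explicitly allowed traffic reaches the protect surface."""
    for rule in rules:
        if rule_matches(rule, req):
            return ("allow", rule.why, sorted(rule.how))
    return ("deny", "no Kipling rule permits this access", [])


# Constructed rule for a hypothetical ERP protect surface.
RULES = [
    KiplingRule(
        who=frozenset({"finance"}),
        what=frozenset({"sap"}),
        when=(time(7, 0), time(19, 0)),
        where="10.10.5.0/24",
        why="quarter-end reporting requires finance access to ERP",
        how=frozenset({"decrypt", "threat-prevention", "log-all"}),
    ),
]


def decide(groups, app, hour, minute, dst):
    """Convenience wrapper: build a Request and evaluate it against RULES."""
    return evaluate(RULES, Request(frozenset(groups), app, time(hour, minute), dst))


if __name__ == "__main__":
    print(decide(["finance"], "sap", 9, 30, "10.10.5.20"))   # allow
    print(decide(["finance"], "ssh", 9, 30, "10.10.5.20"))   # deny: wrong "what"
    print(decide(["finance"], "sap", 23, 0, "10.10.5.20"))   # deny: outside "when"
```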

5.2.5 Explain how Palo Alto Networks validates each transaction in a Zero Trust model

This final step includes reviewing all logs, both internal and external, all the way through Layer 7,
and focusing on the operational aspects of Zero Trust. Since Zero Trust is an iterative process,
inspecting and logging all traffic will provide valuable insights into how to improve the network
over time.

Once you have completed the five-step methodology for implementing a Zero Trust network for
your first protected surface, you can expand to iteratively move other data, applications and assets
or services from your legacy network to a Zero Trust network in a way that is cost-effective and
non-disruptive.

5.2.6 References
● Architecting the Zero Trust enterprise, https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/architecting-zero-trust-enterprise

5.3 Identify best practices for implementing Secure Sockets Layer (SSL) decryption

5.3.1 Explain customer sensitive data discovery as defined in the Zero Trust model

The Secure Sockets Layer (SSL) and Secure Shell (SSH) encryption protocols secure traffic between
two entities, such as a web server and a client. SSL and SSH encapsulate traffic, encrypting data so
that it is meaningless to entities other than the client and server with the certificates to affirm trust
between the devices and the keys to decode the data. Decrypt SSL and SSH traffic in order to:

● Prevent malware concealed as encrypted traffic from being introduced into your network.
For example, an attacker compromises a website that uses SSL encryption. Employees visit
that website and unknowingly download an exploit or malware. The malware then uses the
infected employee endpoint to move laterally through the network and compromise other
systems.
● Prevent sensitive information from moving outside the network.
● Ensure the appropriate applications are running on a secure network.
● Selectively decrypt traffic; for example, create a decryption policy and profile to exclude
traffic for financial or healthcare sites from decryption.

For Prisma Access, all SSL Decryption related settings can be managed from a single page on Cloud
Management. This includes managing the:

SSL Decryption policies


Prisma Access supports decryption as a policy-based decision to enable you to specify traffic to
decrypt by destination, source, service, or URL category. Admins have to determine which traffic
they can decrypt and what cannot be decrypted due to privacy and legal concerns.

SSL Decryption profiles


Decryption profiles get associated with decryption policies. The profile defines controls for SSL
protocols, certificate verification, and failure checks to help prevent traffic that uses weak
algorithms or unsupported modes.

Decryption Settings (Certificates)


The firewall uses certificates and keys to decrypt traffic and enforces App-ID and security settings.
There are essentially two types of certificates that we recommend.

A forward trust certificate is what is used to sign the proxy session (firewall to client) when the
server is a trusted source (as validated by its certificate issuing authority). The Forward Trust CA
certificate should be stored into the trusted certificate store on user endpoints.

You can use the default certificates we provide OR choose to use your enterprise PKI
(recommended), in which case you will have to import the CA certificates and designate them as
Forward trust certificates.
Note: You can also use GlobalProtect to distribute these certificates to your endpoints.

A forward untrust certificate is used to sign the proxy session (firewall to client) when the server is
an untrusted source. This helps differentiate between the two and leverage the browser’s controls
over distinguishing between a trusted and untrusted site.

If using enterprise PKI, ensure that the forward untrust certificate is NOT signed by your Enterprise
CA certificate as it needs to be “untrusted”.

Ready to Use
Prisma Access Cloud Management provides default decryption policies along with default profiles
and certificates which can be made use of to easily enable SSL decryption by simply enabling a
couple of available policies.

A default best-practice decryption policy is provided with a list of URL categories that will be
decrypted in accordance with Palo Alto Networks best practices. This list is editable to meet your
company policies.

A default best-practice “no-decrypt” policy is provided with a list of URL categories that are typically
not decrypted for privacy and legal reasons. This list is editable to meet your company policies.

Encouraging Best Practices


The default policies and configuration provided with Prisma Access Cloud Management are in
accordance with recommended best practices. You can make use of these policies as-is.

In addition to this, continuous and inline best practice assessment helps identify any configuration
that is not aligned with the recommended best practices with clear instructions to help mitigate
the highlighted issues.

5.3.2 Explain the value of SSL default decryption exclusion lists

Certain sites make use of pinned certificates or mutual authentication, either of which makes SSL
decryption by a proxy impossible. In order to ensure smooth functioning of the well-known sites
that employ these techniques, we maintain a global exclusion list of sites to be excluded from SSL
Decryption.

You have full control over this list which can be viewed and edited to comply with your policies.
You can exclude two types of traffic from decryption:

● Traffic that breaks decryption for technical reasons, such as using a pinned certificate, an
incomplete certificate chain, unsupported ciphers or mutual authentication (decrypting
blocks the traffic). Palo Alto Networks provides a predefined SSL decryption exclusion list
(Navigate to device > certificate management > SSL decryption exclusion) that excludes
hosts with applications and services that are known to break decryption technically from
SSL decryption by default. If you encounter sites that break decryption technically and are
not on the SSL decryption exclusion list, you can add them to the list manually by server
hostname. The firewall blocks sites whose applications and services break decryption
technically unless you add them to the SSL decryption exclusion list.

● Traffic that you choose not to decrypt because of business, regulatory, personal or other
reasons, such as financial services, health and medicine or government traffic. You can
choose to exclude traffic based on source, destination, URL category and service.

You can use asterisks (*) as wildcards to create decryption exclusions for multiple hostnames
associated with a domain. Asterisks behave the same way that carets (^) behave for URL category
exceptions — each asterisk controls one variable subdomain (label) in the hostname. This enables
you to create both very specific and very general exclusions. Several examples of this include:

● mail.*.com matches mail.company.com but does not match mail.company.sso.com.
● *.company.com matches tools.company.com but does not match eng.tools.company.com.
● *.*.company.com matches eng.tools.company.com but does not match eng.company.com.
● *.*.*.company.com matches corp.exec.mail.company.com, but does not match
corp.mail.company.com.
● mail.google.* matches mail.google.com, but does not match mail.google.uk.com.
● mail.google.*.* matches mail.google.co.uk, but does not match mail.google.com.

For example, to use wildcards to exclude video-stats.video.google.com from decryption but not to
exclude video.google.com from decryption, exclude *.*.google.com.
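A matcher for the one-asterisk-per-label rule above, as an added example that is not Palo Alto Networks code, with a helper that shows which observed hostnames a candidate entry would exempt; rejecting partial wildcards such as mail* is an assumption.

```python
"""Hostname wildcard matching for SSL decryption exclusion entries.

Added example, not Palo Alto Networks code. Each asterisk stands for exactly
one DNS label, so an entry can only match a hostname with the same number of
labels. Rejecting partial wildcards (e.g. "mail*") is an assumption.
"""
from typing import Iterable


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; a trailing dot (FQDN form) is ignored.
    labels = name.strip().rstrip(".").lower().split(".")
    if any(not lbl for lbl in labels):
        raise ValueError(f"empty label in {name!r}")
    return labels


def exclusion_matches(entry: str, hostname: str) -> bool:
    """True when the exclusion entry covers the hostname."""
    pat, host = _labels(entry), _labels(hostname)
    if any("*" in p and p != "*" for p in pat):
        raise ValueError(f"partial wildcard label in {entry!r}")
    if len(pat) != len(host):
        return False  # an asterisk never spans more or fewer than one label
    return all(p == "*" or p == h for p, h in zip(pat, host))


def matching_exclusions(entries: Iterable[str], hostname: str) -> list[str]:
    """All entries in the exclusion list that cover the hostname."""
    return [e for e in entries if exclusion_matches(e, hostname)]


def exclusion_scope(entry: str, hostnames: Iterable[str]) -> list[str]:
    """Which of the observed hostnames a candidate entry would exempt.

    Excluded traffic receives no further inspection, so check that a new
    entry is no broader than intended before adding it."""
    return [h for h in hostnames if exclusion_matches(entry, h)]


if __name__ == "__main__":
    # Constructed hostnames, as they might appear in traffic logs.
    seen = ["video-stats.video.google.com", "video.google.com", "mail.google.com"]
    print(exclusion_scope("*.*.google.com", seen))  # only video-stats.video.google.com
    print(matching_exclusions(["*.company.com", "*.*.company.com"], "eng.tools.company.com"))
```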

To increase visibility into traffic and reduce the attack surface as much as possible, avoid making
unnecessary decryption exceptions.

Prisma Access provides a predefined SSL decryption exclusion list to exclude from decryption
commonly used sites that break decryption because of technical reasons such as pinned
certificates and mutual authentication. The predefined decryption exclusions are enabled by
default, and Palo Alto Networks delivers new and updated predefined decryption exclusions. Traffic
that matches defined exclusions is not decrypted and is allowed based on the security policy that
governs that traffic.

Because the traffic of sites on the SSL decryption exclusion list remains encrypted, no further
security inspection of the traffic is performed. You can disable a predefined exclusion.

5.3.3 Identify the decryption deployment methods

The most time-consuming part of deploying decryption is not configuring the decryption policies
and profiles, but preparing for the deployment by working with stakeholders to decide what traffic
to decrypt and not to decrypt, educating your user population about changes to website access,
developing a public key infrastructure (PKI) strategy and planning a staged, prioritized rollout.

Set goals for decryption and review your decryption planning best practices checklist to ensure that
you understand the recommended best practices. The best practice goal is to decrypt as much
traffic as your firewall resources permit. Initially, priority should be given to decrypting traffic that
has the highest impact to business objectives or that may act as a likely transport to malicious
activities.

To prepare to deploy decryption:

● Work with stakeholders to develop a decryption deployment strategy
● Develop a PKI rollout plan
● Size the decryption firewall deployment
● Plan a staged, prioritized deployment

Work with stakeholders to develop a decryption deployment strategy


Work with stakeholders such as legal, finance, HR, executives, security and IT/support to develop a
decryption deployment strategy. Start by getting the required approvals to decrypt traffic to secure
the corporation. Decrypting traffic involves understanding how legal regulations and business
needs affect what you can and can’t decrypt.

Then, identify and prioritize the traffic you want to decrypt. The best practice is to decrypt as much
traffic as you can in order to gain visibility into potential threats in encrypted traffic and to prevent
those threats. If incorrect firewall sizing prevents you from decrypting all of the traffic you want to
decrypt, prioritize the most critical servers, the highest-risk traffic categories and less trusted
segments and IP subnets. To help prioritize, ask yourself questions such as, “What happens if this
server is compromised?” and “How much risk am I willing to take in relation to the level of
performance I want to achieve?”

Next, identify traffic that you can’t decrypt because the traffic breaks decryption for technical
reasons such as a pinned certificate, an incomplete certificate chain, unsupported ciphers or
mutual authentication. Decrypting sites that break decryption technically results in blocking that
traffic. Evaluate the websites that break decryption technically and ask yourself if you need access
to those sites for business reasons. If you don’t need access to those sites, allow decryption to block
them. If you need access to any of those sites for business purposes, add them to the SSL
decryption exclusion list to exempt them from decryption. The SSL decryption exclusion list is
exclusively for sites that break decryption technically.

Identify sensitive traffic that you choose not to decrypt for legal, regulatory, personal or other
reasons, such as financial, health or government traffic, or the traffic of certain executives. This is not
traffic that breaks decryption technically, so do not use the SSL decryption exclusion list to exempt
this traffic from decryption. Instead, you create a policy-based decryption exclusion to identify and
control traffic you choose not to decrypt and apply the “no decryption” profile to the policy to
prevent servers with certificate issues from accessing the network. Policy-based decryption
exclusions are only for traffic you choose not to decrypt.

When you plan your decryption policy, consider your company’s security compliance rules,
computer usage policy and your business goals. Extremely strict controls can impact the user
experience by preventing access to non-business sites the user used to access, but may be required
for government or financial institutions. There is always a tradeoff between usability, management
overhead and security. The tighter the decryption policy, the greater the chance that a website will
become unreachable, which may result in user complaints and possibly modifying the rulebase.

Different groups of users and even individual users may require different decryption policies, or you
may want to apply the same decryption policy to all users. For example, executives may be
exempted from decryption policies that apply to other employees. And you may want to apply
different decryption policies to employee groups, contracts, partners and guests. Prepare updated
legal and HR computer usage policies to distribute to all employees, contractors, partners, guests
and any other network users so that when you roll out decryption, users understand their data can
be decrypted and scanned for threats.

Similarly to different groups of users, decide which devices to decrypt and which applications to
decrypt. Today’s networks support not only corporate devices, but BYOD, mobile, remote-user and
other devices, including contractor, partner and guest devices. Today’s users attempt to access
many sites, both sanctioned and unsanctioned, and you should decide how much of that traffic you
want to decrypt.

Additionally, decide what traffic you want to log and investigate what traffic you can log. Be aware
of local laws regarding what types of data you can log and store, and where you can log and store
the data. For example, local laws may prevent logging and storing personal information such as
health and financial data.

Decide how to handle bad certificates. For example, will you block or allow sessions for which the
certificate status is unknown? Understanding how you want to handle bad certificates determines
how you configure the decryption profiles that you attach to decryption policies to control which
sessions you allow based on the server certificate verification status.

PSE SASE Professional by Palo Alto Networks 84


Plan a staged, prioritized deployment
Plan to roll out decryption in a controlled manner, piece by piece. Don’t roll out your entire
decryption deployment at once. Test and ensure that decryption is working as planned and that
users understand what you are doing and why. Rolling out decryption in this manner makes it
easier to troubleshoot in case anything doesn’t work as expected and it helps users adjust to the
changes.

Educating stakeholders, employees, and other users such as contractors and partners is critical
because decryption settings may change their ability to access some websites. Users should
understand how to respond to situations in which previously reachable websites become
unreachable and what information to give technical support. Support should understand what is
being rolled out when and how to help users who encounter issues. Before you roll out decryption
to the general population, you should:

● Identify early adopters to help champion decryption and who will be able to help other
employees who have questions during the full rollout. Enlist the help of department
managers and help them understand the benefits of decrypting traffic.

● Set up proof-of-concept (POC) trials in each department with early adopters and other
employees who understand why decrypting traffic is important. Educate POC participants
about the changes and how to contact technical support if they run into issues. In this way,
decryption POCs become an opportunity to work with technical support to learn how to
support decryption and to develop the most painless method for supporting the general
rollout. The interaction between POC users and technical support also allows you to
fine-tune policies and how to communicate with users.

● When you set up POCs, also set up a user group that can certify the operational readiness
and procedures prior to the general rollout.

● Educate the user population before the general rollout, and plan to educate new users as
they join the company. This is a critical phase of deploying decryption because the
deployment may block websites that users previously visited but that are not safe, so those sites
are no longer reachable. The POC experience helps identify the most important points to
communicate.

● Phase in decryption. You can accomplish this in several ways. You can decrypt the highest
priority traffic first (for example, the URL categories most likely to harbor malicious traffic,
such as gaming) and then decrypt more as you gain experience. Alternatively, you can take a
more conservative approach and decrypt the URL categories that don’t affect your business
first (so if something goes wrong, no issues occur that affect business), for example, news
feeds. In all cases, the best way to phase in decryption is to decrypt a few URL categories,
take user feedback into account, run reports to ensure that decryption is working as
expected, and then gradually decrypt a few more URL categories and verify, and so on. Plan
to make decryption exclusions to exclude sites from decryption if you can’t decrypt them for
technical reasons or because you choose not to decrypt them.

● If you enable users to opt out of SSL Decryption (users see a response page that allows them
either to opt out of decryption and end the session without going to the site or to proceed to
the site and agree to have the traffic decrypted), educate them about what it is, why they’re
seeing it and what their options are.

● Create realistic deployment schedules that allow time to evaluate each stage of the rollout.
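To make the planning decisions in this section concrete (exempt user groups, categories kept out of decryption for legal reasons, decryption exclusions, a phased URL-category rollout, and a decryption profile that decides what to do with bad server certificates), here is an added Python model of that decision order. It is illustrative code written for this guide's text, not Prisma Access configuration syntax; all group names, URL categories and hostnames are constructed.

```python
from dataclasses import dataclass

# Constructed rollout plan: a few URL categories per phase, highest-risk first,
# as the study guide recommends; phase N decrypts everything in phases 1..N.
ROLLOUT_PHASES = [
    {"gaming", "malware", "phishing"},          # phase 1: categories most likely to carry threats
    {"news", "sports"},                         # phase 2: low business impact categories
    {"social-networking", "streaming-media"},   # phase 3
]

# Sites excluded for technical reasons (e.g. certificate pinning) or by choice (constructed).
DECRYPTION_EXCLUSIONS = {"pinned.example.com", "update.example.net"}
# Categories never decrypted because local law restricts logging that data (constructed).
PRIVACY_CATEGORIES = {"health-and-medicine", "financial-services"}
# User groups exempted from decryption, e.g. executives (constructed).
EXEMPT_GROUPS = {"executives"}

@dataclass
class Session:
    user_group: str
    url_category: str
    server_name: str
    cert_status: str = "valid"   # "valid", "unknown", "expired" or "untrusted"

@dataclass
class DecryptionProfile:
    """Models the bad-certificate choices attached to a decryption policy."""
    block_unknown_status: bool = True
    block_expired: bool = True
    block_untrusted: bool = True

def decrypt_decision(session, phase, profile):
    """Return (action, reason) for one session at a given rollout phase (1-based)."""
    # Exclusions and exemptions are checked first, regardless of rollout phase.
    if session.server_name in DECRYPTION_EXCLUSIONS:
        return "no-decrypt", "decryption exclusion"
    if session.user_group in EXEMPT_GROUPS:
        return "no-decrypt", "exempt user group"
    if session.url_category in PRIVACY_CATEGORIES:
        return "no-decrypt", "privacy-restricted category"
    enabled = set().union(*ROLLOUT_PHASES[:phase])
    if session.url_category not in enabled:
        return "no-decrypt", "category not yet in rollout"
    # The policy matches; the profile decides based on server certificate status.
    if session.cert_status == "unknown" and profile.block_unknown_status:
        return "block", "unknown certificate status"
    if session.cert_status == "expired" and profile.block_expired:
        return "block", "expired certificate"
    if session.cert_status == "untrusted" and profile.block_untrusted:
        return "block", "untrusted issuer"
    return "decrypt", "policy match"
```

Running the same session through successive phases shows which categories a given stage of the rollout actually touches, which is the check to do before widening the rulebase.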

5.3.4 References
● Decryption exclusions, https://live.paloaltonetworks.com/t5/prisma-access-cloud-management/enabling-decryption-with-prisma-access-cloud-management/ta-p/396764

5.4 Sample Questions

1. Which of the following are encompassed by the concept of Zero Trust Networks?
a. User identity authentication
b. API playbooks
c. Secure fabric
d. Underlayment

2. What does Prisma Access provide to help establish Zero Trust for Applications?
a. Device security evaluations
b. Transaction security
c. Identity enforcement
d. Incident response playbooks

3. The term "DAAS" stands for _____?
a. Data authentication assets security
b. Data applications authentication security
c. Data applications assets security
d. Data applications assets services

4. Which of the following enables a Zero Trust Enterprise?
a. Distributed security controls
b. Machine learning controls
c. Integrated security controls
d. Dynamic policy controls

5. What is the purpose of an SSL Decryption Exclusion?
a. To identify what resources should be allocated for decryption of traffic
b. To exempt traffic from security policy rules
c. To allow malware traffic to be inspected
d. To prevent certificate pinned traffic from being decrypted

6. What is the purpose of PKI?
a. Control of certificates
b. Identify malicious certificate use
c. Manage session keys
d. Establish integration of kubernetes



Appendix A: Answers to Sample Questions
Below are the questions offered throughout the study guide, with the correct answers indicated.

Domain 1

1. Secure access service edge, or SASE, is an emerging cybersecurity concept that Gartner first
described in _____?
a. October 2018
b. August 2019
c. March 2021
d. August 2020

2. Which of the following statements is incorrect about SASE?
a. With a cloud infrastructure, you can easily connect to wherever resources are located.
b. Access to apps, the internet and corporate data is available globally.
c. Security and network access are delivered based on IP address.
d. Implementing data protection policies within a SASE framework helps prevent
unauthorized access and abuse of sensitive data.

3. Which of the following is NOT an example of a security service edge in cloud infrastructure?
a. ZTNA/VPN
b. CASB
c. FWaaS
d. AIOps

4. Which of the following is not considered malware?
a. Cookies
b. Virus
c. Worms
d. Trojans

5. Which network infrastructure element provides next-generation firewall features in the
cloud, removing the need for physical hardware at branch and retail locations?
a. Zero Trust Network Access (ZTNA)
b. Firewall as a service (FWaaS)
c. Secure web gateways (SWG)
d. Data loss prevention (DLP)
e. Cloud access security broker (CASB)

6. Which infrastructure element prevents employees and devices from accessing malicious
websites, enforces acceptable use policies before users can access the internet, and blocks
inappropriate content?
a. Zero Trust Network Access (ZTNA)
b. Firewall as a service (FWaaS)
c. Secure web gateways (SWG)
d. Data loss prevention (DLP)
e. Cloud access security broker (CASB)



Domain 2

1. What is a characteristic of next-generation SD-WAN solutions?
a. Detailed bandwidth reporting
b. Insights for SSL Decryption
c. Application-defined traffic steering
d. Establishment of secure fabric

2. Prisma SD-WAN utilizes machine learning (ML) for which of the following?
a. Threat prevention and security policy tuning
b. URL filtering and malware site identification
c. Management event correlation and reconciliation
d. Decryption tuning

3. What does ADEM give administrators visibility into?
a. The entire service delivery path
b. Container utilization
c. User traffic behaviors
d. Circuit bandwidth consumption

4. Which of the following is a true statement regarding Prisma Access?
a. The solution converges security features, SD-WAN, and advanced traffic
synthesizers
b. The solution is unique in the industry due to the use of a secure fabric
c. The solution introduces proprietary routing protocols for superb performance
d. The solution applies machine learning to establish efficient routes

Domain 3

1. Which are two core components for delivering the Secure Access Service Edge (SASE)?
a. Prisma Access
b. Prisma SD-WAN
c. PAN-OS
d. Cortex

2. How many steps are in the methodology to implement a zero trust strategy?
a. Six-step methodology
b. Five-step methodology
c. Four-step methodology
d. Three-step methodology

3. Which of the following offers an integrated CASB solution?
a. Service Connection Security
b. DLP Security
c. SaaS Security Inline
d. IoT Security

4. What is Advanced URL Filtering?
a. A way to control web access and user interactions with online content
b. A threat intelligence service for dynamic security policy updates
c. Application-based URL inventories to account for non-HTTP sites
d. A collection of pinned certificate inventories to aid decryption

5. What enables both automation and integration?
a. ION Devices
b. VPN
c. API
d. URL

6. What connects remote networks to Prisma Access via an industry-standard IPSec VPN?
a. Rest API
b. CloudBlades
c. Wide area networks (WANs)
d. Application fabric (AppFabric)

7. Which feature is not provided by the SaaS Inline Security?
a. Shadow IT control
b. Shadow IT discovery
c. Shadow IT visibility and reporting
d. Security configuration controls

8. Which of the following provides protection for cloud-based assets by providing at-rest
detection?
a. SaaS Security
b. SaaS API Security
c. SaaS Inline Security
d. App-ID cloud engine

9. What is the advantage of the new SD-WAN licensing model?
a. Consumers effectively get 4 days of bandwidth free every month.
b. Hardware costs are eliminated, resulting in reduced infrastructure costs.
c. Prisma Access licensing and Threat Prevention is rolled into the subscription for a
heavily discounted security package.
d. Consumers pay for bandwidth consumed, resulting in lower costs since unused
bandwidth costs nothing.

10. Which of the following is required to use Prisma Access for users?
a. GlobalProtect on the end-points
b. Cloud managed Prisma Access
c. Panorama managed Prisma Access
d. Explicit Proxy

Domain 4

1. Which of the following provides native, end-to-end visibility and performance metrics for
real application traffic in your secure access service edge (SASE) environment?
a. DNSSEC
b. App-ID
c. SWG
d. ADEM

2. Which serves to increase perceived application response and improve the overall user
experience?
a. DNS accounting
b. DNS caching
c. IoT DNS
d. Secure DNS

3. Which report provides aggregate views of ingress and egress traffic distribution?
a. Security policy
b. Deployment model
c. WAN static routing
d. WAN Clarity report

4. What do WAN Clarity reports provide?
a. CloudBlade status for a site
b. AppFabric utilization for a circuit
c. Route utilization for a device
d. Bandwidth utilization for a circuit category

Domain 5

1. Which of the following are encompassed by the concept of Zero Trust Networks?
a. User identity authentication
b. API playbooks
c. Secure fabric
d. Underlayment

2. What does Prisma Access provide to help establish Zero Trust for Applications?
a. Device security evaluations
b. Transaction security
c. Identity enforcement
d. Incident response playbooks

3. The term "DAAS" stands for _____?
a. Data authentication assets security
b. Data applications authentication security
c. Data applications assets security
d. Data applications assets services

4. Which of the following enables a Zero Trust Enterprise?
a. Distributed security controls
b. Machine learning controls
c. Integrated security controls
d. Dynamic policy controls

5. What is the purpose of an SSL Decryption Exclusion?
a. To identify what resources should be allocated for decryption of traffic
b. To exempt traffic from security policy rules
c. To allow malware traffic to be inspected
d. To prevent certificate pinned traffic from being decrypted

6. What is the purpose of PKI?
a. Control of certificates
b. Identify malicious certificate use
c. Manage session keys
d. Establish integration of kubernetes



Continuing Your Learning Journey with Palo Alto Networks
Training from Palo Alto Networks and our Authorized Training Partners delivers the knowledge and
expertise to prepare you to protect our way of life in the digital age. Our trusted security
certifications give you the Palo Alto Networks product portfolio knowledge necessary to prevent
successful cyberattacks and to safely enable applications.

Digital Learning
For those of you who want to keep up to date on our technology, a learning library of free digital
learning is available. These on-demand, self-paced digital-learning classes are a helpful way to
reinforce the key information for those who have been to the formal hands-on classes. They also
serve as a useful overview and introduction to working with our technology for those unable to
attend a hands-on, instructor-led class.

Simply register in Beacon and you will be given access to our digital-learning portfolio. These online
classes cover foundational material and contain narrated slides, knowledge checks, and, where
applicable, demos for you to access.

New courses are being added often, so check back to see new curriculum available.

Instructor-Led Training
Looking for a hands-on, instructor-led course in your area?

Palo Alto Networks Authorized Training Partners (ATPs) are located globally and offer a breadth of
solutions from onsite training to public, open-environment classes. About 42 authorized training
centers are delivering online courses in 14 languages and at convenient times for most major
markets worldwide. For class schedule, location, and training offerings, see
https://www.paloaltonetworks.com/services/education/atc-locations.

Learning Through the Community

You also can learn from peers and other experts in the field. Check out our communities site at
https://live.paloaltonetworks.com, where you can:

● Discover reference material
● Learn best practices
● Learn what is trending
