Amazon
Avaya
Checkpoint
Cisco®
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL®
Juniper
Microsoft
Okta
Palo Alto Networks
Salesforce
All Vendors
  1. Home
  2. Palo Alto Networks
  3. PSE-Strata-Pro-24

Palo Alto Networks PSE-Strata-Pro-24 Exam (page: 1)
Palo Alto Networks Systems Engineer Professional - Hardware Firewall
Updated on: 13-Dec-2025

Viewing Page 1 of 13
PSE-Strata-Pro-24 PDF 60 Questions

A company plans to deploy identity for improved visibility and identity-based controls for least privilege access to applications and dat

  1. The company does not have an on-premises Active Directory (AD) deployment, and devices are connected and managed by using a combination of Entra ID and Jamf.
    Which two supported sources for identity are appropriate for this environment? (Choose two.)
  2. Captive portal
  3. User-ID agents configured for WMI client probing
  4. GlobalProtect with an internal gateway deployment
  5. Cloud Identity Engine synchronized with Entra ID

Answer(s): C,D

Explanation:

In this scenario, the company does not use on-premises Active Directory and manages devices with Entra ID and Jamf, which implies a cloud-native and modern management setup. Below is the evaluation of each option:

Option A: Captive portal

Captive portal is typically used in environments where identity mapping is needed for unmanaged devices or guest users. It provides a mechanism for users to authenticate themselves through a web interface.

However, in this case, the company is managing devices using Entra ID and Jamf, which means identity information can already be centralized through other means. Captive portal is not an ideal solution here.

This option is not appropriate.

Option B: User-ID agents configured for WMI client probing

WMI (Windows Management Instrumentation) client probing is a mechanism used to map IP addresses to usernames in a Windows environment. This approach is specific to on-premises Active Directory deployments and requires direct communication with Windows endpoints.

Since the company does not have an on-premises AD and is using Entra ID and Jamf, this method is not applicable.

This option is not appropriate.

Option C: GlobalProtect with an internal gateway deployment

GlobalProtect is Palo Alto Networks' VPN solution, which allows for secure remote access. It also supports identity-based mapping when deployed with internal gateways.

In this case, GlobalProtect with an internal gateway can serve as a mechanism to provide user and device visibility based on the managed devices connecting through the gateway.

This option is appropriate.

Option D: Cloud Identity Engine synchronized with Entra ID

The Cloud Identity Engine provides a cloud-based approach to synchronize identity information from identity providers like Entra ID (formerly Azure AD).

In a cloud-native environment with Entra ID and Jamf, the Cloud Identity Engine is a natural fit as it integrates seamlessly to provide identity visibility for applications and data.

This option is appropriate.


Reference:

Palo Alto Networks documentation on Cloud Identity Engine

GlobalProtect configuration and use cases in Palo Alto Knowledge Base



A systems engineer (SE) is working with a customer that is fully cloud-deployed for all applications. The customer is interested in Palo Alto Networks NGFWs but describes the following challenges:

"Our apps are in AWS and Azure, with whom we have contracts and minimum-revenue guarantees. We would use the built-in firewall on the cloud service providers (CSPs), but the need for centralized policy management to reduce human error is more important."

Which recommendations should the SE make?

  1. Cloud NGFWs at both CSPs; provide the customer a license for a Panorama virtual appliance from their CSP's marketplace of choice to centrally manage the systems.
  2. Cloud NGFWs in AWS and VM-Series firewall in Azure; the customer selects a PAYG licensing Panorama deployment in their CSP of choice.
  3. VM-Series firewalls in both CSPs; manually built Panorama in the CSP of choice on a host of either type: Palo Alto Networks provides a license.
  4. VM-Series firewall and CN-Series firewall in both CSPs; provide the customer a private-offer Panorama virtual appliance from their CSP's marketplace of choice to centrally manage the systems.

Answer(s): A

Explanation:

The customer is seeking centralized policy management to reduce human error while maintaining compliance with their contractual obligations to AWS and Azure. Here's the evaluation of each option:

Option A: Cloud NGFWs at both CSPs; provide the customer a license for a Panorama virtual appliance from their CSP's marketplace of choice to centrally manage the systems

Cloud NGFW is a fully managed Next-Generation Firewall service by Palo Alto Networks, offered in AWS and Azure marketplaces. It integrates natively with the CSP infrastructure, making it a good fit for customers with existing CSP agreements.

Panorama, Palo Alto Networks' centralized management solution, can be deployed as a virtual appliance in the CSP marketplace of choice, enabling centralized policy management across all NGFWs.

This option addresses the customer's need for centralized management while leveraging their existing contracts with AWS and Azure.

This option is appropriate.

Option B: Cloud NGFWs in AWS and VM-Series firewall in Azure; the customer selects a PAYG licensing Panorama deployment in their CSP of choice

This option suggests using Cloud NGFW in AWS but VM-Series firewalls in Azure.
While VM-Series is a flexible virtual firewall solution, it may not align with the customer's stated preference for CSP- managed services like Cloud NGFW.

This option introduces a mix of solutions that could complicate centralized management and reduce operational efficiency.

This option is less appropriate.

Option C: VM-Series firewalls in both CSPs; manually built Panorama in the CSP of choice on a host of either type: Palo Alto Networks provides a license

VM-Series firewalls are well-suited for cloud deployments but require more manual configuration compared to Cloud NGFW.

Building a Panorama instance manually on a host increases operational overhead and does not leverage the customer's existing CSP marketplaces.

This option is less aligned with the customer's needs.

Option D: VM-Series firewall and CN-Series firewall in both CSPs; provide the customer a private- offer Panorama virtual appliance from their CSP's marketplace of choice to centrally manage the systems

This option introduces both VM-Series and CN-Series firewalls in both CSPs.
While CN-Series firewalls are designed for Kubernetes environments, they may not be relevant if the customer does not specifically require container-level security.

Adding CN-Series firewalls may introduce unnecessary complexity and costs.

This option is not appropriate.


Reference:

Palo Alto Networks documentation on Cloud NGFW

Panorama overview in Palo Alto Knowledge Base

VM-Series firewalls deployment guide in CSPs: Palo Alto Documentation



A customer claims that Advanced WildFire miscategorized a file as malicious and wants proof, because another vendor has said that the file is benign.

How could the systems engineer assure the customer that Advanced WildFire was accurate?

  1. Review the threat logs for information to provide to the customer.
  2. Use the WildFire Analysis Report in the log to show the customer the malicious actions the file took when it was detonated.
  3. Open a TAG ticket for the customer and allow support engineers to determine the appropriate action.
  4. Do nothing because the customer will realize Advanced WildFire is right.

Answer(s): B

Explanation:

Advanced WildFire is Palo Alto Networks' cloud-based malware analysis and prevention solution. It determines whether files are malicious by executing them in a sandbox environment and observing their behavior. To address the customer's concern about the file categorization, the systems engineer must provide evidence of the file's behavior. Here's the analysis of each option:

Option A: Review the threat logs for information to provide to the customer

Threat logs can provide a summary of events and verdicts for malicious files, but they do not include the detailed behavior analysis needed to convince the customer.

While reviewing the logs is helpful as a preliminary step, it does not provide the level of proof the customer needs.

This option is not sufficient on its own.

Option B: Use the WildFire Analysis Report in the log to show the customer the malicious actions the file took when it was detonated

WildFire generates an analysis report that includes details about the file's behavior during detonation in the sandbox, such as network activity, file modifications, process executions, and any indicators of compromise (IoCs).

This report provides concrete evidence to demonstrate why the file was flagged as malicious. It is the most accurate way to assure the customer that WildFire's decision was based on observed malicious actions.

This is the best option.

Option C: Open a TAG ticket for the customer and allow support engineers to determine the appropriate action

While opening a support ticket is a valid action for further analysis or appeal, it is not a direct way to assure the customer of the current WildFire verdict.

This option does not directly address the customer's request for immediate proof.

This option is not ideal.

Option D: Do nothing because the customer will realize Advanced WildFire is right

This approach is dismissive of the customer's concerns and does not provide any evidence to support WildFire's decision.

This option is inappropriate.


Reference:

Palo Alto Networks documentation on WildFire

WildFire Analysis Reports



Which three known variables can assist with sizing an NGFW appliance? (Choose three.)

  1. Connections per second
  2. Max sessions
  3. Packet replication
  4. App-ID firewall throughput
  5. Telemetry enabled

Answer(s): A,B,D

Explanation:

When sizing a Palo Alto Networks NGFW appliance, it's crucial to consider variables that affect its performance and capacity. These include the network's traffic characteristics, application requirements, and expected workloads. Below is the analysis of each option:

Option A: Connections per second

Connections per second (CPS) is a critical metric for determining how many new sessions the firewall can handle per second. High CPS requirements are common in environments with high traffic turnover, such as web servers or applications with frequent session terminations and creations.

This is an important sizing variable.

Option B: Max sessions

Max sessions represent the total number of concurrent sessions the firewall can support. For environments with a large number of users or devices, this metric is critical to prevent session exhaustion.

This is an important sizing variable.

Option C: Packet replication

Packet replication is used in certain configurations, such as TAP mode or port mirroring for traffic inspection.
While it impacts performance, it is not a primary variable for firewall sizing as it is a specific use case.

This is not a key variable for sizing.

Option D: App-ID firewall throughput

App-ID throughput measures the firewall's ability to inspect traffic and apply policies based on application signatures. It directly impacts the performance of traffic inspection under real-world conditions.

This is an important sizing variable.

Option E: Telemetry enabled

While telemetry provides data for monitoring and analysis, enabling it does not significantly impact the sizing of the firewall. It is not a core variable for determining firewall performance or capacity.

This is not a key variable for sizing.


Reference:

Palo Alto Networks documentation on Firewall Sizing Guidelines

Knowledge Base article on Performance and Capacity Sizing



Which statement applies to the default configuration of a Palo Alto Networks NGFW?

  1. Security profiles are applied to all policies by default, eliminating implicit trust of any data traversing the firewall.
  2. The default policy action for intrazone traffic is deny, eliminating implicit trust within a security zone.
  3. The default policy action allows all traffic unless explicitly denied.
  4. The default policy action for interzone traffic is deny, eliminating implicit trust between security zones.

Answer(s): D

Explanation:

The default configuration of a Palo Alto Networks NGFW includes a set of default security rules that determine how traffic is handled when no explicit rules are defined. Here's the explanation for each option:

Option A: Security profiles are applied to all policies by default, eliminating implicit trust of any data traversing the firewall

Security profiles (such as Antivirus, Anti-Spyware, and URL Filtering) are not applied to any policies by default. Administrators must explicitly apply them to security rules.

This statement is incorrect.

Option B: The default policy action for intrazone traffic is deny, eliminating implicit trust within a security zone

By default, traffic within the same zone (intrazone traffic) is allowed. For example, traffic between devices in the "trust" zone is permitted unless explicitly denied by an administrator.

This statement is incorrect.

Option C: The default policy action allows all traffic unless explicitly denied

Palo Alto Networks firewalls do not have an "allow all" default rule. Instead, they include a default "deny all" rule for interzone traffic and an implicit "allow" rule for intrazone traffic.

This statement is incorrect.

Option D: The default policy action for interzone traffic is deny, eliminating implicit trust between security zones

By default, traffic between different zones (interzone traffic) is denied. This aligns with the principle of zero trust, ensuring that no traffic is implicitly allowed between zones. Administrators must define explicit rules to allow interzone traffic.

This statement is correct.


Reference:

Palo Alto Networks documentation on Security Policy Defaults

Knowledge Base article on Default Security Rules



Viewing Page 1 of 13



Share your comments for Palo Alto Networks PSE-Strata-Pro-24 exam with other users:

JugHead 9/27/2023 2:40:00 PM

please add this exam
Anonymous


sushant 6/28/2023 4:38:00 AM

please upoad
EUROPEAN UNION


John 8/7/2023 12:09:00 AM

has anyone recently attended safe 6.0 certification? is it the samq question from here.
Anonymous


Blessious Phiri 8/14/2023 3:49:00 PM

expository experience
Anonymous


concerned citizen 12/29/2023 11:31:00 AM

52 should be b&c. controller failure has nothing to do with this type of issue. degraded state tells us its a raid issue, and if the os is missing then the bootable device isnt found. the only other consideration could be data loss but thats somewhat broad whereas b&c show understanding of the specific issues the question is asking about.
UNITED STATES


deedee 12/23/2023 5:10:00 PM

great help!!!
UNITED STATES


Samir 8/1/2023 3:07:00 PM

very useful tools
UNITED STATES


Saeed 11/7/2023 3:14:00 AM

looks a good platform to prepare az-104
Anonymous


Matiullah 6/24/2023 7:37:00 AM

want to pass the exam
Anonymous


SN 9/5/2023 2:25:00 PM

good resource
UNITED STATES


Zoubeyr 9/8/2023 5:56:00 AM

question 11 : d
FRANCE


User 8/29/2023 3:24:00 AM

only the free dumps will be enough for pass, or have to purchase the premium one. please suggest.
Anonymous


CW 7/6/2023 7:37:00 PM

good questions. thanks.
Anonymous


Farooqi 11/21/2023 1:37:00 AM

good for practice.
INDIA


Isaac 10/28/2023 2:30:00 PM

great case study
UNITED STATES


Malviya 2/3/2023 9:10:00 AM

the questions in this exam dumps is valid. i passed my test last monday. i only whish they had their pricing in inr instead of usd. but it is still worth it.
INDIA


rsmyth 5/18/2023 12:44:00 PM

q40 the answer is not d, why are you giving incorrect answers? snapshot consolidation is used to merge the snapshot delta disk files to the vm base disk
IRELAND


Keny 6/23/2023 9:00:00 PM

thanks, very relevant
PERU


Muhammad Rawish Siddiqui 11/29/2023 12:14:00 PM

wrong answer. it is true not false.
SAUDI ARABIA


Josh 7/10/2023 1:54:00 PM

please i need the mo-100 questions
Anonymous


VINNY 6/2/2023 11:59:00 AM

very good use full
Anonymous


Andy 12/6/2023 5:56:00 AM

very valid questions
Anonymous


Mamo 8/12/2023 7:46:00 AM

will these question help me to clear pl-300 exam?
UNITED STATES


Marial Manyang 7/26/2023 10:13:00 AM

please provide me with these dumps questions. thanks
Anonymous


Amel Mhamdi 12/16/2022 10:10:00 AM

in the pdf downloaded is write google cloud database engineer i think that it isnt the correct exam
FRANCE


Angel 8/30/2023 10:58:00 PM

i think you have the answers wrong regarding question: "what are three core principles of web content accessibility guidelines (wcag)? answer: robust, operable, understandable
UNITED STATES


SH 5/16/2023 1:43:00 PM

these questions are not valid , they dont come for the exam now
UNITED STATES


sudhagar 9/6/2023 3:02:00 PM

question looks valid
UNITED STATES


Van 11/24/2023 4:02:00 AM

good for practice
Anonymous


Divya 8/2/2023 6:54:00 AM

need more q&a to go ahead
Anonymous


Rakesh 10/6/2023 3:06:00 AM

question 59 - a newly-created role is not assigned to any user, nor granted to any other role. answer is b https://docs.snowflake.com/en/user-guide/security-access-control-overview
Anonymous


Nik 11/10/2023 4:57:00 AM

just passed my exam today. i saw all of these questions in my text today. so i can confirm this is a valid dump.
HONG KONG


Deep 6/12/2023 7:22:00 AM

needed dumps
INDIA


tumz 1/16/2024 10:30:00 AM

very helpful
UNITED STATES