PSE SASE Firewall Study Guide

This is a non-comprehensive, personal reference for the Palo Alto PSE SASE Firewall Professional certification exam.

Prisma Access Manual

The exam is broken into multiple domains:

Domain 1:

Business Value

  1. Describe the complete secure access service edge (SASE) model
    • SASE combines networking (SD-WAN) and security services (SWG, CASB, ZTNA, FWaaS) into a unified cloud-delivered platform. Palo Alto’s Prisma SASE integrates all of these.
    • Enables Zero Trust by verifying user identity, device posture, and enforcing least privilege access per session.
  2. Define the technical business value of SASE
    • Delivers agility via cloud-first infrastructure, availability via redundant compute locations, and scalability by elastic resource provisioning.
    • Shared ownership: Palo Alto manages security stack; customers control policy.
    • Compared to point products, Prisma SASE reduces complexity and consolidates logs and policies.
  3. Define the technical business value of Autonomous Digital Experience Management (ADEM)
    • ADEM provides end-to-end visibility from device to app, offering metrics for path analysis and troubleshooting.
    • Streamlines IT operations by identifying issues across Wi-Fi, endpoint, WAN, or cloud without finger-pointing.
  4. Sample Questions
    • What business outcome is best aligned with Zero Trust in a SASE model?
      A) All traffic is sent to the cloud for inspection
      B) Least-privilege access is enforced regardless of user location
      C) All branch locations have internet breakout
      D) Only GlobalProtect users are inspected
      Correct Answer: B

Domain 2:

Competitive Differentiators

  1. Explain the value Palo Alto Networks SASE architecture provides in contrast to its competitors
    • Inline SASE solutions inspect all traffic as it flows, unlike proxy-based solutions which often lack real-time inspection.
    • Unified approach avoids stitching point products; single vendor, single pane of glass.
    • Dedicated cloud infra (Prisma Access) ensures tenant isolation and performance, unlike shared/public proxy clouds.
    • Prisma SD-WAN includes app-aware routing and forward error correction, improving over basic IP-based path selection.
  2. Explain how Palo Alto Networks SASE metrics autonomously drive network and security behaviors
    • End-to-end metrics collected via ADEM and CloudBlades.
    • Path quality data feeds into dynamic path selection (SLA-based) and can trigger policy actions.
    • Path visualization tools like SD-WAN topology map and experience scores offer insights not available in competing platforms.
  3. Sample Questions
    • What differentiates Prisma Access from proxy-based SASE solutions?
      A) It uses a shared proxy model
      B) It routes traffic through SD-WAN only
      C) It performs inline inspection with real-time threat prevention
      D) It requires third-party CASB integration
      Correct Answer: C

Domain 3:

Architecture and Planning

  1. Palo Alto Networks SASE Architecture
    • Core components: Prisma Access (Mobile Users, Remote Networks, Service Connections), Prisma SD-WAN (IONs, CloudBlades), ADEM, Cloud Management (SCM).
    • Enforces Zero Trust with least privilege policies and continuous trust evaluation.
  2. Prisma Access Architecture
    • Service Connections: IPsec tunnels from Prisma Access to customer data centers for private app access.
    • Remote Networks: IPsec tunnels from branch locations to Prisma Access for internet security and internal access (via SCs).
    • Mobile Users: GlobalProtect tunnels terminated in cloud gateways with enforcement and logging.
    • Consistent Cloud-Delivered Security Services (CDSS) include Threat Prevention, URL Filtering, DLP, and more.
  3. Prisma SD-WAN Architecture
    • Uses ION devices to provide application-aware routing and performance metrics.
    • CloudBlades provide plug-in integration to services like Prisma Access, ServiceNow, and ADEM.
    • Redundancy via Forward Error Correction (FEC), packet duplication, and VRRP.
  4. SaaS Security Architecture
    • SaaS Inline Security: Traffic analyzed in-line using App-ID Cloud Engine (ACE).
    • SaaS API Security: Direct API integrations with SaaS providers (e.g., Microsoft 365, Google Workspace).
    • Fully integrates with Prisma Access to apply consistent policy.
  5. Sizing and Licensing Methods
    • Mobile Users: Licenses by MU/month or bandwidth (1 Mbps = 1 unit)
    • Remote Networks: Bandwidth tiers; sizing based on branch uplink
    • SD-WAN: Based on ION model and throughput needs
    • SaaS: Based on users or apps secured
  6. Sample Questions
    • What enables private app access from remote Prisma Access nodes?
      A) Remote Network tunnels
      B) Service Connections
      C) GlobalProtect Portals
      D) CloudBlades
      Correct Answer: B

Domain 4:

Demonstration and Evaluation

  1. Use Cases: Mobile Users and Remote Networks
    • Mobile Users: Enable secure access with GlobalProtect + cloud gateways; apply URL filtering and HIP-based access.
    • Remote Networks: IPsec tunnels from IONs or third-party routers; outbound internet and SC-based internal access.
    • Secure Web Gateways (SWG): Provided via Prisma Access with web filtering, threat inspection, and logging.
    • App-ID/User-ID: Enforce policy based on app behavior and user identity.
    • ADEM/Device Insights: Measure performance from device to app; monitor Wi-Fi, DNS, proxy, SaaS.
  2. SD-WAN Use Cases
    • Metrics: Jitter, packet loss, latency used in dynamic path selection
    • Onboarding: Use CloudBlade to connect ION to Prisma Access
    • Topology: View all SD-WAN sites, tunnels, and path metrics
    • WAN Clarity Reports: Provide historical performance and anomaly detection
  3. Sample Questions
    • Which capability enables Prisma SD-WAN to select the best performing path?
      A) Static routing
      B) App-ID filtering
      C) SLA-based dynamic path selection
      D) Zone-based segmentation
      Correct Answer: C
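
The SLA-based path selection named in Domain 2 item 2 and Domain 4 item 2 (jitter, packet loss and latency compared against per-application thresholds) can be modelled in a few lines. The block below is an added example written for this guide, not Prisma SD-WAN's own algorithm or code; the threshold values, path names, the "sticky current path, then best compliant, then least-bad" preference order and the scoring formula are all assumptions chosen to illustrate the idea.

```python
"""Illustrative SLA-based dynamic path selection (added example; not Prisma SD-WAN code)."""
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class PathMetrics:
    """One measurement sample for a WAN path. All values are constructed."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass(frozen=True)
class AppSla:
    """Per-application thresholds; a path is compliant only if all three hold."""
    app: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


def meets_sla(m: PathMetrics, sla: AppSla) -> bool:
    """True when latency, jitter and loss are all within the app's thresholds."""
    return (m.latency_ms <= sla.max_latency_ms
            and m.jitter_ms <= sla.max_jitter_ms
            and m.loss_pct <= sla.max_loss_pct)


def sla_score(m: PathMetrics, sla: AppSla) -> float:
    """Sum of each metric as a fraction of its threshold; lower is better.
    Used to rank compliant paths, and to pick the least-bad path when none comply."""
    return (m.latency_ms / sla.max_latency_ms
            + m.jitter_ms / sla.max_jitter_ms
            + m.loss_pct / sla.max_loss_pct)


def select_path(sla: AppSla, paths: Iterable[PathMetrics],
                current: Optional[str] = None) -> str:
    """Choose the path that should carry `sla.app` traffic for this sample.

    Preference order (an assumption for this example):
      1. the path currently in use, if it still meets the SLA (a sticky choice
         that avoids flapping between two compliant paths on small changes);
      2. otherwise the compliant path with the best score;
      3. if no path is compliant, the least-bad path by score (traffic still
         has to go somewhere; this is where an operator alert would be raised).
    """
    candidates: List[PathMetrics] = list(paths)
    if not candidates:
        raise ValueError("no candidate paths")
    compliant = [p for p in candidates if meets_sla(p, sla)]
    if current is not None and any(p.name == current for p in compliant):
        return current
    pool = compliant or candidates
    return min(pool, key=lambda p: sla_score(p, sla)).name


def degrade(paths: Iterable[PathMetrics], name: str, **changes) -> List[PathMetrics]:
    """Copy of `paths` with one path's metrics altered, to simulate a brownout."""
    return [replace(p, **changes) if p.name == name else p for p in paths]


# Constructed sample: a voice SLA and three WAN paths measured at one instant.
VOIP_SLA = AppSla(app="voip", max_latency_ms=100, max_jitter_ms=10, max_loss_pct=1.0)
PATHS = [
    PathMetrics("mpls",  latency_ms=30,  jitter_ms=2,  loss_pct=0.1),
    PathMetrics("inet1", latency_ms=45,  jitter_ms=8,  loss_pct=0.5),
    PathMetrics("lte",   latency_ms=120, jitter_ms=30, loss_pct=2.0),
]

if __name__ == "__main__":
    print(select_path(VOIP_SLA, PATHS))                        # mpls: best compliant path
    print(select_path(VOIP_SLA, PATHS, current="inet1"))       # inet1: still in SLA, so stay put
    brownout = degrade(PATHS, "mpls", loss_pct=3.0)
    print(select_path(VOIP_SLA, brownout, current="mpls"))     # inet1: mpls fell out of SLA
    outage = degrade(brownout, "inet1", latency_ms=400)
    print(select_path(VOIP_SLA, outage, current="mpls"))       # mpls: nothing complies, least-bad wins
```

The sticky step matters as much as the scoring: without it, two paths that are both within SLA would swap on every sample in which their scores cross, and each swap reorders packets for the sessions moved.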

Domain 5:

Network Security Best Practices

  1. Zero Trust Methodology
    • Remove implicit trust by enforcing identity, device posture, and app context for every session
    • Use granular policies to control lateral movement in apps and infra
    • Enforce security inline with SSL decryption and threat prevention
  2. Proof of Concept for Remote Networks
    • Discover sensitive data with DLP or SaaS Security
    • Map app usage and infrastructure access with logging tools
    • Define architecture in Prisma Access (locations, SCs, RN zones)
    • Build policy with App-ID/User-ID, control access by need
    • Validate via monitoring and test transactions
  3. SSL Decryption Best Practices
    • Identify sensitive data flows and create policy exclusions if needed
    • Use default decryption exclusion lists to minimize risk
    • Choose between SSL forward proxy, inbound inspection, or no-decrypt with allow/block
  4. Sample Questions
    • What’s a recommended method to remove implicit trust from network infrastructure?
      A) Allow all internal traffic
      B) Use identity-based segmentation and encrypted traffic inspection
      C) Rely on NAT for zone separation
      D) Use proxy bypass lists
      Correct Answer: B

Notes & Gotchas

Licensing Tiers (Legacy vs. New)

  • Legacy tier names used on exam: Business, Business Premium, Enterprise
  • Current tiers: Secure Web Gateway, ZTNA, Enterprise

  Tier (Legacy)     Tier (Current)   SCs Included   Notable Features
  ----------------  ---------------  -------------  --------------------------------------------------------
  Business          SWG              None           Basic GP access, no portal, no SCs
  Business Premium  ZTNA             5 SCs          GP Portal, Clientless VPN, mobile users, remote networks
  Enterprise        Enterprise       20 SCs         Adds SaaS API, Inline Sec, DLP, ADEM, Threat Insights

  • SCs = Service Connections (used to connect to customer data centers)
  • Additional SCs can be purchased beyond the tier default
  • SCs are critical for app access, identity sources, logging infrastructure

GlobalProtect Portal Behavior

  • Business: No user-configurable portal; agents manually connect to default region gateways
  • Business Premium: Custom portal, per-user agent config, auth methods, and clientless VPN

Routing Protocol Support

  • Supported: BGP, OSPF
  • Not supported: IGRP. Static routes are not a dynamic routing protocol, so "static" is not a valid answer when the question asks for one

ZTNA & Tunnel Behavior

  • Tunnel only forms after authentication
  • Reinforces Zero Trust: always verify, no implicit trust

Core Components

  • Prisma Access: Mobile Users, Remote Networks, Service Connections, FWaaS, CDSS
  • Prisma SD-WAN: IONs, SLA-based pathing, CloudBlades, FEC, VRRP
  • SaaS Security: App-ID Cloud Engine (inline), API integrations (e.g. M365)
  • ADEM: Device → Gateway → App telemetry; monitors end-to-end experience

SCM Diagnostic Viewpoints

  • ADEM Insights: Device/Wi-Fi → DNS → Cloud → SaaS App latency & jitter
  • SD-WAN Monitoring: Tunnel metrics, loss, FEC effectiveness, topology maps
  • Service Connection Insights: Tunnel uptime, protocol health (e.g., BGP/OSPF neighbors)

Threat Visibility in GUI

  • Monitoring → Insights → Threats: Top threats, users, infected hosts
  • Policy → Security: Attach Threat Prevention profiles (AV, vuln, spyware)
  • Objects → Security Profiles: Profile creation and scope definition

SIEM / Log Forwarding

  • Settings → Logging Service → Log Forwarding
    • Define syslog/CEF/LEEF destinations
    • Assign log types (Threat, Traffic, URL, etc.)
    • Apply to Security Policies
    • Verification: Monitor → Insights confirms log delivery status
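
As an added, receiver-side illustration of the log forwarding items above (not Prisma Access code): a small CEF parser, a routing table that mirrors assigning log types to destinations, and a delivery check that flags log types which never arrived. The sample syslog lines, the vendor and product names, the gateway hostname "gw1", the destination names and the use of the CEF "cat" extension key to carry the log type are all constructed for this example; the real Prisma Access CEF field layout is not shown on this page.

```python
"""Added example: SIEM-side parsing of CEF log lines, routing by log type and a
delivery check. Not Prisma Access code; the vendor/product names and extension
keys in the sample lines are constructed placeholders, not the real export format."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set

# CEF header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
# A literal pipe inside a header field is escaped as "\|", so split on unescaped pipes only.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# Extension keys start the string or follow whitespace; "\=" inside a value is not a key.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))(\w+)=")
_HEADER_FIELDS = ("vendor", "product", "device_version", "signature_id", "name", "severity")


def _unescape(value: str) -> str:
    return value.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")


def parse_extension(ext: str) -> Dict[str, str]:
    """Extension is key=value pairs separated by spaces, but values may contain
    spaces, so cut at each key= boundary rather than splitting on whitespace."""
    keys = list(_EXT_KEY.finditer(ext))
    out: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one syslog line carrying a CEF payload; raises ValueError if it is not CEF."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    parts = _HEADER_SPLIT.split(line[idx:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    rec: Dict[str, object] = {"cef_version": parts[0][len("CEF:"):]}
    for field, raw in zip(_HEADER_FIELDS, parts[1:7]):
        rec[field] = _unescape(raw)
    try:
        rec["severity"] = int(str(rec["severity"]))   # numeric 0-10 in these samples
    except ValueError:
        pass                                          # CEF also allows Low/Medium/High/Very-High
    rec.update(parse_extension(parts[7]))
    return rec


# Constructed forwarding profiles: which log types each destination receives
# (mirrors "assign log types" per destination in the Log Forwarding settings).
DESTINATIONS: Dict[str, Set[str]] = {
    "siem-primary": {"THREAT", "TRAFFIC", "URL"},
    "soc-threat-only": {"THREAT"},
}
EXPECTED_TYPES: Set[str] = {"THREAT", "TRAFFIC", "URL"}


def route(rec: Dict[str, object], destinations: Dict[str, Set[str]]) -> List[str]:
    """Destinations whose assigned log types include this record's category ("cat")."""
    return [dest for dest, types in destinations.items() if rec.get("cat") in types]


def delivery_report(lines: Iterable[str], expected: Set[str]) -> Dict[str, object]:
    """Count received records per log type and flag types that never arrived,
    a receiver-side counterpart to checking delivery status in Monitor -> Insights."""
    counts: Counter = Counter()
    errors = 0
    for line in lines:
        try:
            counts[str(parse_cef(line).get("cat", "UNKNOWN"))] += 1
        except ValueError:
            errors += 1
    return {"counts": dict(counts), "parse_errors": errors,
            "missing_types": sorted(expected - set(counts))}


# Constructed sample lines (syslog priority/timestamp prefix followed by CEF).
SAMPLE_LINES = [
    "<14>Jul 18 10:00:01 gw1 CEF:0|Example Vendor|Example Product|1.0|100|Traffic session end|3|"
    "cat=TRAFFIC src=10.1.1.5 dst=93.184.216.34 spt=51234 dpt=443 app=ssl act=allow",
    "<14>Jul 18 10:00:02 gw1 CEF:0|Example Vendor|Example Product|1.0|200|Threat detected|8|"
    "cat=THREAT src=10.1.1.7 dst=198.51.100.20 act=reset-both msg=Exploit attempt blocked by Threat Prevention",
    "<14>Jul 18 10:00:03 gw1 CEF:0|Example Vendor|Example Product|1.0|300|URL filtering|5|"
    "cat=URL src=10.1.1.9 request=https://example.com/path?x\\=1 act=block",
    "<14>Jul 18 10:00:04 gw1 heartbeat: not a CEF record",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES[:3]:
        rec = parse_cef(line)
        print(rec["cat"], rec["severity"], "->", route(rec, DESTINATIONS))
    print(delivery_report(SAMPLE_LINES, EXPECTED_TYPES))
```

The delivery check is the part worth keeping in a real deployment: a destination that silently stops receiving one log type (Threat logs in particular) looks healthy from the forwarding side, and only a per-type count on the receiving side shows the gap.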

Consolidated Notes From the Desk of Sean Davis.

Palo Alto PSE SASE Study Guide Reference Information

By Sean, 2025-07-18