A new Mumbai branch IPSec tunnel negotiates Phase 1 and Phase 2 successfully, but no traffic flows from the branch to internet. What is the most likely Prisma-side cause?

Correct answer: b) Bandwidth was never allocated to the asia-south1 compute location, so the Gateway accepts the SA but drops traffic Answer: b. If the proposal was wrong (a), Phase 1 / Phase 2 would never complete. Prisma needs explicit regional bandwidth allocation before a Gateway will pass traffic — a Phase-2-up-but-no-data symptom in a freshly onboarded region is almost always this. (c) is wrong — NAT-T means a private IP is fine. (d) is wrong — asia-south1 covers Mumbai.

A user complains that Microsoft Teams calls are choppy from home only. ADEM shows the endpoint segment red, ISP segment green, Prisma segment green, SaaS segment green. The most likely cause is:

Correct answer: c) The user's home Wi-Fi or device CPU is the bottleneck — endpoint segment red points there Answer: c. ADEM's whole purpose is to localise the bad segment. Endpoint red + every other segment green points squarely at Wi-Fi RSSI / device CPU / local DNS. Telling the user to test on Ethernet usually proves it in 60 seconds. (a) would manifest as Prisma segment red. (b) and (d) are unrelated to this signal pattern.

You're publishing an internal Jira instance to contractors who use personal laptops. The cleanest pattern is:

Correct answer: c) Publish Jira through a Prisma Access ZTNA App Gateway with Clientless Browser Access — no agent, SAML SSO, Security policy still applies Answer: c. Clientless Browser Access on the App Gateway is exactly this scenario — no agent on the BYOD laptop, SAML SSO via your IdP, Prisma still inspects and applies Security policy. (a) requires installing managed software on a personal device. (b) bypasses Prisma's inspection. (d) is the worst of all worlds for a contractor footprint.

A Remote Network branch is on Tunnel 1 to asia-south1 and Tunnel 2 to asia-southeast1, both with BGP. The asia-south1 Gateway goes down for maintenance. What happens?

Correct answer: a) Tunnel 1 BGP session drops, prefixes withdrawn, ECMP repaints to Tunnel 2 within seconds — users see a brief blip and continue Answer: a. This is exactly why you design primary + secondary with BGP. The withdrawn prefixes drive ECMP to drop Tunnel 1 from the path, and the secondary continues to carry traffic. (b) and (c) describe a single-tunnel design. (d) would only happen if Service Connections were affected, not the local Gateway path.

A Service Connection from HQ to Prisma Access is advertising the default route (0.0.0.0/0) into Prisma. Symptom?

Correct answer: d) Every Mobile User's internet traffic is pulled through HQ before Prisma sends it out — defeating local breakout and creating a single point of failure Answer: d. Advertising 0/0 over the Service Connection tells Prisma "send all internet traffic to HQ". Every Mobile User and Remote Network then hairpins internet via HQ — exactly the design Prisma replaces. (a) is the opposite of best practice. (c) is technically false; the SC will accept the route, that's the trap. (b) doesn't follow from this misconfig.

In Cloud Identity Engine, you've integrated Entra ID via SAML but your Security policy that uses "source-user any-in-group('Finance')" doesn't match. What's the most likely fix?

Correct answer: b) Configure Entra to emit security-group claims in the SAML assertion (or use SCIM provisioning) so CIE knows the user's group membership Answer: b. Without the group claim in the SAML assertion (or a SCIM feed), CIE has the username but not the groups, so any group-based match fails. Entra's enterprise application config has a checkbox to emit "security groups assigned to the user" in the token. (a) and (c) defeat the whole identity model. (d) works for one user but does not scale.

Which combination is the correct order for ROLLING OUT SSL Decryption on Prisma Access without breaking users?

Correct answer: c) Push the Prisma forward-proxy CA to all endpoints in stages (pilot → 10% → 50% → 100%), verify trust, THEN flip Decryption policy to "decrypt" Answer: c. Endpoints must trust the Prisma decryption CA before you start MITMing TLS sessions — otherwise every browser screams. Stage the CA push, verify with a ring, then flip the policy. (a) is the wrong order and produces a fleet-wide TLS error storm. (b) is irrelevant. (d) is flat wrong.

You need long-term retention of Prisma Access Traffic and Threat logs for compliance (>1 year). Which mechanism do you use?

Correct answer: d) Configure Log Forwarding via NSS to your SIEM (Splunk, Sentinel, etc.) and rely on the SIEM's retention policy Answer: d. Strata Logging Service has a finite default retention. NSS streams logs in CEF / syslog to your SIEM, which then owns the long-term retention story. This also enables cross-correlation with non-Prisma sources. (a) requires expensive licence extensions and still has limits. (b) and (c) are non-answers.

A WFH Mobile User is in Mumbai but the GP agent is connecting to a London Gateway. What's the right diagnosis?

Correct answer: b) Check the Portal's allowed-Gateway list for the user (Mumbai may not be in scope), or the user's Gateway-selection latency probe results, or whether asia-south1 has bandwidth allocated Answer: b. Three things drive Gateway selection: the allowed list pushed by the Portal, the latency probes from the agent, and whether the closer region has capacity. Check all three. (a) is the lazy first guess and usually wrong. (c) is false — GP picks lowest RTT from the allowed list. (d) is unrelated.

You're designing HIP for a Windows-laptop fleet. Which set of checks gives the best signal-to-friction ratio on day one?

Correct answer: a) Disk encryption ON + Endpoint AV running with signatures ≤7 days + OS patched within 30 days — three checks, near-zero friction, huge security uplift Answer: a. The three checks in (a) catch the overwhelming majority of "compromised endpoint" scenarios while being almost invisible to compliant users. (b) is too thin. (c) creates a friction wall that the help-desk will demand you weaken in week two. (d) wastes the most valuable native control Prisma ships with.

Prisma Access Deep-Dive: Compute Locations, Onboarding, Identity, ZTNA & ADEM

The Prisma Access service infrastructure — three layers, one fabric

Before you click anything in SCM, fix the mental model of what is actually running in Palo Alto's cloud on your behalf. Prisma Access is delivered as three logical layers stitched together inside the service:

The Portal layer. A globally anycast endpoint that every Mobile User agent reaches first. The Portal authenticates the user (via Cloud Identity Engine), evaluates HIP posture, returns the list of Gateways the user is allowed to use, and hands the client a signed configuration. There is exactly one Portal per tenant, replicated worldwide.
The Gateway layer. Per-region cloud Gateways are where the user's IPSec / SSL-VPN tunnel actually terminates. Gateways run the App-ID + Threat Prevention engine and apply your Security policy. The Portal picks the best Gateway per user based on geographic proximity, latency probes and bandwidth load.
The Compute Location layer. The physical region where a Gateway runs (e.g. asia-south1 (Mumbai), us-east4 (Virginia)). Compute Locations are the units you reserve bandwidth against and what you allocate Service Connections to. Same compute location can serve Mobile Users and Remote Networks at the same time, sharing the regional bandwidth pool.

For Remote Networks, the same Gateway-and-Compute-Location concept applies, but the "user" is a branch CPE building an IPSec tunnel up to a region. For Service Connections, the same again, but now the on-prem firewall is the device terminating into the Compute Location to advertise private routes.

Figure 1 — Prisma Access service infrastructure

Mobile Users hit the Portal first, get a Gateway list, then build the tunnel directly to a regional Gateway running inside a Compute Location. Branches (Remote Networks) and on-prem firewalls (Service Connections) terminate directly at the regional Compute Location. Bandwidth is reserved per region, shared across all three onboarding modes that use it.

Compute location selection — how does Prisma pick one?

For Mobile Users, the Portal hands the agent a list of allowed Gateways. The agent then runs latency probes to each one and connects to the lowest-RTT Gateway that has spare capacity. If two Gateways have similar RTT, ties break on load. Re-evaluation happens on connect, on network change, and at a configurable interval (default ~120 s).

For Remote Networks and Service Connections, you pick the compute location at onboarding time. Prisma will not move a branch tunnel between regions on its own — the operator chooses. The way to handle a regional outage is the same way you'd handle one with a pair of physical firewalls: two tunnels to two different compute locations, BGP advertising the same prefixes, ECMP load-balancing.

Bandwidth allocation — the most-missed slider

Every Prisma Access tenant has a total purchased bandwidth (e.g. 2 Gbps). That total has to be allocated to compute locations. An unallocated region cannot accept traffic. If you forget to allocate bandwidth to asia-south1 before onboarding a Mumbai branch, the IPSec tunnel will negotiate up to Phase 2 and then drop traffic with no obvious cause. Allocate before you onboard.

💡Pro Tip

Over-allocate by ~20% in regions that host both Mobile Users and Remote Networks. The two share the same regional pool — a Friday-afternoon WFH surge can starve a busy branch if you sized to the average instead of the peak.

Palo Alto IPSec Simulator Prisma Access Simulator

Mobile Users in production — beyond the demo

A demo Mobile User is one laptop with one rule. A production fleet of 4,000 endpoints needs deliberate choices on three fronts: authentication, posture, and split-tunnel.

Authentication via Cloud Identity Engine

Cloud Identity Engine (CIE) is the SAML / SCIM layer Prisma Access uses to bring user + group identity into policy. You point CIE at Entra ID, Okta, Ping or any SAML 2.0 IdP, configure the SAML assertion mapping (NameID = UPN, group claim = on), and Prisma now sees every authenticated session by username and group membership. Combine with MFA at the IdP (Entra Conditional Access, Okta Sign-On Policy) and there is no need for a separate Prisma-side OTP step.

HIP — Host Information Profile

HIP is the device-posture gate that runs after auth but before Security policy is applied. Common production checks:

Disk encryption is on (BitLocker for Windows, FileVault for macOS).
Endpoint AV (Crowdstrike, Defender, Sentinel One) is running and signature ≤ 7 days old.
OS patch level is within N days of current.
Required certificate is present in the user / machine store.
Required process is running (a custom checker exe, EDR agent, etc.).

HIP profiles compose into HIP objects, which are then referenced in Security policy: "only users whose endpoint matches HIP-Object-Compliant can reach Finance apps". A failed HIP check can drop the tunnel, restrict access to a quarantine subnet, or push a remediation message — your call.

Split-tunnel design

Most production tenants run an include-domain / exclude-domain split-tunnel. Two patterns dominate:

"Tunnel everything except media" — default route through Prisma, but exclude Microsoft Teams / Zoom voice domains so RTP goes direct. Saves Prisma bandwidth and improves call quality.
"Tunnel corporate apps only" — pin specific corporate FQDNs to the tunnel and let everything else go direct. Useful for contractors and BYOD where you don't want to inspect personal traffic.

Both modes need accurate domain lists; the Microsoft 365 published JSON of optimize-required-default endpoints is the standard input for the first pattern.

Remote Networks — branch onboarding with real config

The Remote Network onboarding flow in SCM walks you through naming, region selection, bandwidth and tunnel parameters. What it does not tell you is how to express the same parameters on a real branch CPE. Here is the production-grade pair: IKEv2 + ESP, with primary + secondary tunnels.

IKEv2 + ESP proposal accepted by Prisma Access (CPE side)

! ---- IKEv2 (Phase 1) ----
encryption       : aes-256-cbc
integrity        : sha384
dh-group         : group20 (ECP-384)
authentication   : pre-shared-key
lifetime         : 28800 seconds
dpd              : on-demand, 30 s interval, 3 retries

! ---- ESP (Phase 2) ----
encryption       : aes-256-gcm
integrity        : null (implicit with GCM)
pfs              : group20
lifetime         : 3600 seconds, 4 GB data

! ---- Identifiers ----
local-id  : fqdn / branch-mumbai-01.example.com
remote-id : fqdn / pa-asia-south1.prisma-access.com

! ---- Routing ----
mode     : routed (NOT policy-based)
local-net  : advertised via BGP
remote-net : advertised via BGP

BGP is the right answer for any branch with more than one prefix or more than one tunnel. Static routes work but become a maintenance burden the moment you add a new internal VLAN.

BGP from branch CPE to Prisma Access (primary tunnel)

router bgp 64512
 bgp router-id 10.20.0.1
 neighbor 169.254.10.1 remote-as 65000          ! Prisma Access ASN
 neighbor 169.254.10.1 ebgp-multihop 2
 neighbor 169.254.10.1 update-source Tunnel1
 address-family ipv4 unicast
  network 10.20.10.0/24                          ! branch user VLAN
  network 10.20.20.0/24                          ! branch printers VLAN
  neighbor 169.254.10.1 prefix-list FROM-PA in
  neighbor 169.254.10.1 prefix-list TO-PA   out
 exit-address-family

Duplicate the entire block for the secondary tunnel pointing at a different compute location, then ECMP across both. When Prisma withdraws the prefix it learns from a Service Connection during maintenance, BGP will silently steer that traffic onto the surviving tunnel within seconds.

!Common pitfall

Setting NAT-T off on the CPE because "Prisma is reachable directly". Most branches sit behind an ISP-provided NAT — if NAT-T is off the tunnel will negotiate but ESP will be silently dropped. Always leave NAT-Traversal on; the per-packet overhead is negligible.

Service Connections — the pipe into your private estate

A Service Connection is structurally another IPSec tunnel into a Prisma compute location, but its role is one-directional reach: it lets Mobile Users and Remote Networks reach private apps that live behind your on-prem firewall, cloud transit gateway, or IaaS VPC. It is not a path for internet egress.

Three production rules:

Two Service Connections from two DCs, into two compute locations. Active-active, both advertising the same private prefixes with BGP. ECMP load-balances; either side surviving a regional outage keeps private reach alive.
Advertise summary routes, not host routes. A typical mistake is advertising 10.30.5.13/32 for an SAP server. Advertise the subnet (10.30.5.0/24) and let the on-prem fabric route within it.
Don't run a default route over a Service Connection. If you do, every Mobile User on the planet will pull internet through your HQ and Prisma will dutifully hairpin it. That is exactly the design Prisma replaces.

The request lifecycle — eight hops in detail

Figure 2 — A single HTTPS request through Prisma Access

Steps 1–4 are control-plane (auth + posture + Gateway selection). Step 5 is the tunnel itself. Steps 6–8 are the data-plane NGFW pipeline. ADEM probes and log forwarding run in parallel and are what makes the service operable on day 2.

ZTNA on Prisma Access — App Gateway + Clientless Browser Access

The same Prisma Access service can publish private apps in two flavours: full-tunnel (Mobile User connects, Security policy decides what private subnets they can reach) and ZTNA App Gateway (per-app reverse-proxy publishing, no tunnel needed). The second is the closer match to a Zscaler ZPA / Cloudflare Access experience.

With App Gateway, you register an internal app (e.g. jira.internal), point Prisma at the on-prem reverse-proxy reachable through a Service Connection, and Prisma publishes a public URL like jira.access.example.com. Users authenticate to that URL via SAML, Prisma runs Security policy (App-ID, URL, Threat Prevention) on the reverse-proxied connection, and the user never sees the internal hostname or IP.

Clientless Browser Access is the same App Gateway with no agent on the endpoint — useful for contractors or unmanaged devices. Just a browser, SAML SSO, and the per-app reverse proxy.

Mode	Agent needed	Best for	Catch
Full tunnel (Mobile User)	GlobalProtect	Managed corporate fleet	Tunnel = full network reach unless tightly policied
ZTNA App Gateway (agent)	GlobalProtect	Per-app access on managed devices	Per-app policy needs careful per-FQDN config
Clientless Browser Access	None	Contractors, BYOD, vendor portals	Limited to web apps; no thick clients

ADEM — the day-2 observability you already paid for

Autonomous Digital Experience Management ships with every Prisma Access tenant. It runs synthetic probes from the agent and from the Gateway to surface per-segment performance:

Endpoint segment — CPU, memory, Wi-Fi RSSI, local DNS resolution time.
ISP / Wi-Fi → Prisma Gateway segment — RTT, jitter, packet loss to the tunnel endpoint.
Prisma Gateway → SaaS segment — TCP connect time, HTTPS first-byte, full-page load.
Application-level — synthetic transactions against M365, Salesforce, Workday, etc.

The output is a per-user experience score on a 1–10 scale. When a user complains "Teams is bad", ADEM tells you within 30 seconds whether the bad segment is their Wi-Fi, the ISP, the Prisma path or the destination SaaS — eliminating the 45-minute triage you used to do over chat.

✓Verify a Mobile User is fully onboarded

end-to-end Mobile User verification

# 1) On the endpoint
gpcli --show-status                 # Connected, Gateway = pa-asia-south1, Internal = false

# 2) In SCM
#    Manage → Insights → Mobile Users → Connected
#    Filter on the user: expect Username from IdP, HIP = Match, Gateway name,
#    Source IP = endpoint NAT IP, Internal IP = a /32 from the Mobile User subnet.

# 3) Trigger a known-blocked test
curl -v https://web.telegram.org/    # expect Prisma block page (TLS handshake to Prisma cert, then RST)

# 4) Confirm the log
#    SCM → Activity → Log Viewer → Traffic
#    Filter:   ( app eq telegram-base ) and ( action eq deny )
#    The Source User column must show the IdP identity, Rule = your contractor block rule.

# 5) ADEM sanity
#    SCM → Insights → ADEM → User score for this username.
#    Score should be 8+ on a normal home network; drill down on any failing segment.

Logs & SIEM integration — where the data lives, how it gets out

Every log Prisma Access generates lands first in the Strata Logging Service — Palo Alto's hosted log store. Retention defaults are typically 30 days; you can extend with additional licence. You access them three ways:

SCM Log Viewer — interactive filter, drill-down, save searches.
Log Forwarding to NSS / SIEM — for long-term retention and cross-correlation. NSS (Network Security System) is the forwarder; it streams logs in CEF, LEEF, or syslog to Splunk, QRadar, Sentinel, Elastic, Chronicle.
API access — XSOAR playbooks pull events for automated response.

Sensible log categories to forward day-1: Traffic, Threat, URL, WildFire, Decryption, GlobalProtect events, System. Skip Auth-Success unless you have a specific use case — the volume is enormous and the value is low.

A real-world day-2 scenario — branch tunnel flap

It's 14:00 IST. The Mumbai branch reports "internet is slow, sometimes nothing loads". The branch has primary + secondary Remote Network tunnels to asia-south1 and asia-southeast1 respectively.

The L3 triage flow:

SCM → Insights → Remote Networks → Mumbai-Branch. Tunnel 1 status flapping — Up / Down / Up — every ~3 minutes. Tunnel 2 stable.
BGP session table on the branch CPE: neighbour to Prisma on Tunnel 1 keeps re-establishing. Routes withdrawn during each flap → ECMP repaints to Tunnel 2 → users notice ~5 s of "frozen" connections per flap.
System log filter on the CPE: IKEv2 SA expires at minute marks matching tunnel-flap timing → DPD timeout. ISP path between branch and Prisma is dropping outer ESP under load.
Resolution. Lower DPD interval from 30 s to 10 s to make the failover faster. Open a ticket with the ISP for the underlying packet loss. Verify in ADEM that user score for that branch climbed from 6.2 back to 8.8.

This is the muscle memory L3 SASE engineers build: Insights → BGP → System log → fix the root cause → verify with ADEM. Never close a ticket without the verification step.

Reproduce the branch tunnel flap Walk the Mobile User onboarding flow

Common Mistakes

!Mistake 1 — Forgetting to allocate bandwidth to the region you're onboarding

Without allocation, the Phase 2 SA negotiates and traffic silently drops at the Gateway. The fix is one slider in SCM, but the symptom looks like a routing or policy bug for hours if you don't know to look. Allocate first, onboard second.

!Mistake 2 — Skipping HIP because "we have EDR"

EDR detects compromise after the fact. HIP gates connection before the user reaches anything. They are complementary — turn HIP on with at least three checks (disk encryption, AV running, OS patch level) on day one. Friction is minimal and the security value is enormous.

!Mistake 3 — Pushing the SSL decryption CA to all users in one shot

A bad CA push has every browser on every endpoint throwing cert errors on every site. Stage it: pilot ring → 10% → 50% → 100% with explicit rollback gates. Only after the CA is universally trusted should you flip the Decryption policy to "decrypt".

!Mistake 4 — Letting branches keep their old central-egress habit

The whole point of Remote Networks is local breakout to internet at the closest Prisma compute location. If you steer all branch internet through a Service Connection back to HQ, you re-create the centralised-egress latency you were paying Prisma to eliminate.

!Mistake 5 — Trusting ADEM scores without baselining

An "ADEM 6" is meaningless without context. Baseline normal score per region on a healthy day, then alert on a sustained drop, not on an absolute threshold. Otherwise SecOps will mute the alert by week two.

Pro Tips

💡Tip 1 — Use SAML group claims for policy

Have your IdP send the group memberships in the SAML assertion (Entra: emit security groups; Okta: emit group attribute filtered to relevant groups). Then write Prisma Security rules in terms of those groups. Adding a new Finance user becomes "put them in the Finance AD group" — zero Prisma change required.

💡Tip 2 — Always set Always-On + Pre-Logon on managed devices

Always-On stops users from disabling the tunnel. Pre-Logon brings the tunnel up before the Windows login screen so domain auth, GPO, and Intune policy can reach corporate services from any network. Two settings, massive operational value.

💡Tip 3 — Stream Decryption logs to your SIEM separately

Decryption logs are the canary that tells you a pinned app, an OCSP failure, or a CRL outage broke a critical SaaS. They are noisy but cheap to keep — give them their own SIEM index so SOC can search them without drowning in Traffic logs.

💡Tip 4 — Build a "Prisma down" runbook before you need one

If a single compute location degrades, do you know which branches you have to manually pin to the secondary? Document the failover map: branch → primary region → secondary region → manual cutover steps. Pin the runbook to the same Confluence page as the design.

Quick Reference

The lesson on one screen

Three layers — Portal (global anycast, authN + HIP), Gateway (regional NGFW pipeline), Compute Location (the region + bandwidth pool).
Compute location selection — agent picks lowest RTT Gateway from the Portal-issued list; branches and Service Connections are operator-chosen.
Allocate regional bandwidth first. Unallocated region cannot accept traffic.
Mobile Users = CIE auth + HIP posture + split-tunnel design. Always-On + Pre-Logon on managed devices.
Remote Networks = IKEv2 + ESP + BGP + ECMP across two tunnels to two compute locations.
Service Connections = active-active from two DCs into two regions; advertise summaries; no default route.
ZTNA App Gateway publishes a private app behind a SAML-protected public URL. Clientless Browser Access for agentless users.
ADEM gives per-segment experience scores — your first stop for any "the app is slow" ticket.
Logs live in Strata Logging Service; forward Traffic, Threat, URL, WildFire, Decryption, GP events, System to SIEM via NSS.
Triage flow — Insights → BGP / system log → root cause → verify with ADEM. Never skip the verification step.

What's next?

Next up in the Palo Alto track: Prisma Cloud Defender deployment on EKS and AKS, IaC scanning in CI/CD with Bridgecrew/Prisma Code Security, Prisma SD-WAN ION devices and CloudBlade integration, and a complete day-2 runbook for the L3 SASE on-call. Practice the Mobile User and branch flows on the simulators, then take the cert-style scenario set on exam.techclick.in.

All lessons → Practice on exam.techclick.in