Palo Alto Networks SSE Engineer — Question 20

An engineer has configured a Web Security rule that restricts access to certain web applications for a specific user group. During testing, the rule does not take effect as expected, and the users can still access blocked web applications.
What is a reason for this issue?

Answer options

• A. The rule was created with improper threat management settings.
• B. The rule was created in the wrong scope, affecting only GlobalProtect users instead of all users.
• C. The rule was created at a higher level in the rule hierarchy, giving priority to a lower-level rule.
• D. The rule was created at a lower level in the rule hierarchy, giving priority to a higher-level rule.

Correct answer: D

Explanation

The correct answer is D because if the rule is at a lower level in the hierarchy, it will be overridden by a higher-level rule, which can allow access to the blocked applications. Options A and B discuss configuration issues that do not directly relate to the hierarchy problem. Option C incorrectly states the priority relationship, suggesting that a higher-level rule would take precedence, which is not the case here.