Palo Alto Networks SSE Engineer — Question 39
How can a senior engineer use Strata Cloud Manager (SCM) to ensure that junior engineers are able to create compliant policies while preventing the creation of policies that may result in security gaps?
Answer options
- A. Use security checks under posture settings and set the action to “deny” for all checks that do not meet the compliance standards.
- B. Configure role-based access controls (RBACs) for all junior engineers to limit them to creating policies in a disabled state, manually review the policies, and enable them using a senior engineer role.
- C. Configure an auto tagging rule in SCM to trigger a Security policy review workflow based on a security rule tag, then instruct junior engineers to use this tag for all new Security policies.
- D. Run a Best Practice Assessment (BPA) at regular intervals and manually revert any policies not meeting company compliance standards.
Correct answer: A
Explanation
The correct answer is A because security checks that deny non-compliant policies directly prevent security gaps. Option B allows for reviews but does not prevent the creation of problematic policies. Option C relies on tagging and workflow processes, which may not be as effective in preventing immediate security gaps. Option D is a reactive measure that does not stop non-compliant policies from being created in the first place.