User mapping learned from sources other than gateway authentication can cause intermittent access issues if it conflicts with the expected user identity used in HIP-based policies. If the firewall is associating the user with an outdated or incorrect mapping, traffic may not match the intended security policies, leading to denials by the Catch-All Deny rule .

If the firewall loses user mapping due to missed HIP report checks , the user may temporarily lose access to policies that require a valid Host Information Profile (HIP) match. When the VPN connection is refreshed, the HIP check is re-initiated, restoring access until the issue repeats.

When onboarding a discovered application for ZTNA Connector , configuring a TCP ping allows Prisma Access to accurately report the application's availability . TCP ping (also known as a TCP connection check ) verifies whether the application's service port is open and responsive , ensuring that the application is reachable before allowing user connections. This method is more reliable than ICMP ping , as many cloud and SaaS applications block ICMP traffic for security reasons.

A ZTNA Connector requires a stable and direct connection to the cloud gateway . When the connector is deployed behind a double NAT (Network Address Translation) , it can cause issues with reachability and session establishment because the cloud gateway may not be able to properly identify and communicate with the connector. Double NAT can interfere with secure tunneling, IP address resolution, and authentication mechanisms , leading to connection failures . To resolve this, the connector should be placed in a network segment with a single NAT or a public IP assignment .

When a large branch office experiences a high volume of employees logging in within a short time frame, the following apply:

Maximum pending TCP DNS requests is 64 – This means that Prisma Access can queue up to 64 pending DNS requests over TCP before dropping additional requests. If more requests are received simultaneously, some may fail or experience delays.

Maximum number of TCP DNS retries is 3 – If a DNS request fails over TCP, Prisma Access will attempt to retry the request up to three times before failing over to another method or returning an error.

SaaS Security Inline allows engineers to customize the risk scores assigned to different SaaS applications based on various factors. By manipulating these risk scores, you can influence how these applications are treated within Security policies.

To limit the use of unsanctioned SaaS applications:

Lower the risk score of sanctioned applications: This makes them less likely to trigger policies designed to restrict high-risk activities.

Increase the risk score of unsanctioned applications: This elevates their perceived risk, making them more likely to be caught by Security policies configured to block or limit access based on risk score thresholds.

Then, you would create Security policies that take action (e.g., block access, restrict features) based on these adjusted risk scores. For example, a policy could be configured to block access to any SaaS application with a risk score above a certain threshold, which would primarily target the unsanctioned applications with their inflated scores.

Let's analyze why the other options are incorrect based on official documentation:

B. Increase the risk score for all SaaS applications to automatically block unwanted applications. Increasing the risk score for all SaaS applications, including sanctioned ones, would lead to unintended blocking and disruption of legitimate business activities. Risk score customization is intended for differentiation, not a blanket increase.

C. Build an application filter using unsanctioned SaaS as the category. While creating an application filter based on the "unsanctioned SaaS" category is a valid way to identify these applications, it directly filters based on the category itself, not the risk score. Risk score customization provides a more nuanced approach where you can define thresholds and potentially allow some low-risk activities within unsanctioned applications while blocking higher-risk ones.

D. Build an application filter using unsanctioned SaaS as the characteristic. Similar to option C, using "unsanctioned SaaS" as a characteristic in an application filter allows you to directly target these applications. However, it doesn't leverage the risk score customization feature to control access based on a graduated level of risk.

Therefore, the most effective way to use risk score customization to limit unsanctioned SaaS application usage is by lowering the risk scores of sanctioned applications and increasing the risk scores of unsanctioned ones, and then building Security policies that act upon these adjusted risk scores.