Free Palo Alto Networks SSE-Engineer Actual Exam Questions - Question 4 Discussion

D imo, higher-level rules often override lower ones, ignoring the new restriction.

Guessing B makes sense since if the rule only applies to GlobalProtect users and the test users aren’t using that, the restriction won’t work. The scope seems like the main blocker here.

Option B, rule scope limits impact to GlobalProtect users only.

Probably B, rule scope limits it to GlobalProtect users, so others bypass it.

It’s not about hierarchy levels here, so C and D seem less likely since those deal with rule priority rather than scope. The key issue is that the rule only applies to GlobalProtect users, which means if the user group isn’t part of that scope, they won’t be restricted. So, B makes sense because the scope is too narrow—blocking just GlobalProtect users leaves others unaffected, explaining why the block didn’t work during testing. If the intention was to restrict all users in that group regardless of how they connect, the scope should’ve been broader.

B imo, if the rule only covers GlobalProtect users, others won’t be affected.

Maybe B here. If the rule was set only for GlobalProtect users, but the group trying to access isn’t connecting through that, the block wouldn’t apply. It’s easy to mix up scopes like that, so the restriction ends up targeting fewer users than intended. That could explain why the test users still get through despite the rule.

Sounds like the rule’s lower in hierarchy, so higher ones override it—D.

C imo, because if the rule is created too high in the hierarchy, it might get overridden by more specific lower-level rules. That means the block might not apply where it’s actually needed. So even though D is possible, C fits the typical issue with rule priority better in this scenario.

D seems right—if the rule’s lower in the hierarchy, a higher-level rule might override it, so the block won’t work as expected.