ExamTopics Logo
Mail Us[email protected]
Menu
Palo-Alto-Networks Discussions
exam questions

Exam PCNSE All Questions

View all questions & answers for the PCNSE exam
Go to Exam

Exam PCNSE topic 1 question 236 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 236
Topic #: 1
[All PCNSE Questions]

An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain IP-to-user mapping information.
However, Information Security wants to use this information in Prisma Access for policy enforcement based on group mapping. Information Security uses on- premises Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD.
How can policies based on group mapping be learned and enforced in Prisma Access?

  • A. Configure Prisma Access to learn group mapping via SAML assertion.
  • B. Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access.
  • C. Assign a master device in Panorama through which Prisma Access learns groups.
  • D. Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by prosto_marussia at Jan. 19, 2022, 9:23 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Whizdhum
1 year, 2 months ago
Answer is C. Configure the Directory Sync component of the Cloud Identity Engine to retrieve user and group information from your Active Directory (AD); then, configure Group Mapping Settings in your Mobile Users—GlobalProtect, Mobile Users—Explicit Proxy, or remote network deployment. Alternatively, you can enable username-to-user group mapping for mobile users and users at remote networks using an LDAP server profile. The Cloud Identity Engine doesn't auto-populate groups to Panorama, so a master device or Cloud Identity Engine and specify it during the Prisma Access configuration. This answer assumes that the LDAP profile option is not used - Cloud Identity Engine is preferred.
upvoted 1 times
...
Kris92
1 year, 2 months ago
Selected Answer: C
For Group Mapping in Prisma you need Directory Sync, Master Device is only optional, without it you need to specify the full distinguished name (DN) of the group. So none of the options are correct, but if I would need to pick I would go for C.
upvoted 1 times
...
RoamingFo
1 year, 2 months ago
Both C & D are part of the requirements for Group-Based access on this document https://docs.paloaltonetworks.com/prisma/prisma-access/3-2/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/configure-user-id-in-prisma-access STEP 2 refers to D "for Prisma Access Nodes to get group mapping" STEP 3 refers to C "For Panorama to get the list of groups" Note Both can be replaced with the Cloud Identity Engine "Recommended"
upvoted 1 times
...
DenskyDen
2 years, 1 month ago
Selected Answer: C
C is the correct answer.
upvoted 1 times
...
TAKUM1y
2 years, 3 months ago
Selected Answer: C
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/retrieve-user-id-information#id823f5b30-2c1d-4c87-9ae6-a06573455af7
upvoted 3 times
sujss
1 year, 9 months ago
Relevant text from the link.. You can populate the groups to allow them to be selected in security policy rule drop-down lists by either configuring a next-generation firewall as a Master Device or configuring the Cloud Identity Engine to do so.
upvoted 1 times
...
...
nekkrokvlt
2 years, 5 months ago
D is correct too, you can use LDAP for Group Mapping in Prisma
upvoted 3 times
...
JMIB
2 years, 6 months ago
C is correct Assign a master device in Panorama through which Prisma Access learns groups.
upvoted 1 times
...
prosto_marussia
3 years ago
Should be B. 1. Configure User-ID in Prisma Access 2. Configure User-ID for Remote Network Deployments 3. Configure Your Prisma Access Deployment to Retrieve Group Mapping 4. Redistribute User-ID Information Between Prisma Access and On-Premises Firewalls 5. Collect User and Group Information Using the Directory Sync Service https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access
upvoted 1 times
KKQQ12345
2 years, 6 months ago
Redistribution is for ip-user mapping, not group mapping.
upvoted 1 times
...
prosto_marussia
3 years ago
Ah, no. C is correct. Above is relevant for USED-ID distribution, but for group mappings: Step 3: Allow Panorama to use group mappings in security policies by configuring one or more next-generation on-premises or VM-series firewalls as a Master Device. If you don’t configure a Master Device with a Prisma Access User-ID deployment, use long-form distributed name (DN) entries instead. https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/configure-user-id-in-prisma-access.html
upvoted 4 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel