PCNSE Exam Questions

PCNSE Exam - Question 231


An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA?

Correct Answer: B

To use PAN-OS multi-factor authentication (MFA), the enterprise should create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy. This approach enables the organization to add an additional layer of security through MFA, leveraging the PAN-OS integration directly for enhanced access control to critical infrastructure systems.

Discussion

16 comments
homersimpson (Option: B)
Dec 22, 2021

FYI in 10.0 onward, "Captive Portal" is now called "Authentication Portal".

JRKhan (Option: B)
Jan 13, 2024

B is correct. Given the authentication using AD is already in place, we can safely assume that LDAP server profile is already in use. The MFA will be used as an additional/second authentication factor. Also, the question refers to PAN-OS MFA so it is again safe to assume it will use PAN-OS directly integrated vendors instead of using one through RADIUS.

jeremykebir
Jun 24, 2024

Absolutely right!

TAKUM1y (Option: D)
Nov 18, 2022

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-authentication

Frightened_Acrobat (Option: B)
Mar 14, 2023

B and D are both wrong. Authentication policies reference Authentication Enforcement policies directly, not Authentication profiles. However, if one of them has to be right, it's B. D is less right since RADIUS isn't the only MFA option.

magicbr3
Jan 7, 2024

The Captive portal can reference the RADIUS profile and you configure MFA in the captive portal

UFanat (Option: B)
Jun 12, 2022

You should create an auth profile and use it in a captive portal auth policy.

Pochex (Option: B)
Mar 16, 2023

Answer B. When we use PAN-OS MFA, the user will first authenticate with the authentication profile configured (RADIUS, SAML, Kerberos, TACACS+, LDAP); then an additional factor is configured in the same authentication profile. This factor is the MFA, which is used by the Captive Portal.

ericli87
Apr 4, 2023

Did anyone see this in the exam?

Marcyy (Option: D)
Dec 11, 2021

D sounds the most correct from this line in the link. To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Captive Portal to display a web form for the first authentication factor and to record Authentication Timestamps. The firewall uses the timestamps to evaluate the timeouts for Authentication Policy rules. To enable additional authentication factors, you can integrate the firewall with MFA vendors through RADIUS or vendor APIs. After evaluating Authentication policy, the firewall evaluates Security policy, so you must configure rules for both policy types.

homersimpson
Dec 22, 2021

I think it's B, because with D you are referencing Radius, which doesn't necessarily imply you're using another factor. With B, you might not have had an auth profile already (since you don't need one with user/pwd auth) so you would be creating one, and you would assign another factor in it. FWIW, this question is poorly worded.

GivemeMoney
Jan 16, 2022

RADIUS is one option, not "the" option. It's B.

Shenanigans123
Apr 5, 2022

I agree with this. Also, D says the Authentication Profile should reference a RADIUS server profile - this would make the primary auth method RADIUS, whereas the question states they want to use AD groups as the primary method, so the profile should use LDAP as the first factor, then add MFA as a second factor. D also does not mention any additional factor. B covers all requirements.

Gngogh
Oct 15, 2022

I just want to highlight that you don't have to use LDAP as the first authentication method to be able to retrieve the user groups. In fact, in many deployments the RADIUS server queries the AD server for user authentication. Then the firewall, if properly configured, will do the group mapping. Regardless, I also believe the correct answer is B, because, as already mentioned, it covers all use cases.

scally (Option: D)
Sep 10, 2022

To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Captive Portal to display a web form for the first authentication factor and to record Authentication Timestamps. The firewall uses the timestamps to evaluate the timeouts for Authentication Policy rules. To enable additional authentication factors, you can integrate the firewall with MFA vendors through RADIUS or vendor APIs. After evaluating Authentication policy, the firewall evaluates Security policy, so you must configure rules for both policy types.

dgonz (Option: B)
Jul 13, 2023

I think B is closer.

mohr22 (Option: D)
Jan 23, 2023

D. To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Authentication Portal to display a web form for the first authentication factor and to record Authentication Timestamps. The firewall uses the timestamps to evaluate the timeouts for Authentication Policy rules. To enable additional authentication factors, you can integrate the firewall with MFA vendors through RADIUS or vendor APIs.

Techn (Option: D)
Jul 10, 2023

For end-user authentication via the Authentication policy, the firewall directly integrates with several MFA platforms (such as Duo v2, Okta Adaptive, PingID, and RSA SecurID) and integrates through RADIUS with other MFA platforms.

josephrahul (Option: D)
Jul 16, 2023

Option D. To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Authentication Portal to display a web form for the first authentication factor and to record Authentication Timestamps. The firewall uses the timestamps to evaluate the timeouts for Authentication Policy rules. To enable additional authentication factors, you can integrate the firewall with MFA vendors through RADIUS or vendor APIs.

gc999 (Option: D)
Oct 30, 2023

Would the keyword here be "PAN-OS MFA"? I see the wording in the following URL: "For remote user authentication to GlobalProtect portals or gateways or for administrator authentication to the PAN-OS or Panorama web interface, you can only use MFA vendors supported through RADIUS or SAML" https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-authentication#:~:text=you%20can%20only%20use%20MFA%20vendors%20supported%20through%20RADIUS%20or%20SAML

Eiffelsturm (Option: D)
Dec 5, 2023

B and C are the same except that B offers more options for the authentication factors in the authentication profile. "Add a RADIUS server profile. This is required if the firewall integrates with an MFA vendor through RADIUS." Since D is more granular, I go for D.

Gabranch
Dec 8, 2023

I feel like RADIUS is the work-around for those MFA solutions that don't natively integrate with PAN-OS. And the question asks about PAN-OS MFA Integration. That's why I think C over B.

Whizdhum (Option: D)
Dec 15, 2023

Answer is D. To use MFA for protecting sensitive information, you must configure an Authentication Portal (Captive Portal) to display a web form. To enable additional factors, you can integrate with MFA vendors through RADIUS or vendor APIs. In most cases, an external service is recommended for the first authentication factor.