
PCNSE Exam - Question 46


Which three authentication services can an administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.)

Correct Answer: CDE

The Palo Alto Networks NGFW (Next-Generation Firewall) lets administrators authenticate through external authentication services without a corresponding admin account defined locally. The three authentication services that enable this are SAML, TACACS+, and RADIUS. These services return SAML attributes or vendor-specific attributes (VSAs) that are used for both authentication and role mapping directly on the firewall, eliminating the need for local admin accounts. LDAP, PAP, and Kerberos, on the other hand, typically require local account configuration for full administrative access.
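
The role mapping described above, sketched for the RADIUS case as an added example (not code from this page or from Palo Alto Networks): it parses an Access-Accept, extracts the Palo Alto VSA, and grants a role only if it matches one defined locally. The vendor ID 25461 and attribute numbers come from Palo Alto Networks' RADIUS dictionary rather than this page; `LOCAL_ROLES`, `authorize` and `build_accept` are hypothetical names, and the sample packets are constructed.

```python
import struct

PALO_ALTO_VENDOR_ID = 25461   # enterprise number carried in Palo Alto VSAs (not from this page)
VSA_NAMES = {1: "PaloAlto-Admin-Role", 2: "PaloAlto-Admin-Access-Domain"}
ACCESS_ACCEPT = 2
LOCAL_ROLES = {"superuser", "superreader"}   # assumption: roles defined on the firewall


def parse_vsas(packet: bytes) -> dict:
    """Return the Palo Alto VSAs carried in a RADIUS Access-Accept (RFC 2865 layout)."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    vsas, pos = {}, 20                        # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6:   # attribute 26 = Vendor-Specific
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == PALO_ALTO_VENDOR_ID and 2 <= vlen <= len(value) - 4:
                vsas[VSA_NAMES.get(vtype, vtype)] = value[6:4 + vlen].decode()
        pos += alen
    return vsas


def authorize(packet: bytes):
    """Role taken from the server's reply, or None when only a local account could supply one."""
    role = parse_vsas(packet).get("PaloAlto-Admin-Role")
    return role if role in LOCAL_ROLES else None


def build_accept(role=None) -> bytes:
    """Constructed sample reply; the authenticator is zeroed and not verified in this sketch."""
    attrs = b""
    if role is not None:
        sub = bytes([1, 2 + len(role)]) + role.encode()        # VSA type 1 = admin role
        body = struct.pack("!I", PALO_ALTO_VENDOR_ID) + sub
        attrs = bytes([26, 2 + len(body)]) + body
    return struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    print(authorize(build_accept("superuser")))   # role comes from the server
    print(authorize(build_accept()))              # no VSA: nothing to map a role from
```

A reply that authenticates the user but carries no role attribute leaves the firewall with nothing to map, which is the situation the explanation describes for services that need a local account.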

Discussion

17 comments
Dabouncer (Options: CDE)
Apr 13, 2019

The answer should be C, D, and E https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication

kerberos (Options: CDE)
Aug 20, 2020

The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall.

hpbdcb (Options: CDE)
Nov 23, 2020

"...without defining a corresponding admin account on the local firewall?" So what?! It talks about "authenticate" only! So that means we do not talk about "authorization" here (i.e. role mapping). When it comes to authentication only, all of them could be used: ACDEF, but... is that what they wanna see here? More likely they wanna know which can be used without any need to create a local account at all (i.e. even authorization), and that leads to: CDE according to: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-local-or-external-authentication-for-firewall-administrators.html#id7484db35-8218-421b-9847-eab796beea99 so most likely CDE is what they wanna see here - imho

lgkhan (Options: CDE)
Nov 23, 2021

CDE are the correct answers.

confusion (Options: CDE)
Feb 21, 2022

Without defining user only CDE

awtsuritacuna (Options: CDE)
Dec 1, 2022

The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication

jin3209
Jul 2, 2020

What is the right answer for the exam alone? ACF or CDE?

DaveDK (Options: CDE)
Sep 6, 2020

The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall. For details, see:

kambata (Options: CDE)
Oct 28, 2020

Correct answer is C, D and E, please!

lol1000 (Options: CDE)
Oct 29, 2020

c, d, e https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication.html

PacketFairy (Options: DEF)
Nov 20, 2020

RADIUS does not need an admin configured. VSAs (Vendor-Specific Attributes) would be used. I log in as Jack, RADIUS sends back a success and a VSA value. If that value corresponds to read/write administrator, I get logged in as a superuser. There are VSAs for read only and user (GlobalProtect access but not admin). I am unsure what other auth methods can use VSA or a similar mechanism. If admin users are configured with RADIUS, no need for VSA.

rocioha (Options: CDE)
Mar 19, 2021

C-D-E https://origin-docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-local-or-external-authentication-for-firewall-administrators.html

vj77 (Options: CDE)
Apr 28, 2021

LDAP is also an answer. I don't understand why NOT, CDEF should be correct. I did LDAP for admin users myself. Correct me if I'm wrong. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/configure-ldap-authentication

eyelasers1
Feb 21, 2022

Per https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication.html , LDAP can only be used for authentication. The authorization requires that there be a local admin account.

confusion
Feb 21, 2022

LDAP requires user to be defined on the FW for authentication and question asks without configuring user.

darcone23
Feb 5, 2024

No, it doesn't. I have LDAP and RADIUS auth profile and only local admin under administrators :)

1Adrian1 (Options: ACF)
Apr 2, 2022

A, C, F is the correct answer

JRKhan (Options: CDE)
Jan 9, 2024

CDE are correct. With LDAP, you have to define the admin user locally, otherwise there is no other way to assign a role to the user. With RADIUS, TACACS and SAML the firewall can utilise the received VSAs or SAML attributes to map to the roles locally defined on the firewall.

Marshpillowz (Options: CDE)
Jan 23, 2024

C, D and E are correct

bing2021 (Options: CDE)
Jul 5, 2024

LDAP is not matching questions.