Exam PCNSE All QuestionsBrowse all questions from this exam
Go to Exam
Question 46

Which three authentication services can an administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.)

    Correct Answer: C, D, E

    The Palo Alto Networks NGFW (Next-Generation Firewall) allows administrators to authenticate using external authentication services without defining corresponding admin accounts locally. The three authentication services that enable this functionality are SAML, TACACS+, and RADIUS. These services can leverage attributes or vendor-specific attributes (VSAs) for both authentication and role mapping directly on the firewall, eliminating the need for local admin accounts. LDAP, PAP, and Kerberos, on the other hand, typically require local account configuration for full administrative access.

Discussion
DabouncerOptions: CDE

The answer should be C, D, and E https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication

kerberosOptions: CDE

The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall.

hpbdcbOptions: CDE

"...without defining a corresponding admin account on the local firewall?" so what?! it talks about "authenticate" only! So that means we do not talk about "authorization" here (i.e. role mapping). When it comes to authentication only all of them could be used: ACDEF but.. is that what they wanna see here? more likely they wanna know which can be used without any need to create a local account at all (i.e even authorization) and that leads to: CDE according to: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-local-or-external-authentication-for-firewall-administrators.html#id7484db35-8218-421b-9847-eab796beea99 so most likely CDE is what they wanna see here - imho

awtsuritacunaOptions: CDE

The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication

confusionOptions: CDE

Without defining user only CDE

lgkhanOptions: CDE

CDE are the correct answers.

bing2021Options: CDE

ldap is not matching questions.

MarshpillowzOptions: CDE

C, D and E are correct

JRKhanOptions: CDE

CDE are correct. With LDAP, you have to define the admin user locally otherwise there is no other way to assign a role to the user. With Radius, tacacs and saml the firewall can utilise the received VSAs or SAML attributes to map to the roles locally defined on the firewall.

1Adrian1Options: ACF

A,C.F is the correct answer

vj77Options: CDE

LDAP is also an answer. I don't understand why NOT, CDEF should be correct. I did LDAP for admin users myself. correct me if I'm wrong. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/configure-ldap-authentication

eyelasers1

Per https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication.html , LDAP can only be used for authentication. The authorization requires that there be a local admin account.

confusion

Ldap requires user to be defined on the FW for authentication and question asks without configuring user.

darcone23

no it doesn’t. I have LDAP and RADIUS auth profile and only local admin under administrators :)

rociohaOptions: CDE

C-D-E https://origin-docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-local-or-external-authentication-for-firewall-administrators.html

PacketFairyOptions: DEF

RADIUS does not need an admin configured. VSAs (Vendor specific attributes) would be used. I log in as Jack, RADIUS sends back a success and a VSA value. If that value corresponds to read/write administrator, I get logged in as a superuser. There are VSAs for read only and user (Global protect access but not admin). I am unsure what other Auth methods can use VSA or a similar mechanisim. If admin users are configured with RADIUS, no need for VSA.

lol1000Options: CDE

c, d, e https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication.html

kambataOptions: CDE

Correct answer is C, D and E, please !

DaveDKOptions: CDE

The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall. For details, see:

jin3209

what is the right answer for the exam alone? ACF or CDE?