A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama.
Which configuration is necessary to retrieve groups from Panorama?
To retrieve Active Directory groups and simplify Security policy creation in Panorama, it is necessary to configure an LDAP Server profile and enable the User-ID service on the management interface. This allows the system to access and utilize the group information stored in Active Directory. Other options, such as configuring a master device or group mapping profile, are either not directly related to retrieving groups or are additional steps that depend on having the LDAP configuration in place.
I am not sure what you are all relating to, but... AD groups are always gathered from LDAP (AD servers), so an LDAP profile must be distributed via template from Panorama. Each FW then gets its groups directly from LDAP. The MASTER DEVICE is ONLY used for User-ID information gathering! Please take a look in Panorama Device groups, label says "master device is the firewall which Panorama gathers user ID info for use in policies". Nothing to do with groups here! So answer CANNOT be D if the question is related to AD groups! Only A or B are possible.
Answer is C Direct from Panorama, when you select a User ID Master device the check option for it specifies to store groups too. "Store users and groups from Master Device if Reporting and Filtering on Groups is enabled in Panorama Settings"
Whoops, meant D, the answer is D
D is correct but you still need to get the group information on the master device (firewall) which I already configured as described in A. Please note: You cannot configure A on Panorama. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFQCA0 I guess what I am trying to say: I don't like the question. But D seems to be the most correct answer, ignoring how the Group information is provided to the FW.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG
D correct
D correct
This question is not formed right. It is asking about "retrieving groups from Panorama", but it should be about "Panorama retrieving groups from Firewall".
D https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG
On the device group settings, you would have to select the master device from which Panorama would pull the users' information.
Answer is D. To simplify the creation or modification of user- and group-based policies, you can use a Master Device to add the group names to drop-down lists in security policy rules. You need to designate a firewall as a Master Device for each device group. After you add a Master Device, the device group inherits all policies defined on the master device; for this reason, it should be a standalone, dedicated device to be used for that device group. Alternatively, you can enable username-to-user group mapping using an LDAP profile with a Group Include List.
D is correct Option
D Correct https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG
As per everyone's comments, the question needs to be re-worded. If groups are to be pulled from firewall, then D is correct.
pulling from Panorama* B - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIOCA0