Exam PCNSE
Question 236

An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain IP-to-user mapping information.

However, Information Security wants to use this information in Prisma Access for policy enforcement based on group mapping. Information Security uses on-premises Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD.

How can policies based on group mapping be learned and enforced in Prisma Access?

    Correct Answer: D

    To enable Prisma Access to enforce policies based on group mapping from an on-premises Active Directory (AD), you need to create a group mapping configuration that references an LDAP profile pointing to your domain controllers. This setup allows Prisma Access to retrieve user group information directly from the AD, enabling the necessary policy enforcement based on groups.

Discussion
TAKUM1y (Option: C)

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/retrieve-user-id-information#id823f5b30-2c1d-4c87-9ae6-a06573455af7

sujss

Relevant text from the link: You can populate the groups to allow them to be selected in security policy rule drop-down lists by either configuring a next-generation firewall as a Master Device or configuring the Cloud Identity Engine to do so.

nekkrokvlt (Option: D)

D is correct too; you can use LDAP for Group Mapping in Prisma.

Whizdhum (Option: C)

Answer is C. Configure the Directory Sync component of the Cloud Identity Engine to retrieve user and group information from your Active Directory (AD); then, configure Group Mapping Settings in your Mobile Users—GlobalProtect, Mobile Users—Explicit Proxy, or remote network deployment. Alternatively, you can enable username-to-user group mapping for mobile users and users at remote networks using an LDAP server profile. The Cloud Identity Engine doesn't auto-populate groups to Panorama, so a master device or Cloud Identity Engine and specify it during the Prisma Access configuration. This answer assumes that the LDAP profile option is not used - Cloud Identity Engine is preferred.

Kris92 (Option: C)

For Group Mapping in Prisma you need Directory Sync; Master Device is only optional, and without it you need to specify the full distinguished name (DN) of the group. So none of the options are correct, but if I had to pick, I would go for C.

RoamingFo (Option: D)

Both C & D are part of the requirements for Group-Based access in this document: https://docs.paloaltonetworks.com/prisma/prisma-access/3-2/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/configure-user-id-in-prisma-access. STEP 2 refers to D ("for Prisma Access Nodes to get group mapping"). STEP 3 refers to C ("For Panorama to get the list of groups"). Note: both can be replaced with the Cloud Identity Engine ("Recommended").

DenskyDen (Option: C)

C is the correct answer.

JMIB (Option: C)

C is correct: Assign a master device in Panorama through which Prisma Access learns groups.

prosto_marussia (Option: B)

Should be B.
1. Configure User-ID in Prisma Access
2. Configure User-ID for Remote Network Deployments
3. Configure Your Prisma Access Deployment to Retrieve Group Mapping
4. Redistribute User-ID Information Between Prisma Access and On-Premises Firewalls
5. Collect User and Group Information Using the Directory Sync Service
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access

prosto_marussia

Ah, no. C is correct. The above is relevant for User-ID distribution, but for group mappings: Step 3: Allow Panorama to use group mappings in security policies by configuring one or more next-generation on-premises or VM-Series firewalls as a Master Device. If you don't configure a Master Device with a Prisma Access User-ID deployment, use long-form distributed name (DN) entries instead. https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/configure-user-id-in-prisma-access.html

KKQQ12345

Redistribution is for IP-to-user mapping, not group mapping.