Palo Alto Networks NGFW Engineer — Question 29
An organization has configured GlobalProtect in a hybrid authentication model using both certificate-based authentication for the pre-logon stage and SAML-based multi-factor authentication (MFA) for user logon.
How does the GlobalProtect agent process the authentication flow on Windows endpoints?
Answer options
- A. The GlobalProtect agent uses the machine certificate to establish a pre-logon tunnel; upon user sign-in, it prompts for SAML-based MFA credentials, ensuring both device and user identities are validated before granting full access.
- B. The GlobalProtect agent uses the machine certificate during pre-logon for initial tunnel establishment, and then seamlessly reuses the same machine certificate for user-based authentication without requiring MFA.
- C. Once the machine certificate is validated at pre-logon, the Windows endpoint completes MFA on behalf of the user by passing existing Windows Credential Provider details to the GlobalProtect gateway without prompting the user.
- D. GlobalProtect requires the user to log in first for SAML-based MFA before establishing the pre-logon tunnel, rendering the pre-logon certificate authentication (CA) flow redundant.
Correct answer: A
Explanation
The correct answer, A, accurately describes the flow: the GlobalProtect agent first establishes a pre-logon tunnel using the machine certificate, and then, when the user signs in, prompts for SAML-based MFA credentials, so that both the device and the user are authenticated. Option B is incorrect because it implies that no MFA is required after pre-logon, which contradicts the use of SAML-based MFA for user logon. Option C misrepresents the process by suggesting that MFA is completed without user interaction; SAML-based MFA requires the user to authenticate with the identity provider. Option D incorrectly states that user login for MFA must occur before the pre-logon tunnel is established, which undermines the purpose of pre-logon certificate authentication.