Palo Alto Networks NGFW Engineer — Question 39

A PA-Series firewall with all licensable features is being installed. The customer’s Security policy requires that users do not directly access websites. Instead, a security device must create the connection, and there must be authentication back to the Active Directory servers for all sessions.
Which action meets the requirements in this scenario?

Answer options

• A. Deploy the transparent proxy with Web Cache Communications Protocol (WCCP).
• B. Deploy the Next-Generation Firewalls as normal and install the User-ID agent.
• C. Deploy the Advanced URL Filtering license and captive portal.
• D. Deploy the explicit proxy with Kerberos authentication scheme.

Correct answer: D

Explanation

The correct answer is D because deploying an explicit proxy with Kerberos authentication allows the security device to manage user access to websites while ensuring that authentication is handled back to the Active Directory. Option A does not provide the necessary authentication mechanism, while options B and C do not align with the requirement for a direct connection management by a security device.