Palo Alto Networks NGFW Engineer — Question 76

A government agency needs to ensure that all user web access is explicitly mediated and authenticated. The agency has the following requirements:

• Client browsers must be manually configured to send traffic to the firewall's IP address and a specific port.
• The firewall must support seamless single sign-on (SSO) with the users' existing Active Directory credentials.

Which feature set should the engineer configure to meet the agency's requirements?

Answer options

• A. Web proxy in explicit mode with an Authentication policy by using Kerberos
• B. Decryption policy that redirects users to a SAML identity provider for authentication
• C. Web proxy in transparent mode with an Authentication policy by using multi-factor authentication (MFA)
• D. User-ID agent integration with Authentication Portal for authentication

Correct answer: A

Explanation

The correct answer is A because an explicit web proxy allows for manual configuration of client browsers, which meets the agency's requirement for traffic redirection. Option B involves using SAML for authentication, which does not align with the explicit mediation requirement. Option C does not support the necessary manual configuration of client browsers, and option D does not provide the explicit web access control required by the agency.