Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 225

An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain IP-to-user mapping information.
However, Information Security wants to use this information in Prisma Access for policy enforcement based on group mapping. Information Security uses on- premises Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD.
How can policies based on group mapping be learned and enforced in Prisma Access?

Answer options

• A. Configure Prisma Access to learn group mapping via SAML assertion.
• B. Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access.
• C. Assign a master device in Panorama through which Prisma Access learns groups.
• D. Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers.

Correct answer: C

Explanation

The correct answer is C because assigning a master device in Panorama allows Prisma Access to learn group information from the configured device. Option A is incorrect since SAML assertions are not used for group mapping in this context. Option B is not applicable as group mapping redistribution does not facilitate group learning in Prisma Access. Option D is also incorrect as it suggests an LDAP profile which is not required for group mapping in this scenario.