PDF PCNSE Study Guide

When managing firewalls with Panorama, configurations can be pushed from Panorama templates to managed firewalls. However, there are scenarios where specific settings need to be overridden on the local firewall level due to unique requirements or exceptions.

B. The modification will not be visible in Panorama:

• When an override is made directly on the firewall, this change is not automatically reflected back in Panorama's templates or device groups. The local configuration on the firewall will take precedence over the Panorama pushed configuration for the overridden settings, but these local changes will not be visible in the Panorama interface. This means that while Panorama maintains central control and visibility over the bulk of the configuration, it does not have visibility into local overrides made directly on the firewalls.

This distinction is crucial for auditors and administrators to understand, as it impacts how configurations are managed and synchronized between Panorama and the individual firewalls. Local overrides provide flexibility but require careful management to ensure consistency and compliance with security policies.

Custom Panorama Admin: Custom Panorama Admin roles allow you to customize the elements of Panorama that an administrator can access. You can hide tabs in the web interface, you can set specific items in Panorama to read-only, or you can limit an administrator’s access to Panorama plugins. Custom Panorama Admin roles require planning and configuration, but they provide extensive flexibility because you can control what administrators can access through the web interface or the CLI. Device Group and Template Admin: Device Group and Template Admin roles also require configuration because there are no built-in examples. These Admin Roles allow you to define which Panorama templates or Panorama device groups an administrator can access and configure. You can hide tabs in the web interface or set specific items to read only to control what administrators can configure.

To use PAN-OS multi-factor authentication (MFA) to secure access to critical assets, the enterprise should configure a Captive Portal authentication policy that uses an authentication sequence. An authentication sequence is a feature that allows the firewall to enforce multiple authentication methods (factors) for users who access sensitive services or applications. An authentication sequence can include up to four factors, such as login and password, Voice, SMS, Push, or One-time Password (OTP) authentication. The firewall can integrate with MFA vendors through RADIUS or vendor APIs to provide the additional factors12.

To configure an authentication sequence, the enterprise needs to create an authentication profile for each factor and then add them to the sequence in the desired order. The enterprise also needs to create a Captive Portal authentication policy that matches the traffic that requires MFA and applies the authentication sequence to it. The Captive Portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The Captive Portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button34.

When a user tries to access a service or application that matches the Captive Portal authentication policy, the firewall redirects the user to the Captive Portal web form for the first factor. After the user successfully authenticates for the first factor, the firewall prompts the user for the second factor through RADIUS or vendor API integration. The firewall repeats this process until all factors in the sequence are completed or until one factor fails. If all factors are completed successfully, the firewall allows the user to access the service or application. If one factor fails, the firewall denies access and logs an event56.

Configuring a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile is not sufficient to use PAN-OS MFA. This option only provides one factor of authentication through RADIUS integration with an MFA vendor. To use multiple factors of authentication, an authentication sequence is required.

Creating an authentication profile and assigning another authentication factor to be used by a Captive Portal authentication policy is not correct to use PAN-OS MFA. This option does not specify how to create or apply an authentication sequence, which is necessary for enforcing multiple factors of authentication.

Using a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns is not relevant to use PAN-OS MFA. This option is a feature of Palo Alto Networks Cortex XDR™ that helps protect endpoints from credential theft by malicious actors. It does not provide any MFA functionality for accessing critical assets7.

References: Authentication Sequence, Configure Multi-Factor Authentication, Configure an Authentication Portal, Create an Authentication Profile, Create an Authentication Sequence, Create a Captive Portal Authentication Policy, Credential Phishing Agent