Which PAN-OS method of mapping users to IP addresses is the most reliable?
Correct Answer: B
GlobalProtect provides accurate, timely mappings by requiring user authentication on network changes, device posture shifts, or logon events, using both internal and external gateways for comprehensive coverage across remote and on-premises users without relying on external agents or syslog delays.
Question 42
An engineer is implementing a new rollout of SAML for administrator authentication across a company's Palo Alto Networks NGFWs. User authentication on company firewalls is currently performed with RADIUS, which will remain available for six months, until it is decommissioned. The company wants both authentication types to be running in parallel during the transition to SAML. Which two actions meet the criteria? (Choose two.)
Correct Answer: B,C
B). Create an authentication sequence that orders the RADIUS profile first followed by the SAML profile, allowing the firewall to attempt RADIUS authentication and fall back to SAML if needed, supporting tandem operation for administrator logins. C). Create and apply an authentication profile using the SAML Identity Provider Server Profile, which can then be sequenced alongside the existing RADIUS profile without disrupting current authentication.
Question 43
Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third- party gateway? (Choose two.)
Correct Answer: A,B
In the Palo Alto Networks architecture, establishing a site-to-site VPN requires a clear understanding of how the Security Policy engine interacts with different traffic flows. According to technical documentation (Step 7 of the IPSec configuration guide), there are two distinct categories of traffic to consider: theControl Plane (negotiation) and theData Plane(transit). First, the IKE negotiation (UDP 500/4500) and IPSec/ESP packets are directed at the firewall's own external interface. Because the peer gateway is usually reachable through the same zone as that interface (e.g., 'Untrust'), the traffic is processed asintrazone. By default, PAN-OS includes anintrazone-defaultsecurity policy set to 'Allow'. Consequently, the tunnel can technically establish without an explicit rule, provided no manual 'Deny All' rule precedes it. This confirms that negotiation is allowed by default via the intrazone policy. Second, regarding the data traffic entering or exiting the tunnel interface, the firewall applies standard zone- based inspection. While the firewall is stateful and policies are unidirectional, the documentation specifies that creating separate rules for each direction (one for inbound and one for outbound) isoptional. An administrator can choose to create two granular rules for tighter control or combine both directions into a single rule by adding both the internal and tunnel zones to the source and destination fields. This flexibility allows for a more streamlined rulebase while still meeting security requirements.