A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama. Which configuration is necessary to retrieve groups from Panorama?
A. Configure an LDAP Server profile and enable the User-ID service on the management interface.
B. Configure a group mapping profile to retrieve the groups in the target template.
C. Configure a Data Redistribution Agent to receive IP User Mappings from User-ID agents.
D. Configure a master device within the device groups.
I am not sure what you are all relating to, but AD groups are always gathered from LDAP (AD servers), so an LDAP profile must be distributed via template from Panorama. Each FW then gets its groups directly from LDAP.
The MASTER DEVICE is ONLY used for User-ID information gathering! Please take a look in Panorama Device groups, label says "master device is the firewall which Panorama gathers user ID info for use in policies". Nothing to do with groups here!
So answer CANNOT be D if the question is related to AD groups! Only A or B are possible.
Answer is C
Direct from Panorama, when you select a User ID Master device the check option for it specifies to store groups too.
"Store users and groups from Master Device if Reporting and Filtering on Groups is enabled in Panorama Settings"
"Configuring Group Mappings on Firewalls using Panorama without the master device."
"Go to Device > User Identification > Group Mapping Settings and generate a new Group Mapping Profile. During the process, select the LDAP Server Profile that was pushed from Panorama."
Configuring a master device within a device group in Panorama is not directly related to retrieving groups from an LDAP directory or solving issues with LDAP group retrieval. The concept of a "master device" in Panorama is more related to managing configurations and pushing them to other devices within the device group, rather than LDAP group retrieval.
Answer is D. To simplify the creation or modification of user- and group-based policies, you can use a Master Device to add the group names to drop-down lists in security policy rules. You need to designate a firewall as a Master Device for each device group. After you add a Master Device, the device group inherits all policies defined on the master device; for this reason, it should be a standalone, dedicated device to be used for that device group. Alternatively, you can enable username-to-user group mapping using an LDAP profile with a Group Include List.
This question is not formed right. It is asking about "retrieving groups from Panorama", but it should be about "Panorama retrieving groups from Firewall".
D is correct but you still need to get the group information on the master device (firewall) which I already configured as described in A. Please note: You cannot configure A on Panorama.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFQCA0
I guess what I am trying to say: I don't like the question. But D seems to be the most correct answer, ignoring how the Group information is provided to the FW.
upvoted 4 times
Community vote distribution: A (35%, most voted), C (25%), B (20%), Other