Question 3 - Palo Alto Networks NGFW-Engineer Real Exam Questions [Jan 2026 Update]

Q: 3

An engineer is implementing a new rollout of SAML for administrator authentication across a company’s Palo Alto Networks NGFWs. User authentication on company firewalls is currently performed with RADIUS, which will remain available for six months, until it is decommissioned. The company wants both authentication types to be running in parallel during the transition to SAML. Which two actions meet the criteria? (Choose two.)

Options

Correct Answer:

B, C

Explanation

To allow both SAML and RADIUS administrator authentication to function concurrently, a PAN-OS feature called an Authentication Sequence must be used. This involves two primary actions:

1. Creating the new authentication components for SAML. This requires creating a SAML Identity Provider Server Profile and then creating an Authentication Profile that uses, or "applies," this server profile to it.

2. Creating an Authentication Sequence that lists both the new SAML Authentication Profile and the existing RADIUS Authentication Profile.

This sequence allows the firewall to try authenticating an administrator against one profile (e.g., SAML) and, if that fails or is unavailable, try the next profile in the sequence (e.g., RADIUS). This configuration is then applied to the firewall's administrator authentication settings.

Why Incorrect

A. Create a testing and rollback plan for the transition from Radius to SAML, as the two authentication profiles cannot be run in tandem.

This is factually incorrect. The Authentication Sequence feature in PAN-OS is specifically designed to allow multiple authentication profiles to be used in tandem.

D. Create and add the “SAML Identity Provider” Server Profile to the authentication profile for the “RADIUS” Server Profile.

This describes a technically impossible action. An Authentication Profile can only reference one Server Profile or one Authentication Sequence; you cannot add a Server Profile to another.

References

1. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2

"Configure an Authentication Sequence". Device > Authentication Sequence. This section states

"An authentication sequence allows you to try multiple authentication profiles in a specific order... For example

you can create an authentication sequence that first attempts to authenticate users against a Kerberos server. If the Kerberos server is unreachable

the firewall then attempts to authenticate users against an LDAP server

and so on." This directly supports the use of a sequence for the RADIUS and SAML profiles.

2. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2

"Configure an Authentication Profile and Sequence". Device > Authentication Profile. This guide details the process: "Create an Authentication profile for each authentication service that you plan to use... Create an Authentication Sequence that includes the Authentication profiles you created... Apply the Authentication Sequence to a firewall service." This confirms that creating the SAML authentication profile (Option C) and the sequence (Option B) are the correct

distinct actions.

3. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2

"Configure SAML Authentication". Device > Server Profiles > SAML Identity Provider. This section outlines the creation of the SAML IdP Server Profile

which is then selected within an Authentication Profile

confirming the action described in Option C.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE