After successfully creating a SAML authentication type and authentication profile in Cloud Identity Engine , the next step is to configure a corresponding SAML authentication profile in Strata Cloud Manager and link it to the Cloud Identity Engine profile . This ensures that Prisma Access (Managed by Strata Cloud Manager) can authenticate mobile users using the configured SAML identity provider (IdP), enabling seamless user authentication and access control.

In Prisma Access , configuring a notification profile allows engineers to receive alerts when IPSec tunnels experience downtime or instability. By defining specific conditions for remote network IPSec tunnels , the notification profile ensures that the engineer is proactively informed about tunnel failures, flapping, or degraded performance . This approach enables timely troubleshooting and minimizes disruptions for users relying on the IPSec tunnels.

In Prisma Access Browser (PAB) , allowing access to applications while enforcing data masking or watermarking provides security for BYOD (Bring Your Own Device) users without heavily impacting the user experience. Data masking ensures that sensitive information is obscured , reducing the risk of data leakage, while watermarking can deter unauthorized screenshots or data exfiltration. This approach balances security and usability , allowing users to work efficiently while protecting corporate data.

Updating the Cloud Services plugin in Prisma Access does not disrupt existing traffic flows because the upgrade process is designed to be seamless and transparent . Prisma Access ensures high availability by maintaining active sessions and policies while applying the update in the background. This allows ongoing connections to continue without interruptions, minimizing impact on user experience.

To meet the customer’s requirements, GlobalProtect and Remote Networks should be used as follows:

GlobalProtect : This enables secure access for mobile users, ensuring internet filtering, data center connectivity, and access to branch locations.

Remote Networks : This is used to provide security and connectivity for branch locations, ensuring internet filtering and data center access.

Service Connections : These allow both mobile users and branch locations to securely connect to the data center for internal resources.

This configuration ensures that mobile users and branch locations can securely access the internet while maintaining a segregated and secure connection to internal resources. It also aligns with Prisma Access's best practices for security enforcement, traffic filtering, and centralized management .

Enabling eBGP for dynamic routing and configuring Remote Networks ensures seamless connectivity between branch locations, mobile users, and the data center. eBGP allows Prisma Access to dynamically exchange routes with the Customer Premises Equipment (CPE), optimizing path selection without requiring manual updates. Configuring Remote Networks and defining branch IP subnets using static routes ensures controlled and segmented routing, aligning with security policies. This setup provides proper internet filtering, data center connectivity, and restricted access for B2B partners while keeping management responsibilities aligned.

When onboarding a new branch office to an existing IPSec termination node in Prisma Access , the QoS bandwidth is not automatically assigned . Instead, the newly added branch remains unallocated until the administrator manually assigns bandwidth within the QoS configuration settings . This ensures that customized bandwidth per site remains intact and allows for fine-tuned traffic management based on business needs.

Palo Alto Networks documentation clearly states that when configuring the traffic replication feature in Prisma Access, you must specify an internal security appliance as the destination for the mirrored traffic. This appliance, typically a Palo Alto Networks next-generation firewall or a third-party security tool, is responsible for receiving and analyzing the replicated traffic for various purposes like threat analysis, troubleshooting, or compliance monitoring.

Let's analyze why the other options are incorrect based on official documentation:

B. Dedicated cloud storage location: While Prisma Access logs and other data might be stored in the cloud, the mirrored traffic for real-time analysis is directly streamed to a designated security appliance, not a passive storage location.

C. Panorama: Panorama is the centralized management system for Palo Alto Networks firewalls. While Panorama can receive logs and manage the configuration of Prisma Access, it is not the direct destination for real-time mirrored traffic intended for immediate analysis.  

D. Strata Cloud Manager (SCM): Strata Cloud Manager is the platform used to configure and manage Prisma Access. It facilitates the setup of traffic replication, including specifying the destination appliance, but it does not directly receive or analyze the mirrored traffic itself.  

Therefore, the mirrored traffic from the traffic replication feature in Prisma Access is directed to a specified internal security appliance for analysis.

The "400 Bad Request" error when attempting SAML authentication through the Cloud Identity Engine (CIE) suggests a misconfiguration in the SAML metadata . This typically occurs when the endpoint URLs, certificates, or entity IDs do not match between Cloud Identity Engine and the IdP portal . To resolve this, verify that:

The SAML metadata uploaded to Cloud Identity Engine matches the configuration from the IdP .

The ACS (Assertion Consumer Service) URL, Entity ID, and certificate are correctly set.

There are no incorrect or expired certificates in the Cloud Identity Engine and IdP configuration .

By ensuring the SAML metadata is properly configured in both systems , authentication should proceed without errors.

To meet the customer’s requirements, two separate Prisma Access instances should be deployed:

Instance 1 should include mobile users, remote networks, and private access for internal connectivity. This ensures that mobile users can access the internet, data centers, and remote branch locations while enforcing security policies.

Instance 2 should be configured with remote networks and private application access for B2B connections. This instance will restrict access to only the required internally developed applications using non-standard ports, ensuring that partners cannot access other corporate resources.

By using specific configuration scopes for different connection types , the security team can manage access to mobile users and branch locations, while the network team can manage B2B partner connections. This ensures proper segmentation of management responsibilities while maintaining security and compliance.