

Question 6 Discussion

An engineer configures User-ID redistribution from an on-premises firewall connected to Prisma Access (Managed by Panorama) using a service connection. After committing the configuration, traffic from remote network connections is still not matching the correct user-based policies. Which two configurations need to be validated? (Choose two answers)

  • A. Ensure the Remote_Network_Template is selected when adding the User-ID Agent in Panorama.
  • B. Confirm there is a Security policy configured in Prisma Access to allow the communication on port 5007.
  • C. Confirm the Collector Pre-Shared Keys match between Prisma Access and the on-premises firewall.
  • D. Ensure the Service_Conn_Template is selected when adding the User-ID Agent in Panorama.
Correct Answer: C,D

Brave-Dump Clients Votes

CD 100%

Comments



Anonymous User 2026-02-25 14:43:09

Selected Answers: C, D


C. Confirm the collector pre-shared keys match between Prisma Access and the on-premises firewall.
User-ID redistribution uses a Collector Name and Collector Pre-Shared Key to authenticate between the User-ID “collector” and the “agent” (Prisma Access vs. on-prem FW). If these do not match, the redistribution session will not establish and no mappings will be used in policy.

D. Ensure the Service_Conn_Template is selected when adding the User-ID agent in Panorama.
When you configure Prisma Access or the on-prem firewall as a User-ID agent/collector in Panorama, you must select the correct Service_Conn_Template for service connections (or Remote_Network_Template for remote networks) in the Templates drop-down so the User-ID config actually applies to the service-connection context used for redistribution.

Why not A and B?

A. Ensure the Remote_Network_Template is selected when adding the User-ID Agent in Panorama.
This is only correct when you are using a remote network connection (RN-SPN); in your scenario, redistribution is over a service connection, so the correct template is Service_Conn_Template, not Remote_Network_Template.


B. Confirm there is a security policy configured in Prisma Access to allow the communication on port 5007.
User-ID redistribution uses TCP port 5007, but it runs inside the IPSec service/remote-network tunnel; Prisma Access documentation does not require a separate Prisma security policy rule specifically for port 5007 between Prisma and the on-prem firewall, as this traffic is considered control-plane over the established tunnel and managed via the User-ID redistribution configuration and templates.


Ayesha 2026-03-06 15:45:45

Selected Answers: C, D


When User-ID redistribution from an on-premises firewall to Prisma Access via a service connection is configured, and traffic from remote network connections is not matching user-based policies, the following two configurations need to be validated:

Confirm the Collector Pre-Shared Keys match between Prisma Access and the on-premises firewall. The on-premises firewall, acting as a User-ID agent, must be configured with a Collector Name and a Collector Pre-Shared Key. Prisma Access, when configured to collect User-ID mapping from this on-premises firewall, must use the exact same Collector Name and Collector Pre-Shared Key to establish an authenticated connection and receive the identity information. Without matching keys, the redistribution will fail.

Ensure the Service_Conn_Template is selected when adding the User-ID Agent in Panorama. When configuring Prisma Access (managed by Panorama) to collect User-ID mappings from an on-premises firewall that is connected via a service connection, it is crucial to select the Service_Conn_Template in the Templates drop-down when adding the User-ID agent in Panorama. This ensures that the User-ID agent configuration is correctly applied within the context of the service connection, allowing Prisma Access to receive the user mappings from the on-premises firewall.