
Palo Alto Networks Exam PCNSE Topic 4 Question 69 Discussion

Actual exam question for Palo Alto Networks's PCNSE exam
Question #: 69
Topic #: 4

Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.

Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution.

How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?

Suggested Answer: C

User-ID group mapping is a feature that allows Panorama to retrieve user and group information from directory services such as LDAP or Active Directory [1]. This information can be used to enforce security policies based on user identity and group membership.

To configure User-ID group mapping on Panorama, you need to perform the following steps [1]:

1. Select Panorama > User Identification > Group Mapping Settings
2. Click Add and enter a name for the server profile
3. Select a Server Type (LDAP or Active Directory)
4. Click Add and enter the server details (IP address, port number, etc.)
5. Click OK
6. Select Group Include List and click Add
7. Select the groups that you want to include in the group mapping
8. Click OK
9. Commit your changes

By configuring User-ID group mapping on Panorama, you can see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules [2].
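
Option C, as quoted in the discussion below, relies on the User-ID XML API. The following is an added example, not part of the original page or of any Palo Alto Networks code: it turns IDM authentication events into the `<uid-message>` login document that the API accepts. The event line format, sample records, and function names are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample events in a hypothetical IDM export format (not from the page).
SAMPLE_EVENTS = [
    "2024-05-01T08:00:01Z result=success user=CORP\\alice ip=10.20.30.41 src=vpn",
    "2024-05-01T08:00:05Z result=failure user=CORP\\bob ip=10.20.30.42 src=wifi",
    "2024-05-01T08:00:09Z result=success user=CORP\\carol ip=not-an-ip src=wifi",
    "2024-05-01T08:00:12Z result=success user=CORP\\dave ip=10.20.31.7 src=wifi",
    "2024-05-01T08:01:30Z result=success user=CORP\\erin ip=10.20.30.41 src=vpn",
]

def parse_event(line):
    """Return (user, ip) for a successful authentication, else None."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
    if fields.get("result") != "success":
        return None  # failed logins must never create a mapping
    try:
        ip = str(ipaddress.ip_address(fields.get("ip", "")))
    except ValueError:
        return None  # never send a malformed address to the firewall
    user = fields.get("user")
    return (user, ip) if user else None

def build_uid_message(lines, timeout=60):
    """Build a User-ID XML API <uid-message> with one login entry per IP."""
    latest = {}  # ip -> user; a later event for the same IP replaces the earlier one
    for line in lines:
        parsed = parse_event(line)
        if parsed:
            user, ip = parsed
            latest[ip] = user
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for ip, user in latest.items():
        # ElementTree escapes attribute values, so a hostile username cannot inject XML.
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout))
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    # The document is sent to the firewall as the cmd parameter of a type=user-id API request.
    print(build_uid_message(SAMPLE_EVENTS))
```
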


Contribute your Thoughts:

Mirta
1 months ago
I bet the folks at Information Security are racking their brains over this one. *chuckles* Option C seems like the obvious choice to me - let's not overcomplicate things, eh?
upvoted 0 times
...
Martha
1 months ago
Option C all the way! Why waste time adding more domain controllers when you can just tap into the IDM solution and get the data you need?
upvoted 0 times
...
Vanda
2 months ago
Haha, looks like someone's got a security gap to close! I'd say C is the way to go - pulling the data straight from the IDM solution is the most elegant solution.
upvoted 0 times
Kristeen
6 days ago
C) Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution
upvoted 0 times
...
...
Alfreda
2 months ago
I'm not too sure about this one. The VPN and wireless authentication events seem to be the key, so I'd go with D to monitor those directly.
upvoted 0 times
Tatum
29 days ago
C) Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution
upvoted 0 times
...
Lon
1 months ago
B) Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS.
upvoted 0 times
...
Simona
1 months ago
A) Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users.
upvoted 0 times
...
...
Maybelle
2 months ago
Hmm, this seems like a tricky one. I'd say the best option is C, as it allows us to directly extract the IP-to-user mapping from the IDM solution, which seems to be the root of the problem.
upvoted 0 times
Lizbeth
1 months ago
Yeah, extracting the information directly from the IDM solution would definitely streamline the process.
upvoted 0 times
...
Hubert
1 months ago
I agree, option C seems like the most direct way to solve the issue.
upvoted 0 times
...
...
Tegan
2 months ago
I'm not sure about option B. I think option C might be a better solution. Configuring the User-ID XML API on PAN-OS firewalls to pull authentication events directly from the IDM solution could provide more accurate and detailed information for mapping.
upvoted 0 times
...
Rebbeca
3 months ago
I agree with Phyliss. Option B seems like the most efficient way to extract IP-to-user mapping information from authentication events. It's important to ensure we are capturing all relevant data for security monitoring.
upvoted 0 times
...
Phyliss
3 months ago
I think option B is the best choice. Configuring the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS will allow us to capture authentication events for VPN and wireless users.
upvoted 0 times
...
