Exam PCNSE
Question 539

Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.

Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM).

There did not appear to be direct integration between PAN-OS and the IDM solution.

How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?

    Correct Answer: A

    To solve the issue of capturing authentication events for VPN and wireless users, Information Security can configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS. This approach allows the system to receive authentication events from external sources, such as RADIUS, through Syslog, thereby enabling the extraction and learning of IP-to-user mapping information. Configuring the User-ID agent to accept Syslog messages over a secure channel ensures that authentication events from devices not directly integrated with the domain controllers are still captured and utilized for security policies.

Discussion
TeachTrooper Option: A

Must be A. B is wrong, because the XML API on the firewall does not pull. C is wrong, because the security log is the same on all DCs within an AD domain. D is wrong, because "There did not appear to be direct integration between PAN-OS and the IDM solution."

dgonz Option: B

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/map-ip-addresses-to-users/send-user-mappings-to-user-id-using-the-xml-api

Artbrut Option: A

The firewall won't pull, so A.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/map-ip-addresses-to-users/send-user-mappings-to-user-id-using-the-xml-api

sov4 Option: A

I believe it's A. Here's why:

Valid - See link below - A. Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS.

Not valid - API doesn't "pull". Period. - B. Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution.

Not valid - Devices use RADIUS, not domain controllers. Wouldn't make a difference. - C. Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users.

Almost valid - The Windows User-ID agent accepts syslog, just like the integrated agent. It doesn't "monitor" the devices... it listens for syslog. See link below - D. Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping#iddb1a7744-17c6-4900-a2cb-5f3511fef60f

ali_sh85 Option: B

I think B is correct. XML API: The PAN-OS XML API is used in cases where standard user mapping methods might not work, for example, third-party VPNs or 802.1x-enabled wireless networks.

Marshpillowz Option: A

Answer is A

Thunnu Option: B

Answer is B

Andromeda1800 Option: A

A is valid.

techplus Option: B

Real-world scenario https://www.reddit.com/r/paloaltonetworks/comments/izp7ll/wireless_user_identification_in_panos/

piipo Option: B

There did not appear to be direct integration between PAN-OS and the IDM solution.

piipo

Sorry, it is A.

Merlin0o Option: A

A. Src: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/user-id-concepts/user-mapping/syslog

Waheedeladawy Option: B

Answer is D. The User-ID XML API on PAN-OS firewalls can be used to pull authentication events directly from the IDM solution. This will allow Information Security to extract and learn IP-to-user mapping information for VPN and wireless users. The other options are not as effective. Option A would allow Information Security to monitor more domain controllers, but it would not solve the problem of missing authentication events. Option C would not solve the problem because the authentication events are not being captured on the domain controllers. Option D would only work if the VPN concentrators and wireless controllers are configured to send syslog messages to the Windows User-ID agents.

Waheedeladawy

Sorry, it is B.

PaloSteve Option: A

I think I'll go with Answer A. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users. "To obtain user mappings from existing network services that authenticate users—such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms—Configure User-ID to Monitor Syslog Senders for User Mapping. While you can configure either the Windows agent or the PAN-OS integrated User-ID agent on the firewall to listen for authentication syslog messages from the network services, because only the PAN-OS integrated agent supports syslog listening over TLS, it is the preferred configuration."

Frightened_Acrobat Option: A

The link provided by mercysayno765 says to use the integrated PAN-OS User-ID agent to listen for Syslog senders. "To obtain user mappings from existing network services that authenticate users—such as wireless controllers" use Syslog. Further research into setting up Syslog for User-ID agent, it uses a TLS certificate. Which perfectly matches answer A. Answer B says it "pulls" the User-ID agent information. This isn't even how the API works.

procheeseburger Option: B

The answer is B

rampa70 Option: B

Option B would otherwise be OK, but I'm not sure about the word "pull" on PAN-OS firewalls, as the firewall itself does not pull the data. You need something to run the script and send that data via the XML API to the PAN-OS firewall in the correct format.

mlj23 Option: B

B. Links that mercysayno765 provided below apply.
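
The two mechanisms debated in this thread, as an added example (not from the exam page or from Palo Alto Networks): the syslog listener extracts user and IP with prefix/delimiter field identifiers like those of a Syslog Parse profile, while the User-ID XML API accepts a `uid-message` that an external script pushes to the firewall. The log lines, host names, identifier values and the `timeout` default are constructed for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample lines in the style of an IDM/RADIUS feed (not real logs).
SAMPLE_SYSLOG = [
    r"<13>Jan 10 09:14:02 idm01 radius: Authentication success User:CORP\alice Source:10.20.30.41 NAS:wlc-01",
    r"<13>Jan 10 09:14:05 idm01 radius: Authentication failed User:CORP\mallory Source:10.20.30.66 NAS:vpn-01",
    r"<13>Jan 10 09:15:11 idm01 radius: Authentication success User:bob@corp.example Source:10.20.31.7 NAS:vpn-01",
    r"<13>Jan 10 09:15:40 idm01 radius: Authentication success User:CORP\carol Source:not-an-ip NAS:wlc-01",
]

# Assumed identifier values, named after the Syslog Parse profile fields.
EVENT_STRING = "Authentication success"
USERNAME_PREFIX, USERNAME_DELIMITER = "User:", r"\s"
ADDRESS_PREFIX, ADDRESS_DELIMITER = "Source:", r"\s"

def _field(line, prefix, delimiter):
    m = re.search(re.escape(prefix) + "(.+?)(?:" + delimiter + "|$)", line)
    return m.group(1) if m else None

def parse_login(line):
    """Return (user, ip) for a successful login event, else None."""
    if EVENT_STRING not in line:
        return None  # failures and unrelated events never create a mapping
    user = _field(line, USERNAME_PREFIX, USERNAME_DELIMITER)
    addr = _field(line, ADDRESS_PREFIX, ADDRESS_DELIMITER)
    try:
        return (user, str(ipaddress.ip_address(addr))) if user else None
    except (TypeError, ValueError):
        return None  # missing or malformed address

def mappings(lines):
    """IP -> user; a later login for the same IP replaces the earlier one."""
    hits = filter(None, map(parse_login, lines))
    return {ip: user for user, ip in hits}

def uid_message(ip_to_user, timeout=60):
    """User-ID XML API login payload that an external script would push."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for ip, user in ip_to_user.items():
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout))
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(uid_message(mappings(SAMPLE_SYSLOG)))
```

Running the same identifiers over a day of real IDM output before configuring the firewall shows whether failed logins or malformed addresses would slip into the mapping table.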