Exam PCNSA
Question 82

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

    Correct Answer: B, D

    To tag a username for inclusion in a dynamic user group, two features can be particularly useful. The XML API allows for programmatic tagging of usernames, enabling dynamic assignment based on various criteria or external inputs. Additionally, log forwarding auto-tagging automates the tagging process based on log entries that match predefined criteria. These mechanisms are instrumental in ensuring that usernames are accurately and dynamically included in user groups as per the requirements.

Discussion
nabilzay (Options: BC)

Correct options should be B and C: To dynamically register tags, you can use:
- the XML API
- the User-ID agent
- Panorama
- the web interface on the firewall

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups

fb48 (Options: BD)

answer: BD
https://docs.paloaltonetworks.com/best-practices/10-1/user-id-best-practices/user-id-best-practices/user-id-best-practices-for-dynamic-user-groups
Firewall logs - create a log forwarding profile and use the Built-In Actions
Custom API scripts

OhEmGee (Options: BD)

B and D are the answers. See the text from PCNSE Study Guide: Several methods are available to tag or untag usernames. As shown in the following screenshot (in the book), you can manually tag and untag usernames by using the web interface. Usernames can also be tagged and untagged by using the auto-tagging feature in a Log Forwarding Profile. (NOTE: I have practically done both.) You also can program another utility to invoke the PAN-OS XML API commands to tag or untag usernames. (NOTE: I've not tried XML API myself tho.)

cjace (Options: BD)

B. XML API
The XML API can be used to programmatically tag usernames. This allows administrators to dynamically assign tags to users based on various criteria or external inputs. These tags can then be used to include the users in dynamic user groups.

D. Log forwarding auto-tagging
Log forwarding auto-tagging allows for automated tagging based on log entries. When specific logs match predefined criteria, the system can automatically tag the associated usernames. These tags are then used to include the users in dynamic user groups.

guuillauume (Options: BD)

answer BD

o0ZACK0o (Options: BD)

According to PCNSA Study Guide

[Removed]

Care to share the page?

nuWat (Options: BD)

It's B and D, "You can manually tag and untag usernames using the web interface. Usernames can also be tagged and untagged by using the auto-tagging feature in a log forwarding profile or by programming another utility to invoke PAN-OS XML API commands." Got this from a file called EDU-210-10.1a-M12-UserID-1.pdf which can be accessed in the EDU-210 training course.

commandlineclown (Options: BC)

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups

javim

I agree

olexx (Options: BD)

In the Palo Alto trainings they mention two ways to populate a dynamic user group (DUG):
1. XML API
2. Log forwarding auto-tagging

In other words, how would you automatically include tagged usernames using Panorama or the web interface?! The answer is, you do that through defining a filter & an action in Dynamic user groups, followed by Log forwarding configuration. If you don't activate the log forwarding auto-tagging in the security policy, then the Dynamic user group (DUG) will NOT be populated... you can test it yourself in any Palo Alto firewall. Without 'Log forwarding auto-tagging' attached to your security policy, the defined log filter & its action in DUG will NOT forward any recognised username - which matches the predefined filter & action - to the dynamic user group.

So the answer is B & D

Aaronyukin

This question should be reviewed further. According to the documentation, here is the statement: "You can then use these tags to automatically populate policy objects such as dynamic user groups or dynamic address groups, which can then be used to automate security actions in security, authentication, or decryption policies"

Depending on the type of log you want to use for tagging, create a log forwarding profile or configure the log settings to define how you want the firewall or Panorama to handle logs. For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile. For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions

Veasna_shadow (Options: BC)

To dynamically register tags, you can use:
- the XML API
- the User-ID agent
- Panorama
- the web interface on the firewall

kenyabolada (Options: BC)

To dynamically register tags, you can use:
- the XML API
- the User-ID agent
- Panorama
- the web interface on the firewall

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups

Kalender (Options: AD)

Just one question: are User-ID Agent and User-ID Windows based Agent the same thing? If different, the answer should be A and D

mecacig953 (Options: BC)

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups

z8d21oczd (Options: BC)

They are asking to tag a specific user. From the given options it must be B and C. I agree that you would need D to scan your logs and automatically tag users if something happens, but the answer does not match the question. A is out of the question

kewokil120 (Options: BD)

I think it's BD

Cyril_the_Squirl (Options: BC)

B & C Correct