Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)
To block traffic in real time using a dynamic user group (DUG), it is essential to have policies that can handle both the initial tagging of the traffic and the subsequent blocking. A Decryption policy is not necessarily required (option A), and an Allow policy for the initial traffic (option C) would not block traffic. Instead, a Deny policy with the 'tag' App-ID (option B) and a Deny policy for the tagged traffic (option D) are the two necessary components. They ensure that traffic is first identified and reported (tagged), and then subsequently blocked based on the tags.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups Use the dynamic user group in a policy to regulate traffic for the members of the group. You will need to configure at least two rules: one to allow initial traffic to populate the dynamic user group and one to deny traffic for the activity you want to prevent (in this case, questionable-activity). To tag users, the rule to allow traffic must have a higher rule number in your rulebase than the rule that denies traffic.
This question was on the exam. Nov 2023
Step 5. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-dynamic-user-groups-in-policy
C and D correct
C and D
Per the links already posted here.