Exam PCNSE
Question 211

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

    Correct Answer: B

    GlobalProtect should be used in a high-security environment where all IP address-to-user mappings must be explicitly known. GlobalProtect ensures that users authenticate to gain access to the network, making the IP address-to-username mapping explicitly known. This method provides a high degree of security as it verifies user identity before granting access, which is critical in sensitive environments.

Discussion
Marcyy Option: B

100% is B. Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html

GivemeMoney

B - This is the best solution in sensitive environments where you must be certain of who a user is in order to allow access to an application or service. Thanks Marcyy, you're awesome! So far you're right every time, I trust ya <3

DatITGuyTho1337

Yah, but what does the GP infrastructure authenticate that information with? Surely not user and group information (never mind user-to-IP address mappings) from AD, LDAP and the integrated PAN User-ID Agent!?

UFanat Option: B

The key is "a high-security environment". In this case you should use a zero trust approach with "authentication first", so you need to use GlobalProtect.

daytonadave2011 Option: B

B. GlobalProtect makes the most sense here because you're forcing the users to authenticate with GP before having access.

juan_L Option: B

B, C and D are suitable for different reasons, let's see: GlobalProtect with always-on is the most secure option, all traffic will be encrypted to its gateway. Not everybody will have it installed, so it's required to use it in combination with another tool to force the installation, such as Forescout... or a captive portal or whatever. Windows-based User-ID agent: the agent installation on a dedicated AD relay server is the most used, and allows connecting to multiple servers. PAN-OS integrated is the last possible of these three, because it only permits connecting to 1 server; if the environment has many AD or it has a connection problem, then you are in trouble, definitely this is not the preferable one. So finally the best choice is GlobalProtect in combination with the Windows User-ID agent and a good NAC if that security environment deserves it. ... Now go and blab about it.

RamanJoshi

Guys, can anyone suggest where I can buy the best PCNSE dumps with correct answers?

alanouaro Option: B

Option B. Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known. This is the best solution in sensitive environments where you must be certain of who a user is in order to allow access to an application or service. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html

JRKhan Option: B

B is correct. High sensitive environment, always on authentication, accurate/up to date user-to-ip mappings. And all the other options are not mapping methods.

Waheedeladawy Option: B

The answer is B. GlobalProtect. GlobalProtect is a VPN solution that provides secure remote access to corporate networks. When a user connects to GlobalProtect, their identity is verified against an LDAP server. This ensures that all IP address-to-user mappings are explicitly known. The other options are not as secure as GlobalProtect. Option A, LDAP Server Profile configuration, allows for the configuration of multiple LDAP servers. This can make it difficult to track all IP address-to-user mappings. Option C, Windows-based User-ID agent, relies on the Windows operating system to provide user identity. This can be less secure than using an LDAP server, as the Windows operating system is more susceptible to attack. Option D, PAN-OS integrated User-ID agent, uses a local database to store user mappings. This database can be easily compromised, making it less secure than using an LDAP server.

327c7c8 Option: B

GlobalProtect is the best method

DatITGuyTho1337 Option: C

Answer should be "C", because if AD which is extensively used in modern networks to administrate them does not know who users are then they either do not have access to network resources by default or they simply won't be able to login. The firewall groups info it authenticates to global protect users STILL MAKE USE OF AD. Never forget that!!!

Mauz88 Option: B

B. Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known. This is the best solution in sensitive environments where you must be certain of who a user is in order to allow access to an application or service.

AbuHussain Option: B

It's B

drrealest

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVPCA0 "On sensitive and high security networks, WMI probing increases the overall attack surface, and administrators are recommended to disable WMI probing and instead rely upon User-ID mappings obtained from more isolated and trusted sources, such as domain controllers. If you are using the User-ID Agent to parse AD security event logs, syslog messages, or the XML API to obtain User-ID mappings, then WMI probing should be disabled. Captive portal can be used as a fallback mechanism to re-authenticate users where security event log data may be stale."

Plato22 Option: B

Wrong, there is no such thing as D. Answer should be B or A

RJ45TP

D does exist, though I'm not saying it is correct: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-pan-os-integrated-user-id-agent