Exam PCNSE topic 1 question 539 discussion

Must be A. B is wrong, because XM-API on the firewall does not pull. C is wrong, because the security log is the same on all DCs within an AD domain. D is wrong, because "There did not appear to be direct integration between PAN-OS and the IDM solution."

I think B is correct. XML API: The PAN-OS XML API is used in cases where standard user mapping methods might not work—for example, as third-party VPNs or 802.1x-enabled wireless networks

Answer is A

Answer is B

A is valid.

Real-world scenario https://www.reddit.com/r/paloaltonetworks/comments/izp7ll/wireless_user_identification_in_panos/

There did not appear to be direct integration between PAN-OS and the IDM solution.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/map-ip-addresses-to-users/send-user-mappings-to-user-id-using-the-xml-api

The firewall wonˋ t pull, so A https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/map-ip-addresses-to-users/send-user-mappings-to-user-id-using-the-xml-api

A Src: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/user-id-concepts/user-mapping/syslog

Aanswer is D The User-ID XML API on PAN-OS firewalls can be used to pull authentication events directly from the IDM solution. This will allow Information Security to extract and learn IP-to-user mapping information for VPN and wireless users. The other options are not as effective. Option A would allow Information Security to monitor more domain controllers, but it would not solve the problem of missing authentication events. Option C would not solve the problem because the authentication events are not being captured on the domain controllers. Option D would only work if the VPN concentrators and wireless controllers are configured to send syslog messages to the Windows User-ID agents.

I think I'll go with Answer A. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users. "To obtain user mappings from existing network services that authenticate users—such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms—Configure User-ID to Monitor Syslog Senders for User Mapping. While you can configure either the Windows agent or the PAN-OS integrated User-ID agent on the firewall to listen for authentication syslog messages from the network services, because only the PAN-OS integrated agent supports syslog listening over TLS, it is the preferred configuration."

I believe it's A. Here's why: Valid - See link below - A. Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS. Not valid - API doesnt "pull". Period. - B. Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution. Not valid - Devices use Radius, not domain controllers. Wouldnt make a difference. - C. Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users. Almost valid - The windows user-id agent accepts syslog, just like the integrated agent. It doesnt "monitor" the devices... it listens for syslog. See link below - D. Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping#iddb1a7744-17c6-4900-a2cb-5f3511fef60f

The link provided by mercysayno765 says to use the integrated PAN-OS User-ID agent to listen for Syslog senders. "To obtain user mappings from existing network services that authenticate users—such as wireless controllers" use Syslog. Further research into setting up Syslog for User-ID agent, it uses a TLS certificate. Which perfectly matches answer A. Answer B says it "pulls" the User-ID agent information. This isn't even how the API works.

The answer is B

The option B would be otherwise ok but I'am not sure about the word "pull" on PAN-OS firewalls. As the firewall itself does not pull the data. You need something to run the script and send that data via XML API to PAN-OS firewall on correct format.

B. Links that mercysayno765 provide below apply.