100% is B.
Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html
Yah, but what does the GP infrastructure authenticate that information with? Surely not user and group information (never mind user-to-IP address mappings) from AD, LDAP and the integrated PAN User-ID Agent!?!?!?!
B - This is the best solution in sensitive environments where you must be certain of who a user is in order to allow access to an application or service.
Thanks Marcyy, you're awesome! So far you're right every time, I trust ya <3
B is correct. Highly sensitive environment, always-on authentication, accurate/up-to-date user-to-IP mappings. And all the other options are not mapping methods.
Answer should be "C", because if AD which is extensively used in modern networks to administrate them does not know who users are then they either do not have access to network resources by default or they simply won't be able to login. The firewall groups info it authenticates to global protect users STILL MAKE USE OF AD. Never forget that!!!
The answer is B. GlobalProtect.
GlobalProtect is a VPN solution that provides secure remote access to corporate networks. When a user connects to GlobalProtect, their identity is verified against an LDAP server. This ensures that all IP address-to-user mappings are explicitly known.
The other options are not as secure as GlobalProtect.
Option A, LDAP Server Profile configuration, allows for the configuration of multiple LDAP servers. This can make it difficult to track all IP address-to-user mappings.
Option C, Windows-based User-ID agent, relies on the Windows operating system to provide user identity. This can be less secure than using an LDAP server, as the Windows operating system is more susceptible to attack.
Option D, PAN-OS integrated User-ID agent, uses a local database to store user mappings. This database can be easily compromised, making it less secure than using an LDAP server.
B
Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known. This is the best solution in sensitive environments where you must be certain of who a user is in order to allow access to an application or service.
B, C and D are suitable for different reasons, let's see:
GlobalProtect with always-on is the most secure option; all traffic will be encrypted to its gateway. Not everybody will have it installed, so it's required to use it in combination with another tool to force the installation, such as Forescout... or a captive portal or whatever.
Windows-based User-ID agent: installing the agent on a dedicated AD relay server is the most used option, and it allows connecting to multiple servers.
PAN-OS integrated is the last possible of these three, because it only permits connecting to 1 server; if the environment has many ADs or it has a connection problem, then you are in trouble. Definitely this is not the preferable one.
So finally the best choice is GlobalProtect in combination with the Win User-ID app agent and a good NAC, if that security environment deserves it.
... Now go and blab about it.
The key is "a high-security environment". In this case you should use a zero trust approach with "authentication first", so you need to use GlobalProtect.
Option B
Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known. This is the best solution in sensitive environments where you must be certain of who a user is in order to allow access to an application or service.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVPCA0
"On sensitive and high security networks, WMI probing increases the overall attack surface, and administrators are recommended to disable WMI probing and instead rely upon User-ID mappings obtained from more isolated and trusted sources, such as domain controllers. If you are using the User-ID Agent to parse AD security event logs, syslog messages, or the XML API to obtain User-ID mappings, then WMI probing should be disabled. Captive portal can be used as a fallback mechanism to re-authenticate users where security event log data may be stale."
D does exist, though not saying it is correct
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-pan-os-integrated-user-id-agent
Marcyy (Highly Voted, 2 years, 7 months ago)
DatITGuyTho1337 (6 months, 4 weeks ago)
GivemeMoney (2 years, 6 months ago)
327c7c8 (Most Recent, 3 months, 3 weeks ago)
JRKhan (6 months, 1 week ago)
DatITGuyTho1337 (6 months, 4 weeks ago)
Waheedeladawy (11 months, 3 weeks ago)
daytonadave2011 (1 year, 4 months ago)
Mauz88 (1 year, 5 months ago)
juan_L (1 year, 11 months ago)
UFanat (2 years, 1 month ago)
AbuHussain (2 years, 4 months ago)
RamanJoshi (2 years, 6 months ago)
alanouaro (2 years, 6 months ago)
drrealest (2 years, 7 months ago)
Plato22 (2 years, 7 months ago)
RJ45TP (2 years, 7 months ago)