Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)
A . A Deny policy for the tagged traffic
B . An Allow policy for the initial traffic
C . A Decryption policy to decrypt the traffic and see the tag
D . A Deny policy with the "tag" App-ID to block the tagged traffic
Answer: B, D
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups
Use the dynamic user group in a policy to regulate traffic for the members of the group. You will need to configure at least two rules: one to allow initial traffic to populate the dynamic user group and one to deny traffic for the activity you want to prevent (in this case, questionable-activity). To tag users, the rule to allow traffic must have a higher rule number in your rulebase than the rule that denies traffic.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-dynamic-user-groups-in-policy
Latest PCNSE Dumps Valid Version with 280 Q&As
Latest And Valid Q&A | Instant Download | Once Fail, Full Refund