Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?
A . PAN-OS integrated User-ID agent
B . LDAP Server Profile configuration
C . GlobalProtect
D . Windows-based User-ID agent

View Answer

Answer: C

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html

Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known.

Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known. This is the best solution in sensitive environments where you must be certain of who a user is in order to allow access to an application or service. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html

"On sensitive and high security networks, WMI probing increases the overall attack surface, and administrators are recommended to disable WMI probing and instead rely

upon User-ID mappings obtained from more isolated and trusted sources, such as domain

controllers. If you are using the User-ID Agent to parse AD security event logs, syslog

messages, or the XML API to obtain User-ID mappings, then WMI probing should be

disabled. Captive portal can be used as a fallback mechanism to re-authenticate users

where security event log data may be stale."

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVPCA0