To control access based on user identity and time, a Palo Alto Networks Security policy rule requires two specific components. The User-ID feature is used to identify the user or group initiating the traffic, allowing the policy to be applied specifically to "third-party contractors." The Schedule object is used to define a specific time window, such as "outside business hours," during which the policy rule will be active. Combining these two components in a single rule enforces both conditions, granting the specified users access only during the allowed time frame.

C. Service: The Service object defines the transport protocol and port number (e.g., TCP/443 for HTTPS). It does not control user identity or the time of access.

D. App-ID: App-ID identifies the specific application traversing the network (e.g., SharePoint, SAP). While essential for the policy, it does not control who can access it or when.

1. Palo Alto Networks, PAN-OS® Administrator’s Guide 10.2 (2021).

Section: Policies > Security > Security Policy Rule Components.

Page/Content: In the description of the "Source" tab, it states: "Source User—The user or group of users to whom the rule applies. The firewall must be configured to map IP addresses to usernames for this setting to be effective." This confirms the use of User-ID for user-based control.

Page/Content: In the description of the "Actions" tab, it states: "Schedule—Attach a schedule to the security policy rule to limit when the rule is enforced." This confirms the use of Schedule objects for time-based control.

2. Palo Alto Networks, Firewall 10.2 Essentials: Configuration and Management (EDU-210) Student Guide (2021).

Module 7: User-ID. This module details how to "configure a Security policy that is based on users and user groups instead of on IP addresses." This directly supports using User-ID to identify the "third-party contractors."

Module 4: Security and NAT Policies. This module illustrates the Security policy creation interface, which includes a dedicated field for "Schedule" to apply time-based enforcement to the rule.