To control access based on user identity and time, a Security policy rule must leverage the User-ID and Schedule components. The User-ID feature allows the firewall to identify specific users or groups, such as "third-party contractors," by integrating with directory services. This addresses the "who" part of the requirement. The Schedule object allows the administrator to define specific time windows, such as "outside business hours," during which the policy rule will be active. This addresses the "when" part of the requirement. Combining these two components in a single rule enforces the specified access control.

A. App-ID: This component identifies the application (the "what") being accessed, not the user initiating the connection or the time of the connection.

B. Service: This component defines the transport protocol and port number (the "how") for the traffic, not the user or the time of access.

1. Palo Alto Networks

PAN-OS® Administrator’s Guide 10.2

"Security Policy Rule Components": This section details the building blocks of a Security policy rule. It explicitly lists "Source User" and "Schedule" as distinct components for controlling access.

Source User: "The user or group that is the source of the traffic. The firewall must be configured to map IP addresses to usernames for this setting to be effective." This directly corresponds to using User-ID to identify the contractors.

Schedule: "The schedule that specifies the days and times the rule is enforced. Select a predefined schedule or select None (the default) to have the rule enforced at all times." This directly corresponds to the Schedule component for time-based control.

2. Palo Alto Networks

PAN-OS® Administrator’s Guide 10.2

"Objects > Schedules": This section describes the creation and application of Schedule objects. It states

"You can apply schedules to security policy rules to control when the rules are active." This confirms the function of the Schedule component for time-based enforcement.

3. Palo Alto Networks

PAN-OS® Administrator’s Guide 10.2

"User-ID": The overview of the User-ID feature explains its purpose: "The User-ID feature of Palo Alto Networks firewalls allows you to configure and enforce firewall policies based on users and groups of users rather than on IP addresses." This confirms User-ID is the correct component for identifying the "third-party contractors" group.