Refer to the exhibit. A security analyst reviews a traffic log entry in JSON format. Which firewall feature is responsible for including the 'user' field in the log?
Correct: User-ID maps IP addresses to usernames and includes the user in traffic logs.
Why this answer
The 'user' field in a traffic log is populated by User-ID, which maps IP addresses to usernames by monitoring authentication events from Active Directory, LDAP, or terminal services agents. This allows the firewall to log and enforce policies based on user identity rather than just IP addresses.
Exam trap
The trap here is that candidates confuse Captive Portal (which authenticates users for web access) with User-ID (which passively maps IPs to usernames for logging and policy enforcement), leading them to choose Captive Portal instead of User-ID.
How to eliminate wrong answers
Option A is wrong because Data Filtering is a security profile that controls the transfer of sensitive data patterns (e.g., credit card numbers) in application traffic, not user identity mapping.
Option B is wrong because Captive Portal is an authentication mechanism that intercepts HTTP traffic to enforce user login before granting network access, but it does not passively map IP-to-user for all traffic logs; User-ID handles that mapping.
Option C is wrong because GlobalProtect is a remote access VPN solution that can provide user identity via its gateway, but the 'user' field in a traffic log is populated by the User-ID agent, not solely by GlobalProtect.