PCNSA Question #14: Real Exam Question with Answer & Explanation
The correct answer is A: Windows-based agent deployed on the internal network.
Question
Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?
Options
- A. Windows-based agent deployed on the internal network
- B. PAN-OS integrated agent deployed on the internal network
- C. Citrix terminal server deployed on the internal network
- D. Windows-based agent deployed on each of the WAN Links
Explanation
A Windows-based User-ID agent runs as a separate process on a dedicated Windows server, offloading User-ID data collection and processing away from the firewall's management plane - making it the right fit when firewall resources are constrained. Because it's deployed centrally on the internal network (not per-WAN link), it collects user mappings in one place and forwards them efficiently, avoiding redundant traffic across bandwidth-limited WAN links.
Why the distractors fail:
- B (PAN-OS integrated agent): Runs directly on the firewall itself, consuming the very management plane resources the question says are limited - the opposite of what's needed.
- C (Citrix terminal server agent): A specialized agent for environments where many users share a single IP (VDI/terminal server); it doesn't address WAN or resource constraints.
- D (Windows-based agent on each WAN link): Deploying per-WAN link multiplies complexity and bandwidth overhead - exactly what you're trying to avoid with limited bandwidth.
Memory tip: When you see "limited firewall resources" on an exam, think offload - the Windows-based agent is the only option that moves the work off the firewall. "Internal network" (centralized) vs. "each WAN link" (distributed) is the bandwidth trap: centralized = one agent, one data stream.