PCNSE Question #462: Real Exam Question with Answer & Explanation
The correct answer is D: Windows-based User-ID agent on a standalone server.
Question
Your company has to Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory. Each link has substantial network bandwidth to support all mission-critical applications. The firewall's management plane is highly utilized. Given this scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?
Options
- A. PAN-OS integrated agent
- B. Captive Portal
- C. Citrix terminal server agent with adequate data-plane resources
- D. Windows-based User-ID agent on a standalone server
Explanation
Palo Alto Networks best practice recommends using a Windows-based User-ID agent installed on a dedicated standalone server when the firewall's management plane is highly utilized. The PAN-OS integrated User-ID agent runs directly on the firewall's management plane; in a scenario with multiple domain controllers across WAN links and a heavily loaded management plane, using the integrated agent would compound the resource strain and degrade firewall performance. Offloading User-ID processing to a dedicated Windows server removes this burden. Option A (PAN-OS integrated agent) is explicitly discouraged when the management plane is under high load. Option B (Captive Portal) is an authentication method, not a User-ID agent type. Option C (Citrix TS Agent) is specific to terminal server environments and does not apply here.