Palo Alto Networks Certified Network Security Administrator (PCNSA) — Question 399

Your company has 10 Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory. Each link has substantial network bandwidth to support all mission-critical applications. The firewall's management plane is highly utilized.
Given the scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?

Answer options

• A. Windows-based agent on a domain controller
• B. Captive Portal
• C. Citrix terminal server agent with adequate data-plane resources
• D. PAN-OS integrated agent

Correct answer: A

Explanation

The Windows-based agent on a domain controller is the best practice as it directly integrates with Active Directory, efficiently managing user identification. Other options, such as Captive Portal and Citrix terminal server agent, do not provide the same level of integration and efficiency in this specific environment, while the PAN-OS integrated agent may not handle the same load as a dedicated agent.