Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 277
Your company has 10 Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory. Each link has substantial network bandwidth to support all mission-critical applications. The firewall's management plane is highly utilized. Given this scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?
Answer options
- A. PAN-OS integrated agent
- B. Citrix terminal server agent with adequate data-plane resources
- C. Captive Portal
- D. Windows-based User-ID agent on a standalone server
Correct answer: D
Explanation
The Windows-based User-ID agent on a standalone server is recommended because it operates independently of the firewall's management plane, thereby reducing the load on that plane. The other options either integrate too closely with the firewall's management plane, which could exacerbate the performance issues, or do not provide the necessary capabilities for effective user identification in this scenario.