Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 460

A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows Active Directory for authentication.

What is the most operationally efficient way to redistribute the most accurate IP addresses to username mappings?

Answer options

• A. Deploy a PAN-OS integrated User-ID agent on each vsys
• B. Deploy the GlobalProtect vsys as a User-ID data hub
• C. Deploy a M-200 as a User-ID collector
• D. Deploy Windows User-ID agents on each domain controller

Correct answer: B

Explanation

The correct answer, B, is efficient because it allows the GlobalProtect vsys to act as a central hub for User-ID data, streamlining the process of IP to username mapping across multiple vsys. Option A is less efficient as it requires deploying agents on each vsys separately, while option C involves additional hardware that may not be necessary. Option D also increases complexity by requiring multiple agents on domain controllers without the centralization benefits of option B.