Which User-ID agent would be appropriate in a network with multiple WAN links, limited network bandwidth, and limited firewall management plane resources?
A. Windows-based agent deployed on the internal network
B. PAN-OS integrated agent deployed on the internal network
C. Citrix terminal server deployed on the internal network
D. Windows-based agent deployed on each of the WAN links
From PCNSA Study Guide, page 162:
Another reason to choose the Windows agent over the integrated PAN-OS agent is to save processing cycles on the firewall’s management plane.
However, if network bandwidth is an issue, you might want to use the PAN-OS integrated agent.
But I think multiple WAN links will solve the network bandwidth issue, so the main issue is the management plane resources, so for me the answer is A.
Because FW resources are critical, we have to use the Windows-based agent, and because bandwidth is an issue the agent must be placed in the internal network. So answer A.
I opted for 'A', and seeing the discussion between A or D I still go for 'A' for the following reasons.
The question does not mention that it is a remote site, just a network that has 2 slow WAN links and few resources on the management plane. So, as the question only says "a network", 'D' (deploying agents on the WAN sites) does not fit because the WAN links are slow, and there is also no mention of whether the remote site or the main site is across the WAN links, so I think D would not fit the question.
But answer A, Windows-based agent deployed on the internal network, would fit better, because the key phrase here is "internal network", which may refer to the main site where the servers could be located. The best practice for the user-based agent is to locate the agent near the servers to be monitored, so A makes much more sense as an answer.
This question is actually quoted from the EDU-210 book. Here I quote the statement from User-ID (Module 10): "In an infrastructure with remote networks separated by WAN links, the integrated agent is more appropriate for reading remote logs and the Windows-based agent is more appropriate for reading local logs. However, use of the integrated agent is not without cost: It consumes more of the firewall's management plane resources. For this reason, deployment of the Windows agent at the remote sites and having them forward the relevant User-ID information to a firewall on a central network often is beneficial."
From PAN-OS Admin guide: "As a best practice, locate your User-ID agents near the servers it will monitor (that is, the monitored servers and the Windows User-ID agent should not be across a WAN link from each other). This is because most of the traffic for user mapping occurs between the agent and the monitored server, with only a small amount of traffic—the delta of user mappings since the last update—from the agent to the firewall." This suggests D is the correct answer.
No way "A". They are basically giving the prescription for the cure in answer D. Don't use PAN-OS because of limited cycles, and putting the Windows agent on each link solves bandwidth across the WAN. Answer: D
The way you configure the User-ID agent depends on the size of your environment and the location of your domain servers. As a best practice, locate your User-ID agents near the servers it will monitor (that is, the monitored servers and the Windows User-ID agent should not be across a WAN link from each other). This is because most of the traffic for user mapping occurs between the agent and the monitored server, with only a small amount of traffic—the delta of user mappings since the last update—from the agent to the firewall.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent.html
D and D only.
Bandwidth for A (reading ALL logs) is 10 times the bandwidth for B (WMI to read selected logs), and that is 10 times the bandwidth for D (transfer of User/IP address pairs).
D is the correct answer because:
1- LDAP authentication doesn't replicate across ADs.
2- Having the remote sites forward the relevant User-ID information will keep the mgmt plane load on the FW low.
Answer is B: If bandwidth is an issue, you may want to use the PAN-OS integrated agent because it communicates directly with the servers, whereas the Windows agent communicates with the servers and then communicates the User-ID information to the firewall so that it can update the firewall database.
The Windows-based agent is more appropriate for reading local logs.
I vote for option D:
deployment of the Windows agent at remote sites and having them forward the relevant User-ID information to a firewall
Community vote distribution: A (35%), C (25%), B (20%), Other