Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's management plane is only slightly utilized. Which User-ID agent is sufficient in your network?
A. Windows-based agent deployed on each domain controller
B. PAN-OS integrated agent deployed on the firewall
C. Citrix terminal server agent deployed on the network
D. Windows-based agent deployed on the internal network a domain member
The PAN-OS Integrated Agent is more efficient in terms of network resources since it filters logs, whereas the Windows-Based Agent sends all security logs to the firewall.
B
Which User-ID agent should I use?
Use agentless (PAN-OS):
• If you have a small to medium deployment with 10 or fewer domain controllers or Exchange servers
• If you wish to share PAN-OS sourced mappings from AD, Captive Portal or GlobalProtect with other PA devices (max 255 devices)
Use User-ID Agent (Windows):
• If you have a medium to large deployment with more than 10 domain controllers
• If you have a multi-domain setup with a large number of servers to monitor
When they're talking about "sufficient bandwidth" and "sufficient resources" on the firewall, they are always hinting at the PAN-OS integrated agent.
When they're talking about "limited network bandwidth" and/or the "management plane is heavily used", then they want you to use the Server agent.
PAN-OS Integrated User-ID Agent is used mostly for remote sites and it can't handle multiforest domains.
Windows-based User-ID Agent at the local site. In this case it's all on the same network so I think it should be "A"
Although the Windows-based agent and the PAN-OS integrated agent perform the same basic tasks, they use different underlying communication protocols. This difference makes each agent more appropriate for different environments.
The Windows-based agent uses MS-RPC, which requires the full Windows Security logs to be sent to the agent, where they are filtered for the relevant User-ID information.
The PAN-OS integrated agent uses either the Windows Management Instrumentation, or WMI, or the Windows Remote Management Protocol, or WinRM, which enables the agent to retrieve only the User-ID information from the Windows Security logs.
The result is that, in an infrastructure with remote networks separated with WAN links, the integrated agent is more appropriate for reading remote logs and the Windows-based agent is more appropriate for reading local logs. However, use of the integrated agent is not without cost: it consumes more of the firewall's management plane resources. For this reason, deployment of the Windows agent at remote sites and having them forward the relevant User-ID information to the firewall on a central network often is beneficial.
The integrated agent can only handle 1 AD domain, but can monitor up to 100 domain controllers. This question doesn't say more than one AD is active. Therefore, I believe B is correct.
, if network bandwidth is an issue, you might want to use the PAN-OS integrated agent because it communicates directly with the servers, whereas the Windows agent communicates with the servers and then communicates the User-ID information to the firewall so that it can update the firewall database.
For more information about the different agents and how they are used, see the following information:
• “Block Threats by Identifying Users” module in the EDU-110 and EDU-210 training, Firewall Essentials: Configuration and Management
I think B is the correct answer