Palo Alto Networks Exam NGFW-Engineer Topic 2 Question 4 Discussion

Actual exam question for Palo Alto Networks's NGFW-Engineer exam

Question #: 4
Topic #: 2

A multinational organization wants to use the Cloud Identity Engine (CIE) to aggregate identity data from multiple sources (on premises AD, Azure AD, Okta) while enforcing strict data isolation for different regional business units. Each region's firewalls, managed via Panorama, must only receive the user and group information relevant to that region. The organization aims to minimize administrative overhead while meeting data sovereignty requirements.

Which approach achieves this segmentation of identity data?

ACreate one CIE tenant, aggregate all identity data into a single view, and redistribute the full dataset to all firewalls. Rely on per-firewall Security policies to restrict access to out-of-scope user and group information.

BEstablish separate CIE tenants for each business unit, integrating each tenant with the relevant identity sources. Redistribute user and group data from each tenant only to the region's firewalls, maintaining a strict one-to-one mapping of tenant to business unit.

CDisable redistribution of identity data entirely. Instead, configure each regional firewall to pull user and group details directly from its local identity providers (IdPs).

DDeploy a single CIE tenant that collects all identity data, then configure segments within the tenant to filter and redistribute only the relevant user/group sets to each regional firewall group.

Show Suggested Answer

Suggested Answer: B

To meet the requirement of data isolation for different regional business units while minimizing administrative overhead, the best approach is to establish separate Cloud Identity Engine (CIE) tenants for each business unit. Each tenant would be integrated with the relevant identity sources (such as on-premises AD, Azure AD, and Okta) for that specific region. This ensures that the identity data for each region is kept isolated and only relevant user and group data is distributed to the respective regional firewalls.

By maintaining a strict one-to-one mapping between CIE tenants and business units, the organization ensures that each region's firewall only receives the user and group data relevant to that region, thus meeting data sovereignty requirements and minimizing administrative complexity.

by Wava at Apr 09, 2025, 10:59 AM

Limited Time Offer

25%

Off

Get Premium NGFW-Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Carlota

22 days ago

Option B is the way to go, no doubt. Separate tenants FTW! Less complexity, more control - perfect for meeting those data sovereignty requirements.

upvoted 0 times

...

Alex

23 days ago

Haha, Option A is like trying to fit a square peg in a round hole. Relying on firewall policies to restrict access? That's just asking for trouble!

upvoted 0 times

...

2 months ago

I'd go with Option D. Segmenting the single tenant makes more sense than creating multiple tenants, and it still allows you to control the data flow effectively.

upvoted 0 times

Eleonore

22 days ago

I agree, having one tenant with segmented data seems like the most efficient way to manage identity data.

upvoted 0 times

...

Tammara

27 days ago

Option D sounds like the best choice. It allows for segmentation within the single tenant.

upvoted 0 times

...

2 months ago

I think option B is the best approach. It ensures strict data isolation for each regional business unit.

upvoted 0 times

...