
Palo Alto Networks NGFW-Engineer Exam - Topic 3 Question 9 Discussion

A multinational organization wants to use the Cloud Identity Engine (CIE) to aggregate identity data from multiple sources (on-premises AD, Azure AD, Okta) while enforcing strict data isolation for different regional business units. Each region's firewalls, managed via Panorama, must only receive the user and group information relevant to that region. The organization aims to minimize administrative overhead while meeting data sovereignty requirements.

Which approach achieves this segmentation of identity data?

A) Create one CIE tenant, aggregate all identity data into a single view, and redistribute the full dataset to all firewalls. Rely on per-firewall Security policies to restrict access to out-of-scope user and group information.
B) Establish separate CIE tenants for each business unit, integrating each tenant with the relevant identity sources. Redistribute user and group data from each tenant only to the region's firewalls, maintaining a strict one-to-one mapping of tenant to business unit.
C) Disable redistribution of identity data entirely. Instead, configure each regional firewall to pull user and group details directly from its local identity providers (IdPs).
D) Deploy a single CIE tenant that collects all identity data, then configure segments within the tenant to filter and redistribute only the relevant user/group sets to each regional firewall group.

Actual exam question for the Palo Alto Networks NGFW-Engineer exam
Question #: 9
Topic #: 3

Suggested Answer: B

To meet the requirement of data isolation for different regional business units while minimizing administrative overhead, the best approach is to establish separate Cloud Identity Engine (CIE) tenants for each business unit. Each tenant would be integrated with the relevant identity sources (such as on-premises AD, Azure AD, and Okta) for that specific region. This ensures that the identity data for each region is kept isolated and only relevant user and group data is distributed to the respective regional firewalls.

By maintaining a strict one-to-one mapping between CIE tenants and business units, the organization ensures that each region's firewall only receives the user and group data relevant to that region, thus meeting data sovereignty requirements and minimizing administrative complexity.


Contribute your Thoughts:

Mabel (6 months ago): B definitely aligns with data sovereignty needs.

Terina (6 months ago): C is too limiting; pulling directly from IdPs might complicate things.

Rosalyn (6 months ago): Surprised that A is even an option, that sounds risky!

Jovita (7 months ago): I disagree, D could work too if segments are set up right.

Bettina (7 months ago): Option B seems like the best choice for strict data isolation.

Veronika (7 months ago): I have a vague recollection that option C might not be the best since it disables redistribution entirely, but I can't remember the exact implications.

Tiara (7 months ago): I practiced a similar question, and I feel like option A could lead to issues with data sovereignty, which we definitely want to avoid.

Huey (7 months ago): I'm not entirely sure, but I think option D could work too since it mentions segments within the tenant. That might help with filtering data.

Pearly (8 months ago): I remember studying about the importance of data isolation, so option B seems like it would be the safest choice for regional compliance.

Carman (8 months ago): I'm not sure I fully understand the difference between the CIE tenant options. I'll need to do some research on how the CIE and Panorama integration works before deciding.

Veda (8 months ago): I'm feeling pretty confident about this one. Option B with the separate tenants for each business unit seems like the cleanest way to meet the data sovereignty requirements.

Hector (8 months ago): Option D seems like the most straightforward way to achieve the segmentation while keeping things centralized. I'll focus on understanding how the tenant segmentation works.

Merilyn (8 months ago): Hmm, I'm a bit confused by the different options. I'll need to re-read the question and think through the pros and cons of each approach.

Anabel (9 months ago): This looks like a tricky one. I'll need to carefully consider the requirements around data isolation and minimizing administrative overhead.

Rex (11 months ago): Wait, so they want to minimize admin overhead and maintain data isolation? Good luck with that! This sounds like a classic case of 'pick two out of three.'

Marvel (11 months ago): Haha, Option A reminds me of that old saying, 'Putting all your eggs in one basket.' Definitely not the way to go here with data sovereignty on the line.

    Lavonda (9 months ago): Agreed, we can't take any chances with data sovereignty. Option B is the way to go.

    Son (9 months ago): Option B sounds like a better choice, keeping each business unit's data separate.

    Paris (9 months ago): I agree, having all the data in one place could lead to potential security issues.

    Rashad (9 months ago): Option B sounds like the best approach. Separate tenants for each business unit makes sense.

    Jettie (9 months ago): Yeah, Option A seems risky. We need to keep the data isolated for each region.

    Laurena (10 months ago): Option A does seem risky, especially when it comes to data isolation.

Grover (11 months ago): I agree with Tammara, option D allows for filtering and redistributing only relevant data to each regional firewall.

Audry (11 months ago): Option C seems a bit too simplistic. Disabling redistribution entirely and making each firewall pull from its own IdPs feels like it could get messy to manage in the long run.

Theodora (11 months ago): I'm leaning towards Option D. Having a single tenant manage the data filtering and redistribution could help minimize the administrative overhead while still meeting the security requirements.

Maybelle (11 months ago): Option B definitely seems like the most secure approach here. Keeping the data segmented and only redistributing what's relevant to each region's firewalls is key for data sovereignty.

    Lorriane (11 months ago): Agreed, it's important to maintain that strict one-to-one mapping for security and data sovereignty.

    Jesusita (11 months ago): Option B is definitely the way to go. It ensures that each region only gets the data it needs.

Cathern (11 months ago): But with option B, we can maintain a strict one-to-one mapping of tenant to business unit.

Tammara (11 months ago): I disagree, I believe option D is more efficient.

Cathern (11 months ago): I think option B is the best approach.