Palo Alto Networks NGFW-Engineer Exam - Topic 3 Question 9 Discussion

Actual exam question for Palo Alto Networks's NGFW-Engineer exam
Question #: 9
Topic #: 3

A multinational organization wants to use the Cloud Identity Engine (CIE) to aggregate identity data from multiple sources (on-premises AD, Azure AD, Okta) while enforcing strict data isolation for different regional business units. Each region's firewalls, managed via Panorama, must only receive the user and group information relevant to that region. The organization aims to minimize administrative overhead while meeting data sovereignty requirements.

Which approach achieves this segmentation of identity data?

Suggested Answer: B

To meet the requirement of data isolation for different regional business units while minimizing administrative overhead, the best approach is to establish separate Cloud Identity Engine (CIE) tenants for each business unit. Each tenant would be integrated with the relevant identity sources (such as on-premises AD, Azure AD, and Okta) for that specific region. This ensures that the identity data for each region is kept isolated and only relevant user and group data is distributed to the respective regional firewalls.

By maintaining a strict one-to-one mapping between CIE tenants and business units, the organization ensures that each region's firewall only receives the user and group data relevant to that region, thus meeting data sovereignty requirements and minimizing administrative complexity.


Mabel
2 months ago
B definitely aligns with data sovereignty needs.
upvoted 0 times
...
Terina
2 months ago
C is too limiting; pulling directly from IdPs might complicate things.
upvoted 0 times
...
Rosalyn
2 months ago
Surprised that A is even an option, that sounds risky!
upvoted 0 times
...
Jovita
3 months ago
I disagree, D could work too if segments are set up right.
upvoted 0 times
...
Bettina
3 months ago
Option B seems like the best choice for strict data isolation.
upvoted 0 times
...
Veronika
3 months ago
I have a vague recollection that option C might not be the best since it disables redistribution entirely, but I can't remember the exact implications.
upvoted 0 times
...
Tiara
3 months ago
I practiced a similar question, and I feel like option A could lead to issues with data sovereignty, which we definitely want to avoid.
upvoted 0 times
...
Huey
4 months ago
I'm not entirely sure, but I think option D could work too since it mentions segments within the tenant. That might help with filtering data.
upvoted 0 times
...
Pearly
4 months ago
I remember studying about the importance of data isolation, so option B seems like it would be the safest choice for regional compliance.
upvoted 0 times
...
Carman
4 months ago
I'm not sure I fully understand the difference between the CIE tenant options. I'll need to do some research on how the CIE and Panorama integration works before deciding.
upvoted 0 times
...
Veda
4 months ago
I'm feeling pretty confident about this one. Option B with the separate tenants for each business unit seems like the cleanest way to meet the data sovereignty requirements.
upvoted 0 times
...
Hector
4 months ago
Option D seems like the most straightforward way to achieve the segmentation while keeping things centralized. I'll focus on understanding how the tenant segmentation works.
upvoted 0 times
...
Merilyn
5 months ago
Hmm, I'm a bit confused by the different options. I'll need to re-read the question and think through the pros and cons of each approach.
upvoted 0 times
...
Anabel
5 months ago
This looks like a tricky one. I'll need to carefully consider the requirements around data isolation and minimizing administrative overhead.
upvoted 0 times
...
Rex
7 months ago
Wait, so they want to minimize admin overhead and maintain data isolation? Good luck with that! This sounds like a classic case of 'pick two out of three.'
upvoted 0 times
...
Marvel
7 months ago
Haha, Option A reminds me of that old saying, 'Putting all your eggs in one basket.' Definitely not the way to go here with data sovereignty on the line.
upvoted 0 times
Lavonda
5 months ago
Agreed, we can't take any chances with data sovereignty. Option B is the way to go.
upvoted 0 times
...
Son
5 months ago
Option B sounds like a better choice, keeping each business unit's data separate.
upvoted 0 times
...
Paris
5 months ago
I agree, having all the data in one place could lead to potential security issues.
upvoted 0 times
...
Rashad
5 months ago
Option B sounds like the best approach. Separate tenants for each business unit makes sense.
upvoted 0 times
...
Jettie
5 months ago
Yeah, Option A seems risky. We need to keep the data isolated for each region.
upvoted 0 times
...
Laurena
6 months ago
Option A does seem risky, especially when it comes to data isolation.
upvoted 0 times
...
...
Grover
7 months ago
I agree with Tammara, option D allows for filtering and redistributing only relevant data to each regional firewall.
upvoted 0 times
...
Audry
7 months ago
Option C seems a bit too simplistic. Disabling redistribution entirely and making each firewall pull from its own IdPs feels like it could get messy to manage in the long run.
upvoted 0 times
...
Theodora
7 months ago
I'm leaning towards Option D. Having a single tenant manage the data filtering and redistribution could help minimize the administrative overhead while still meeting the security requirements.
upvoted 0 times
...
Maybelle
7 months ago
Option B definitely seems like the most secure approach here. Keeping the data segmented and only redistributing what's relevant to each region's firewalls is key for data sovereignty.
upvoted 0 times
Lorriane
7 months ago
Agreed, it's important to maintain that strict one-to-one mapping for security and data sovereignty.
upvoted 0 times
...
Jesusita
7 months ago
Option B is definitely the way to go. It ensures that each region only gets the data it needs.
upvoted 0 times
...
...
Cathern
7 months ago
But with option B, we can maintain a strict one-to-one mapping of tenant to business unit.
upvoted 0 times
...
Tammara
7 months ago
I disagree, I believe option D is more efficient.
upvoted 0 times
...
Cathern
7 months ago
I think option B is the best approach.
upvoted 0 times
...