Palo Alto Networks Exam NGFW-Engineer Topic 2 Question 4 Discussion

Actual exam question for Palo Alto Networks's NGFW-Engineer exam

Question #: 4
Topic #: 2

A multinational organization wants to use the Cloud Identity Engine (CIE) to aggregate identity data from multiple sources (on premises AD, Azure AD, Okta) while enforcing strict data isolation for different regional business units. Each region's firewalls, managed via Panorama, must only receive the user and group information relevant to that region. The organization aims to minimize administrative overhead while meeting data sovereignty requirements.

Which approach achieves this segmentation of identity data?

ACreate one CIE tenant, aggregate all identity data into a single view, and redistribute the full dataset to all firewalls. Rely on per-firewall Security policies to restrict access to out-of-scope user and group information.

BEstablish separate CIE tenants for each business unit, integrating each tenant with the relevant identity sources. Redistribute user and group data from each tenant only to the region's firewalls, maintaining a strict one-to-one mapping of tenant to business unit.

CDisable redistribution of identity data entirely. Instead, configure each regional firewall to pull user and group details directly from its local identity providers (IdPs).

DDeploy a single CIE tenant that collects all identity data, then configure segments within the tenant to filter and redistribute only the relevant user/group sets to each regional firewall group.

Show Suggested Answer

Suggested Answer: B

To meet the requirement of data isolation for different regional business units while minimizing administrative overhead, the best approach is to establish separate Cloud Identity Engine (CIE) tenants for each business unit. Each tenant would be integrated with the relevant identity sources (such as on-premises AD, Azure AD, and Okta) for that specific region. This ensures that the identity data for each region is kept isolated and only relevant user and group data is distributed to the respective regional firewalls.

By maintaining a strict one-to-one mapping between CIE tenants and business units, the organization ensures that each region's firewall only receives the user and group data relevant to that region, thus meeting data sovereignty requirements and minimizing administrative complexity.

by Wava at Apr 09, 2025, 10:59 AM

Limited Time Offer

25%

Off

Get Premium NGFW-Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Pamella

2 days ago

That's a good point, Valentine. Option D does seem like a good balance between centralization and data isolation.

upvoted 0 times

...

Valentine

6 days ago

I disagree, I believe option D is more efficient. It allows for centralized management while still filtering and redistributing only relevant data.

upvoted 0 times

...

Shonda

12 days ago

I'd go with Option D. Segmenting the single tenant makes more sense than creating multiple tenants, and it still allows you to control the data flow effectively.

upvoted 0 times

...

Vanesa

18 days ago

Option B seems the most straightforward way to achieve the data isolation requirements. Separate tenants for each business unit is a clean and manageable approach.

upvoted 0 times

Devora

2 days ago

I agree, having separate tenants for each business unit makes it easier to manage.

upvoted 0 times

...

Beata

3 days ago

Option B seems the most straightforward way to achieve the data isolation requirements.

upvoted 0 times

...

Pamella

19 days ago

I think option B is the best approach. It ensures strict data isolation for each regional business unit.

upvoted 0 times

...