Palo Alto Networks Exam NGFW-Engineer Topic 2 Question 4 Discussion

Actual exam question for Palo Alto Networks's NGFW-Engineer exam
Question #: 4
Topic #: 2

A multinational organization wants to use the Cloud Identity Engine (CIE) to aggregate identity data from multiple sources (on-premises AD, Azure AD, Okta) while enforcing strict data isolation for different regional business units. Each region's firewalls, managed via Panorama, must only receive the user and group information relevant to that region. The organization aims to minimize administrative overhead while meeting data sovereignty requirements.

Which approach achieves this segmentation of identity data?

Suggested Answer: B

To meet the requirement of data isolation for different regional business units while minimizing administrative overhead, the best approach is to establish separate Cloud Identity Engine (CIE) tenants for each business unit. Each tenant would be integrated with the relevant identity sources (such as on-premises AD, Azure AD, and Okta) for that specific region. This ensures that the identity data for each region is kept isolated and only relevant user and group data is distributed to the respective regional firewalls.

By maintaining a strict one-to-one mapping between CIE tenants and business units, the organization ensures that each region's firewall only receives the user and group data relevant to that region, thus meeting data sovereignty requirements and minimizing administrative complexity.


Contribute your Thoughts:

Carlota
29 days ago
Option B is the way to go, no doubt. Separate tenants FTW! Less complexity, more control - perfect for meeting those data sovereignty requirements.
upvoted 0 times
...
Alex
1 month ago
Haha, Option A is like trying to fit a square peg in a round hole. Relying on firewall policies to restrict access? That's just asking for trouble!
upvoted 0 times
Odelia
1 day ago
I agree, Option B seems like a much better approach. Separate tenants for each business unit makes more sense.
upvoted 0 times
...
Brittni
2 days ago
Option A is definitely not the way to go. It's too risky to rely on firewall policies for data isolation.
upvoted 0 times
...
...
Luann
1 month ago
Option C is an interesting idea, but it might add too much overhead to the regional firewalls. I think the CIE-based approaches (B or D) are better solutions here.
upvoted 0 times
Queen
4 days ago
I agree, having separate CIE tenants for each region seems like the most efficient approach.
upvoted 0 times
...
Jaleesa
9 days ago
Option B sounds like a good way to keep things organized by business unit.
upvoted 0 times
...
Adela
11 days ago
Definitely, it would make it easier to manage and ensure data isolation for each region.
upvoted 0 times
...
Keena
16 days ago
I agree, having separate CIE tenants for each business unit seems like the most efficient way to handle this.
upvoted 0 times
...
Rasheeda
29 days ago
Option B sounds like the best approach. It keeps things organized by business unit.
upvoted 0 times
...
...
Pamella
2 months ago
That's a good point, Valentine. Option D does seem like a good balance between centralization and data isolation.
upvoted 0 times
...
Valentine
2 months ago
I disagree, I believe option D is more efficient. It allows for centralized management while still filtering and redistributing only relevant data.
upvoted 0 times
...
Shonda
2 months ago
I'd go with Option D. Segmenting the single tenant makes more sense than creating multiple tenants, and it still allows you to control the data flow effectively.
upvoted 0 times
Eleonore
28 days ago
I agree, having one tenant with segmented data seems like the most efficient way to manage identity data.
upvoted 0 times
...
Tammara
1 month ago
Option D sounds like the best choice. It allows for segmentation within the single tenant.
upvoted 0 times
...
...
Vanesa
2 months ago
Option B seems the most straightforward way to achieve the data isolation requirements. Separate tenants for each business unit is a clean and manageable approach.
upvoted 0 times
Samira
7 days ago
Definitely, having a one-to-one mapping of tenant to business unit simplifies the process.
upvoted 0 times
...
Julio
8 days ago
I agree, it would make it easier to control access to specific identity data.
upvoted 0 times
...
Paulene
28 days ago
Separate tenants for each business unit is a clean and manageable approach.
upvoted 0 times
...
Edison
1 month ago
Option B seems the most straightforward way to achieve the data isolation requirements.
upvoted 0 times
...
Nu
1 month ago
And it ensures that each region's firewall only receives the relevant user and group data.
upvoted 0 times
...
Zona
1 month ago
It definitely helps with maintaining a strict one-to-one mapping of tenant to business unit.
upvoted 0 times
...
Devora
2 months ago
I agree, having separate tenants for each business unit makes it easier to manage.
upvoted 0 times
...
Beata
2 months ago
Option B seems the most straightforward way to achieve the data isolation requirements.
upvoted 0 times
...
...
Pamella
2 months ago
I think option B is the best approach. It ensures strict data isolation for each regional business unit.
upvoted 0 times
...
