Palo Alto Networks NGFW Engineer — Question 79
A holding company has recently acquired two new businesses, each with its own Okta identity provider. The holding company wants to use a single Cloud Identity Engine (CIE) instance to provide User-ID for the firewalls of all three organizations. However, for legal reasons, the firewalls of Company A must only receive identity data from Company A's Okta instance, and the firewalls of Company B must only receive identity data from Company B's Okta instance.
Which CIE configuration supports this requirement with the highest operational efficiency?
Answer options
- A. Configure a CIE tenant, connect Okta, and create segments.
- B. Configure the firewalls for each company to query their respective Okta IdPs directly, bypassing CIE for redistribution.
- C. Push all identity data to Panorama and use Panorama's group mapping include/exclude lists to control what each firewall learns.
- D. Create a master CIE tenant for the holding company and peer it with two subordinate tenants, one for each acquired business.
Correct answer: A
Explanation
The correct answer is A. Segments partition a single CIE tenant into isolated groupings of identity sources: each company's Okta instance is attached to its own segment, and each company's firewalls are associated with that segment only. A firewall therefore receives user and group data solely from the sources in its segment, which satisfies the legal separation while keeping one tenant to administer.
Option B is incorrect because it removes CIE from the design. Each firewall would have to be integrated with its Okta instance individually, there would be no central place to manage the identity sources, and the stated goal of a single CIE instance for all three organizations would not be met.
Option C is incorrect because Panorama group mapping include/exclude lists only filter which groups a firewall learns from a source it already receives; they do not prevent identity data from Company A's Okta instance from being distributed to Company B's firewalls. Aggregating all identity data in one place and filtering afterwards also does not meet the requirement that the firewalls receive data only from their own company's IdP.
Option D is incorrect because it replaces the single CIE instance with three tenants and a peering arrangement to maintain, which is less efficient operationally, and the question does not describe any mechanism in that arrangement that restricts which tenant's data reaches which firewalls.