Quiz Entry - updated: 2026.07.05
A KMU has 200 employees. Why is the Palo Alto firewall's local user database a bad place to manage all of them?
Local DB doesn't scale: no SSO, no central revocation, no group policies, no delegation, manual provisioning.
Pain points at 200 users:
- Provisioning: Every new hire requires a manual click in the FW UI — done by network admin, not HR/IT.
- Offboarding: When someone leaves, you must remember to delete them from the FW and every other system. Easy to miss → ex-employees retain VPN access.
- Password policies: No central enforcement (rotation, complexity, history) the way AD/LDAP gives you.
- Auditing: Logs scattered across local DBs of every appliance.
- No SSO: Users have a separate password just for the FW — they'll write it down or reuse.
Right answer: Integrate with Active Directory / LDAP / RADIUS / SAML. Central identity store, group-based policy, immediate revocation, single sign-on.
Tip: Local DB on a network appliance is fine for 5 admins, never for end users. Always external IdP for production.
Go deeper:
Active Directory (Wikipedia) — the centralized directory that replaces the appliance-local DB with one identity store.
RADIUS (Wikipedia) — centralized AAA: how an appliance delegates auth to a central server.