LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

A KMU has 200 employees. Why is the Palo Alto firewall's local user database a bad place to manage all of them?

Local DB doesn't scale: no SSO, no central revocation, no group policies, no delegation, manual provisioning.

Pain points at 200 users:

  • Provisioning: Every new hire requires a manual click in the FW UI — done by network admin, not HR/IT.
  • Offboarding: When someone leaves, you must remember to delete them from the FW and every other system. Easy to miss → ex-employees retain VPN access.
  • Password policies: No central enforcement (rotation, complexity, history) the way AD/LDAP gives you.
  • Auditing: Logs scattered across local DBs of every appliance.
  • No SSO: Users have a separate password just for the FW — they'll write it down or reuse.

Right answer: Integrate with Active Directory / LDAP / RADIUS / SAML. Central identity store, group-based policy, immediate revocation, single sign-on.

Tip: Local DB on a network appliance is fine for 5 admins, never for end users. Always external IdP for production.

Go deeper:

From Quiz: INTROL / Firewall Advanced Lab (Lab 6) | Updated: Jul 05, 2026