In this scenario, the company does not use on-premises Active Directory and manages devices with
Entra ID and Jamf, which implies a cloud-native and modern management setup. Below is the
evaluation of each option:
Option A: Captive portal
Captive portal is typically used in environments where identity mapping is needed for unmanaged
devices or guest users. It provides a mechanism for users to authenticate themselves through a web
interface.
However, in this case the company manages its devices with Entra ID and Jamf, so identity
information is already centralized and available through other means. Captive portal is not an
ideal solution here.
This option is not appropriate.
Option B: User-ID agents configured for WMI client probing
WMI (Windows Management Instrumentation) client probing is a mechanism used to map IP
addresses to usernames in a Windows environment. This approach is specific to on-premises Active
Directory deployments and requires direct communication with Windows endpoints.
Since the company does not have an on-premises AD and is using Entra ID and Jamf, this method is
not applicable.
This option is not appropriate.
Option C: GlobalProtect with an internal gateway deployment
GlobalProtect is Palo Alto Networks' VPN solution, which allows for secure remote access. It also
supports identity-based mapping when deployed with internal gateways.
In this case, GlobalProtect with an internal gateway provides user and device visibility for the
managed devices that connect through the gateway.
This option is appropriate.
Option D: Cloud Identity Engine synchronized with Entra ID
The Cloud Identity Engine provides a cloud-based approach to synchronize identity information from
identity providers like Entra ID (formerly Azure AD).
In a cloud-native environment with Entra ID and Jamf, the Cloud Identity Engine is a natural fit
because it integrates directly with Entra ID to provide identity visibility for applications and data.
This option is appropriate.