Palo Alto Networks NGFW-Engineer Exam - Topic 1 Question 2 Discussion

Actual exam question for Palo Alto Networks's NGFW-Engineer exam

Question #: 2
Topic #: 1

An enterprise uses GlobalProtect with both user- and machine-based certificate authentication and requires pre-logon, OCSP checks, and minimal user disruption. They manage multiple firewalls via Panorama and deploy domain-issued machine certificates via Group Policy.

Which approach ensures continuous, secure connectivity and consistent policy enforcement?

AUse a wildcard certificate from a public CA, disable all revocation checks to reduce latency, and manage certificate renewals manually on each firewall.

BDistribute root and intermediate CAs via Panorama template, use distinct certificate profiles for user versus machine certs, reference an internal OCSP responder, and automate certificate deployment with Group Policy.

CConfigure a single certificate profile for both user and machine certificates. Rely solely on CRLs for revocation to minimize complexity.

DDeploy self-signed certificates on each firewall, allow IP-based authentication to override certificate checks, and use default GlobalProtect settings for user / machine identification.

Show Suggested Answer

Suggested Answer: B

To ensure continuous, secure connectivity and consistent policy enforcement with GlobalProtect in an enterprise environment that uses user- and machine-based certificate authentication, the approach should:

Distribute root and intermediate CAs via Panorama templates: This ensures that all firewalls managed by Panorama share the same trusted certificate authorities for consistency and security.

Use distinct certificate profiles for user vs. machine certificates: This enables separate handling of user and machine authentication, ensuring that both types of certificates are managed and validated appropriately.

Reference an internal OCSP responder: By integrating OCSP checks, the firewall can validate certificate revocation in real-time, meeting the security requirement while minimizing the overhead and latency associated with traditional CRLs (Certificate Revocation Lists).

Automate certificate deployment with Group Policy: This ensures that machine certificates are deployed in a consistent and scalable manner across the enterprise, reducing manual intervention and minimizing user disruption.

This approach supports the requirements for pre-logon, OCSP checks, and minimal user disruption, while maintaining a secure, automated, and consistent authentication process across all firewalls managed via Panorama.

by Celestine at Apr 07, 2025, 06:09 PM

Limited Time Offer

25%

Off

Get Premium NGFW-Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Bea

2 months ago

Manual renewals on each firewall? No thanks, that’s a nightmare!

upvoted 0 times

...

Tamala

2 months ago

Wait, are we really trusting self-signed certs? That seems sketchy.

upvoted 0 times

...

Rasheeda

3 months ago

I disagree, using a wildcard cert seems risky.

upvoted 0 times

...

Odette

3 months ago

Definitely prefer distinct profiles for user and machine certs.

upvoted 0 times

...

Ashlee

3 months ago

Option B sounds solid with the automation and OCSP checks.

upvoted 0 times

...

Dorethea

3 months ago

Option C sounds tempting for simplicity, but I feel like relying solely on CRLs might not be enough for continuous connectivity.

upvoted 0 times

...

Antonette

4 months ago

I practiced a similar question where we had to manage certificates via Panorama, and I think distributing CAs is crucial for consistency.

upvoted 0 times

...

Keneth

4 months ago

I'm not entirely sure, but I think disabling revocation checks like in option A could lead to security risks.

upvoted 0 times

...

Salome

4 months ago

I remember we discussed the importance of using internal CAs and OCSP checks for security, so option B seems like the right choice.

upvoted 0 times

...

Cyndy

4 months ago

Distributing the CAs and using distinct certificate profiles for users and machines seems like the most comprehensive solution to me. Automating the deployment with Group Policy is also a nice touch. I'm leaning towards option B.

upvoted 0 times

...

Bobbie

4 months ago

Option D sounds like the easiest approach, but it probably doesn't meet the security and consistency requirements they're looking for. I'll have to rule that one out.

upvoted 0 times

...

Ahmed

5 months ago

Hmm, the question mentions a lot of specific requirements like pre-logon, OCSP checks, and managing multiple firewalls. I'm not sure I fully understand all the nuances, but option B seems to hit the key points.

upvoted 0 times

...

Pansy

5 months ago

This looks like a complex question involving certificate management and GlobalProtect configuration. I'll need to carefully read through the details and think through the implications of each option.

upvoted 0 times

...

Arlie

10 months ago

I'm not sure, but option B does seem to provide the most comprehensive solution.

upvoted 0 times

...

Rodolfo

10 months ago

I agree with Irma. Option B covers all the necessary requirements.

upvoted 0 times

...

Irma

10 months ago

I think option B is the best approach.

upvoted 0 times

...

Kassandra

10 months ago

Hmm, Option C might seem simpler, but without OCSP, you're just playing with fire. Option B is the safest bet.

upvoted 0 times

Derick

9 months ago

Farrah: Hmm, you make a good point. Option B does seem more secure.

upvoted 0 times

...

Lashandra

9 months ago

User 3: I agree with Lashandra, Option B covers all the bases.

upvoted 0 times

...

Farrah

10 months ago

User 2: I disagree, Option B is the safest choice.

upvoted 0 times

...

Ayesha

10 months ago

User 1: I think Option C is the way to go.

upvoted 0 times

...

Dacia

10 months ago

Option D is just asking for a security breach. Self-signed certs and IP-based auth? No thanks, I'll stick with Option B.

upvoted 0 times

Anabel

10 months ago

User2

upvoted 0 times

...

Vanda

10 months ago

User1

upvoted 0 times

...

Rasheeda

10 months ago

Ha! Wildcard certs and disabling revocation checks? That's like asking for trouble. Option B is the clear winner here.

upvoted 0 times

...

Hubert

11 months ago

I agree, Option B is the way to go. Automating certificate deployment and management is crucial for reducing complexity and maintaining security.

upvoted 0 times

Deandrea

9 months ago

User 4: I think we can all benefit from automating certificate deployment. Option B is the way to go.

upvoted 0 times

...

Lenita

9 months ago

User 3: It's important to have consistent policy enforcement. Option B covers all the necessary steps for secure connectivity.

upvoted 0 times

...

Mee

9 months ago

User 2: I agree, managing certificates manually can be a hassle. Option B seems like the most efficient approach.

upvoted 0 times

...

Derick

9 months ago

User 1: Option B is definitely the best choice. Automating certificate deployment is key.

upvoted 0 times

...

Glory

9 months ago

User 4: Managing everything through Panorama and Group Policy seems like the most efficient approach.

upvoted 0 times

...

Ernie

9 months ago

User 3: Using distinct certificate profiles for user and machine certs makes it easier to enforce policies.

upvoted 0 times

...

Golda

9 months ago

User 2: I agree, it's important to have a centralized way to manage certificates.

upvoted 0 times

...

Brittni

10 months ago

User 1: Option B is definitely the best choice. Automating certificate deployment is key.

upvoted 0 times

...

Simona

11 months ago

Option B seems like the best approach. Using distinct certificate profiles and an internal OCSP responder will ensure consistent policy enforcement.

upvoted 0 times

...