Palo Alto Networks Exam NGFW-Engineer Topic 1 Question 2 Discussion

Actual exam question for Palo Alto Networks's NGFW-Engineer exam

Question #: 2
Topic #: 1

An enterprise uses GlobalProtect with both user- and machine-based certificate authentication and requires pre-logon, OCSP checks, and minimal user disruption. They manage multiple firewalls via Panorama and deploy domain-issued machine certificates via Group Policy.

Which approach ensures continuous, secure connectivity and consistent policy enforcement?

AUse a wildcard certificate from a public CA, disable all revocation checks to reduce latency, and manage certificate renewals manually on each firewall.

BDistribute root and intermediate CAs via Panorama template, use distinct certificate profiles for user versus machine certs, reference an internal OCSP responder, and automate certificate deployment with Group Policy.

CConfigure a single certificate profile for both user and machine certificates. Rely solely on CRLs for revocation to minimize complexity.

DDeploy self-signed certificates on each firewall, allow IP-based authentication to override certificate checks, and use default GlobalProtect settings for user / machine identification.

Show Suggested Answer

Suggested Answer: B

To ensure continuous, secure connectivity and consistent policy enforcement with GlobalProtect in an enterprise environment that uses user- and machine-based certificate authentication, the approach should:

Distribute root and intermediate CAs via Panorama templates: This ensures that all firewalls managed by Panorama share the same trusted certificate authorities for consistency and security.

Use distinct certificate profiles for user vs. machine certificates: This enables separate handling of user and machine authentication, ensuring that both types of certificates are managed and validated appropriately.

Reference an internal OCSP responder: By integrating OCSP checks, the firewall can validate certificate revocation in real-time, meeting the security requirement while minimizing the overhead and latency associated with traditional CRLs (Certificate Revocation Lists).

Automate certificate deployment with Group Policy: This ensures that machine certificates are deployed in a consistent and scalable manner across the enterprise, reducing manual intervention and minimizing user disruption.

This approach supports the requirements for pre-logon, OCSP checks, and minimal user disruption, while maintaining a secure, automated, and consistent authentication process across all firewalls managed via Panorama.

by Celestine at Apr 07, 2025, 06:09 PM

Limited Time Offer

25%

Off

Get Premium NGFW-Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Arlie

1 months ago

I'm not sure, but option B does seem to provide the most comprehensive solution.

upvoted 0 times

...

Rodolfo

1 months ago

I agree with Irma. Option B covers all the necessary requirements.

upvoted 0 times

...

Irma

1 months ago

I think option B is the best approach.

upvoted 0 times

...

2 months ago

Option D is just asking for a security breach. Self-signed certs and IP-based auth? No thanks, I'll stick with Option B.

upvoted 0 times

Anabel

22 days ago

User2

upvoted 0 times

...

Vanda

26 days ago

User1

upvoted 0 times

...

Rasheeda

2 months ago

Ha! Wildcard certs and disabling revocation checks? That's like asking for trouble. Option B is the clear winner here.

upvoted 0 times

...

2 months ago

Option B seems like the best approach. Using distinct certificate profiles and an internal OCSP responder will ensure consistent policy enforcement.

upvoted 0 times

...