
Palo Alto Networks Exam NGFW-Engineer Topic 1 Question 2 Discussion

Actual exam question for Palo Alto Networks's NGFW-Engineer exam
Question #: 2
Topic #: 1

An enterprise uses GlobalProtect with both user- and machine-based certificate authentication and requires pre-logon, OCSP checks, and minimal user disruption. They manage multiple firewalls via Panorama and deploy domain-issued machine certificates via Group Policy.

Which approach ensures continuous, secure connectivity and consistent policy enforcement?

Suggested Answer: B

To ensure continuous, secure connectivity and consistent policy enforcement with GlobalProtect in an enterprise environment that uses user- and machine-based certificate authentication, the approach should:

- Distribute root and intermediate CAs via Panorama templates: This ensures that all firewalls managed by Panorama share the same trusted certificate authorities for consistency and security.
- Use distinct certificate profiles for user vs. machine certificates: This enables separate handling of user and machine authentication, ensuring that both types of certificates are managed and validated appropriately.
- Reference an internal OCSP responder: By integrating OCSP checks, the firewall can validate certificate revocation in real time, meeting the security requirement while minimizing the overhead and latency associated with traditional CRLs (Certificate Revocation Lists).
- Automate certificate deployment with Group Policy: This ensures that machine certificates are deployed in a consistent and scalable manner across the enterprise, reducing manual intervention and minimizing user disruption.

This approach supports the requirements for pre-logon, OCSP checks, and minimal user disruption, while maintaining a secure, automated, and consistent authentication process across all firewalls managed via Panorama.


Contribute your Thoughts:

Arlie
1 month ago
I'm not sure, but option B does seem to provide the most comprehensive solution.
upvoted 0 times
...
Rodolfo
1 month ago
I agree with Irma. Option B covers all the necessary requirements.
upvoted 0 times
...
Irma
1 month ago
I think option B is the best approach.
upvoted 0 times
...
Kassandra
2 months ago
Hmm, Option C might seem simpler, but without OCSP, you're just playing with fire. Option B is the safest bet.
upvoted 0 times
Derick
10 days ago
Farrah: Hmm, you make a good point. Option B does seem more secure.
upvoted 0 times
...
Lashandra
26 days ago
User 3: I agree with Lashandra, Option B covers all the bases.
upvoted 0 times
...
Farrah
1 month ago
User 2: I disagree, Option B is the safest choice.
upvoted 0 times
...
Ayesha
1 month ago
User 1: I think Option C is the way to go.
upvoted 0 times
...
...
Dacia
2 months ago
Option D is just asking for a security breach. Self-signed certs and IP-based auth? No thanks, I'll stick with Option B.
upvoted 0 times
Anabel
28 days ago
User2
upvoted 0 times
...
Vanda
1 month ago
User1
upvoted 0 times
...
...
Rasheeda
2 months ago
Ha! Wildcard certs and disabling revocation checks? That's like asking for trouble. Option B is the clear winner here.
upvoted 0 times
...
Hubert
2 months ago
I agree, Option B is the way to go. Automating certificate deployment and management is crucial for reducing complexity and maintaining security.
upvoted 0 times
Deandrea
3 days ago
User 4: I think we can all benefit from automating certificate deployment. Option B is the way to go.
upvoted 0 times
...
Lenita
4 days ago
User 3: It's important to have consistent policy enforcement. Option B covers all the necessary steps for secure connectivity.
upvoted 0 times
...
Mee
5 days ago
User 2: I agree, managing certificates manually can be a hassle. Option B seems like the most efficient approach.
upvoted 0 times
...
Derick
6 days ago
User 1: Option B is definitely the best choice. Automating certificate deployment is key.
upvoted 0 times
...
Glory
7 days ago
User 4: Managing everything through Panorama and Group Policy seems like the most efficient approach.
upvoted 0 times
...
Ernie
8 days ago
User 3: Using distinct certificate profiles for user and machine certs makes it easier to enforce policies.
upvoted 0 times
...
Golda
23 days ago
User 2: I agree, it's important to have a centralized way to manage certificates.
upvoted 0 times
...
Brittni
1 month ago
User 1: Option B is definitely the best choice. Automating certificate deployment is key.
upvoted 0 times
...
...
Simona
2 months ago
Option B seems like the best approach. Using distinct certificate profiles and an internal OCSP responder will ensure consistent policy enforcement.
upvoted 0 times
...
